Ransomware Gang Evil Corp Group Strikes Again with New Ransomware WastedLocker

A ransomware gang called Evil Corp Group is back in action after an undetermined period of inactivity. The group has returned with a newly developed piece of ransomware dubbed WastedLocker.

Who is behind Evil Corp?

Evil Corp Group is a Russian-based cybercriminal group that is led by Maksim Yakubets. The group rose to popularity in 2007 and was infamously known for targeting big US firms.

They demand million-dollar ransom payments and are reputed to have stolen at least $100 million from banks and financial institutions in at least 40 countries. According to global cybersecurity firm NCC Group:

“Evil Corp are selective in terms of the infrastructure they target when deploying their ransomware. Typically, they hit file servers, database services, virtual machines and cloud environments.”

The group gained notoriety after developing the Dridex and BitPaymer malware. From the outset, Evil Corp Group has changed its virtual identity numerous times in order to stay undetected.

New production: WastedLocker

The newly developed malware WastedLocker encrypts the files of the infected host. Although it shares little with its predecessor BitPaymer, WastedLocker has been labeled a threat by cybersecurity officials because of its connection to the notorious Evil Corp Group.

In fact, alleged leader Yakubets and his partner-in-crime Igor Turashev have been charged in a 10-count indictment for monetary fraud, conspiracy, computer hacking, and wire fraud.

Bitcoin-demanding ransomware WannaCryFake

WannaCryFake, much like its counterpart WastedLocker, is a Bitcoin (BTC) demanding ransomware. Once a computer system is infected, the malware encrypts the data, holds it hostage, and demands a ransom in Bitcoin in exchange for decrypting the files. Only after the ransom has been paid will the attackers release the stolen data back to the victim.

Solutions to ransomware

Though it may be daunting, cybersecurity firms have put forward ways to track down hacker gangs and put an end to their cybercriminal activities.

Emsisoft, a cybersecurity firm, focuses on tracking down malicious phishing and ransomware attacks. It released a free decryption tool aimed at putting an end to illegal Bitcoin mining activities.

Hacking Ransomware Group REvil Threatens to Strike Again

Previously known as the group that hacked entertainment media law firm Grubman Shire Meiselas & Sacks, the cyberattack gang REvil does not appear to be giving up its devious activities any time soon.

Its new scheme once again entails ransomware, but this time the demands target big-shot celebrities such as rap star Nicki Minaj, NBA superstar LeBron James, and Mariah Carey.

Grubman Shire Meiselas & Sacks

The reputed American law firm Grubman Shire Meiselas & Sacks caters mainly to Hollywood celebrities. Among other well-known entertainment performers, it is the official legal representative of celebrities such as Lady Gaga, Elton John, Mary J. Blige, and many more.

News of the cybercriminal activities of the REvil group surfaced last month. The hacking group boasted that it had previously managed to hack and extract a massive amount of encrypted data from a reputed American IP law firm and had stolen data from the US Navy. It then proceeded to auction off the data stolen during its ransomware attacks.

In fact, its criminal haul amounted to a cumulative 756 gigabytes of documents, most of which contained sensitive information on stolen music and private information about the entertainment business.

REvil ransomware group has previously been known to target companies such as Travelex, which guarantees the lowest transactional prices for foreign exchanges in the United States of America.

Revealing the devious schemes behind REvil

REvil is notorious for demanding payouts in popular cryptocurrencies such as Bitcoin in exchange for the release of stolen data. However, the ransomware gang has decided to switch to demanding Monero (XMR) payouts, which are regarded as safer, more secure, and much harder to trace.

What is Monero?

Monero is a cryptocurrency that was founded in 2014 as a fork of Bytecoin. Its advantage is that account privacy and control over fund transactions rest entirely with the crypto user.

The ransomware group has revealed future plans that include hacking President Donald Trump. Judging by the POTUS' reaction to Bitcoin, ransomware threats such as REvil's may lead to an angry Twitter comment or another outsized reaction from the POTUS.

Trump has previously been quite vocal about his reservations on cryptocurrency trends such as Bitcoin. This was evidenced by a tweet he made in July 2019, which spoke of their high volatility and of their being based on thin air.

Member of Dark Overlord Crypto Hacking Group Pleads Guilty to Ransom Attacks

UK national Nathan Wyatt was found guilty of multiple charges this week after extracting personal information from victims and demanding payment in Bitcoin as a ransom to prevent him from exploiting the sensitive data he had obtained by illicit means.

Wyatt, a member of the notorious Bitcoin ransom group "The Dark Overlord", was found guilty of multiple charges this week in the U.S. and faces a five-year prison sentence and a $1.5 million fine, according to reports.

The U.S. Department of Justice sentenced Wyatt following a string of hacks and ransom attacks on high-profile businesses and individuals. Among the targets of these attacks was streaming platform Netflix, which in 2017 was threatened with the leak of season five of the hit show "Orange Is The New Black" unless it met the group's demand for a substantial sum in Bitcoin; both extortion attempts failed.

Among the information obtained by The Dark Overlord were stolen medical records, client files, and personal information from several U.S. companies, with ransom demands ranging between $75,000 and $300,000 worth of Bitcoin forming the basis for much of the investigation.

Wyatt achieved this by contacting executives at victim companies and informing them that their data had been compromised. The report also alleged that Wyatt had sent threatening messages to family members of company executives to further persuade the victims to pay.

Wyatt was identified as a member of The Dark Overlord group when records of phone numbers registered in his name were found, linking him to his victims. He was arrested in the U.K. in 2017 and extradited to the U.S. in 2019, where he faced several charges.

This week Wyatt pleaded guilty before a U.S. federal court to six counts, including conspiracy to commit aggravated identity theft and computer fraud.

The cost of ransomware attacks is at an all-time high, with cryptocurrency often being the preferred vessel for laundering tainted funds through reputable exchanges. This presents an interesting and pressing new paradigm for the security of blockchain-based applications, with privacy coins such as Monero entering the conversation.

Origin Protocol Puts $1 Million Bounty on Hacker As OUSD Stablecoin Loses Stability

Origin Protocol's stablecoin, the Origin Dollar (OUSD), was hacked earlier this week, resulting in a loss of $7 million. Origin has now announced a $1 million bounty for anyone who can bring the hacker responsible for destabilizing its stablecoin to justice.

Following the $7 million hack on Origin Protocol's OUSD, the stablecoin, which should hold steady at $1, has fallen to a value of 86 cents.

On Nov. 18, Matthew Liu, the co-founder of Origin Protocol, confirmed the incident and said that the cause of the attack was a flash-loan transaction. The attacker used a flash loan and exploited vulnerabilities within the OUSD contracts to carry out what is called a "reentrancy attack", which led to the loss of funds.

According to an update on its official blog, Origin is now offering a reward for the DeFi protocol's attacker to be brought to justice. Origin Protocol's co-founder Josh Fraser wrote in the update:

“We are offering a bounty of $1,000,000 USD to anyone that supplies substantial information or evidence leading to the return of customer funds.”

The OUSD stablecoin hack resulted in a loss of funds worth $7 million in combined Ethereum and DAI stablecoin, including $1 million deposited by the company's employees and founders.

In the update on Nov. 19, the article appeals to the hacker to keep Origin's $1 million portion of the money but to consider returning the $6 million in customer funds, since not all of those customers are wealthy.

The update reads:

“If you examine the wallet addresses that held OUSD, you will realize that many of our users are not degens or whales… Keep Origin’s funds, but don’t punish our users, many of whom were new to crypto.” 

Origin Protocol said that it has traced the funds and knows that the hacker used both renBTC and Tornado Cash (mixers) to wash and move the funds.

Origin Protocol is the latest to suffer from flash loan attacks, which have become common in the DeFi sector. Flash loans are an emerging DeFi service that lets users instantly borrow funds without posting collateral. However, criminals use the borrowed funds to manipulate DeFi markets, in what are commonly called flash loan attacks.

JBS Paid Hackers $11M Worth of Bitcoin to Set Free From Hacker Attack

JBS, the world's largest meat producer, based in Brazil, revealed that the company had paid hackers a ransom of about $11 million worth of Bitcoin to resolve the ransomware attack, the company's CEO told The Wall Street Journal on Wednesday.

JBS USA Holdings Inc. learned it was under attack last Sunday, when it received blackmail messages from hackers demanding a ransom payment in Bitcoin. The cyberattack caused a complete shutdown of beef processing operations across the United States, leading to fundamental business disruptions.

The CEO of JBS SA's U.S. division said in an interview with The Wall Street Journal on Wednesday:

“It was very painful to pay the criminals, but we did the right thing for our customers.”

According to the US Federal Bureau of Investigation (FBI), the hackers belong to a Russia-linked organisation called REvil. The authority has not determined how REvil managed to penetrate the company's systems.

The world's largest supplier of meat products processes beef, poultry, and pork from Australia to South America and Europe and employs more than 240,000 people worldwide. Nogueira, the CEO of JBS USA, added that the company completed the payment after ensuring that most JBS factories had restarted and were operating normally.

The US government does not recommend that ransomware victims pay the attackers. However, JBS decided to accept the hackers' blackmail demand, reasoning that it would keep the data from being leaked and reduce the risk of further attacks on the global meat supply chain and its customers.

A similar cybercrime recently hit Colonial Pipeline, the largest gasoline pipeline operator in the United States. Colonial Pipeline paid approximately $4.4 million in Bitcoin to regain control of its operations and resume services.

The recent wave of ransomware intrusions suggests that hackers' choice of targets has begun to change. They have shifted from data-rich companies such as retailers, banks, and insurance companies to basic service providers such as hospitals, transportation operators, and food companies.

$3.6B Worth of Bitcoin Scam: Founders of South African Crypto Exchange Africrypt Are Missing

Bitcoin worth a total of $3.6 billion has disappeared while the founders of South African cryptocurrency exchange Africrypt are missing, Bloomberg reported.

Brothers Ameer Cajee, 20, and Raees Cajee, 17, founded the South Africa-based digital currency exchange Africrypt in 2019 to attract high-net-worth individuals and celebrities.

The company claimed its platform was hacked on April 13 but urged its investors not to report the incident to lawyers and authorities, claiming the report would hinder the recovery of funds.

Hanekom Law Firm took up the investigation at the request of its clients among the victims. Yet the law firm was doubtful and sceptical about the alleged hacking incident, commenting:

“We were immediately suspicious as the announcement implored investors not to take legal action. Africrypt employees lost access to the back-end platforms seven days before the alleged hack.”

The law firm later found that the founders of Africrypt had moved to the UK immediately after the incident and cut off all contact channels.

Reportedly, the brothers transferred 69,000 BTC from Africrypt's account and customer wallets to an account at First National Bank (FNB) in Johannesburg. At the current bitcoin price of $32,968, that transfer is worth an estimated $2.275 billion.

Attorney Hanekom stated that these funds were then transferred to various dark web tumblers and mixers, leaving them severely fragmented and effectively untraceable.

The authorities said the investigation was ongoing and had been transferred to a special division of the South African Police Force. Yet the South African government faces legal challenges because its laws do not comprehensively cover cryptocurrency assets.

Russian Hackers Hijack YouTube Channels to Broadcast Crypto Scams: Google

Search engine giant Google has made a series of claims, accusing Russian hackers of hijacking YouTube channels for malicious purposes.

Per a recent blog post shared by the Threat Analysis Group (TAG) of the American multinational company, the hackers typically deploy cookie-theft malware that sends the YouTuber's passwords and session cookies to the hacker's servers.

The compromise begins with email correspondence proposing an advertising collaboration. Google said these hackers often impersonate an existing and established business, which lends the sender a high level of legitimacy. Unsuspecting YouTubers who click through and visit the embedded cloned websites on fake domains risk giving up their data to the hacker.

With access to a channel, the hackers can either auction it out to the highest bidder or use it to broadcast live cryptocurrency-related scams.

“The actors behind this campaign, which we attribute to a group of hackers recruited in a Russian-speaking forum, lure their target with fake collaboration opportunities (typically a demo for anti-virus software, VPN, music players, photo editing, or online games), hijack their channel, then either sell it to the highest bidder or use it to broadcast cryptocurrency scams,” the TAG report detailed.

The ease with which digital currencies are adopted in fraud and cyber theft has made platforms like YouTube reluctant to allow crypto-related content, which was a source of uproar for a while. However, with the recent upsurge in phishing scams, Google said it had decreased the volume of related phishing emails on Gmail by 99.6% since May 2021.

"We blocked 1.6M messages to targets, displayed ~62K Safe Browsing phishing page warnings, blocked 2.4K files, and successfully restored ~4K accounts. With increased detection efforts, we've observed attackers shifting away from Gmail to other email providers (mostly email.cz, seznam.cz, post.cz, and aol.com)," the report continued.

The search engine giant added that in order "to protect our users, we have referred the below activity to the FBI for further investigation."

Sky Mavis Promises to Compensate Lost Users for Ronin Hack

After hackers stole $625 million from the Ronin blockchain, the Singapore-based game studio Sky Mavis has pledged to repay users, according to Bloomberg.

The hackers reportedly stole around 173,600 ether and $25.5 million in USD Coin (USDC) tokens on March 23. At current prices, the stolen funds are worth approximately $615 million. According to blockchain analytics firm Elliptic, this is the second-largest cryptocurrency theft by hackers on record.

Ronin said that it is now actively working to recover the stolen cryptocurrency, adding:

"We are working directly with various government agencies to ensure the criminals get brought to justice."

The Ronin Network has suffered what is being described as the largest hack in the history of Decentralized Finance (DeFi), with over $625 million in funds carted away by the hackers.

Ronin Network is an Ethereum sidechain created with Axie Infinity’s community. It is the product of the search by the Axie Infinity team for a fast, cheap, and reliable network resident on the Ethereum blockchain.

A spokesperson from Sky Mavis said:

"We are committed to ensuring that all of the drained funds are recovered or reimbursed, and we are continuing conversations with our stakeholders to determine the best course of action."

The hackers used compromised private keys to forge withdrawals through overlooked nodes, draining 173,600 ETH and $25.5 million in USDC.

Sky Mavis COO Aleksander Leonard Larsen said the stolen funds included Axie Infinity’s treasury revenue in addition to user deposits.

Online cryptocurrency exchange Liquid was attacked by hackers, who transferred out approximately $80 million worth of cryptocurrency on August 19, 2021.

US Seizes $500K in Crypto Paid as Ransom to North Korean Hackers

The U.S. Justice Department has revealed the seizure of crypto funds worth $500,000 that had been paid as ransom to North Korean hackers. The seizure was carried out after the FBI filed for a warrant in May this year.

The seized funds had been paid as ransom by health care providers in Colorado and Kansas.

Lisa Monaco, the deputy attorney general, stated:

"Thanks to rapid reporting and cooperation from a victim, the FBI, and Justice Department prosecutors have disrupted the activities of a North Korean state-sponsored group deploying ransomware known as 'Maui.'"

Monaco added:

“Not only did this allow us to recover their ransom payment as well as a ransom paid by previously unknown victims, but we were also able to identify a previously unidentified ransomware strain.”

Based on court documents, North Korean hackers used Maui to wreak havoc by encrypting the servers and files of a medical centre in Kansas, which later paid a ransom of approximately $100K in Bitcoin (BTC) to regain access.

In April 2022, thanks to the cooperation of the Kansas medical centre, the FBI was able to track a Bitcoin payment worth $120K to one of the subsequently seized crypto accounts.

The recovered funds are expected to be returned to the victims. Matthew Olsen, an assistant attorney general, acknowledged:

“Reporting cyber incidents to law enforcement and cooperating with investigations not only protects the United States, but is also good business. The reimbursement to these victims of the ransom shows why it pays to work with law enforcement.”

Meanwhile, a recent Chainalysis report revealed that the rising usage of crypto mixers was drawing public attention, with illicit activities such as scams, ransomware, terrorism financing, and darknet markets taking the lion's share.

The blockchain analytics firm noted:

"The increase in illicit cryptocurrency moving to mixers is more interesting, though. Illicit addresses account for 23% of funds sent to mixers so far in 2022, up from 12% in 2021."

Mixers offer enhanced privacy in crypto transactions, and cybercriminals and hackers can abuse them to hide the origin of funds.

DeFi Hacker Returns $5.4M to Euler Finance

On March 18, Euler Finance, a decentralized finance (DeFi) platform, received a surprising gift from the hacker who had drained $197 million from the platform just a few days earlier. The attacker returned 3,000 ETH ($5.4 million) to Euler Finance’s deployer address, citing a change of heart.

The attack on Euler Finance, which occurred on March 15, was one of the biggest DeFi hacks of 2023 so far. The attacker was able to drain $197 million through multiple transactions and later used a multichain bridge to transfer the funds from the Binance Smart Chain (BNB) to Ethereum. The stolen funds were then moved into Tornado Cash, a crypto mixer that anonymizes transactions.

In response to the hack, Euler Finance announced a $1 million reward for anyone who could help track down the hacker and retrieve the funds. The platform also demanded that the hacker return 90% of the funds within 24 hours to avoid possible jail time.

It is unclear why the hacker returned the funds, but it may have been due to the pressure from the $1 million bounty or the fear of getting caught. This is not the first time a DeFi hacker has returned stolen funds. In July 2022, the attacker who stole $600 million from Poly Network returned the funds and even received a job offer from the company.

DeFi hacks are becoming more common as the industry grows and attracts more attention from hackers. According to CipherTrace’s 2023 DeFi Decentralized Exchange (DEX) Report, DeFi hacks have already surpassed $1 billion in 2023. To prevent such attacks, DeFi platforms are investing in better security measures and insurance policies.

The return of the funds to Euler Finance may come as a relief to the platform and its users, but it also highlights the need for better security measures in the DeFi industry. As the industry continues to grow and mature, it is likely that we will see more hacks and exploits, but hopefully, we will also see more successful recoveries and stronger security measures.
