In an unprecedented multi-national operation, the FBI and other law enforcement agencies have collaborated to take down the 700,000-PC botnet controlled by the ransomware group Qakbot. As one of the most prolific ransomware groups of the last 15 years, Qakbot used malicious email attachments to spread across infected devices around the globe, encrypting sensitive files and connecting the machines to a botnet that was used to further infect unwitting victims. By redirecting botnet traffic to a series of FBI-controlled servers, agents were able to push a Qakbot uninstaller file to infected machines, which disconnected them from the botnet and prevented further malware installations.
LockBit Locker targets Spanish architecture firms
Following the leak of the LockBit 3.0 ransomware builder, Spanish authorities are warning local architecture firms of a new campaign that is targeting them specifically and using an embedded archive of Python scripts to launch a ransomware attack. The ransom note claims the attack was initiated by LockBit Locker, though it uses source code like that of ALPHV/BlackCat, which is a newer iteration of the former ransomware group BlackMatter. Ransom negotiations are also being conducted from an email address, 'lockspain@onionmail.org', rather than LockBit’s established dark web leak site, further separating LockBit Locker from the main LockBit ransomware group.
Prospect Medical breach claimed by Rhysida ransomware group
Two weeks after the cyberattack that shut down operations at several medical facilities operated by Prospect Medical Holdings, the Rhysida ransomware group has taken responsibility for the attack and published a 1TB trove to its leak site. The stolen data is said to contain 500,000 Social Security Numbers and a significant amount of patient health records and other personally identifiable information (PII). It is unclear if Prospect Medical will pay the ransom demanded, especially as it currently stands at 50 Bitcoins, or roughly $1.3 million.
Cyberattack forces University of Michigan offline
Over the weekend, staff at the University of Michigan were forced to take several of their systems offline after identifying a cyberattack that was impacting their campus network. While officials were able to fully restore the affected systems, they made the decision to keep the network disconnected from the Internet as they continued to investigate the source of the intrusion and determine if anything else was illicitly accessed. This attack was unfortunately timed, as it occurred just weeks after the cyberattack on Michigan State University, and the evening before classes were set to start at the University of Michigan.
SIM-swapping attack allows breach of multiple cryptocurrency firms
Recently, officials from the financial advisory firm Kroll confirmed that several of their cryptocurrency clients had been breached after threat actors SIM-swapped an employee’s phone number onto a device they controlled. The affected cryptocurrency firms were FTX, Genesis, and BlockFi, all of which began contacting their own clients to warn them of the phishing attempts that would follow. Clients of FTX started receiving phishing emails within days of the initial attack, encouraging them to withdraw funds from their FTX accounts.