Tag Archives: Ransomware

U.S. Department of Treasury Sanctions Russian Ransomware Actor



The U.S. Department of the Treasury posted a press release titled: “Treasury Sanctions Russian Ransomware Actor Complicit in Attacks on Police and U.S. Critical Infrastructure”. From the press release:

Today, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC), designated Mikhail Matveev (Matveev) for his role in launching cyberattacks against U.S. law enforcement, businesses, and critical infrastructure. Concurrently, the U.S. District Courts for the District of New Jersey and the District of Columbia unsealed indictments against Matveev. Additionally, the U.S. Department of State announced an award of up to $10 million for information that leads to the arrest and/or conviction of Matveev under its Transnational Organized Crime Rewards Program.

“The United States will not tolerate ransomware attacks against our people and our institutions,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson. “Ransomware actors like Matveev will be held accountable for their crimes, and we will continue to use all available authorities and tools to defend against cyber threats.”

The press release continued: The impacts of ransomware attacks are far-reaching, with victims experiencing the loss and disclosure of sensitive information and disruption of critical services. Russia is a haven for ransomware actors, enabling cybercriminals like Matveev to engage openly in ransomware attacks against U.S. organizations.

According to analysis conducted by Treasury’s Financial Crimes Enforcement Network (FinCEN), 75 percent of ransomware-related incidents reported between July and December 2021 were linked to Russia, its proxies, or persons acting on its behalf. Russia-linked ransomware variants such as Hive, LockBit, and Baby, which Matveev helped to develop and deploy, have been responsible for millions of dollars in losses to victims in the United States and around the world. The Hive ransomware group alone has targeted more than 1,500 victims in over 80 countries, including hospitals, school districts, financial firms, and other critical infrastructure.

The U.S. Department of Justice released a news item titled “Russian National Charged with Ransomware Attacks Against Critical Infrastructure”. From the news:

The Justice Department today unsealed two indictments charging a Russian national and resident with using three different ransomware variants to attack numerous victims throughout the United States, including law enforcement agencies in Washington D.C. and New Jersey, as well as victims in healthcare and other sectors nationwide…

…On or about June 25, 2020, Matveev and his LockBit coconspirators allegedly deployed LockBit ransomware against a law enforcement agency in Passaic County, New Jersey. Additionally, on or about May 27, 2022, Matveev and his Hive coconspirators allegedly deployed Hive against a nonprofit behavioral healthcare organization headquartered in Mercer County, New Jersey. On April 26, Matveev and his Babuk coconspirators allegedly deployed Babuk against the Metropolitan Police Department in Washington, D.C…

…Matveev is charged with conspiring to transmit ransom demands, conspiring to damage protected computers, and intentionally damaging protected computers. If convicted, he faces over 20 years in prison…

Engadget reported: In April of 2021, for instance, [Matveev] was linked to a Babuk ransomware attack that saw the computers of the Metropolitan Police Department in Washington DC locked out. Last May, Matveev, whose online pseudonyms include Wazawaka, Uhodiransomwar, m1x, and Boriselcin, was allegedly involved in a Hive ransomware attack that targeted a healthcare NGO in New Jersey.

Engadget also reported that the Department of Justice is offering a reward of up to $10 million for information that leads to the arrest of Matveev.

I always find it interesting when more than one official U.S. Department works together on fighting crime, especially when the crime involves ransomware attacks. Ideally, this coordination should make ransomware thieves think twice, since they could end up in prison.


U.S. Department of Justice Seized $2.3M in Bitcoin from Ransomware Hackers



The U.S. Department of Justice announced that it seized 63.7 bitcoins currently valued at approximately $2.3 million. According to the Department of Justice, “these funds allegedly represent the proceeds of a May 8, ransom payment to individuals in a group known as DarkSide.” This is the group that targeted the Colonial Pipeline, causing it to shut down.

As alleged in the supporting affidavit, by reviewing the Bitcoin public ledger, law enforcement was able to track multiple transfers of bitcoin and identify that approximately 63.7 bitcoins, representing the proceeds of the victim’s ransom payment, had been transferred to a specific address, for which the FBI has the “private key,” or the rough equivalent of a password needed to access assets accessible from the specific Bitcoin address. This bitcoin represents proceeds traceable to a computer intrusion and property involved in money laundering and may be seized pursuant to criminal and civil forfeiture statutes.

The Wall Street Journal reported a quote from Stephanie Hinds, acting U.S. attorney for the Northern District of California (where the seizure warrant was obtained). “The extortionists will never see this money. This case demonstrates our resolve to develop methods to prevent evildoers from converting new methods of payment into tools and extortion for undeserved profits.”

The Wall Street Journal also reported that the FBI officially discourages victims from paying ransoms, because payments feed a booming criminal marketplace and often won’t actually result in the restoration of the frozen computer systems.

Krebs on Security reported that Colonial Pipeline stated that the hackers only hit its business IT networks – not its pipeline security or safety systems. Colonial Pipeline shut down its pipeline as a precaution.

According to Krebs on Security, DarkSide (which is described as a “ransomware-as-a-service” syndicate) shut down on May 14, 2021, after posting a farewell message to affiliates. The message said that its Internet servers and cryptocurrency stash were seized by unknown law enforcement entities.

Personally, I find it interesting that the U.S. Department of Justice has the ability to seize cryptocurrency from thieves who received it after infecting a company with ransomware. Perhaps this will serve as a warning to those who are interested in obtaining cryptocurrency through illegal means.


Colonial Pipeline Shut Down Due to Cyberattack



Colonial Pipeline Co. is the main pipeline carrying gasoline and diesel fuel to the U.S. East Coast, The Wall Street Journal reported. It has been shut down due to a cyberattack. It never occurred to me that someone would launch a cyberattack against a company that transports fuel, but that is what has happened.

According to The Wall Street Journal, Colonial Pipeline Co. operates the 5,500-mile Colonial Pipeline system that takes fuel from the Gulf Coast to the New York metro area. The company yesterday learned that it was the victim of a cyberattack, and “took certain systems offline to contain the threat, which has temporarily halted all pipeline operations.”

The New York Times reported the following:

…But the shutdown of such a vital pipeline, one that has been serving the East Coast since the early 1960s, highlights the huge vulnerability of aging infrastructure that has been connected, directly or indirectly, to the internet.

The New York Times reported that Colonial Pipeline has not indicated whether its systems were hit by ransomware or another form of cyberattack. The Wall Street Journal reported that the attack appeared to involve ransomware. Both news sites stated that Colonial Pipeline Co. is working with private security firm FireEye.

It appears that if the cyberattack problem can be resolved quickly, it might not have much of an effect on gas prices. If the problem cannot be solved soon, it could potentially cause gas prices to increase. This is happening when the United States is starting to open up more as the population gets vaccinated, and people are planning to travel or book summer vacations.


New Orleans City Hall Hit by Ransomware



It is always worrying when a city government is hit by a ransomware attack. That appears to be what happened to the New Orleans City Hall on December 13, 2019. According to the New Orleans Times-Picayune, workers were told a cyberattack had struck the city government.

The workers were told to turn off and unplug their computers. City websites were down. In addition, the New Orleans Police Department was told to shut down its computer equipment and remove everything from the network. This is not the first time Louisiana has had this problem.

The state government was hit by a ransomware attack last month, though it was able to restore its systems without giving in to demands. Gov. John Bel Edwards declared a state of emergency, and the state Office of Motor Vehicles was hit especially hard, with many of its offices forced to close for several days.

In a press conference, Chief Information Officer Kim LaGrue said there was evidence of both phishing attempts and ransomware. No city employees reported providing login information in response to the emails, thanks to cybersecurity training that started in the fall of this year. It was unclear if ransomware had been installed or had begun to encrypt any city systems.

The odd thing about this situation is that, according to Mayor LaToya Cantrell, no requests for money had been made as a result of the ransomware attack.

Typically, thieves who use ransomware demand a specific amount of money, in a certain currency, to be delivered to them before a deadline. If the attacker wasn’t after money – what were they looking for?


Ransomware threat grows as April sets a new record



Ransomware is the latest phase in online fraud. Think of it as an old-time mafia shake-down. It amounts to protection money. Your data gets encrypted and you have to pay to unlock your own files. It’s a deplorable practice, but unfortunately also a lucrative one.

And it’s that promise of money that keeps the market for these things going. In fact, a new report claims April was the biggest month yet for this sector of malware.

Enigma Software Group did a study of all infections, covering more than 65 million since April 2013. The results were disturbing. It claims it “found that ransomware in April 2016 more than doubled the total from March 2016. Additionally, ransomware made up a larger percentage of overall infections in April than in any other month in the last three years”.

The trend has resulted in some high-profile attacks, including a hospital being hit. Both individual users and businesses are being targeted.

“It’s not just businesses that are being hit by ransomware”, says ESG spokesperson Ryan Gerding. “Every day thousands and thousands of people turn on their personal computers only to find their most precious photos and other files have been locked up by bad guys”.

The best defense against these attacks is to back up your data, either in the cloud or on an external drive that you can disconnect from the network, since ransomware propagates across drives and computers to ensure that you have no access to your files. There is also the usual advice: think before you click links, and keep your system up to date, both OS and software.

Image Credit: Bigstock