Ransomware/Malware
EncryptHub Breaches Hundreds of Organizations to Deploy Infostealers, Ransomware
EncryptHub, also known as Larva-208, is a sophisticated threat actor that has been targeting organizations globally with spear-phishing and social engineering attacks since June 2024. By impersonating IT support, the group uses SMS and voice phishing, along with fake login pages for popular corporate VPN products, to steal credentials and multi-factor authentication tokens. Once inside, they deploy Remote Monitoring and Management (RMM) software to gain remote access, then use PowerShell scripts to install data-stealing malware such as Stealc and Rhadamanthys, as well as a custom ransomware encryptor. EncryptHub has compromised at least 618 organizations, deploying a range of malware to steal sensitive data, including cryptocurrency wallets, VPN credentials, and password manager data. The group is affiliated with RansomHub and BlackSuit ransomware and has demonstrated a high level of sophistication, tailoring its attacks to evade detection and achieve high-value breaches.
New Report Shows Global Ransomware Crisis Worsened in 2024, Urging Stronger Cybersecurity Measures
BlackFog's "2024 State of Ransomware Report" reveals that ransomware attacks reached unprecedented levels in 2024, with a 25% increase in disclosed incidents and a 26% rise in undisclosed ones compared to the previous year. This surge was driven by new ransomware variants and groups, including the prominent LockBit and the newcomer RansomHub, which caused significant damage to sectors such as healthcare, government, and manufacturing. The report highlights the growing threat to critical infrastructure, with attackers increasingly using data exfiltration tactics and extortion methods alongside encryption. Despite efforts by governments and organizations to combat these threats, ransomware continues to evolve, with the emergence of AI-driven attacks and ransomware-as-a-service (RaaS) models complicating defenses.
The Rise of the New Nascent Anubis RaaS Operation
The newly emerged Anubis ransomware-as-a-service (RaaS) operation, first identified late last year, is poised to become a significant threat because of its expansive affiliate programs. These include options for traditional ransomware attacks, monetization of stolen data, and revenue-sharing with brokers. Anubis has shown a preference for data extortion over encryption in its attacks, though it retains the ability to encrypt files. Its operators are suspected to be experienced individuals, possibly former affiliates of other ransomware groups, which adds to the threat the group poses.
The Rising BlackLock Ransomware Problem
Despite emerging just last March, the BlackLock ransomware-as-a-service (RaaS) group rapidly became one of the most prolific, ranking as the seventh most active ransomware gang after a 1,425% surge in activity between October and December. BlackLock targets Windows, VMware ESXi, and Linux systems with double extortion tactics, using proprietary malware and a custom leak site to demand immediate ransom payments while hindering organizations' ability to assess breaches. The group recruits affiliates and traffers (operators who funnel victim traffic to the group's malware) through the Russian cybercrime forum RAMP, prioritizing speed over security when vetting early-stage attackers, although a more cautious approach is taken for higher-level roles such as programmers.
Phishing/Scams
Toll Scams Are Targeting Texas Drivers
The Texas Department of Transportation (TxDOT) is warning residents about an ongoing toll scam targeting drivers. Fraudulent text messages, known as "smishing," are being sent, claiming recipients have overdue toll balances. TxDOT assures customers that it never sends such reminders via text and that legitimate communications will only come from the number 22498. Victims of these scams should contact TxTag customer service directly and report the issue to the FBI’s Internet Crime Complaint Center. The public is advised to remain cautious and verify any suspicious messages by logging into their TxTag accounts or contacting customer service.
Phishing Scam Targets Facebook Users
Meta has issued a warning about a phishing scam targeting Facebook users, where scammers send fake text messages falsely alleging violations of trademark rules. These messages aim to deceive recipients into revealing personal information. Users are advised to remain vigilant and avoid engaging with unsolicited communications that request sensitive data.
Alert Issued to All Gmail Users
Gmail users have been warned about a growing scam that uses artificial intelligence to create convincing voice and video messages designed to steal money and personal information. These sophisticated phishing attacks start with a call claiming that a Gmail account has been compromised, followed by a legitimate-looking email from Google asking for the user's Gmail recovery code. If tricked, victims not only lose access to their Gmail account but also risk identity theft and the loss of sensitive data. Experts from Malwarebytes advise users to be cautious about unsolicited communications, avoid clicking on suspicious links, and verify any security alerts directly through trusted channels. The FBI has also issued warnings about the rise of such AI-driven scams.
Artificial Intelligence
Hackers Use AI to Breach Systems Faster
A new report reveals that AI is enabling hackers to breach systems faster than ever, with attacks now taking as little as four hours to steal data and six hours to encrypt it. Hackers are shifting away from ransomware and focusing on data theft, with 80% of breaches involving stolen data, while only 20% include encryption. Phishing, especially voice phishing targeting the manufacturing sector, is now the top method for data theft. The report highlights the importance of businesses adapting their security strategies, using AI and automation to detect and contain threats quickly, while also addressing common vulnerabilities and eliminating blind spots to improve defenses against these evolving attacks.
FBI Warns of AI-Fueled Cyberattack Phone Calls
Hackers and scammers are becoming more dangerous with the use of AI, and the FBI has warned that this year is already seeing a significant increase in sophisticated phishing attacks. These scams involve AI-powered calls that spoof bank or support services, tricking victims into transferring money to "avoid getting hacked." The attackers can even manipulate caller IDs so the call appears to come from a legitimate source. This wave of “scareware” is particularly concerning because it targets both Apple and Android devices, with scammers using highly convincing tactics that even cautious individuals may find hard to distinguish from genuine calls. The FBI emphasizes that billions are lost annually to such scams, urging people to stay vigilant even when a call seems legitimate.
Fortra Brand Protection
Discover how Digital Risk Protection from Fortra can protect your organization’s critical digital assets and data from these online threats.