SophosLabs analysts investigated WantToCry ransomware attacks that involved the threat actors abusing the Server Message Block (SMB) service for initial access and then exfiltrating files to attacker-controlled infrastructure for remote encryption. The detection surface is significantly reduced because WantToCry operates without local malware execution, and there is no post-compromise activity beyond exfiltrating files and rewriting them to disk.
Read more…
Source: SophosLabs
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Phishing works so well crims won’t bother with deepfakes, says Sophos chap
October 17, 2022
Panic over the risk of deepfake scams is completely overblown, according to a senior security adviser for UK-based infosec company Sophos. “The thing with deepfakes is that we aren’t seeing a lot of it,” Sophos researcher John Shier told El Reg last week. Shier said current deepfakes – AI generated videos that mimic humans – aren’t the ...
- MyDeal data breach impacts 2.2M users, stolen data for sale online
October 17, 2022
Woolworths’ MyDeal subsidiary has disclosed a data breach affecting 2.2 million customers, with the hacker trying to sell the stolen data on a hacker forum. MyDeal is an Australian retail marketplace that connects online shoppers with local retailers. Retail giant Woolworths purchased 80% of the company in September but said their systems are on a completely different ...
- Venus Ransomware targets publicly exposed Remote Desktop services
October 16, 2022
Threat actors behind the relatively new Venus Ransomware are hacking into publicly-exposed Remote Desktop services to encrypt Windows devices. Venus Ransomware appears to have begun operating in the middle of August 2022 and has since encrypted victims worldwide. However, there was another ransomware using the same encrypted file extension since 2021, but it is unclear if ...
- New PHP information-stealing malware targets Facebook accounts
October 16, 2022
A new Ducktail phishing campaign is spreading a never-before-seen Windows information-stealing malware written in PHP used to steal Facebook accounts, browser data, and cryptocurrency wallets. Ducktail phishing campaigns were first revealed by researchers from WithSecure in July 2022, who linked the attacks to Vietnamese hackers. Those campaigns relied on social engineering attacks through LinkedIn, pushing .NET Core ...
- FYI: Microsoft Office 365 Message Encryption relies on insecure block cipher
October 14, 2022
Microsoft Office 365 Message Encryption claims to offer a way “to send and receive encrypted email messages between people inside and outside your organization.” And according to WithSecure, it’s not fit for purpose: the encryption method employed, known as Electronic Codebook (ECB), is insecure for data with repeating patterns, such as plaintext or uncompressed images or ...
- New “Prestige” ransomware impacts organizations in Ukraine and Poland
October 14, 2022
The Microsoft Threat Intelligence Center (MSTIC) has identified evidence of a novel ransomware campaign targeting organizations in the transportation and related logistics industries in Ukraine and Poland utilizing a previously unidentified ransomware payload. MSTIC researchers observed this new ransomware, which labels itself in its ransom note as “Prestige ranusomeware”, being deployed on October 11 in ...