Newsletters

South Korean researchers have cracked the encryption scheme used by the Rhysida ransomware and have released a decrypter that can allow victims to recover files without paying the ransom.

The decrypter is available through the website of South Korea's cybersecurity agency (KISA) and is based on a white paper published by academics from Kookmin University and KISA members.

The decryption tool works only for Windows systems and exploits a weakness in the ransomware's cryptographically secure pseudo-random number generator (CSPRNG). This is an algorithm that takes data from a local PC to generate a random number that is then used to create an encryption key that Rhysida uses to encrypt a victim's files.

An international law enforcement operation has led to the capture of two individuals believed to have created and operated Warzone RAT, a Malware-as-a-Service operation that has been running since at least 2019.

Authorities have detained Daniel Meli, a 27-year-old from Malta, and Prince Onyeoziri Odinakachi, a 33-year-old from Nigeria.

Meli allegedly created and sold the Warzone RAT through its official website at warzone.ws. Odinakachi allegedly worked as a customer support, providing help to the malware's buyers.

Ransomware gangs made out like bandits last year, collecting an estimated $1.1 billion worth of cryptocurrency via ransomware payments, according to blockchain tracking company Chainalysis.

The number is at an all-time high for ransomware operations and is almost double 2022's figure when experts saw only $567 million going to ransom payments.

The 2022 dip can be attributed to Russia's invasion of Ukraine, which disrupted relations in the cybercriminal underground as gangs shuffled members or some operations were "redirected/hijacked" towards hacktivism or cyber espionage.

The US is grappling with Chinese cyber actors who appear to be building the capability to disrupt critical infrastructure during a potential military conflict. 

In late-breaking news, the US agencies responsible for cyber security and critical infrastructure have released an advisory about the group known as Volt Typhoon. 

The advisory states [emphasis added]:

The US government has restricted visas for individuals involved in the development and misuse of commercial spyware.

The Department of State says commercial spyware has facilitated repression and enabled human rights abuses.

"Such targeting has been linked to arbitrary detentions, forced disappearances, and extrajudicial killings in the most egregious of cases. Additionally, the misuse of these tools presents a security and counterintelligence threat to U.S. personnel," Secretary of State Antony Blinken said in a statement.

The identities of two Iranian cyber groups have been exposed over the course of seven days last week.

The US government linked the Cyber Av3ngers group to six individuals working for the Iranian Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC), while a report from Iran International linked the Black Shadow group to an Iranian IT company named "Raahkarha-ye Fanavari-e Etela'at-e Jahatpardaz" (or Jahatpardaz Information Technology Solutions).

The "doxing" events come as Iranian cyber activity entered a new and more aggressive stage after Iran-backed Hezbollah attacked Israeli territories on October 7 last year.

All journalists take pride in being able to put together smart and intelligible sentences that convey a story. However, three weeks after Invanti disclosed the existence of two zero-days in its Connect Secure VPN appliance, things have become so twisted and convoluted that, at this point, I feel like it's time to bring out the bulleted list format in order to put some order in the ginormous clusterf**k that these zero-days have become.

So, for the sake of clarity—both mine and yours—let's review where things stand with the recent batch of Ivanti zero-days and their exploitation.

Ripple founder hacked: A threat actor has hacked and stolen $112.5 million worth of crypto-assets from Chris Larsen, the co-founder and executive chairman of the Ripple (XRP) cryptocurrency. Larsen confirmed the hack and said that only personal accounts were affected. Even if Ripple Labs accounts were not affected, Ripple's price dropped 5% in the aftermath of the hack. [Additional coverage in CoinTelegraph]

The National Security Agency (NSA) has been embroiled in a US Senator's campaign against intelligence agencies' purchase and use of data obtained illegally by data brokers.

US Senator Ron Wyden, a member of the US Senate Select Committee on Intelligence, is pushing to stop US intelligence agencies buying Americans' personal data obtained illegally by data brokers.

Wyden announced the push in a recent press release in which he announced the release of letters saying the NSA was buying 'internet records' that could reveal what websites Americans visited and the apps they used.

Brazil's Federal Police has detained five members of Grandoreiro, a malware gang specialized in stealing funds from banking customers with a custom-built banking trojan.

The group has been active since 2019 and is believed to have stolen at least $3.9 million from customers at banks in Brazil, Mexico, and Spain.

Brazilian officials say Spanish financial institution CaixaBank identified the Grandoreiro members and worked with Interpol and Spanish police to get them detained.

Federal investigators are warning companies not to delete chats and preserve conversations that have taken place via business collaboration and ephemeral messaging platforms.

In press releases on Friday, the US Department of Justice and the US Federal Trade Commission announced that they updated the language in their preservation letters and specifications—documents they send to companies under federal investigations.

The new language updates evidence preservation procedures to cover modern tech stacks such as Slack, Microsoft Teams, and Signal.