#bianlian

#ESETresearch discovered previously unknown links between the #RansomHub, #Medusa, #BianLian, and #Play ransomware gangs, and leveraged #EDRKillShifter to learn more about RansomHub’s affiliates. @SCrow357 welivesecurity.com/en/eset-res
RansomHub emerged in February 2024 and in just three months reached the top of the ransomware ladder, recruiting affiliates from disrupted #LockBit and #BlackCat. Since then, it dominated the ransomware world, showing similar growth as LockBit once did.
Previously linked to North Korea-aligned group #Andariel, Play strictly denies operating as #RaaS. We found its members utilized RansomHub's EDR killer, EDRKillShifter, multiple times during their intrusions, meaning some members likely became RansomHub affiliates.
BianLian focuses on extortion-only attacks and does not publicly recruit new affiliates. Its access to EDRKillShifter suggests a similar approach to Play's – having trusted members who are not limited to working only with them.
Medusa, same as RansomHub, is a typical RaaS gang, actively recruiting new affiliates. Since it is common knowledge that affiliates of such RaaS groups often work for multiple operators, this connection is to be expected.
Our blogpost also emphasizes the growing threat of EDR killers. We observed an increase in the number of such tools, while the set of abused drivers remains quite small. Gangs such as RansomHub and #Embargo offer their killers as part of the affiliate program.
IoCs available on our GitHub: github.com/eset/malware-ioc/tr

Amherstburg Family Health in Ontario, Canada has posted an undated notice on its website, "* ATTENTION* we are currently experiencing delays in our phone system. Please be patient with us at this time, we are working as quickly as possible to resolve this issue. This notice will be removed once the issue has been resolved. Thank you."

That notice is probably not coincidental with the fact that #BianLian added them to their #DLS today. Worryingly, BianLian claims to have acquired 624 GB of files including:

Clients' Personal Data
Employees' Personal Data
SQL base
Network users folders

They provide no files as proof of claims, but this doesn't look good for the health provider.

#databreach #ransomware #HealthSec #cybersecurity #infosec

@brett

Onapsis and Flashpoint produced a 29 report on the cyber threat landscape for SAP applications over the past 4 years. SAP is the world's largest provider of enterprise application software. The report highlights the material risk of SAP ransomware attacks and the growing maturity of cybercriminal capabilities. Their appendices at the bottom list known SAP vulnerabilities (if they're on CISA's Known Exploited Vulnerabilities (KEV) Catalog), as well as MITRE ATT&CK techniques associated with SAP exploitation, and threat actors (financially motivated and ransomware groups) targeting SAP-using organizations. 🔗 (PDF) go.onapsis.com/threat-report/c

Good article highlighting ongoing #ransomware threats involving U.S. #education entities over a holiday, when security teams are likely especially under-staffed or at least less focused: therecord.media/cincinnati-sta

In total, ransomware operators publicly threatened five schools and colleges on extortion sites over the past week, the latest in a rising number of such threats involving higher & lower education over the past year. On top of the cases mentioned in the article, the #Hive & #BianLian ransomware groups each also threatened public K-12 school systems in the last week.

The news comes 10 days after the latest U.S. federal government #StopRansomware alert focused specifically on Hive, which has threatened a wide range of #criticalinfrastructure entities, including #healthcare orgs. The alert offered a great summary of the techniques & procedures associated with Hive. Here is a fantastic new blog highlighting detection engineering ideas around recent Hive behaviors: micahbabinski.medium.com/catch

A fair amount of #TTP intelligence now exists around the other ransomware threatening education orgs last week and over the past year. I look forward to maintaining & expanding this dashboard which shows a combined visual currently covering the nine ransomware threatening schools since last year: app.tidalcyber.com/share/8d9f2

Direct links to specific ransomware heatmaps:

#ViceSociety app.tidalcyber.com/share/5f23e
Hive app.tidalcyber.com/share/7d996
BianLian app.tidalcyber.com/share/b5e2d
And some quick metrics and resources around the trend of ransomware extortion threats involving education orgs infosec.exchange/@IntelScott/1

Analyzing #TTP overlap for nine top #ransomware

This originates from analysis of ransomware targeting schools, but most of these families have threatened a range of critical infrastructure & other industries too

Each ransomware covered here has published extortion threats involving a school or university during the past year, and this trend is increasing. I tallied 66 ransomware extortion threats against these #education entities since last October. A few groups dominate (see pie chart), and victim count jumped especially high in recent months for schools (K-12) (see bar chart).

The #malware covered here (and count of associated extortion threats against education entities) are: #ViceSociety (25), #Pysa (8), #LockBit 3.0 (7), #ALPHV / #BlackCat (6), LockBit 2.0 (5), #Hive (4), #BianLian (3), #Quantum, Snatch (2), & #Conti, #REvil, Sabbath, and Stormous (1 each). Also #HelloKitty / #FiveHands, which is used by Vice Society, but no relevant posts were observed.

Visual summary of my analysis: app.tidalcyber.com/share/8d9f2

Overall the nine ransomware map to 131 unique techniques total, sourced from 30 recent public reports, mainly malware analysis & government advisories ("Show only labelled techniques" gives the best view). The underlines & numbers in the cells indicate number of malware mapped to that technique. Background color gradient represents number of sources referencing it. This tool helps with pivoting to defenses and analytics (think Sigma rules), offensive tests (Atomic Red Team), and data sources (make sure you have proper logging enabled) mapped to the same techniques.
#threatintel #SharedWithTidal