Latest news with #Balloonfly


Time of India
2 days ago
FBI warns of 'dangerous' hacking campaign linked to North Korean attack group
The Federal Bureau of Investigation (FBI), in collaboration with the US Cybersecurity and Infrastructure Security Agency (CISA), has issued a joint cybersecurity advisory following a surge in confirmed victims of Play ransomware attacks in May. The FBI reports that these threat actors have impacted over 900 organisations across North and South America, as well as Europe, including businesses and critical infrastructure providers. The updated advisory, released as part of the ongoing Stop Ransomware campaign, includes findings from new investigations this year that reveal an evolution in the cybercriminal group's tactics, techniques and procedures (TTPs). The advisory aims to inform organisations on how to defend against these attacks.

Who are the hackers, why this is dangerous and more details

According to the FBI advisory (via Forbes), Play is a closed ransomware group, operating independently to "guarantee the secrecy of deals" regarding exfiltrated data. Play ransomware is believed to be linked to Andariel, a North Korean state-sponsored attack group associated with the Democratic People's Republic of Korea's "Reconnaissance General Bureau." Researchers suggest Play is an "integral part" of Andariel's cyberattack arsenal, distributed by threat groups such as Balloonfly. The hackers leave ransom notes with victims that do not include an initial demand or payment instructions. Instead, victims are directed to contact the attackers via email, often using unique German email domains. The FBI noted that some victims are contacted by telephone and threatened with data release to compel ransom payment. Balloonfly has been implicated in multiple incidents involving Play ransomware deployment, primarily against businesses in the US and Europe, often using a malware backdoor to infect Windows systems.
Microsoft Threat Intelligence Center and Microsoft Security Response Center previously observed Play ransomware being deployed after attackers exploited a zero-day vulnerability in the Windows Common Log File System. This flaw was mitigated in April. The FBI emphasizes that the Play ransomware campaign shows no signs of abating and urges organisations to enhance their defenses immediately.


Forbes
08-05-2025
60,000 Bitcoin Wallets Leaked As LockBit Ransomware Hackers Get Hacked
LockBit ransomware hackers have been hacked. Scammers who prey on the fears of individuals are high on my list of 'most hated' cybercriminals, if I'm being honest, but they are not number one. That honour belongs to the organized ransomware gangs that have absolutely no qualms about attacking hospitals and blood banks, literally putting lives at risk in the pursuit of illicit profit. While offers to pay $250,000 for information on gang members, law enforcement takedowns and trolling undoubtedly have an impact when it comes to slowing the ransomware rampage, perhaps the biggest threat could come from inside the gang operations themselves. It is encouraging to see reports delving into the techniques and tactics used by ransomware groups such as Balloonfly, deploying the Play malware via an exploited Windows zero-day vulnerability, as this can only help defenders protect organizations from future attacks. Threat intelligence is, and always has been, paramount to the fight against cybercrime. Thomas Jefferson wrote, in 1817, 'that knowledge is power, that knowledge is safety, and that knowledge is happiness,' and I can't help but be reminded of that today. I doubt, however, that members of the LockBit cybercrime group will find much safety or happiness in the knowledge that has just been leaked. As confirmed by Lawrence Abrams at Bleeping Computer, the LockBit ransomware group has been hacked. The group's 'dark web affiliate panels were defaced and replaced with a message linking to a MySQL database dump,' Abrams said. A threat actor account on X was first to spot the hack, and Abrams confirmed that the database itself contained almost 60,000 unique bitcoin wallet addresses as well as more than 4,400 negotiation messages between attackers and victims. Interestingly, there is also a table of admins and ransomware affiliate actors, including plaintext passwords. Whoops.
Although there is some amusement in the dark web LockBit affiliate control panels being defaced with a statement saying 'crime is bad,' this is a serious business, hopefully with a positive conclusion. However, the LockBitSupp threat actor, thought to be the administrator of the ransomware group, has stated that private ransomware keys have not been impacted, which is a shame. We can only hope that this is, at long last, the final act as far as LockBit is concerned. I'll be keeping my fingers crossed it is the end of the road for LockBit and my eyes open for the next ransomware cybercrime group to get hacked.