
Latest news with #DOGEBigBalls

New DOGE-Trolling Attacks Confirmed — $1 Trillion Payment Demanded

Forbes

10-05-2025

New DOGE Big Balls ransomware attacks spotted.

Update, May 10, 2025: This story, originally published May 9, has been updated with further information regarding the newly confirmed DOGE Big Balls ransomware threat payloads, as well as correcting a malformed link to the original threat research report.

Just as you were hoping the ransomware threat might have started to ebb, the bad news keeps flowing in: government warnings as hackers target passwords and 2FA codes for use in extortion attacks, one ransomware campaign dropping zero-days, and researchers reporting a 5,365-incident ransomware rampage. There has been some good news, such as the notorious LockBit group being hacked and details of its crypto wallets being leaked. But the good news is in the minority, as this latest report confirms: the DOGE Big Balls ransomware attackers are back with a new payload alongside the by now infamous Elon Musk-trolling $1 trillion ransom demand.

In case you missed it the first time around, the strange tale of the DOGE Big Balls ransomware is quite the oddball, even in a world where threats often border on the bizarre. It started on April 15, when I reported how a ransomware group was weaving political conspiracy theory into malware code in an apparent attempt to throw defenders and law enforcement off the scent. The ransomware was given the name DOGE Big Balls because it referenced a software engineer and DOGE worker who uses the online nickname Big Balls, and even included his home address and telephone number in the ransom note. Fast forward to April 23, and the attackers upped the ante by adding a $1 trillion demand to the ransom note. This appeared, once again, to be a DOGE-trolling exercise aimed at Elon Musk as much as anyone. 'Give me five bullet points on what you accomplished for work last week, or you owe me a TRILLION dollars,' the note demanded.

It would be too easy to dismiss this bunch of cybercriminals as not worth taking seriously, but that would be a mistake: threat intelligence has just landed on another twist in the DOGE ransomware campaign, including dangerous new payloads and tools in use in ongoing attacks. The Netskope report, by researcher Fróes, describes new scripts and binaries, custom and open-source tools, and new ransomware payloads; in all, Fróes detailed 14 payloads observed during the investigation.

The first was an aptly named Microsoft software installer file, suspected of arriving either by that old chestnut, the phishing email, or through exploitation of an exposed vulnerable service. Whatever the initial infection vector, Fróes said, the installer executed a malicious PowerShell script. The next payload, it was reported, runs the real content by creating a Windows shortcut file in the Startup directory, so as to be sure it executes once a user logs in. It also creates the EdgeAutoUpdaterTask which, needing no user interaction as it is created in the Startup folder, forces 'the download and execution of the script' that is next in the payload queue. 'It creates a directory named 'hidden' under the Windows Startup folder and modifies its attributes to hide the directory,' Fróes explained; the script also attempts to disable Windows Defender protections. Further scripts were then downloaded, among them one that bypasses the Antimalware Scan Interface (AMSI), the Windows interface through which installed security products scan script content before it runs, and another that collects information from the infected machine to send back to the attackers and looks for password hashes that can be reused.

Domain controllers are targeted, new users are added to any Domain Admin machines found, and access to the infected computer is enabled. 'During our investigation,' Fróes said, 'we noticed that both the payloads and the URLs used to download the payloads were updated quite often.' The large number of payloads, updated at an alarming frequency, only reinforces, Fróes said, how 'complex and dangerous attacks involving this ransomware can be, using many different tools to cover phases like lateral movement, privilege escalation, credential dumping, and more.' So, regardless of the DOGE-trolling and the frankly ridiculous $1 trillion demand, take note when Fróes closes the report by stressing the 'significant negative impact' that a successful DOGE Big Balls ransomware attack can have on a business. No matter how bizarre the attacker, ransomware is no joke.
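The persistence chain described above (a shortcut dropped in the Startup folder, a hidden directory beneath it, the EdgeAutoUpdaterTask, Defender protections switched off) is something a responder can check for directly on a suspect host. The PowerShell triage script below is an added example, not code from the Netskope report or from this article. Because the article gives no specifics, two things are assumptions: that EdgeAutoUpdaterTask is a scheduled task, and that the Defender preferences inspected are the ones such scripts commonly flip. The script is read-only and should be run from an elevated prompt.

```powershell
# Added example (not from the Netskope report or the Forbes article). Read-only triage of a
# Windows host for the Startup-folder persistence pattern described above. Assumptions, since
# the article gives no specifics: EdgeAutoUpdaterTask is treated as a scheduled task, and the
# Defender preferences inspected are the ones such scripts commonly flip.

$scriptHosts = 'powershell.exe','pwsh.exe','cmd.exe','wscript.exe','cscript.exe',
               'mshta.exe','rundll32.exe','regsvr32.exe','msiexec.exe'
$findings = New-Object 'System.Collections.Generic.List[string]'

# Every profile's Startup folder plus the machine-wide one.
$startupDirs = @([Environment]::GetFolderPath('CommonStartup'))
$usersRoot = Join-Path $env:SystemDrive 'Users'
foreach ($userDir in Get-ChildItem -LiteralPath $usersRoot -Directory -ErrorAction SilentlyContinue) {
    $startupDirs += Join-Path $userDir.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
}

$wsh = New-Object -ComObject WScript.Shell
foreach ($dir in ($startupDirs | Sort-Object -Unique)) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }

    # -Force lists hidden/system entries; the reported sample hides a directory named 'hidden'.
    foreach ($sub in Get-ChildItem -LiteralPath $dir -Directory -Force -ErrorAction SilentlyContinue) {
        $isHidden = ($sub.Attributes -band [IO.FileAttributes]::Hidden) -ne 0
        if ($isHidden -or $sub.Name -ieq 'hidden') {
            $findings.Add("hidden directory under Startup: $($sub.FullName) [$($sub.Attributes)]")
        }
    }

    # Resolve every shortcut under Startup and flag those that launch a script host or LOLBin.
    foreach ($lnkFile in Get-ChildItem -LiteralPath $dir -Filter *.lnk -File -Recurse -Force -ErrorAction SilentlyContinue) {
        $lnk = $wsh.CreateShortcut($lnkFile.FullName)
        $target = [IO.Path]::GetFileName([string]$lnk.TargetPath).ToLower()
        if ($scriptHosts -contains $target) {
            $findings.Add("Startup shortcut $($lnkFile.FullName) -> $($lnk.TargetPath) $($lnk.Arguments)")
        }
    }
}

# The task named in the article (assumed here to be a scheduled task).
$task = Get-ScheduledTask -TaskName 'EdgeAutoUpdaterTask' -ErrorAction SilentlyContinue
if ($task) {
    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    $findings.Add("scheduled task EdgeAutoUpdaterTask present: $actions")
}

# Defender preferences a script would flip to 'disable protections' (assumed set of settings).
$mp = Get-MpPreference -ErrorAction SilentlyContinue
if ($mp) {
    foreach ($pref in 'DisableRealtimeMonitoring','DisableBehaviorMonitoring',
                      'DisableIOAVProtection','DisableScriptScanning') {
        if ($mp.$pref) { $findings.Add("Defender preference $pref is True") }
    }
    if ($mp.ExclusionPath) { $findings.Add("Defender path exclusions: $($mp.ExclusionPath -join ', ')") }
}

if ($findings.Count -eq 0) { 'No Startup-folder persistence or Defender tampering found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Shortcut targets are resolved through the WScript.Shell COM object rather than by string-matching file names, because a .lnk can carry an innocuous name while its target and arguments point at powershell.exe with an encoded command; the arguments are therefore printed alongside the target for review.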


The 5,365 Ransomware Attack Rampage — What You Need To Know

Forbes

27-04-2025

Verizon's DBIR report reveals ransomware rampage.

As cyberattacks of all flavors continue at an astonishing pace, the FBI issues a do-not-click warning and threat actors find worrying new ways to compromise your accounts, do not ignore the old guard. That's the takeaway from the latest Verizon Data Breach Investigations Report, which shows that the ransomware rampage is far from over. Given that certain ransomware actors are getting a lot of virtual column inches courtesy of a $1 trillion ransom demand, payable unless victims respond with a DOGE-trolling bullet list of the week's achievements, you might be excused for thinking the extortion business has become something of a joke. That, dear reader, would be a big mistake. How big? Just look at the numbers: according to the 2025 Verizon DBIR, the share of breaches involving ransomware has risen 37% since last year, and ransomware is now present in 44% of breaches. For all the silliness of the DOGE Big Balls attackers, the median ransom paid has actually decreased, from $150,000 to $115,000. The numbers that concern me, and should concern you, relate to the presence of ransomware itself in data breach incidents. The DBIR analyzed 22,000 incidents, of which 12,195 were confirmed data breaches. Some 44% of those breaches, 5,365 to be precise, involved ransomware. That is a 37% jump, and it shows the extent to which the ransomware rampage is hitting businesses. "The DBIR's findings underscore the importance of a multi-layered defense strategy," Chris Novak, vice president of global cybersecurity solutions at Verizon Business, said. "Businesses need to invest in robust security measures, including strong password policies, timely patching of vulnerabilities, and comprehensive security awareness training for employees."

The ransomware rampage is set to continue, according to Nick Tausek, lead security automation architect at Swimlane, who warns that the 'popularization of Ransomware-as-a-Service on the dark web, sophisticated insider threat recruitment efforts by ransomware operators, and the continued rise of the cryptocurrency economy,' will drive this resurgence. Tactics are changing as well, with some threat actors moving to outright deletion of data as part of their normal operations, Brandon Williams, chief technology officer at Conversant Group, has warned. 'If this gains traction this year,' Williams said, 'organizations will not have a method to recover by simply paying a ransom and hoping to get a working decryption tool.' The only route to recovery is then backups, but as Williams said, backups do not typically survive these kinds of ransomware breaches. 'According to our own research,' Williams said, '93% of cyber events involve targeting of backup repositories, and 80% of data thought to be immutable does not survive.' Regardless of the ransomware actor and the malware deployed, the foundational controls still matter. 'Knowing your total attack surface, testing your environment with an eye toward efficient remediation is key,' Trey Ford, chief information security officer at Bugcrowd, said. Enterprise controls, including visibility, hardening, and MFA for domain admin and remote access, are paramount. 'There is a strong correlational reason cyber insurance underwriters care about those key controls and coverage in the application process,' Ford concluded. If those controls are not adequate, cyber insurance underwriters might have to pay out. Do not let the ransomware rampage swallow your data whole in the coming year; take heed of the warnings and act now to defend your enterprise.

DOGE-Trolling Ransomware Hackers Demand $1 Trillion In Chilling Attack

Forbes

25-04-2025

These DOGE ransomware hackers demand a trillion dollar payment.

Update, April 25, 2025: This story, originally published April 23, has been updated with further details regarding the DOGE ransomware attack and information from a new FBI report about the FOG malware used, following the latest trillion-dollar ransom note demand.

The same criminal group behind the DOGE Big Balls ransomware attack has just upped the ante. A newly updated ransom note sent to victims trolls Elon Musk and DOGE by demanding a ridiculous extortion fee of, and I trust you are sitting down, one trillion dollars. This one has Dr Evil written all over it. Here's everything you need to know about the DOGE ransomware attackers, the FOG malware they have adapted, and that outrageous demand.

Although there is no doubt that ransomware should be taken very seriously, what with a massive surge in attacks this year, new password-cracking tools being used to gain initial access, and some very concerning political moves by big names in the extortion racket, not all the players take themselves as seriously, it would seem. I certainly hope that's the case as far as the DOGE attackers and their updated ransom note are concerned. The group behind the recent DOGE Big Balls threat, which uses a variant of the existing FOG malware and tries to pin responsibility for the attacks on a well-known member of the Department of Government Efficiency team, has just updated its ransom note. The original threat was already bad enough: a ZIP file carrying a deceptive shortcut that launched a multi-stage PowerShell infection chain and exploited a known vulnerability, CVE-2015-2291, in a legitimate but vulnerable Intel Ethernet diagnostics driver for Windows (a bring-your-own-vulnerable-driver technique) to gain kernel-level access for privilege escalation. The attack also, it has to be said, embedded political commentary and conspiracy theory in its scripts and code.

These included such things as 'The CIA didn't kill Kennedy you idiot. Oswald is a very deranged person that felt ostracized by his own country.' Now, as detailed in an April 21 security report by researchers Nathaniel Morales and Sarah Pearl Camiling at Trend Micro, the ransomware appears to have started trolling DOGE and Elon Musk mercilessly. In reference to the now-infamous Musk demand that federal workers email DOGE what they had achieved, leaving them fearing for their jobs if they did not comply, the ransom note has been altered to read: 'Give me five bullet points on what you accomplished for work last week or you owe me a TRILLION dollars.' In an April 23 FBI internet crime report, B. Chad Yarbrough, the FBI operations director for criminal and cyber, confirmed that ransomware is 'the most pervasive threat to critical infrastructure' and played an increasingly important role in the $16.6 billion cost of cybercrime to individuals and organizations in the U.S. across 2024. Interestingly, the FBI report said that FOG, a variant of which has been used in the DOGE Big Balls attacks, was the most reported of the new ransomware variants in 2024. The bureau's Internet Crime Complaint Center provides this information to field offices to help the FBI 'identify new ransomware variants, discover the enterprises the threat actors are targeting, and determine whether critical infrastructure is being targeted,' the FBI said. 'The most alarming thing about the FBI's IC3 report is that its numbers are just the tip of the formidable iceberg of organized cybercrime,' Dr Ilia Kolochenko, CEO at ImmuniWeb, said. Warning that a 'growing number' of U.S. organizations prefer to settle quietly with ransomware groups that have a strong reputation for keeping attacks and data confidential after payment, Kolochenko said it is likely we will see this option continue to be taken.

'In all cases,' Kolochenko advised, 'the final decision to pay or not to pay should be brainstormed with cybercrime experts and lawyers having experience in such matters. Otherwise, you are running a sprint on thin ice.' In the case of the DOGE attacks, perhaps less deliberation is needed when the demand is a trillion dollars. 'The ransomware payload embedded in the samples has been verified as FOG ransomware,' the Trend Micro report warned, 'an active ransomware family targeting both individuals and organizations.' 'FOG ransomware is a relatively new ransomware family that enterprises must add to their watchlist,' Trend Micro said, adding that 'the impact of a successful ransomware attack could still potentially cost enterprises financial loss and operational disruption,' regardless of the DOGE references and the trolling nature of the note. The researchers noted that FOG compromised some 100 victims in the first three months of the year, before the DOGE-trolling started: 18 in January, 53 in February and 29 in March. Trend Micro said the de-obfuscated script executed a PowerShell command that performs a multi-stage operation, retrieving a ransomware loader and other PowerShell scripts. 'It also opens politically themed YouTube videos and includes written political commentary directly in the script,' the report stated, adding to the trolling element of the attack. FOG also takes security seriously, at least as far as stopping defenders from analyzing the malware is concerned. 'We have observed that prior to dropping its payload,' the researchers confirmed, 'the malware investigated checks various indicators, such as processor count, RAM, MAC address, registry, and tick count, to detect a sandbox.' If any of those checks indicates an analysis environment, FOG exits rather than detonating, which is why a sample may do nothing at all in a default sandbox.
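To see which of those indicators a given analysis VM would trip, here is an added example (mine, not code from Trend Micro or from this article) that queries the same five classes of host indicator from the defender's side, so the VM can be adjusted before a sample is detonated. The report does not give FOG's thresholds, registry key names or MAC prefixes, so every value below is a common sandbox-detection heuristic, labelled as an assumption, not FOG's own logic.

```powershell
# Added example (not from the Trend Micro report or the Forbes article). Reports, from the
# defender's side, the host indicators the report says FOG inspects before dropping its payload:
# processor count, RAM, MAC address, registry and tick count. Run inside an analysis VM.
# Assumptions: thresholds, hypervisor MAC OUIs and registry key names are common
# sandbox-detection values; the report does not state FOG's own.

function Get-SandboxIndicators {
    $cs = Get-CimInstance Win32_ComputerSystem
    $os = Get-CimInstance Win32_OperatingSystem
    $results = New-Object 'System.Collections.Generic.List[object]'

    function Add-Check($Name, $Value, $Suspicious) {
        $results.Add([pscustomobject]@{ Check = $Name; Value = $Value; LooksLikeSandbox = [bool]$Suspicious })
    }

    # 1. Processor count: single-vCPU guests are a classic sandbox tell (assumed threshold: < 2).
    $cpus = [int]$cs.NumberOfLogicalProcessors
    Add-Check 'ProcessorCount' $cpus ($cpus -lt 2)

    # 2. RAM: many sandboxes run with little memory (assumed threshold: < 4 GB).
    $ramGb = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
    Add-Check 'RamGB' $ramGb ($ramGb -lt 4)

    # 3. MAC address: OUIs registered to VMware, VirtualBox and Hyper-V (assumed list).
    $vmOuis = '00:05:69','00:0C:29','00:1C:14','00:50:56','08:00:27','00:15:5D'
    $macs = Get-CimInstance Win32_NetworkAdapter |
        Where-Object { $_.MACAddress } |
        ForEach-Object { $_.MACAddress.ToUpper() }
    $vmMacs = $macs | Where-Object { $m = $_; $vmOuis | Where-Object { $m.StartsWith($_) } }
    Add-Check 'MacAddress' ($macs -join ', ') ([bool]$vmMacs)

    # 4. Registry: footprints left by guest tools and integration services (assumed key names).
    $vmKeys = 'HKLM:\SOFTWARE\VMware, Inc.\VMware Tools',
              'HKLM:\SOFTWARE\Oracle\VirtualBox Guest Additions',
              'HKLM:\SYSTEM\CurrentControlSet\Services\VBoxGuest',
              'HKLM:\SYSTEM\CurrentControlSet\Services\vmicheartbeat'
    $present = @($vmKeys | Where-Object { Test-Path $_ })
    Add-Check 'RegistryKeys' ($present -join '; ') ($present.Count -gt 0)

    # 5. Tick count / uptime: a VM reverted from a snapshot and detonated at once has almost
    #    no uptime (assumed threshold: < 10 minutes). LastBootUpTime is used instead of the
    #    32-bit Environment.TickCount, which wraps after about 25 days.
    $uptimeMin = [math]::Round(((Get-Date) - $os.LastBootUpTime).TotalMinutes, 1)
    Add-Check 'UptimeMinutes' $uptimeMin ($uptimeMin -lt 10)

    return $results
}

$report = Get-SandboxIndicators
$report | Format-Table -AutoSize
$tripped = @($report | Where-Object LooksLikeSandbox).Count
"$tripped of $($report.Count) checks would make an evasive sample bail out."
```

Each check that reports LooksLikeSandbox as True is one the VM operator should fix (more vCPUs and RAM, a non-hypervisor MAC, guest-tools keys removed or renamed, and a few minutes of idle time after reverting the snapshot) before expecting a sandbox-aware sample such as the one described to reach its payload.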
As such, do not think that just because the attackers act like clowns, the threat itself isn't serious. The ransom demand is all business. 'We are the ones who encrypted your data and also copied some of it to our internal resource,' the attackers state, before advising the victim that the sooner contact is made, the sooner everything can be resolved, and giving instructions for using the Tor browser to get the next steps. The DOGE references are not the only trolling in the updated note; there's also a 'Don't snitch now' warning, possibly a response to the ransomware informer platform I have previously reported on. The humor, if that is what it is an attempt at, continues with a warning that the attackers have 'grabbed your trilatitude and trilongitude (the most accurate) coordinates of where you live,' in order, apparently, to prove that they are not lying. Not convincing and not funny, but not to be ignored either.

