Latest news with #Comparitech

‘This is a wake up call’ Cyber security expert weighs in on City of Abilene cyber attack

Yahoo, a day ago

ABILENE, Texas - On Friday, April 18th, 2025, the City of Abilene became aware of a cyber attack on city computer systems. Now, more than a month later, the investigation into that attack is ongoing, and an alleged deadline has come and gone with the city stating no intention to pay any would-be ransom for the stolen data. KTAB/KRBC sat down with cybersecurity expert and CEO of CyberCatch, Sai Huda, for insight into how attacks like this one have played out in the past and what might lie in the city's future. 'This is a wakeup call for the City of Abilene,' Huda said.

The City has been relatively quiet on the matter while the investigation has been conducted, but that's not without reason. Because this attack involves data theft and security measures, city staff is exercising an abundance of caution to mitigate the extent of the attack within city systems and prevent the investigation from becoming compromised. With that in mind, let's discuss what we know so far: what a ransomware attack is, how the City has responded, what is at risk, and what we can do now.

This kind of malicious software is something Huda is quite familiar with; he told KTAB/KRBC that it is not uncommon for an entity such as the City of Abilene to be targeted by such an attack. 'Very typical these days where the attackers, the bad actors, install the ransomware into the system, shut down file systems. But while they do that, they also are able to make a copy of valuable data and exfiltrate that. In other words, transmit that out, and then they'll use that to threaten the victim. In this case, the city of Abilene, and say, hey, pay this ransom by this deadline. Otherwise, we will not only leave you encrypted, so you won't be able to access any file systems, but also will start to sell that data on the dark web or release it publicly in increments to embarrass you. And it's all about really money at this point,' said Huda.

Cyber security watchdog group Comparitech published a research article on the Abilene cyber attack in which it identified the Russia-based ransomware group Qilin as having claimed responsibility for the attack. In that same article, Comparitech states that Qilin mainly targets victims through phishing emails to gain access to computer systems and introduce the malicious software. The group has claimed responsibility for 25 confirmed ransomware attacks in 2025 to date, seven of which were against government entities across the U.S.

An initial news release put out by the City of Abilene states that, 'upon receiving reports of unresponsive servers, City staff began immediately executing the incident response plan in place. Affected servers and critical assets were disconnected from the network to mitigate further spread of the attack,' and an investigation with 'industry-leading cybersecurity experts' was launched. Since that day the City IT department has been working to restore affected city services and minimize downtime. Some systems were taken offline intentionally out of an abundance of caution, again to mitigate spread. The city has neither confirmed nor disproven the claims of an alleged ransom placed on the data and a deadline of May 27th, 2025 to pay that ransom, but a statement put out by the City of Abilene says, 'the City of Abilene administration reiterates that it has decided no ransom will be paid related to the cyber incident that began on April 18, 2025. The city administration has collaborated closely with cybersecurity experts and legal counsel to reach this determination.'

Huda says he feels this was the right decision for the city to make, as he has seen similar situations play out to undesirable outcomes when the ransom is paid. 'I think the city is doing the right thing, which is not to pay the ransom, because then that's sort of paying for bad behavior. You're rewarding for bad behavior,' Huda said, going on to say, 'some of the victims, which include cities, have paid the ransom simply because they've done a cost benefit analysis and said, you know what? It's gonna cost us this much money and time to recover when the impact is so severe. So let's just pay the ransom, get the decryption keys, unlock the files, and, you know, we're going to have to have a good faith that these guys will not sell that data. They'll destroy it. So some of them, unfortunately, have paid. But we're seeing a trend now which is positive, that they're not paying the ransom.' Huda stated that even if the city had decided to pay the ransom, there is no guarantee that the stolen data would have been released. 'And a lot of times the ransomware gangs actually will go away. All of a sudden they're gone, they've taken the ransom payment. They haven't provided the decryption keys and they certainly haven't destroyed the data. So, you know, they're really not trustworthy to begin with. And so why reward them?' Huda said.

With an entity like the City of Abilene that has connections to businesses and non-profits and direct interaction with individuals, the data that was targeted could span a wide range of fields, as Huda explained. 'In this case, City of Abilene's customers. They could be businesses, they could be individuals, and as much information about them as possible,' said Huda. In his professional opinion, Abilene may have become a higher-priority target for cyber attacks due to recent increased notoriety through the announcement of the AI Project Stargate. 'The City of Abilene has now appeared, if you will, big time on the map. The project Stargate, which is the largest investment in AI in US history, which entails building this massive data center at City of Abilene, is really of importance to these bad actors. But imagine all the people that are already involved in that project. So the construction people, the different suppliers, there are high value targets for these bad actors because maybe they can be ransomed or maybe their data could be used to infiltrate other valuable information about the data center. And when it comes online, that becomes even more valuable,' Huda said.

While there is currently no evidence that Stargate and the Lancium clean compute facility played a factor in the ransomware gang's decision to target Abilene, Huda says the sheer amount of data and information involved in the venture is no doubt of high value to bad actors. 'So plans, designs, how those chips are being made, where they're being shipped to. What volume of chips are being made, what types? That's a really strategic importance. And so, you know, these threat actors in this case might be a criminal gang, but, you know, they may be supported by adversary nation states such as Russia,' suggested Huda.

As the City continues to investigate and address the attack that has already happened, Huda says businesses and individuals should be taking a cybersecurity inventory to defend against potential future attacks, data loss, and identity theft. 'So first of all, businesses should be proactive right now and think that they possibly could be attacked, targeted, and therefore put some measures in place. So like an incident response plan, which is basically a plan that says, hey, can we recognize a potential incident happening? And if we do, can we quickly come together and prevent that ransomware, for example, from infecting all of our computers?…Backup files should be regularly backed up. They should be offsite, offline, inaccessible to the ransomware, because frequently the ransomware will actually be programmed to hunt for those backup files,' Huda said.

Huda advised individuals who may have been impacted by the attack to check their passwords and consider changing any passwords linked to City of Abilene accounts, adding that passwords should be varied between different accounts and not be simple or easy to guess. As far as any potential fallout from this attack for Abilene citizens, Huda says to be on guard for identity theft and keep a close watch on all financial or banking accounts you use. 'Individuals should, number one, be paying attention to their credit reports. Put a credit monitoring alert on. Maybe put some credit freezes, but be especially on guard for potential identity theft. That could happen not necessarily from this gang, but, you know, other gangs, other criminals that they may sell that data to, who may perpetrate that type of fraud, which is identity theft. Open up credit cards, open up bank loans, different types of other expenses, you know, using the identity of the consumer. So that's the risk to the consumer,' said Huda.

Prior to this report, KTAB/KRBC reached out to the City of Abilene with a list of questions. City staff stated that they are actively working to gather the relevant information, but were unable to respond in time for this report. Copyright 2025 Nexstar Media, Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.

City of Abilene doesn't dispute report of cyber attack ransom from Russian ransomware gang

Yahoo, 21-05-2025

ABILENE, Texas – A report from Comparitech claims that a Russian ransomware group has taken responsibility for the cyberattack targeting the City of Abilene. The city has acknowledged this new information but hasn't confirmed or denied its validity.

Back in April, city officials announced that a cyber incident had disrupted Abilene's internal network, leaving several servers unresponsive. On May 19, Comparitech reported that the ransomware group known as Qilin claimed to have stolen 477 GB of data from the city and is demanding a ransom payment by May 27, 2025. While the exact amount of the alleged ransom is unknown, the City of Abilene shared its firm stance: it will not pay. 'The City of Abilene has been working with cyber security professionals since the incident began on April 18th and, given their expert direction along with adherence to the City's organizational values and standards, determined the payment of any kind of ransom to criminal entities of this sort would not take place,' the city shared.

According to Comparitech, Qilin has threatened to publicly release the stolen data if the city does not comply. The group has reportedly posted sample files as proof, including tax documents and other government records allegedly taken from city servers. Due to the ongoing investigation, officials say they're still limited in what they can publicly disclose. 'The City of Abilene understands that various aspects of functionality across several departments and services have been affected by the network outage that followed the cyber incident, and we sincerely apologize for the frustration and disruption this has caused. Our employees are working diligently to serve our community, with all essential needs like emergency response, water, and solid waste continuing operations throughout this time. We greatly appreciate everyone's patience and understanding,' the city shared.

City officials say more details will be released as they become available and once the investigation concludes.

Andy Frain notifies 100,000 after major ransomware breach

Techday NZ, 13-05-2025

Andy Frain Services has notified over 100,000 individuals that their personal information was compromised in a data breach that occurred in October 2024. The security firm, which provides services to clients such as the NFL, NBA, and NASCAR, confirmed that notifications were sent to 100,964 people affected by the breach. Details of the compromised information have not been provided.

In November 2024, the ransomware group Black Basta claimed responsibility for the incident, stating that it had stolen 750 GB of data from Andy Frain Services. The company has not commented on the veracity of Black Basta's claims or on whether the group was directly involved in the incident.

Commenting on the timing of the notifications, Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, raised concerns about the delay in informing those impacted. Grimes said, "I'm not sure why it took nearly 7 months for Andy Frain Services to notify the impacted people. That's 7 months hackers could have been using the learned information to abuse potential victims. If I do business with Andy Frain Services, I would like to know how the breach happened, if they know. Was it social engineering, unpatched software or firmware, or some other cause? Because if they don't know how it happened, it's much tougher to put in place the right mitigations to make sure it's less likely to happen again."

Black Basta, the group that claimed responsibility, is one of several ransomware gangs active internationally. Paul Bischoff, Consumer Privacy Advocate at Comparitech, provided context about the group's operations. In a recent blog post, Bischoff wrote, "Black Basta, not to be confused with Blackcat or BlackSuit, is a ransomware gang that first surfaced in early 2022. It operates a ransomware-as-a-service business wherein third-party clients pay Black Basta to use its ransomware and infrastructure to launch attacks and collect ransoms. Black Basta often extorts victims both for a key to restore infected systems and for not selling or publicly releasing stolen data. Black Basta has claimed 166 confirmed ransomware attacks since it began, compromising more than 11.7 million records. Its average ransom demand is about USD $2.9 million."

The frequency and impact of ransomware attacks remain significant, according to Bischoff. He noted, "In 2025 to date, Black Basta has claimed five victims, all of which it claimed in January. None of those attacks have been confirmed yet. In 2024, Comparitech researchers logged 793 confirmed ransomware attacks on US organizations, compromising more than 268 million records. 64 of those attacks hit service-based businesses like Andy Frain and compromised 1.6 million records."

Bischoff also provided figures regarding the financial aspect of these attacks. He stated, "The average ransom across all industries is just north of USD $2.3 million, and USD $787,000 for service-based businesses. In 2025 so far, we've recorded 112 confirmed ransomware attacks in total, five of which hit service-based businesses. Ransomware gangs made another 1,365 attack claims this year that haven't been acknowledged by the targeted organizations."

Andy Frain Services has not provided details about how the breach occurred or commented on whether steps have been taken to address the vulnerabilities that led to the incident. The company continues to work with those affected, but specific guidance or advice to individuals whose information was compromised has not been released.

Ransomware surge sees hackers demand up to USD $8.6 million

Techday NZ, 13-05-2025

On International Anti-Ransomware Day, cybersecurity experts are warning that ransomware threats continue to surge in scale and sophistication, with attacks increasingly targeting cloud infrastructure and exploiting human vulnerabilities rather than solely compromising computers and networks through traditional malware. The 12th of May marks the anniversary of the 2017 WannaCry attack that paralysed critical services worldwide, notably disrupting the National Health Service in the United Kingdom. Since then, ransomware has become a household term—albeit one still shrouded in technical complexity for many.

Rebecca Moody, Head of Data Research at Comparitech, reflected on the shift, stating, "In 2017, ransomware, to many people, was still a huge unknown. Fast-forward to today, and it's a word within a lot of people's vocabulary—even if they don't understand the technical jargon surrounding it. This is because of large-scale attacks like WannaCry and the current attack on Marks and Spencer, bringing these types of attacks to the forefront." Moody revealed that ransomware attacks have not subsided. "Sadly, however, while awareness around these types of attacks has grown, so too has the number of attacks. Since 2018, we've seen yearly increases in the number of ransomware attacks (except for a dip in 2022), and the amount of data involved in these attacks has also risen exponentially."

Hackers have honed their focus on double-extortion tactics, whereby criminals not only encrypt systems for ransom but also steal sensitive data for additional leverage. According to Comparitech's analysis, the UK has suffered 281 confirmed ransomware attacks since 2018, resulting in the breach of over 3.3 million records. Recent average ransom demands have reached nearly USD $8.6 million (GBP £6.5 million). For 2024 alone, there have been 40 attacks, affecting nearly 1.2 million records, with 12 attacks already reported so far this year. Moody noted that while no breaches have yet been reported for this year's attacks, significant numbers may emerge as incidents involving major companies such as Marks and Spencer and Co-op are investigated. "As we've seen with Harrods, Co-op, and M&S, social engineering tactics were used to carry out these attacks, whereby employees were tricked into changing their passwords," Moody added. She underscored that despite the evolving threat landscape, the fundamentals for defending against ransomware remain unchanged: maintaining up-to-date systems, patching vulnerabilities promptly, regular backups, robust incident response planning, and comprehensive staff training.

This year, attention is also focusing on the rise of identity and cloud-driven attacks. Fabio Fratucello, Field CTO at CrowdStrike, explained: "Ransomware remains one of the most persistent and damaging threats facing organisations today. It has evolved far beyond being just an endpoint issue—it's now a challenge rooted in identity, cloud infrastructure and data security." Fratucello cited data from CrowdStrike's 2025 Global Threat Report, noting, "79% of initial access attacks are now malware-free and access broker activity has surged by 50% year over year. This shows a clear pivot towards stealth and credential-based attacks, making traditional defences obsolete." He advocated for unified, AI-driven platforms that deliver protection and visibility across endpoints, identities, and the cloud, arguing that legacy, fragmented tools are no longer sufficient. "In today's threat landscape, visibility is protection. And protection must start with consolidation," Fratucello asserted.

Looking ahead, the interplay of artificial intelligence and cybercrime is poised to be the next frontier. KnowBe4, a prominent security company, predicts that agentic AI ransomware—autonomous, intelligent bots orchestrating attacks—will soon pose an unprecedented threat. Roger Grimes, KnowBe4's data-driven defense evangelist, commented: "AI agentic ransomware will gain initial access, analyse the environment, determine how to maximise malicious hacker profits, and implement the attacks. And it will not be just one attack, but a series of escalating attacks to maximise a malicious hacker's profit." Ransomware payments escalated over the past year, with average amounts climbing to USD $2.73 million, according to KnowBe4. Grimes highlighted that malicious actors typically adopt innovations six to twelve months after they are developed by legitimate cybersecurity researchers. He urged organisations to leverage AI and advanced defences now to prepare for the threats on the horizon.

As cybercriminals continue to refine their tactics and exploit both technology and human factors, experts unanimously stress the enduring importance of proactive security practices. Regular training, technological consolidation, and continual vigilance remain the cornerstones of effective cyber defence against one of the digital age's most formidable adversaries.

Broadcom forces VMware clients to roll back crucial updates

Techday NZ, 09-05-2025

Broadcom's recent changes to VMware licensing agreements are causing concern among IT professionals. Reports suggest that customers are being forced to roll back security updates, potentially exposing them to previously patched vulnerabilities.

In early May 2025, VMware's parent company Broadcom began issuing cease-and-desist letters to customers with perpetual licences whose customer support had expired. These letters, according to reports verified by Ars Technica and highlighted by Comparitech in an analysis, demand that customers remove all updates made after the end of their support contracts, under threat of audits and possible litigation. The only exception to this demand allows customers to retain updates addressing zero-day vulnerabilities, or those with a Common Vulnerability Scoring System (CVSS) score of 9.0 or higher. All other security updates must be rolled back in compliance with Broadcom's current policy.

Network administrators and IT professionals have expressed alarm at this directive's potential security and operational ramifications. According to users active on technical forums, including Reddit's /r/sysadmin, affected companies are placed in a difficult position: either remove important updates and risk security lapses, switch to more expensive subscription packages, or face the possibility of legal action. Comparitech's analysis described this as leaving companies in a "zero-sum game" that could jeopardise future business prospects and the security of sensitive data. "Broadcom has effectively created a zero-sum game in which many existing customers who were grandfathered in after it purchased VMWare must now make a choice that could cost them millions and risk not only the future of their company but also the secure data that they maintain," the analysis stated.

The policy has broader cybersecurity implications because rolling back updates reintroduces known vulnerabilities into network environments. These are security flaws that cybercriminals, including ransomware groups such as those behind the notorious WannaCry attacks, have previously exploited. "Update and security patch rollbacks are not benign. They reintroduce well-documented security flaws that cyber criminals have already learned to scan for and exploit," the analysis explained. The security concern is that ransomware gangs may target these known vulnerabilities, exploiting them to breach companies that had already patched the flaws. "Broadcom's efforts to force security rollbacks effectively threaten license holders with an order-of-magnitude increase in their risk of a data breach. While the company holding the license ultimately has the legal responsibility and business imperative to protect data, such actions on Broadcom's part raise serious ethical questions when businesses are forced to decrease protections and increase risk," Comparitech notes.

Beyond security, update rollbacks could negatively affect the stability of critical IT infrastructure. Many updates patch security holes and deliver performance improvements and compatibility enhancements. Reverting to previous software states may destabilise hypervisors, break integrations with backup or disaster recovery tools, and disrupt operations in environments where reliability is crucial. "When companies are forced to revert their systems to an earlier state, it can quickly destabilise hypervisors, completely invalidate integrations with backup or DR tooling, and painfully disrupt resource scheduling for virtual workloads," Comparitech warned. For organisations in sectors such as education, healthcare, and government, where large volumes of regulated personal or health information are managed, system failures and downtime can become significant operational and financial risks.

The sentiment among long-time VMware customers is described as betrayal and frustration. "This is like a mafioso shaking down a shopkeeper for protection money. I swear, if they won't be reasonable on my next phone call with them, then I will make it my mission — with God as my witness — to break the land speed record for fastest total datacenter migration to Hyper-V or Proxmox or whatever and shutting off ESXi forever. I'm THAT pissed off," one IT professional commented in April 2025 on /r/sysadmin.

Comparitech's analysis suggests that Broadcom's actions put companies in a position where expensive migration to alternative platforms or subscription services may be the only safe option. However, these can be lengthy and complex processes. Many organisations may face significant costs or risks during the transition, and some may be unprepared to switch off VMware infrastructure quickly. With Broadcom reportedly willing to take legal action against non-compliant customers, as seen in an ongoing case against Siemens, the only immediate recourse for affected companies is to fortify their IT security. Steps recommended include hardening network perimeters, isolating vulnerable systems, implementing strict access controls, enhancing monitoring and detection, regular vulnerability scanning, auditing backup systems, reducing internet-facing exposures, and establishing a rapid response plan during the migration period.

Broadcom completed its acquisition of VMware in 2023 and subsequently shifted VMware's licensing strategy. Perpetual licences for VMware products were discontinued, and new requirements pushed customers towards pricier, multi-year subscription models. In early 2024, the company also ended the availability of VMware's free ESXi hypervisor. It began restricting access to software downloads and binaries for customers without an active support-and-subscription agreement. "Broadcom's push to change VMware's licensing strategy was terrible from a customer service and customer satisfaction standpoint, but not immediately dangerous to customers and their data. However, the company's new efforts to strong-arm perpetual license holders into pricier subscription packages by canceling or failing to allow renewals of SnS agreements push its strategy into potentially unethical realms that endanger companies and their customers," Comparitech noted in its analysis.

Comparitech plans to continue monitoring ransomware attack trends to assess whether future incidents can be traced to systems exposed through the forced rollback of security updates under Broadcom's policy.
