Corvus Threat Intel
Nation-States Face Ransomware Attacks & BlackByte Steals Data From 49ers
Government agencies and nation-states face ransomware attacks and the BlackByte ransomware gang has a lasting impact on the San Francisco 49ers.
Ransomware Attack on Chile Government
In what seems to be becoming a more common occurrence, ransomware groups have been carrying out high-profile attacks against nation-states. Chile's CSIRT announced a ransomware attack impacting the operations of a government agency. The attack began on August 25, targeting Microsoft and VMware ESXi servers. While attribution is currently undetermined, some postulate that the ransomware group is new. According to a BleepingComputer article, fingerprints left behind by the attackers suggest possible overlap with the now defunct Conti group. Shortly before shutting down, the Conti group carried out a high-profile attack on the government of Costa Rica in May 2022, gaining access to government systems using compromised VPN credentials.
Why This Matters
This is another example of the several ransomware attacks against national government agencies in recent months. We don't yet know specifically which agency was affected, but we are left to wonder about the pattern and ask why. Attacks on governments are almost certainly a tempting status symbol, as was evident in Conti's public and braggadocious rhetoric after its attack on Costa Rica. However, there is risk in attacking the government of a major world power. Perhaps this is why countries like Costa Rica, Chile, and Montenegro have been the ideal victims: they are small enough to mitigate potential retaliation. Other ransomware groups have learned this lesson the hard way, as the DarkSide gang did when it attacked the Colonial Pipeline and incurred the wrath of the US government.
Cuba Ransomware Extorts Government of Montenegro
The veteran Cuba ransomware gang carried out an attack against the Government of Montenegro, demanding $10 million. The U.S. embassy warned that the attack could cause widespread disruption to key public and government services, even as numerous government websites were temporarily disabled. As a member of NATO, Montenegro is receiving assistance investigating the attack from allies, including an FBI rapid-response Cyber Action Team. While the full scope of the attack is unclear, there have been reports of state-owned power utilities switching to manual operations as a result of the attack. Cuba has previously attacked one other known government on a smaller scale, when it extorted a Canadian town in March of 2022.
Why This Matters
As noted previously, ransomware attacks against nation-states seem to be a theme of late. Perhaps this is a calculated move by Cuba, which, while a relative veteran, has never been the most active or visible group. Or it could indicate an influx of new personnel from other now defunct ransomware gangs with more of an appetite for making waves.
BlackByte Ransomware Steals Data on 20K Individuals from San Francisco 49ers
You probably remember that, just before the 2022 Super Bowl, the San Francisco 49ers suffered a ransomware attack. The 49ers acknowledged the incident and worked to restore their systems while the BlackByte ransomware gang claimed responsibility. After a more thorough investigation, the 49ers confirmed that personal information belonging to 20,930 individuals was accessed or stolen as part of the February attack. This data includes names and Social Security numbers. The NFL team has begun sending notification letters to impacted individuals, offering complimentary identity theft protection services.
Why This Matters
Modern ransomware is more than encryption. In nearly all cases, threat actors steal sensitive data while inside a network. This is then used as additional leverage in the extortion. Attackers will threaten to leak or sell the sensitive information if their demands are not met. Recovering encrypted data is only one part of post-attack efforts. Dealing with the fallout of stolen data can be protracted and costly.
This blog post and its contents are intended for general guidance and informational purposes only. This blog post is under no circumstances intended to be used or considered as specific insurance or information security advice.