At a glance.
- BlackCat gang demands $5 million in Austrian ransomware attack.
- Fraudster claims exceed reality.
- CISA releases ICS advisories.
- Pro-Russian DDoS campaigns.
- Sanctions inhibit ransomware.
BlackCat wants $5 million from Carinthia.
The Austrian state of Carinthia, under ransomware attack by the BlackCat gang (also known as "ALPHV," and a rebranding of DarkSide/BlackMatter) since Tuesday, has, according to BleepingComputer, received a ransom demand. BlackCat wants $5 million to restore access to the systems its attack disrupted. Carinthian authorities say that the state's public-facing websites are down, and that passport administration, collection of fines, and processing of COVID tests are among the services affected. They've found no evidence that BlackCat succeeded in stealing data, and indeed none of the usual teasers have been posted to the gang's dumpsite. Carinthia does not intend to pay the ransom, and restoration of its services begins today.
Fraudster pressures Verizon.
Verizon has confirmed to Vice that a scammer has contacted the phone company with a claim to have accessed sensitive internal data. Specifically, the scammer said they'd obtained an internal corporate employee database which they threatened to release if they weren't paid a $250,000 bounty. “A fraudster recently contacted us threatening to release readily available employee directory information in exchange for payment from Verizon. We do not believe the fraudster has any sensitive information and we do not plan to engage with the individual further,” Verizon told Vice. “As always, we take the security of Verizon data very seriously and we have strong measures in place to protect our people and systems.”
CISA releases ICS advisories.
The US Cybersecurity and Infrastructure Security Agency (CISA) has released two industrial control system (ICS) advisories for Horner Automation Cscape Csfont and Keysight N6854A Geolocation server and N6841A RF Sensor software.
The following notes concern the cyber phases of Russia's hybrid war against Ukraine. The CyberWire's continuing coverage of the unfolding crisis in Ukraine may be found here.
Pro-Russian DDoS attacks.
Imperva offers a timeline of distributed denial-of-service (DDoS) attacks conducted in the Russian interest by nominally hacktivist organizations. Killnet is the most notable of those groups. Imperva's timeline shows Killnet's development:
- "23 January 2022 – KILLNET emerged as a pro-Russian hacker group.
- "25 February 2022 – created a post on their Telegram titled ‘ANONYMOUS, YOUR TIME IS UP!’ in response to pro-Ukrainian hacktivist elements.
- "28 February 2022 – the group created a ‘call to arms’ post addressing hackers in the ‘Russian Federation and the CIS countries’.
- "Also February 2022 – the group shared a link to the Telegram group of Cyber Army of Russia encouraging KILLNET followers to subscribe to the channel to see KILLNET attacks.
- "Date unknown – Announced partnership with XakNet – indicating several pro-Russian hacktivist elements have joined forces to conduct cyber warfare operations against Ukraine and its allies. Attacks have included multiple cyber attacks against pro-Ukrainian targets including a US airport and several Ukrainian government entities.
- "20 April 2022 – The U.S. Cybersecurity and Infrastructure Security Agency (CISA) listed KILLNET as one of several pro-Russia cybercrime groups which could pose a threat to critical infrastructure organizations."
Killnet's targeting has been varied, but its activities haven't risen above a nuisance level. DDoS is easy to attempt, but it's proving difficult to conduct with significant effect. For all that, Microsoft cautions, in an NPR interview, not to dismiss the cyber phases of Russia's hybrid war as inconsequential: there has been no shortage of attempted disruption of Ukrainian networks since shortly before the Russian invasion began.
Sanctions and their effect on ransomware.
Ransomware operations appear to be on the way to becoming collateral damage of the sanctions that have been imposed on Russia. CPO Magazine, citing recent remarks by NSA cyber security director Rob Joyce, describes the ways in which controls on bank transfers and other remittance mechanisms have inhibited payments to ransomware gangs. "Ransom payments are more difficult to process due to lack of access to assorted banking options, and inability to purchase necessary technology to set up the infrastructure for new ransomware campaigns." "Collateral damage" may be a loose description of what's going on in this case, since the effect, while not directly intended, isn't unwelcome, either. Call it a side benefit; call it gravy.