The US Cybersecurity and Infrastructure Security Agency (CISA) has announced that it detected no evidence that foreign adversaries succeeded in preventing citizens from voting or changing vote tallies. CISA expects continuing attempts to interfere with certification and, of course, to conduct malign influence campaigns.
There’s no sign of respite, however, from criminal scams using election-themed come-ons to distribute malspam by exploiting uncertainty over the outcome of the vote. Malwarebytes describes how the gang that runs the QBot banking Trojan has taken a page from Emotet’s playbook, delivering its malicious emails as replies to existing threads to make them less obvious to defenses. (Emotet, by the way, is continuing an unwelcome renaissance, BankInfo Security notes.) QBot’s payload is carried in an attached Zip file with the phishbait name “ElectionInterference.” In the attachment is an Excel spreadsheet crafted to look like a secure DocuSign file. The marks are invited to enable macros to “decrypt” the document. Once the macros are enabled, the QBot Trojan calls home and begins harvesting data, both credentials and emails that can be used in further campaigns.
BleepingComputer reports on a new ransomware strain, “RegretLocker,” now being analyzed by several threat researchers. RegretLocker, first noticed in October, is still operating on a relatively small scale, but it will bear watching for some of its advanced features: it encrypts virtual hard drives, and it closes files that are open so that they, too, can be encrypted.
Coveware’s third-quarter ransomware report describes Maze’s retirement and Ryuk’s resurgence. It also explains why paying ransomware operators to delete stolen data is, as KrebsOnSecurity puts it, “bonkers.”