
NOKOYAWA: ANALYSIS OF THE RE-EMERGED RANSOMWARE GROUP


Nokoyawa ransomware group re-emerged on Dark Web with a new list of victims and some peculiar behavior.

[Figure: Nokoyawa DLS]

Here’s what we’ve discovered so far.

It’s not a new ransomware group

Nokoyawa is not new to the cybercrime scene: it first drew attention in March 2022, when Trend Micro published a report linking its operations to the Hive ransomware family.

At the time, Nokoyawa showed clear similarities with Hive in both attack patterns and the tools used.

There are connections with another group

This time the group shows an interesting connection with Snatch, another cybercrime group.

Among the 26 victims named on Nokoyawa's DLS (dedicated leak site), 6 also appear among Snatch's victims:

  • Gaston College
  • MSX International
  • City of Modesto
  • Canadian Nurses Association
  • Chattanooga State Community College
  • Liveaction

According to The Cyber Express, a publication of Cyble, this may not be a coincidence but a sign of a collaboration agreement between the two groups.

In any case, it is a reminder that criminal organizations increasingly collaborate with each other to maximize the results of their operations. Two caveats apply when reading such overlaps: leak-site victim names are posted inconsistently (legal suffixes, capitalization, punctuation), so two lists must be normalized before comparing them or the overlap will be undercounted; and a shared victim can also result from an affiliate working with more than one program, so overlap alone does not prove a formal agreement.
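To make the cross-check above reproducible, here is an added example (not Hackmanac's code) that compares two DLS victim lists after normalizing names. The six Nokoyawa names are those quoted in this article; the Snatch-side spellings and the two "Example" entries are constructed to illustrate the matching problem and are not real listings.

```python
"""Cross-reference two ransomware leak-site (DLS) victim lists.

Added example, not Hackmanac's own tooling. The Nokoyawa entries are the
six names quoted in the article; the Snatch-side spellings and the two
"Example" entries are constructed to show why exact string matching
undercounts shared victims.
"""
import re

# Legal-form tokens that leak sites add or drop inconsistently.
LEGAL_SUFFIXES = {"inc", "llc", "ltd", "corp", "corporation", "plc", "gmbh", "srl", "spa"}


def normalize(name: str) -> str:
    """Canonical form for a victim name: lower-case, punctuation removed,
    legal suffixes dropped, whitespace collapsed."""
    tokens = re.sub(r"[^a-z0-9 ]+", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in LEGAL_SUFFIXES)


def naive_overlap(list_a, list_b):
    """Victims in list_a that appear in list_b with exactly the same string."""
    exact = set(list_b)
    return [n for n in list_a if n in exact]


def normalized_overlap(list_a, list_b):
    """Victims in list_a whose normalized name also appears in list_b."""
    canon_b = {normalize(n) for n in list_b}
    return [n for n in list_a if normalize(n) in canon_b]


# Victim names as quoted in the article for the Nokoyawa DLS, plus one
# constructed entry that is not on the other list.
NOKOYAWA_DLS = [
    "Gaston College",
    "MSX International",
    "City of Modesto",
    "Canadian Nurses Association",
    "Chattanooga State Community College",
    "Liveaction",
    "Example Holdings",          # constructed
]

# Constructed spellings of the same organizations as another DLS might
# post them, plus one constructed entry that is not on the Nokoyawa list.
SNATCH_DLS = [
    "Gaston College",
    "MSX International, Inc.",   # legal suffix and punctuation added
    "City Of Modesto",           # capitalization differs
    "Canadian Nurses Association",
    "Chattanooga State Community College",
    "LiveAction, Inc.",          # camel case and legal suffix
    "Another Example Ltd",       # constructed
]


def summarize(list_a, list_b):
    """Return (exact_matches, normalized_matches) for the two lists."""
    return len(naive_overlap(list_a, list_b)), len(normalized_overlap(list_a, list_b))


if __name__ == "__main__":
    exact, canon = summarize(NOKOYAWA_DLS, SNATCH_DLS)
    print(f"exact string matches: {exact}")
    print(f"normalized matches:   {canon}")
    for name in normalized_overlap(NOKOYAWA_DLS, SNATCH_DLS):
        print("  shared:", name)
```

Exact comparison finds only 3 of the 6 shared names because of case, punctuation and legal suffixes; normalization recovers all 6. For real use, extend the suffix list, consider fuzzy matching for misspellings, and verify every hit manually, since two different organizations can normalize to the same string.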

They were probably relying on a 0-day

The Nokoyawa malware strain targets 64-bit Windows systems and is used in double extortion attacks: data is exfiltrated before encryption, and the victim is then threatened with its publication.

According to Kaspersky, the group used what was, at the time, a zero-day vulnerability in Microsoft Windows to deploy the ransomware. The vulnerability, tracked as CVE-2023-28252, is an elevation-of-privilege flaw in the Windows Common Log File System (CLFS) driver; Microsoft promptly patched it in the April 2023 security updates. Note that this is a privilege escalation bug, not an initial access vector: the attacker needs a foothold on the host first, and the exploit is then used to obtain SYSTEM privileges before deploying the ransomware.

The victims belong to several categories

Analysing Nokoyawa's victims, we found that they belong to 12 main categories:

  • Education
  • Organizations
  • Professional / Scientific / Technical
  • ICT
  • Transportation / Storage
  • Gov / Mil / LE
  • Construction
  • Healthcare
  • Manufacturing
  • Wholesale / Retail
  • Energy / Utilities
  • Financial / Insurance

[Figure: Nokoyawa victims by category]

Education (19% of total attacks), Organizations, Professional / Scientific / Technical and ICT (11% each) are the most targeted categories.

Most of the victims are in the Americas

Well over half of the victims (61%) are in the Americas, while 23% are in Europe.

[Figure: Nokoyawa affected continents]

Other continents involved in Nokoyawa’s attacks are Oceania (8% of attacks), Africa and Asia (4% each).

The US is the country most targeted by the group (54% of total attacks).

[Figure: Nokoyawa affected countries]

Other affected countries are:

  • UK
  • Australia
  • France
  • Philippines
  • Romania
  • Morocco
  • Canada
  • Brazil
  • Germany

They’re speeding up

We detected 26 victims of Nokoyawa in 2023 (January to May), an average of 5.2 per month.

[Figure: Nokoyawa attacks in 2023]

The attacks, which started quietly in the first months of the year, grew decisively in May, with 11 victims already attributed to the group in that month alone.

[Figure: Nokoyawa's last victim in May 2023]

Ultimately Nokoyawa appears to be a particularly dangerous ransomware group.

On the one hand, the group has shown that it can count on several criminal partnerships that appear to have paid off.

On the other hand, Nokoyawa’s double extortion operations seem to be accelerating.

Our recommendation is to keep information systems patched and hardened, especially Windows-based ones; in particular, make sure the April 2023 Windows security updates, which fix CVE-2023-28252, are installed, and monitor for local privilege escalation attempts, since that is the stage at which this exploit is used.

Stay Cyber Safe!

Latest news

HACKS OF TODAY 02/07/2023

Today's HOT includes 19 ransomware victims by the notorious LockBit 3.0, Play, Darkrace, BlackCat/ALPHV, BianLian, Akira and Trigona gangs. The average Cyber Risk Factor is 3.7. Read...

Read More

HACKS OF TODAY 01/06/2023

Today's HOT includes 7 ransomware victims by the notorious LockBit 3.0, Akira, BlackBasta, RansomHouse and Darkrace gangs. The average Cyber Risk Factor is 3.4. Read below the...

Read More

HACKS OF TODAY 31/05/2023

Today's HOT includes 7 victims: 5 ransomware by the notorious LockBit 3.0 and BlackBasta gangs and 2 data leaks. The average Cyber Risk Factor is 4.0. Read...

Read More

8BASE, THE NEWLY DISCOVERED RANSOMWARE GANG


The new ransomware group is called 8Base: they define themselves as “honest and simple pentesters” who offer their victims the most loyal conditions for the return of their data.

[Figure: 8Base presentation]

Here’s what we’ve discovered so far.

It’s not such a new group

Although they have only now become widely known, the group's operations appear to have begun in April 2022, and the most recent victims date to May 2023.

With Hackmanac we analyzed their DLS (Dedicated Leak Site) on the Dark Web and found 66 victims listed at the time, 45 in 2022 and 21 in 2023, who evidently refused to negotiate.

The list of victims is in fact accompanied by the complete publication of the data stolen during the attack.

They mostly target SMBs

8Base seems to target mainly small and medium-sized companies, mostly belonging to the Professional / Scientific / Technical sector (36% of attacks known so far) and Manufacturing (17%).

[Figure: 8Base victims by sector]

Other sectors affected to a lesser extent are:

  • Wholesale/Retail
  • Construction
  • Healthcare
  • ICT
  • Financial/Insurance
  • Transportation/Storage
  • Organizations
  • Agriculture / Forestry / Fishing
  • Education
  • Gov/Mil/LE
  • Other Services

The victims are mainly in America and Europe

Analyzing the victims listed on the 8Base DLS, well over half are in the Americas (62%), and roughly a further quarter in Europe (24%).

[Figure: 8Base affected continents]

The most targeted countries are the United States and Brazil:

[Figure: 8Base affected countries]

Other less affected countries are:

  • Australia
  • Germany
  • UK
  • Mexico
  • Portugal
  • Belgium
  • Egypt
  • China
  • Spain
  • Madagascar
  • France
  • Peru
  • Canada
  • Turkey
  • Guatemala
  • Venezuela
  • India
  • Italy

The victims also include the Italian company SiComputer, attacked on 03/29/2023, whose data was published a month later.

[Figure: 8Base listing of the SiComputer victim]

They have very clear ideas

A characteristic of the group is that their ransom note is particularly detailed.

In addition to the payment terms in bitcoin, the note gives explicit instructions that prohibit involving third parties, such as the police, government agencies (FBI, CIA, NSA, ...) or negotiators.

[Figure: 8Base terms of service]

Finally, specific guarantees are provided on the management of the data held by the group.

 

As with MalasLocker, which we covered in our previous article, this is once again a cybercriminal group that mainly targets small and medium-sized businesses.
This trend, which has become common recently, shows that small companies are a frequent target of cybercriminal operations, not only large ones.

The advice is to monitor computer systems, keep them updated and be aware of cyber threats.

Stay Cyber safe!


PROTECT YOUR BUSINESS WITH CYBER ATTACKS ANALYSIS


In the previous article we explored how our cyber attacks analysis works.

BUT WHAT ARE THE ADVANTAGES OF THIS ANALYSIS AND HOW CAN YOU USE IT TO PROTECT YOUR BUSINESS?

Companies, institutions, research centres, insurers offering policies against cyber risk, and professionals working on threat modeling, cyber risk management and cyber strategy: cyber attack analysis can be useful to many kinds of organization.

In particular, we can identify 4 main objectives.

a) Check the Cyber Security strategy

From the analysis of the threats depicted in the scenario that we present each year, it is possible to understand where cyber security strategies have failed and how to improve them.

In fact, it is important that companies, institutions and, even more so, critical infrastructures check their defenses frequently, because cyber threats are constantly evolving.

Getting insight into the latest threats that have proven successful is certainly the best way to gauge how effective your defenses might be or where to make changes to your overall strategy.

b) Identify threats specific to your industry

Again with a view to refining your cyber defenses, assessing which threats particularly afflict your own industry is a priority.

Cyber ​​attacks, in fact, include different types and do not affect all business areas in the same way.

It is reasonable to assume that institutions, critical infrastructures, multinationals and large companies are more exposed to cyber risk than small and medium-sized companies, but it is also true that the latter have fewer resources to manage emergencies.

Obtaining information on specific threats for your area and analyzing their trends over the years is therefore absolutely strategic to assess the situation and understand how to best defend yourself.

c) Optimize the budgets dedicated to Cyber ​​Security

The world of Cyber Security is complex, we know, and unfortunately there is no single solution capable of remedying all related risks, no "magic bullet".

On the contrary, the threats are different, so the defensive strategies will have to foresee a mix of technical, training, organizational and management solutions.

The cyber attacks analysis is very important to understand which components must not be missing in your specific mix and how to spend the corporate Cyber ​​Security budget more effectively and efficiently.

Only by understanding which threats concern your own sector can you be reasonably sure that you are evaluating the most appropriate purchases and actions.

d) Obtain data on cyber incidents

Our sample includes over 7,000 successful cyber attacks in the last 4 years, including more than 2,500 against Critical Infrastructures.

This is a large set of notable events from which a great deal can be inferred: the motivation for the attack, the sector targeted, the technique used, the geographical area, the severity of the attack and its impact.

This information can be particularly relevant for insurance companies that provide policies against cyber risk and need data for assessing the frequency and severity of threats, so that they can correctly price the premium covering the residual risk.

Although raising awareness of IT security issues remains our main objective, the critical situation created by the extraordinary growth of cyber threats has convinced us that this analysis must continue to evolve into a real work and decision-support tool.

Contact us for more details and see a sample of our data on our Dashboard.

				