
Dutch Uni Recovers Double the Ransom it Paid in BTC During 2019

In a compelling display of how bitcoin is unsuitable for criminal activities, Netherlands-based Maastricht University has shared a positive tale of how the bitcoin it paid in ransom in 2019, since tracked and recovered, has appreciated significantly in the interim.

A Profitable Ransom

As outlined by the university, it suffered a ransomware attack in 2019 that prevented more than 25,000 staff and students from accessing critical research data, email, or library resources. The hackers encrypted hundreds of Windows servers and backup systems, denying access to business-critical services pending a ransom payment of €200,000 (US$208,000) in bitcoin.

As reported by Dutch newspaper De Volkskrant, the university agreed to pay the attackers after a week, “partly because personal data was in danger of being lost and students were unable to take an exam or work on their theses”.

After launching an investigation, Dutch police traced a Ukrainian bank account belonging to a known money launderer. Investigators were able to establish that a relatively small amount of the ransom money, some €40,000 (US$41,000) worth of bitcoin, had been paid.

Chain analysis at work, used to identify the hacker. Source: Bitquery

Prosecutors were able to seize the offending account in 2020 and, through chain analysis techniques, were able to trace the remaining bitcoin. While information remains limited on why it took so long to return the funds, it appears as if the tedious wheels of bureaucracy might have worked in the university’s favour.

Since the ransom was paid, the €200,000 (US$205,000) worth of bitcoin has more than doubled to €500,000 (US$515,000), despite bitcoin having plummeted some 75 percent below its all-time high.

Needy Students to Benefit from Recovery

Commenting on the windfall, Maastricht University ICT director Michiel Borgers said it would be directed to students in need:

This money will not go to a general fund, but into a fund to help financially strapped students.

Michiel Borgers, director of ICT, Maastricht University

De Volkskrant has reported that the investigation remains ongoing as authorities search for those responsible for the exploit. As crypto crimes soared to new heights in 2021, authorities have increasingly ramped up efforts to combat ransomware attacks, including the US Federal Bureau of Investigation, which recently established its crypto crime unit.


FBI Announces Crypto Crime Division to Tackle Ongoing Ransomware Attacks

The US Department of Justice has announced the establishment of the National Cryptocurrency Enforcement Team (NCET). The unit, which will specialise in crypto-related crime, has also appointed its first director – long-time prosecutor Eun Young Choi.

The Federal Bureau of Investigation (FBI) released a statement on February 17 detailing the announcement. NCET aims to counter the criminal misuse of digital assets, and the team will be composed of prosecutors with backgrounds in crypto, money laundering, forfeiture and cybercrime. The proliferation of ransomware will be a particular concern of the unit.

Director Choi, who has a decade’s experience as a cybersecurity prosecutor, has stated she is excited to lead the team:


[As the world of] digital assets grows and evolves, the department, in turn, accelerates and expands its efforts to combat their illicit abuse by criminals of all kinds.

NCET director Eun Young Choi

The NCET announcement has stirred a lot of discussion on Twitter, with many questioning whether the US government has ulterior motives.

FBI’s Recent Crypto History

The US government has intervened in several crypto-related matters over recent years. Notably, the Justice Department impounded US$3.6 billion in bitcoin earlier this month. This was accompanied by the arrest of a would-be rapper and her husband on charges of conspiring to launder some of the funds, part of the proceeds of the notorious Bitfinex hack of 2016.

In late 2021, US law enforcement seized an impressive US$154 million in bitcoin that had been stolen from Sony Life Insurance Company Ltd. The money had been embezzled by a rogue employee using a business email compromise.

By Lauren Claxton, Crypto News Guest Author


FBI Seizes $154 Million in Bitcoin Stolen from Sony by Rogue Employee

US law enforcement has taken legal action to seize and return over US$154 million embezzled from Sony Life Insurance Company Ltd by an employee in a textbook business email compromise (BEC) attack.

Rei Ishii, 32, a Tokyo-based employee of the Sony Corporation subsidiary, allegedly diverted the funds when Sony Life attempted to transfer them between its financial accounts.

Culprit Diverts Funds, Converts Them to Crypto

Ishii was alleged to have done this by falsifying transaction instructions, which caused the funds to be transferred to an account he controlled at a Californian bank. He later converted the stolen funds into more than 3879 bitcoins held in an offline cryptocurrency cold wallet.

In a crude attempt at blackmail, Ishii also tried to block his supervisor and several Sony Life executives from assisting in the investigation by emailing them a “ransom note” typed in English and Japanese:

If you accept the settlement, we will return the funds … [But] if you [file] criminal charges, it will be impossible to recover [them]. We might go down [for] this, but … you [will] be right there next to us. We strongly recommend to stop communicate (sic) with any third parties, including law enforcement.

Ransom note from Rei Ishii, accused embezzler and former employee of Sony Life Insurance Co Ltd

Earlier this month, following a joint investigation by the FBI and Japanese authorities, the 3879 bitcoins (worth more than US$150 million at the time) in Ishii’s cold wallet were seized after the FBI obtained the private key and transferred the ill-gotten crypto to its own bitcoin wallet.

Tokyo’s Metropolitan Police Department arrested Ishii on the same day and criminally charged him on suspicion of obtaining US$154 million via fraudulent money transfers.

In a statement, Acting US Attorney Randy Grossman said:

This case is an example of amazing work by FBI agents and Japanese law enforcement, who teamed up to track this virtual cash. Criminals take note: You cannot rely on cryptocurrency to hide your ill-gotten gains from law enforcement.

Acting US Attorney Randy Grossman

Echoes of the REvil Ransomware Case

The case echoes charges filed by the US Department of Justice last month against a REvil ransomware affiliate responsible for the July attack against the Kaseya MSP platform. This case had ripple effects as far as Australia, with more than US$6 million seized from another REvil partner.


CIA Head Confirms Rumours: We Are Working on Crypto Projects

Conspiracy theorists were vindicated yesterday when Central Intelligence Agency (CIA) director William Burns admitted at the Wall Street Journal’s CEO Summit that the CIA was indeed involved in various crypto projects.

Details Are Murky, Obviously

One of the oldest conspiracies out there, at least in the crypto space, is that the CIA is responsible for creating Bitcoin. For the most part, that view is widely discredited and in the end is irrelevant, as Spencer Schiff pointed out.

While the CIA didn’t invent Bitcoin, it has confirmed that it is involved in the crypto industry across various projects, although details of what that specifically entails were absent from the discussion.

Burns, who was only recently appointed, responded to a question about whether the intelligence agency was equipped to handle ransomware attacks and the like, particularly those emanating from abroad (such as the Colonial Pipeline attack earlier this year).

Speaking about his predecessor, Burns noted that:

He [likely to be David Cohen, but unclear] had set in motion a number of different projects focused on cryptocurrency and trying to look at second- and third-order consequences as well, and helping with our colleagues in other parts of the US government to provide solid intelligence on what we’re seeing.

William Burns, CIA director

CIA Focused on Ransomware Attacks

Details as to what Burns and the CIA were doing remain opaque. One plausible theory is that they are establishing networks in order to understand them with a view to targeting and disrupting others. Another theory is that they are looking to undermine crypto networks’ credibility to quash a growing sentiment that the US dollar’s hegemony is drawing to a close.

One clue, however, was something Burns said, suggesting that criminal activities, specifically ransomware attacks, were one of the main focuses:

One of the ways of getting at ransomware attacks and deterring them is to be able to get at the financial networks that so many of those criminal networks use, and that gets right at the issue of digital currencies as well.

William Burns, CIA director

Of course, Twitter has been rife with speculation, ranging from genuine concern to satire. One user even joked that perhaps the CIA was behind NFT sensation the Bored Ape Yacht Club.

One thing’s for sure – when it comes to the CIA, things will never quite be what they seem.


European Electronics Giant ‘MediaMarkt’ Victim of $50 Million Bitcoin Ransomware Attack

German multinational electronics chain MediaMarkt has suffered a ransomware attack disrupting the organisation’s IT systems globally, rendering all in-store computers inaccessible to employees. The business has been brought to a standstill unless it pays a US$50 million bitcoin ransom.

Multimillion-Dollar Ransom Demand

MediaMarkt suffered a Hive ransomware attack on November 7, causing network outages in its IT infrastructure across all branches in the Netherlands and Germany, with the attackers demanding a multimillion-dollar ransom in bitcoin (BTC). The attack has allegedly encrypted and blocked various key services of the retailer, including its ability to accept credit cards and accept returns in some stores. Online sales are reportedly unaffected.

According to a report from Dutch news channel RTL, on every hacked computer there is a file containing the message: “Your network has been hacked, and all data has been encrypted. To regain access to all data, you must purchase our decryption software”.

MediaMarkt (Belgium) spokeswoman Janick De Saedeleer told local news channels: “We are investigating everything at the moment; I can only confirm that this is an international attack.”

The company immediately informed the relevant authorities and is working at full speed to identify the affected systems and repair any damage caused as quickly as possible.

MediaMarkt statement

Up to 3,100 Servers Possibly Affected

With over 1,000 stores across Europe and reported revenues of nearly US$25 billion per year, MediaMarkt is Europe’s largest and most profitable electronics retailer, making it a big red target for cyber criminals. Screenshots posted from Twitter claim that 3,100 servers were compromised, though this information is yet to be verified.

Copy of the ransom note found on MediaMarkt computers

Initially, the ransom demand was US$240 million, according to tech website Bleeping Computer, but that amount dropped almost immediately when MediaMarkt began negotiating.

Hive Hacker Group Behind the Attacks

While there are many groups that have active hacking campaigns, MediaMarkt’s attackers are known as Hive. The group, which has previously hacked hospital computer systems, among others, handles its business quite professionally. It even has a sort of “customer service” division where victims can chat with the hackers to negotiate the ransom and get a few hostage files back as proof. Those who fail to pay in time will find that their information will be up for grabs on the group’s website. By leaking this data, the hackers put pressure on their victims.

Alongside the rise in crypto prices this year, ransomware attacks have also increased in frequency and levels of damage. According to blockchain data company Chainalysis, by May the tally of stolen crypto from ransomware attacks had already reached US$81 million.

In July, Australian software provider Kaseya was hit by a ransomware attack affecting various Aussie retailers. Members of the REvil group were found to be responsible and police seized more than US$6 million in stolen funds.


$6 Million in Crypto Seized from REvil Ransomware Group

The US Department of Justice has announced charges against a REvil ransomware affiliate responsible for the July attack against the Kaseya MSP platform, which had ripple effects as far as Australia, and also seized more than US$6 million from another REvil partner.

The alleged ringleader is 22-year-old Ukrainian national Yaroslav Vasinskyi, arrested for cybercriminal activity last month at the behest of the US when he tried to enter Poland. Vasinskyi is one of seven REvil ransomware affiliates apprehended so far in a concerted international effort to combat a growing ransomware threat.

According to the indictment, Vasinskyi is a long-time affiliate of the REvil ransomware operation, having been involved since March 2019 and deploying an estimated 2,500 attacks against businesses worldwide.

Ransom Demands Top $767 Million

An FBI investigation revealed that Vasinskyi’s ransom demands totalled US$767 million but victims paid only $2.3 million. He is believed to have deployed ransomware on the networks of at least nine US companies. The entire REvil ransomware operation has ensnared more than US$200 million since it began its activities and encrypted at least 175,000 computers.

Of all the companies attacked, Kaseya’s ransom was by far the biggest, with US$70 million demanded to decrypt all its systems.

The US has requested Vasinskyi’s extradition and has unsealed the charges against him. Law enforcement has also impounded US$6.1 million from another REvil ransomware affiliate, Russian national Yevgeniy Polyanin, who is still at large. Polyanin is believed to be responsible for about 3,000 ransomware attacks against various organisations, including multiple US government entities and private-sector companies, extorting around US$13 million in total.

The joint charges against Polyanin and Vasinskyi are:

  • conspiracy to commit fraud and related activity in connection with computers (one count for each defendant);
  • intentional damage to a protected computer (nine counts for Vasinskyi, 12 for Polyanin); and
  • conspiracy to commit money laundering (one count for each defendant).

Seven REvil Affiliates Apprehended in Five Months

A total of seven affiliates of the REvil ransomware operation have been apprehended over five months with assistance from various jurisdictions, including police from Romania, Canada, France, the Netherlands, Poland, and the governments of Norway and Australia.

The arrest of Yaroslav Vasinskyi, the charges against Yevgeniy Polyanin and seizure of $6.1 million of his assets, and the arrests of two other REvil actors in Romania are the culmination of close collaboration with our international and private sector partners.

Christopher Wray, FBI director

In July, several retail operations in Australia were affected by REvil’s attack on Kaseya. Consequently, last month the Australian government outlined plans to tighten the screws on ransomware attacks on local businesses and individuals.


Australian Police Seize $1.6 Million of Cryptos Acquired Through Stolen Netflix Accounts

The Australian Federal Police (AFP), in collaboration with the US Federal Bureau of Investigation (FBI), has uncovered cryptos and cash to the value of A$1.66 million during an investigation of a convicted Sydney-based hacker. The man was arrested and subsequently ordered by the Supreme Court of New South Wales to forfeit the ill-gotten gains to the Commonwealth, according to the AFP.

Largest Commonwealth Forfeiture of Cryptocurrencies

Evan McMahon, 23, who was convicted earlier this year of selling stolen Netflix and Spotify subscriptions, has been ordered to hand over proceeds in the form of cryptocurrencies and cash to the value of A$1.66 million, of which A$1.2 million are cryptos – the largest forfeiture of cryptos to date in Australia.

The court was told McMahon conspired with US accomplice Samuel Joyner to steal the log-in details and passwords of streaming service customers, subsequently selling them online at a cheaper rate. McMahon pleaded guilty to various offences in October 2020 and was sentenced to two years and two months’ imprisonment in April 2021.

The investigation began in 2018 when the FBI passed on information to the AFP about an account generator website called WickedGen that sold stolen account details for online subscription services such as Netflix, Hulu and Spotify.

Following sentencing, the AFP-led Criminal Assets Confiscation Taskforce (CACT) obtained restraining orders over cryptos, PayPal and bank accounts held in false names, which were suspected to be controlled by McMahon.

Australia’s Home Affairs Minister Karen Andrews says the funds will be redistributed to support crime prevention, community safety-related initiatives, and law enforcement. Andrews added:

Good work by the AFP has seen a criminal stripped of their ill-gotten gains, and this money redirected to enhancing the safety and security of communities right around Australia.

Karen Andrews, Minister for Home Affairs

AFP Clamps Down on Cryptos

Many criminal organisations have turned to cryptos in an effort to hide their profits, but authorities are now moving to seize cryptos linked to illegal activities.

In the UK, police recently seized 48 bitcoin from a 16-year-old who ran an operation that scammed thousands of victims after extracting their personal details via a copycat website of gift voucher platform Love2Shop.

In Australia, the AFP has executed a series of initiatives designed to separate organised criminal syndicates from their illegally obtained profits by confiscating cryptocurrencies, designer items, homes and luxury vehicles.

The government recently passed amendments to the Surveillance Legislation Bill, granting the AFP and Australian Criminal Intelligence Commission (ACIC) new powers to surveil, intercept data, and also alter data online.

The Australian government has also mapped out plans to permit the seizure of cryptos amid a 15 percent increase in ransomware attacks. The “Ransomware Action Plan”, released last month by the Department of Home Affairs, outlines several measures in an effort to deter and punish cybercriminals. Part of the plan includes confiscating illicit cryptos.


Australia Moves to Permit Seizure of Crypto Amid 15% Increase In Ransomware Attacks

The Australian government has mapped out plans to tighten the screws on ransomware attacks on local businesses and individuals.

In a 16-page document titled the “Ransomware Action Plan”, the Department of Home Affairs has outlined several measures to deter and punish cybercriminals. Part of the strategy includes the confiscation of illicit cryptocurrencies.

Mooted Powers to ‘Seize and Freeze’

The department is seeking authorisation to seize and freeze cryptocurrency transactions that are linked to cyberattacks in Australia, irrespective of where the transaction originates from. It also seeks to modify the existing law on how law enforcement agencies can track and recover stolen funds.

In addition to this, the government wants to criminalise the buying and selling of malware or stolen data in ransomware attacks. It also flagged plans to set up a task force within the Australian Federal Police to focus on ransomware, and legislation that requires ransomware incident reporting.

Our tough new laws will target this online criminality and hit cybercrooks where it hurts most – their bank balances […] We need to ensure that Australia remains an unattractive target for criminals and a hostile place for them to operate.

Karen Andrews, Minister of Home Affairs

Australia Records 15% Increase in Ransomware Attacks in 2020-21

The new plan comes in response to a surge in ransomware attacks in Australia. The country has been a major target for cyber attackers. Australia reportedly recorded about a 15 percent increase in ransomware attacks in the 2020-21 financial year, at a total cost of A$1.4 billion (about US$1 billion).

Last year, Australian media market research company Nielsen was disrupted in a suspected ransomware attack. And as recently as July 2021, a number of Australian businesses were also affected by a REvil ransomware attack on their software provider, Kaseya.


US Government Offers $10 Million Bounty for Cyberattacks, Enticing with Crypto Payments

Following the infamous Colonial Pipeline attack earlier this year and a slew of copycat ransomware attacks, the US government has gone on the offensive by announcing a bounty program to counteract the ongoing risk of cybercrime.

Reward for Attacks on “Critical Infrastructure”

In a statement, the US Department of State’s Rewards for Justice (RFJ) program noted it was offering a reward of up to “US$10 million for information leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government, participates in malicious cyber activities against US critical infrastructure”.

Cars queue to refuel following the “Colonial Pipeline” cyberattack which crippled the US’ biggest fuel pipeline based in Washington, DC, May 15, 2021. Source: Daily Sabah

The RFJ statement went further, saying:

Commensurate with the seriousness with which we view these cyber threats, the Rewards for Justice program has set up a Dark Web (Tor-based) tips-reporting channel to protect the safety and security of potential sources.

Office of the Spokesperson, US Department of State

Bounty May be Paid in Crypto – Bitcoin or Privacy Coins?

Recognising that potential whistleblowers may wish to be paid in crypto, the statement noted that:

The Reward For Justice program also is working with interagency partners to enable the rapid processing of information as well as the possible relocation of, and payment of, rewards to sources. Reward payments may include payments in cryptocurrency.

Office of the Spokesperson, US Department of State

The official statement did not specifically disclose which cryptos would be accepted as a means of bounty payment.

However, given the nature of cybercrime and the fact that the RFJ has set up a Tor-based reporting channel, it is likely that potential whistleblowers will elect to remain anonymous. Accordingly, they are likely to prefer privacy coins such as Monero or Zcash over networks with a transparent public ledger, such as Bitcoin.

Cyberattacks have not been limited to the US. Last year, Australian television networks were impacted by various cyber attacks and, most recently, this month thousands of retailers were affected by a supply-chain ransomware attack.


Australian Retail Companies Hit by Bitcoin Ransomware Attack

The massive supply-chain ransomware attack on software provider Kaseya last week also affected retail companies in Australia. The Australian federal government’s Cyber Security Centre (ACSC) made this known in a report on 6 July, saying it’s working with the affected companies to ascertain the extent of the impact and possible mitigation measures.

REvil Ransomware Attack on Kaseya

On 5 July, the notorious Russian ransomware gang Sodinokibi, also known as REvil, pulled a large-scale supply-chain attack on Kaseya VSA. More than 1,000 businesses that use Kaseya’s IT solutions in countries including Australia, the US and South Africa were affected by the incident.

The cybercrime gang reportedly took advantage of a zero-day vulnerability in Kaseya’s VSA software to infect the chain of businesses on the network. Prior to the attack, the Dutch Institute for Vulnerability Disclosure (DIVD) alerted Kaseya, but the IT solutions provider wasn’t quick enough to patch the flaw.

The REvil gang launched the attack while DIVD was still in the process of fixing the problem. Consequently, several companies linked to the Kaseya VSA network were locked out of their data via encryption.

The REvil group demanded about A$92 million (US$70 million) to release the global decrypter for the data.

Potential Impact on Aussie Retailers

Several Australian retail businesses linked to the compromised network were also hit by the attack.

There is a lot of chatter among incident responders in Australia that there are impacted businesses here.

Josh Lemon, Managing Director of Digital Forensics and Incident Response, Ankura

Although the ACSC and the FBI are jointly investigating the extent of the attack and viable mitigation advice, Aussie retailers are advised to shut down Kaseya servers until further notice. ACSC also recommended activating Multi-Factor Authentication (MFA) as an extra layer of security.

REvil’s latest attack comes weeks after it received a bitcoin ransom payment worth about US$11 million from the world’s largest meat producer, JBS SA. Last year, Australian non-profit organisation Anglicare Sydney also suffered a ransomware attack in which 17 gigabytes of data were stolen.