An international coalition of law enforcement agencies has dismantled hundreds of illegal installations of Cobalt Strike, a penetration testing tool frequently abused by state-sponsored and criminal hackers in ransomware attacks. The operation, coordinated by Britain’s National Crime Agency (NCA), targeted 690 IP addresses hosting illegal versions of the software across 27 countries.
Cobalt Strike, now owned by Fortra, was developed in 2012 to simulate hacker attacks on networks. However, its effectiveness has led to widespread abuse by malicious actors using pirated versions. The crackdown is part of broader efforts to combat ransomware gangs by disrupting critical points in their operations, similar to the recent seizure of bulletproof hosting provider LolekHosted.
In addition to legitimate uses, Cobalt Strike has been exploited by hackers linked to Russia, China, and North Korea. The NCA highlighted that pirated versions of the software, available on illegal marketplaces and the dark web since the mid-2010s, have become a preferred tool for network intrusions and rapid ransomware deployment.
Typically, unlicensed versions of Cobalt Strike are used in spear phishing campaigns to install beacons on target devices, allowing attackers to profile and remotely access networks. Its multifunctional nature, including command and control management, makes it a ‘Swiss army knife’ for cybercriminals and nation-state actors, according to Don Smith, VP of threat research at Secureworks Counter Threats Unit.
Europol confirmed Fortra’s significant efforts to prevent software abuse and its partnership throughout the investigation. Nevertheless, older versions of Cobalt Strike have been cracked and used by criminals, linking the tool to numerous malware and ransomware cases, including those involving RYUK, Trickbot, and Conti.
The University Hospital Centre in Zagreb, Croatia, was hit by a cyberattack on 27 June, claimed by the LockBit ransomware group. The attack crippled the hospital’s networks, forcing emergency patients to be redirected to other facilities. Despite the disruption, hospital officials assured that patient safety was never compromised. Over 100 experts worked tirelessly to restore the IT systems, bringing the hospital back online within 24 hours.
LockBit, a Russian-affiliated ransomware group, posted on its dark leak site that it had stolen a large cache of sensitive data from the hospital in Croatia, including medical records and employee information. The hospital has not confirmed the specifics of the stolen data but has involved the authorities, and a criminal investigation is underway. LockBit, operating since 2019, has been linked to over 1,400 attacks globally and continues to evade law enforcement despite setbacks like the FBI and Interpol’s Operation Cronos.
The attack on KBC Zagreb coincided with multiple cyberattacks on Croatian government agencies by another Russian-linked group, NoName057(16). Known for targeting the critical infrastructure of nations supporting Ukraine, NoName denied responsibility for the hospital attack, emphasising their principle of not targeting medical facilities. NoName has been responsible for numerous cyberattacks across Europe, affecting several countries’ banking systems and critical infrastructure.
On 8 June, Kadokawa, a Japanese media conglomerate, reported a data security incident on its website, stating that multiple servers within the Kadokawa Group had become inaccessible. In response, the company promptly shut down the affected systems and investigated to determine the incident’s nature and scope.
The ongoing investigation revealed various services, including Niconico, Kadokawa’s official website, and the e-commerce site ‘ebten,’ were impacted. Kadokawa is also looking into potential information leaks resulting from the incident.
Subsequent updates from Kadokawa confirmed that the disruption was caused by a large-scale cyberattack involving ransomware. Emergency measures were taken, such as shutting down servers and forming a task force to assess the damage, identify the cause, and restore operations. The ransomware attack primarily targeted Niconico’s systems, Japan’s popular video-sharing service, as well as affected the company’s payment system, leading to payment delays for some business partners.
The BlackSuit ransomware group claimed responsibility for the attack on Kadokawa and listed the company as a victim on its data leak site. The group alleges to have stolen over 1.5TB of confidential data and threatened to publish it on 1 July unless ransom demands were met.
Kadokawa acknowledged the hacker group’s claims and stated that they are investigating the possibility of data leakage with external cybersecurity experts. The company reassured stakeholders that no credit card information of customers, including Niconico users, is stored in their systems, ensuring that such data remains secure.
A recent report from SentinelLabs and Recorded Future analysts contends that cyberespionage groups have increasingly turned to ransomware as a strategic tool to complicate attribution, divert attention from defenders, or as a secondary objective for financial gain alongside data theft.
The report specifically sheds light on the activities of ChamelGang, a suspected Chinese advanced persistent threat (APT) group that uses the CatB ransomware strain in attacks targeting prominent organisations globally. Operating under aliases like CamoFei, ChamelGang has targeted mostly governmental bodies and critical infrastructure entities, operating mostly from 2021 to 2023.
Employing sophisticated tactics for initial access, reconnaissance, lateral movement, and data exfiltration, ChamelGang executed a notable attack in November 2022 on the Presidency of Brazil, compromising 192 computers. The group leveraged standard reconnaissance tools to map the network and identify critical systems before deploying CatB ransomware, leaving ransom notes with contact details and payment instructions on encrypted files. While initially attributed to TeslaCrypt, new evidence points to ChamelGang’s involvement.
In a separate incident, ChamelGang targeted the All India Institute Of Medical Sciences (AIIMS), disrupting healthcare services with CatB ransomware. Other suspected attacks on a government entity in East Asia and an aviation organisation in the Indian subcontinent share similarities in tactics, techniques, and procedures (TTPs) and the use of custom malware like BeaconLoader.
These intrusions have impacted 37 organisations, primarily in North America, with additional victims in South America and Europe. Moreover, analysis of past cyber incidents reveals connections to suspected Chinese and North Korean APTs.
Why does it matter?
The integration of ransomware into cyberespionage operations offers strategic advantages, blurring the lines between APT and cybercriminal activities to obfuscate attribution and mask data collection efforts. The emergence of ChamelGang in ransomware incidents stresses adversaries’ evolving tactics to achieve their objectives while evading detection.
Hackers have encrypted systems at Indonesia’s national data centre with ransomware, causing disruptions in immigration checks at airports and various public services, according to the country’s communications ministry. The ministry reported that the Temporary National Data Centre (PDNS) systems were infected with Brain Cipher, a new variant of the LockBit 3.0 ransomware.
Communications Minister Budi Arie Setiadi informed that the hackers demanded $8 million for decryption but emphasised that the government would not comply. The attack targeted the Surabaya branch of the national data centre, not the Jakarta location.
The breach risks exposing data from state institutions and local governments. The cyberattack, which began last Thursday, disrupted services such as visa and residence permit processing, passport services, and immigration document management, according to Hinsa Siburian, head of the national cyber agency. The ransomware also impacted online enrollment for schools and universities, prompting an extension of the registration period, as local media reported. Overall, at least 210 local services were disrupted.
Although LockBit ransomware was used, it may have been deployed by a different group, as many use the leaked LockBit 3.0 builder, noted SANS Institute instructor Will Thomas. LockBit was a prolific ransomware operation until its extortion site was shut down in February, but it resurfaced three months later. Cybersecurity analyst Dominic Alvieri also pointed out that the Indonesian government hasn’t been listed on LockBit’s leak site, likely due to typical delays during negotiations. Previously, Indonesia’s data centre has been targeted by hackers, and in 2023, ThreatSec claimed to have breached its systems, stealing sensitive data, including criminal records.
Dubai, known for its ultra-luxurious lifestyle and wealthy population, has reportedly fallen victim to a ransomware attack by the Daixin Team. The cybercriminal group claimed on their dark blog to have exfiltrated 60-80GB of sensitive data from the Government of Dubai’s network systems, including ID cards, passports, and other personally identifiable information (PII).
The stolen data, which has not yet been fully analysed or released, reportedly includes many personal and business records. Among the sensitive information are details about the residents of this city in the UAE, many of whom are expatriates and high-net-worth individuals. Due to the city’s high concentration of wealthy residents, this data breach poses significant risks, such as identity theft and targeted phishing attacks.
The Daixin Team, a Russian-speaking ransomware group active since at least June 2022, is known for targeting various sectors, including healthcare and utilities. They typically gain access through compromised VPN servers or phishing attacks and often publish stolen data if ransom demands are not met. The Government of Dubai has been contacted for comment but has not yet responded.
The Qilin ransomware group has claimed responsibility for a cyberattack on Synnovis labs, a key partner of the National Health Service (NHS) in England. The attack, which began on Monday, has severely disrupted services at five major hospitals in London, including King’s College Hospital and Guy’s and St Thomas’ NHS Foundation Trust. The NHS declared the situation a ‘critical incident,’ noting that the full extent and impact of the attack on patient data remain unclear.
Synnovis, a prominent pathology service provider, runs over 100 specialised labs offering diagnostics for various conditions. Due to the ransomware attack, several critical services, such as blood testing and certain operations, have been postponed, prioritising only the most urgent cases. NHS England has deployed a cyber incident response team to assist Synnovis and minimise patient care disruption, though longer wait times for emergency services are expected.
The Qilin group, operating a ransomware-as-a-service model, typically targets victims via phishing emails. The attack on Synnovis has raised significant concerns about the security of healthcare systems and the reliance on third-party providers. Kevin Kirkwood from LogRhythm emphasised that the attack causes operational disruptions and undermines public trust in healthcare institutions. He called for robust security measures, including continuous monitoring and comprehensive incident response plans, to protect healthcare infrastructure better and ensure patient safety.
A ransomware attack on Synnovis, a pathology services provider, has severely disrupted major hospitals in London, including King’s College Hospital, Guy’s and St Thomas’, and the Royal Brompton. This incident has led to the cancellation and redirection of numerous medical procedures. The hospitals have declared a ‘critical incident’ due to the significant impact on services, notably affecting blood transfusions. Synnovis’ CEO, Mark Dollar, expressed deep regret for the inconvenience caused and assured efforts to minimise the disruption while maintaining communication with local NHS services.
Patients in various London boroughs, including Bexley, Greenwich, and Southwark, have been affected. Oliver Dowson, a 70-year-old patient at Royal Brompton, experienced a cancelled surgery and expressed frustration over repeated delays. NHS England’s London region acknowledged the significant impact on services and emphasised the importance of attending emergency care and appointments unless instructed otherwise. They are working with the National Cyber Security Centre to investigate the attack and keep the public informed.
Synnovis, a collaboration between SYNLAB UK & Ireland and several NHS trusts, prides itself on advanced pathology services but has fallen victim to this attack despite stringent cybersecurity measures. Deryck Mitchelson from Check Point highlighted the healthcare sector’s vulnerability to such attacks, given its vast repository of sensitive data. Recent cyber incidents in the UK, including a similar attack on NHS Dumfries and Galloway, underscore the persistent threat to healthcare services. Government agencies actively mitigate the current situation and support affected NHS organisations.
ABB, a Swiss multinational company specialising in electrification and automation technology, has been targeted by a Black Basta ransomware attack, resulting in significant disruptions to its business operations.
On 7 May, ABB fell victim to a ransomware attack which specifically targeted ABB’s Windows Active Directory, affecting a considerable number of devices within the company’s infrastructure.
In response to the breach, ABB took immediate action by severing VPN connections with its customers to prevent the ransomware from spreading to external networks. Nevertheless, the attack has significantly disrupted ABB’s operations, resulting in project delays and impacting its manufacturing facilities.
The company has since stated that ‘The vast majority of its systems and factories are now up and running and ABB continues to serve its customers in a secure manner.’
The Costa Rican Social Security Fund (CCSS), i.e. Costa Rica’s public health service was hit by Hive ransomware and forced to shut its systems down. The ransomware was deployed on at least 30 out of 1,500 government servers, CCSS told local media.
Cybersecurity experts suggested that Hive might be working with Conti to help Conti rebrand.
