Neptune RAT malware targeting Windows users

A remote access trojan (RAT) known as Neptune RAT is drawing attention in the cybersecurity world and poses a serious threat to Windows users. Labelled by some researchers as the ‘most advanced RAT ever,’ it is capable of hijacking systems, stealing cryptocurrency, extracting passwords, and even launching ransomware attacks.

According to cybersecurity firm CYFIRMA, Neptune RAT is being distributed via platforms like GitHub, Telegram and YouTube, and is available as malware-as-a-service, allowing virtually anyone to deploy it for a fee.

Neptune RAT’s feature set is alarmingly broad. It includes a crypto clipper that silently redirects cryptocurrency transactions by replacing wallet addresses with those controlled by the attackers.
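The clipper behaviour described above is simple enough to show in a few lines. The following Python block is an added example, not code from CYFIRMA's analysis or from the malware itself: `clipper_rewrite` does what a clipper does to the clipboard (swap any recognised wallet address for an attacker-controlled one of the same coin), and `detect_swap` is the check a user or an endpoint agent can apply, flagging a clipboard change whose only difference is one address replaced by another of the same type. The address patterns cover only Bitcoin and Ethereum, and the attacker addresses are constructed placeholders.

```python
import re

# Wallet address patterns. Assumption: only Bitcoin (legacy base58 and bech32)
# and Ethereum formats are covered; a real clipper matches dozens of coins.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"\b(?:bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"),
    "eth": re.compile(r"\b0x[a-fA-F0-9]{40}\b"),
}

# Attacker-controlled destinations. Constructed for this example; not real wallets.
ATTACKER_ADDRESSES = {
    "btc": "1AttackerConstructedAddrWxYz2345",
    "eth": "0x" + "deadbeef" * 5,
}


def find_addresses(text):
    """Return (coin, address) pairs found in text, in order of appearance."""
    found = []
    for coin, pattern in ADDRESS_PATTERNS.items():
        for match in pattern.finditer(text):
            found.append((match.start(), coin, match.group(0)))
    return [(coin, addr) for _, coin, addr in sorted(found)]


def clipper_rewrite(clipboard_text, attacker_addresses=ATTACKER_ADDRESSES):
    """What a clipper does on every clipboard update: each recognised address
    is swapped for the attacker's address of the same coin. Everything else is
    left untouched, which is why victims rarely notice the change."""
    for coin, pattern in ADDRESS_PATTERNS.items():
        clipboard_text = pattern.sub(attacker_addresses[coin], clipboard_text)
    return clipboard_text


def detect_swap(before, after):
    """Heuristic check: if the only difference between two clipboard snapshots
    is an address replaced by a different address of the same coin, that is the
    clipper signature. Returns a list of (coin, original, replacement) swaps;
    an empty list means no silent swap was seen."""
    before_addrs = find_addresses(before)
    after_addrs = find_addresses(after)
    if len(before_addrs) != len(after_addrs):
        return []  # text changed in other ways; not the silent-swap pattern
    swaps = []
    for (coin_b, addr_b), (coin_a, addr_a) in zip(before_addrs, after_addrs):
        if coin_b == coin_a and addr_b != addr_a:
            swaps.append((coin_b, addr_b, addr_a))
    if not swaps:
        return []

    # Confirm nothing besides the addresses changed: blank them out and compare.
    def blank(text):
        for pattern in ADDRESS_PATTERNS.values():
            text = pattern.sub("<ADDR>", text)
        return text

    return swaps if blank(before) == blank(after) else []


if __name__ == "__main__":
    copied = "Pay 0.01 BTC to 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"
    pasted = clipper_rewrite(copied)
    print(pasted)
    print(detect_swap(copied, pasted))
```

The practical lesson is the one `detect_swap` encodes: because wallet addresses are high-entropy strings that nobody reads character by character, the only reliable user-side defence is to compare the address that lands in the transaction form against the one that was copied, rather than trusting the paste.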

It also comes with a password-stealing tool that can extract credentials from over 270 applications, including popular browsers like Chrome. Beyond theft, the malware can spy on users in real-time, disable antivirus tools including Windows Defender, and encrypt files for ransom, making it a formidable threat.

Neptune RAT also includes a data-wiping feature, allowing attackers to destroy all data on a compromised system. Cybersecurity experts are urging users to avoid clicking on unknown links or downloading suspicious files from the platforms where the malware is circulating.

Users are advised to stay cautious online and to consider identity theft protection plans that offer financial recovery and insurance, including cover for a system replacement where one becomes necessary.

For more information on these topics, visit diplomacy.edu.

NHS contractor fined after ransomware attack

The tech firm Advanced, which provides services to the NHS, has been fined over £3 million by the UK data watchdog following a major ransomware attack in 2022.

The breach disrupted NHS systems and exposed the personal data of tens of thousands of people across the country.

Originally facing a £6 million penalty, Advanced saw the fine halved after settling with the Information Commissioner’s Office.

The ICO found that the firm had not fully deployed multi-factor authentication, which allowed the attackers to log in with stolen credentials without having to present a second factor.

The LockBit attack caused widespread outages, including loss of access to patient data. While Advanced acknowledged the resolution, it declined to offer further comment or to name a spokesperson when contacted.

Ransomware spreads through online conversion tools

The FBI’s Denver Field Office has issued a national warning over a rising cyber threat involving fake file converter websites. These sites, posing as free tools for tasks like converting documents or media formats, are secretly distributing ransomware and malware while appearing to perform legitimate functions.

According to the FBI, users are lured by services that convert files such as ‘.doc’ to ‘.pdf’ or combine image files, but the downloaded output often contains hidden malware.

A recent case revealed that a site impersonating Convertio delivered RedLine Stealer, an information stealer that harvests credentials and other sensitive data from browsers, cryptocurrency wallets, and applications such as Telegram and Discord.
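The FBI's point is that the file a converter site hands back is not necessarily what its name says it is. The following Python block is an added example, not code from the FBI advisory or from any converter: it checks a downloaded file's claimed extension against its leading magic bytes and looks for the two filename tricks commonly used to disguise executables (a double extension such as `.pdf.exe`, and the right-to-left override character U+202E, which makes `photo<RLO>gpj.exe` display as `photoexe.jpg`). The signature table is deliberately short; a real check would use libmagic, and the sample files below are constructed.

```python
# Leading magic bytes for the formats a converter site claims to produce.
# Assumption: a small table for illustration; libmagic has thousands of entries.
SIGNATURES = [
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),            # OOXML (.docx/.xlsx/.pptx) is a ZIP container
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpg"),
    (b"MZ", "exe"),                    # DOS/PE executable header
]

# What a given claimed extension should sniff as.
EXPECTED_KIND = {
    "pdf": "pdf", "docx": "zip", "xlsx": "zip", "pptx": "zip", "zip": "zip",
    "png": "png", "jpg": "jpg", "jpeg": "jpg",
}

EXECUTABLE_EXTENSIONS = {"exe", "scr", "bat", "cmd", "js", "vbs", "msi", "hta", "ps1", "lnk"}
RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE


def sniff(data):
    """Identify a file by its leading bytes, ignoring its name."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def inspect_download(filename, data):
    """Return ('ok' | 'suspicious', reasons) for a file received from a converter."""
    reasons = []

    if RLO in filename:
        reasons.append("filename contains a right-to-left override (U+202E)")

    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"final extension .{ext} is executable")
        if len(parts) > 2 and parts[-2] in EXPECTED_KIND:
            reasons.append(f"double extension .{parts[-2]}.{ext} mimics a document")

    kind = sniff(data)
    if kind == "exe":
        reasons.append("content starts with an MZ (PE executable) header")
    expected = EXPECTED_KIND.get(ext)
    if expected and kind != expected:
        reasons.append(f"claimed .{ext} but content looks like {kind}")
    # Heuristic only: a PDF carrying script or launch actions deserves a closer look.
    if kind == "pdf" and (b"/JavaScript" in data or b"/Launch" in data):
        reasons.append("PDF contains a /JavaScript or /Launch action")

    return ("suspicious" if reasons else "ok", reasons)


if __name__ == "__main__":
    # Constructed sample downloads; the bytes are minimal stand-ins, not real files.
    samples = [
        ("invoice.pdf", b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"),
        ("invoice.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),
        ("invoice.pdf.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
        ("photo" + RLO + "gpj.exe", b"MZ\x90\x00"),
    ]
    for name, blob in samples:
        verdict, why = inspect_download(name, blob)
        print(f"{name!r}: {verdict} {why}")
```

Note that the check trusts neither the name nor the bytes alone: a clean-looking name with an MZ header and an executable name with a genuine PDF body are both flagged, which is the behaviour you want for anything downloaded from a site you did not vet.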

Security researchers have identified multiple malicious domains involved, with incidents in the Denver area reported in recent weeks.

The FBI urges the public to avoid unknown converter sites, keep antivirus software updated, and use built-in conversion features within trusted apps.

Europol arrests four Russians in ransomware crackdown

Authorities have arrested four Russian nationals suspected of deploying Phobos ransomware to extort payments from victims across Europe and beyond. Europol announced that law enforcement agencies from 14 countries worked together to dismantle the network, taking down 27 servers linked to the cybercriminals. The individuals arrested were reportedly leaders of the 8Base ransomware group, a key player in distributing Phobos malware.

The operation follows a series of recent arrests targeting Phobos-related cybercrime. In June 2024, a key administrator of the ransomware was apprehended in South Korea and later extradited to the United States, while another major affiliate was arrested in Italy last year. Authorities have since issued warnings to over 400 companies worldwide about imminent cyberattacks.

Phobos ransomware has been particularly damaging to small and medium-sized businesses, which often lack strong cybersecurity protections. The latest arrests are a significant step towards weakening the ransomware network and preventing further extortion.

Ransomware attack locks energy contractor out of financial systems for six weeks

ENGlobal Corporation, a major contractor in the energy sector and federal government, was locked out of its financial systems for six weeks following a ransomware attack that began on 25 November 2024, the company disclosed in a filing with the US Securities and Exchange Commission (SEC).

The attack disrupted access to key business applications, affecting operational and corporate functions, including financial and reporting systems. However, ENGlobal stated that its systems have been fully restored, and the attackers no longer have access.

The Oklahoma-based company also confirmed that the breach involved unauthorised access to sensitive personal information stored on its IT systems. The company stated that affected individuals will be notified accordingly.

In an earlier SEC filing in December, ENGlobal revealed that the attackers had encrypted data files after gaining access, forcing the company to restrict IT system access and limit operations to essential functions. Despite the disruption, the company does not expect a material financial impact from the incident.

Founded in 1985, ENGlobal specialises in designing and constructing automation and instrumentation systems for commercial and government clients, including the US defence industry. The company reported $6 million in revenue for the third quarter of 2024.

No ransomware group has claimed responsibility for the attack, which caused a longer-than-average outage.

US charges Russian-Israeli citizen over Lockbit ransomware

The United States has charged Rostislav Panev, a Russian-Israeli dual citizen, for his alleged role as a developer for the Lockbit ransomware group, which authorities describe as one of the world’s most destructive cybercrime operations. Panev, arrested in Israel in August, awaits extradition.

Lockbit, active since 2019, has targeted over 2,500 victims across 120 countries, including critical infrastructure and businesses, extorting around $500 million in ransom payments. Recent arrests, guilty pleas, and international law enforcement operations have significantly disrupted the group’s activities.

Experts say law enforcement actions have tarnished Lockbit’s reputation, reducing its attacks and deterring affiliates. Authorities emphasise the importance of holding cybercriminals accountable.

Global fight against ransomware: collaboration is the key to resilience

Diplo is reporting from the 2024 Internet Governance Forum (IGF) in Riyadh. On the forum’s first day, a panel of international experts shed light on the relentless rise of ransomware attacks and the global efforts to counter this growing cyber threat. Moderated by Jennifer Bachus of the US State Department, the session featured cybersecurity leaders Elizabeth Vish, Daniel Onyanyai, and Nils Steinhoff, who highlighted the scale of the crisis and the collaborative response through the Counter Ransomware Initiative (CRI).

Ransomware, described as ‘cybercrime as a service,’ has evolved from simple data encryption to complex extortion schemes targeting critical infrastructure worldwide. ‘Emerging markets are now increasingly in the crosshairs,’ noted Elizabeth Vish, pointing to growing vulnerabilities in developing economies that lack robust cybersecurity resources. With over $1.1 billion in crypto payments extracted by attackers in 2023 alone, ransomware continues to prove profitable, its impacts often crippling public services like hospitals and government institutions.

Established in 2021, the CRI is a coalition of nearly 70 nations dedicated to building collective cyber resilience. Operating under four pillars—policy development, capacity development, public-private partnerships, and the International Counter-Ransomware Task Force—the CRI offers platforms for real-time threat sharing, technical support, and global cooperation. Onyanyai emphasised the initiative’s mentorship model: ‘Advanced nations can guide less-prepared countries, ensuring no one faces this threat alone.’

Public-private cooperation emerged as a cornerstone of the fight. Vish stressed that private companies, often the first to detect attacks, ‘own critical infrastructure and can contribute threat intelligence and resilience strategies.’ Additionally, the role of cyber insurance was discussed as a tool for incentivising better cybersecurity hygiene while facilitating incident recovery.

The panellists underscored the need for collective preparation, emphasising proactive measures like multi-factor authentication and data backups. Vish coined the mantra: ‘Prepare, don’t pay.’ While CRI officially advocates a ‘no ransom’ stance, some countries still grapple with policies on payments.

The session concluded with a stark reminder: no country is immune to ransomware. Whether through emerging AI capabilities or evolving tactics, ransomware remains a persistent, global threat. As Jennifer Bachus aptly summarised: ‘Only through cooperation, capacity building, and resilience will we turn the tide against these cybercriminals.’

All transcripts from the Internet Governance Forum sessions can be found on dig.watch.

SEC and ICBC unit reach settlement after ransomware attack

The SEC has settled allegations against ICBC Financial Services, a US-based unit of the Industrial and Commercial Bank of China, following a ransomware attack in November 2023.

The attack disrupted the company’s operations, including its ability to maintain accurate records and notify customers of securities-related transactions for nearly four months.

Regulators cited the firm’s lack of preparation for a significant cybersecurity incident as a factor leading to the breach. Despite this, the SEC refrained from imposing a civil fine, crediting the company’s meaningful cooperation and extensive remedial efforts in addressing the situation.

ICBC Financial Services neither admitted nor denied any wrongdoing in the settlement. The agreement highlights the SEC’s focus on ensuring firms take proactive steps to strengthen their cybersecurity defences.

Russia arrests ransomware affiliate and alleged member of multiple hacking groups

Russian authorities have reportedly arrested and indicted Mikhail Pavlovich Matveev, a suspected ransomware affiliate accused of developing malware and collaborating with multiple hacking groups.

While the prosecutor’s office has not disclosed the suspect’s identity, court documents describe him as a ‘programmer.’ According to the Russian Ministry of Internal Affairs, sufficient evidence has been gathered, and the case has been referred to the Central District Court of Kaliningrad. Matveev is accused of creating ‘specialised malicious software’ designed to encrypt data from commercial organisations, demanding ransoms for decryption.

Matveev’s alleged criminal history extends beyond Russia. In May 2023, the US Department of Justice charged him for his involvement with the Hive and LockBit ransomware operations, which targeted victims across the United States. He is also suspected of playing a foundational role in the Babuk ransomware group and of operating as ‘Orange,’ the creator of the RAMP hacking forum.

Ransomware disrupts Starbucks scheduling system

Starbucks is manually processing barista payroll after a ransomware attack disrupted the third-party software it uses for scheduling. Despite the outage, the company assured employees they would be paid correctly and instructed store managers on manual workarounds to keep operations running smoothly.

The attack targeted Blue Yonder, a supply chain software provider whose clients include major grocery chains and Fortune 500 companies. Blue Yonder has faced backlash as its systems remain compromised, with multiple companies, including Ford, assessing potential impacts. The cybersecurity firm CrowdStrike is assisting with recovery efforts.

Ransomware attacks have surged globally, with hackers targeting critical operations, especially during high-demand periods like the holiday season. Starbucks’ new CEO Brian Niccol now faces an additional hurdle on top of three straight quarters of declining sales.