Thanks: 
Likes: Arrests have been made of individuals involved in one of the world’s most sophisticated ransomware operations.
Egregor ransomware hit by arrests - Malwarebytes Labs | Malwarebytes Labs
Dislikes: 0
Arrests have been made of individuals involved in one of the world’s most sophisticated ransomware operations.
Egregor ransomware hit by arrests - Malwarebytes Labs | Malwarebytes Labs
Last edited by slimslob; 02-18-2021 at 02:21 AM.
It's about time some arrests were made with ransomware makers and their affiliates.
Never (knock on my headOriginally Posted by slimslob
) had ransomwear buti know a few that did on personal computers, cost them between 300 to 650 usd to get them unlocked.
Sent from my SM-G960U using Tapatalk
About 5 years ago one of my customers got hit with it.
No idea what it cost them, but it was quite the sore subject.
I’m just happy it happened before I got involved with them.
“I think you should treat good friends like a fine wine. That’s why I keep mine locked up in the basement.” - Tim Hawkins
I had a dispensing optician get hit once. The only thing they had on their computers was their optical software package that gets backed up daily plus did bnot have any of the file types that it affected and Quickbooks which she backed after doing any entries. So the only thing lost were the various word documents that Quickbooks includes which she didn't use any way.Never (knock on my head
Sent from my SM-G960U using Tapatalk
Posted: January 27, 2021 by Malwarebytes Labs
Last updated: January 28, 2021
In a coordinated action, multiple law enforcement agencies have seized control of the Emotet botnet. Agencies from eight countries worked together to deliver what they hope will be a decisive blow against one of the world’s most dangerous and sophisticated computer security threats.
The Emotet threat
In a statement announcing the action, Europol described Emotet as “one of the most significant botnets of the past decade” and the world’s “most dangerous” malware.
The malware has been a significant thorn in the side of victims, malware researchers and law enforcement since it first emerged in 2014. Originally designed as a banking Trojan, the software became notorious for its frequent shapeshifting and its ability to cause problems for people trying to detect it. This lead to it being used as a gateway for other kinds of malware. Emotet’s criminal operators succeeded in infiltrating millions of Windows machines, and then sold access to those machines to other malware operators.
Taking down Emotet’s infrastructure not only hobbles Emotet, it also disrupts an important pillar of the malware delivery ecosystem.
The takedown
Successful botnets are typically highly distributed and very resilient to takedown attempts. Effective law enforcement cooperation is therefore vital, so that all parts of the system are tackled at the same time, ensuring the botnet can’t reemerge from any remnants that go untouched.
In this case, that meant tackling hundreds of servers simultaneously. Describing the level of cooperation required, Malwarebytes’ Director of Threat Intelligence, Jerome Segura said:
Going after any botnet is always a challenging task, but the stakes were even higher with Emotet. Law Enforcement agencies had to neutralize Emotet’s three different botnets and their respective controllers.Although it gives few details, the Europol press release hints that a novel and sophisticated approach was used in the action, stating that the Emotet botnet was compromised “from the inside”. According to the agency, “This is a unique and new approach to effectively disrupt the activities of the facilitators of cybercrime.”
Segura added:Unlike the recent and short-lived attempt to take down TrickBot, authorities have made actual arrests in Ukraine and have also identified several other individuals that were customers of the Emotet botnet. This is a very impactful action that likely will result in the prolonged success of this global takedown.It remains to be seen if this is the final chapter of the Emotet story, but even if it is, we aren’t at the end of the story just yet.
This action removes the threat posed by Emotet, by preventing it from contacting the infrastructure it uses to update itself and deliver malware. However, the infections remain, albeit in an inert state. To complete the eradication of Emotet, those infections will need to be cleaned up too.
The knockout?
In a highly unusual step, it looks as if the clean up isn’t going to be left to chance. A few hours after the takedown was announced, ZDNet broke the news that law enforcement in the Netherlands are in the process of deploying an Emotet update, and that will remove any remaining infections on March 25th, 2021.
Malwarebyes Threat Intelligence has since pointed out that the actual removal date is April 25th, 2021, because, as any programmer can tell you, the first item in an array is zero, not one.
I have had two cities, one municipal gov't and two retirement care homes who are customer's of mine attacked by ransomware in the last 12 months.
Fonix ransomware gives up life of crime, apologizes
Posted: February 1, 2021 by Malwarebytes Labs
Ransomware gangs deciding to pack their bags and leave their life of crime is not new, but it is a rare thing to see indeed.
And the Fonix ransomware (also known as FonixCrypter and Xinof), one of those ransomware-as-a-service (RaaS) offerings, is the latest to join the club.
Fonix was first observed in mid-2020, but it only started turning heads around September-October of that year. Believed to be of Iranian origin, it is known to use four methods of encryption—AES, Salsa20, ChaCha, and RSA—but because it encrypts all non-critical system files, it’s slower compared to other RaaS offerings.
This isn’t the first time a ransomware group has displayed a conscience—that is assuming we take their word they will continue to “use our abilities in positive ways”. In 2018, developers of the GandCrab ransomware, another RaaS that also made a public announcement of shutting down its operations in mid-2019, made a U-turn and released decryption keys for all its victims in Syria after a Syrian father took to Twitter to plead with them. GandCrab had infected his system and encrypted photos of his two sons who had been taken by the war.
In 2016, when TeslaCrypt made an exit from the RaaS scene, a security researcher reached out to its developers and asked if they would release the encryption keys. They did release the master key that helps decrypt affected systems for free.
It remains to be seen if the Fonix gang will keep their word. If some or all of them change their minds and go back to a life of crime, they wouldn’t be the first ransomware gang to do so. Any ransomware group packing up and leaving is good news. However, while Fonix appears to have left the building, it was only one small player in a vast criminal ecosystem. The threat of ransomware remains.
Posting Permissions
Reply With Quote
Bookmarks