BlackCat Ransomware Operation Disrupted! 🛑 Decryptor Released! 🚨

Dec 20 2023



Welcome to Gone Phishing, your daily cybersecurity newsletter, whose only Christmas wish (cough cough, hackers) is the #EpsteinClientList 👀😬💀

Today’s hottest cybersecurity news stories:

  • 👮 FBI skins BlackCat ransomware, releases free decryption tool 🐱

  • 🚪 Marty, it’s the Iranians! MuddyC2Go is a go, go… Oh no, no! 💩

  • 👀 PikaBot is scraping the bottom of the barrel in terms of malware 👍

FBI says: right, BlackCat, you scumbags 👮🔫🚓

🚨 BlackCat Ransomware Operation Disrupted! 🛑 Decryptor Released! 🚨

In a major victory against cybercrime, the U.S. Justice Department has officially dismantled the BlackCat ransomware operation, providing victims with a decryption tool to unlock their files. 🦠🔐 Court documents reveal the FBI's strategic move, enlisting a confidential human source to hack the hackers by gaining access to BlackCat's web panel.

๐ŸŒ BlackCat, also known as ALPHV and Noberus, emerged in December 2021, becoming the second most prolific ransomware-as-a-service after LockBit. Notably, it's the first ransomware using the Rust language.

💰 The FBI's efforts saved victims from $68 million in ransom demands, working closely with victims to implement the decryptor. The operation exposed the inner workings of BlackCat, collecting 946 key pairs used for its Tor sites, leading to the group's dismantlement.

๐ŸŒ BlackCat, employing a ransomware-as-a-service model, compromised over 1,000 global victims, earning illicit revenues in the hundreds of millions. Its double extortion scheme pressured victims by exfiltrating sensitive data before encryption.

๐Ÿ” What's Next?

With BlackCat out of the picture, rival groups like LockBit are seizing the opportunity, actively recruiting displaced affiliates and resuming victim negotiations on their data leak site.

๐Ÿ‘ Kudos to the FBI for taking down BlackCat and safeguarding countless victims! ๐ŸŒ๐Ÿ’ป

Learn AI in 5 minutes a day. We'll teach you how to save time and earn more with AI. Join 400,000+ free daily readers for trending tools, productivity boosting prompts, the latest news, and more.

MuddyC2Go before you go, go 🎶🕺😂

๐Ÿ” Cyber Threat Alert: MuddyWater Strikes Telecom Sectors with MuddyC2Go! ๐Ÿ”

The notorious Iranian nation-state actor, MuddyWater, has unleashed a new command-and-control (C2) framework called MuddyC2Go in targeted attacks on the telecommunications sectors in Egypt, Sudan, and Tanzania. 🌍

💩 Muddying the Waters 💩

Symantec's Threat Hunter Team, tracking this activity under the alias Seedworm, reveals MuddyWater's affiliation with Iran's Ministry of Intelligence and Security (MOIS) since 2017, focusing on entities in the Middle East. 🕵️‍♂️💼

MuddyC2Go, a Golang-based successor to PhonyC2, grants remote access to victim systems via a PowerShell script, eliminating the need for manual execution. Recent intrusions in November 2023 employed SimpleHelp, Venom Proxy, a custom keylogger, and other publicly available tools.

The attack methodology includes weaponized phishing emails and exploiting unpatched application vulnerabilities for initial access, followed by reconnaissance, lateral movement, and data collection. Symantec details incidents targeting telecom organisations, utilising AnyDesk, SimpleHelp, and MuddyC2Go launchers.

Notably, MuddyWater adapts and evolves its toolset, emphasising the persistent use of PowerShell-related tools, urging organisations to monitor suspicious PowerShell activity.

๐ŸŒ Global Cyber Landscape Update ๐ŸŒ

Meanwhile, an Israel-linked group, Gonjeshke Darande, claims responsibility for disrupting Iran's gas pumps in response to regional aggression. The group, associated with the Israeli Military Intelligence Directorate, resurfaced in October 2023 after a year of silence, conducting destructive attacks on Iranian facilities.

🎣 Catch of the Day!! 🌊🐟🦞

🃏 The Motley Fool: “Fool me once, shame on — shame on you. Fool me — you can't get fooled again.” Good ol’ George Dubya 😂 Let us tell you who’s not fooling around though; that’s the Crüe 👀 at Motley Fool. You’d be a fool (alright, enough already! 🙈) not to check out their Share Tips from time to time so your savings can one day emerge from their cocoon as a beautiful butterfly! 🐛 Kidding aside, if you check out their website they’ve actually got a ton of great content with a wide variety of different investment ideas to suit most budgets 🤑 (LINK)

🚵 Wander: Find your happy place. Cue Happy Gilmore flashback 🏌️⛳🌈🕊️ Mmmm Happy Place… 😇 So, we’ve noticed a lot of you guys are interested in travel. As are we! We stumbled upon this cool company that offers a range of breath-taking spots around the United States and, honestly, the website alone is worth a gander. When all you see about the Land of the free and the home of the brave is news of rioting, looting and school shootings, it’s easy to forget how beautiful some parts of it are. The awe-inspiring locations along with the innovative architecture of the hotels set Wander apart from your run-of-the-mill American getaway 🏞️😍 (LINK)

🌊 Digital Ocean: If you build it they will come. Nope, we’re not talking about a baseball field for ghosts ⚾👻🍿 (Great movie, to be fair 🙈). This is Digital Ocean, who’ve got a really cool platform for building and hosting pretty much anything you can think of. If you check out their website you’ll find yourself catching the buzz even if you can’t code (guilty 😑). But if you can and you’re looking for somewhere to test things out or launch something new or simply enhance what you’ve got, we’d recommend checking out their services fo’ sho 😉 And how can you not love their slogan: Dream it. Build it. Grow it. Right on, brother! 🌿 (LINK)

My plumber’s here and I think I can PikaBot 👍

🚨 Malware Alert: PikaBot Strikes in Malvertising Campaign! 🦠🔍

Beware, tech enthusiasts! The PikaBot malware loader is on the prowl, infiltrating systems through a cunning malvertising campaign that targets users searching for legit software like AnyDesk. 🖥️🛑

Discovered by Malwarebytes, PikaBot, previously distributed via malspam campaigns, has become the preferred payload for the notorious threat actor TA577 since early 2023. This malware family operates as a backdoor and payload distributor, granting unauthorised remote access to compromised systems.

TA577, a cybercrime heavyweight, utilises PikaBot to execute various malicious tools, including Cobalt Strike. The latest twist involves a malicious Google ad for AnyDesk leading victims to a fake website with a sneaky MSI installer hosted on Dropbox.

What's alarming is the sophistication of the malvertising chain, involving fingerprinting, redirection, and a second round of checks to avoid virtual environments. 😱🔄

๐ŸŒ Malvertising on the Rise ๐ŸŒ

Malwarebytes reports a surge in malicious ads on Google searches for popular software like Zoom, Advanced IP Scanner, and WinSCP. This wave introduces a new loader called HiroshimaNukes and FakeBat, both adept at bypassing detection mechanisms. 📈🕵️‍♂️

As if that's not enough, a Chrome extension framework named ParaSiteSnatcher is making waves, designed to compromise users in Latin America. It manipulates web sessions and intercepts sensitive information.

Stay vigilant and ensure your cybersecurity measures are up to the challenge! 🔒👀

๐Ÿ—ž๏ธ Extra, Extra! Read all about it!

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • The GeekAI: A daily 3 min newsletter on what matters in AI; with all the new AI things coming to market, it's good to stay ahead of the curve.

  • Libby Copa: The Rebel Newsletter helps writers strengthen their writing and creative practice, navigate the publishing world, and turn their art into an act of rebellion.

  • Techspresso: Receive a daily summary of the most important AI and Tech news, selected from 50+ media outlets (The Verge, Wired, Tech Crunch etc.)

Let us know what you think!

So long and thanks for reading all the phish!
