ransomware – Dataconomy (https://dataconomy.ru): Bridging the gap between technology and business

Major cyber attack by BlackSuit ransomware disables CDK Global’s operations
https://dataconomy.ru/2024/06/24/cdk-cyber-attack-update-blacksuit/
Mon, 24 Jun 2024 07:56:01 +0000

In a recent cyber attack update, CDK Global has been hit hard by the BlackSuit ransomware gang, causing a significant IT outage that has disrupted operations for car dealerships across North America. Multiple sources, who requested anonymity, have confirmed the involvement of the ransomware group, according to Lawrence Abrams of BleepingComputer.

Cyber attack update: CDK is hit by BlackSuit ransomware gang

Bloomberg reported that CDK Global is currently negotiating with the BlackSuit ransomware gang to secure a decryptor and ensure that no stolen data is leaked.

The ongoing negotiations come in the wake of the ransomware attack, which compelled CDK to initially shut down its IT systems and data centers to halt the spread of the attack. Despite attempts to restore services on Wednesday, a second cyber attack by BlackSuit ransomware forced CDK to shut down all its IT systems again, impacting its car dealership platform.

CDK Global, a leading software-as-a-service (SaaS) provider, facilitates car dealerships in managing various operational aspects, including sales, financing, inventory, service, and back-office functions. Currently offline, dealerships are resorting to manual operations with pen and paper.


Additionally, two of the largest public car dealership companies, Penske Automotive Group and Sonic Automotive, revealed yesterday that they have also been affected by these outages. CDK continues to provide updates as they strive to resolve the situation promptly.

“Our Premier Truck Group business utilizes CDK’s dealer management system which has been disrupted. We immediately took precautionary containment steps to protect our systems and commenced an investigation of the incident, which efforts are ongoing. Premier Truck Group has implemented its business continuity response plans and continues to operate at all locations through manual or alternate processes developed to respond to such incidents,” Penske stated in an SEC filing.

“As a result, the Company experienced disruptions to its dealer management system (“DMS”) hosted by CDK, which supports critical dealership operations including those supporting sales, inventory and accounting functions and its customer relationship management (“CRM”) system. All of the Company’s dealerships are open and operating utilizing workaround solutions to minimize the disruption caused by this CDK outage,” said Sonic Automotive in the same SEC filing.

CDK also warns that threat actors are calling dealerships posing as CDK agents or affiliates to gain unauthorized systems access.

About BlackSuit ransomware gang

Launched in May 2023, BlackSuit is widely believed to be a rebranding of the Royal ransomware operation, which itself is considered a direct successor to the infamous Conti cybercrime syndicate. Comprising Russian and Eastern European threat actors, this organized gang has been a persistent security concern.

In June 2023, amidst discussions surrounding a potential rebrand, the Royal Ransomware group tested a new encryptor named BlackSuit, which coincided with their attack on the City of Dallas, Texas. Following these events, the Royal name ceased to be used, with the threat actors consolidating their operations under the BlackSuit moniker.


By November 2023, an advisory issued jointly by the FBI and CISA shed light on the connection between Royal and BlackSuit, noting significant similarities in tactics and coding within their encryptors. This advisory also tied the Royal ransomware gang to attacks on over 350 organizations globally since September 2022, with ransom demands surpassing $275 million.




The transition from Royal to BlackSuit marks a strategic move by the cybercriminals to continue their illicit activities under a new guise, maintaining their dangerous presence in the digital world.


HCL Technologies ransomware attack unveiled
https://dataconomy.ru/2023/12/22/hcl-technologies-ransomware-attack/
Fri, 22 Dec 2023 11:06:04 +0000

HCL Technologies, a stalwart in the IT sector, recently grappled with a ransomware attack targeting a specific project in its isolated cloud environment.

Prior to the ransomware incident, HCL Technologies achieved a significant milestone by crossing a market capitalization of Rs 4 trillion ($48.1b), solidifying its position as the 13th largest listed company on the Indian stock exchanges. This situation seems to have attracted the attention of hackers.

Here is what you need to know about the HCL Technologies ransomware attack

HCL Technologies recently faced a ransomware attack targeting one project within an isolated cloud environment. The incident was revealed through a regulatory filing in which the company acknowledged its awareness of the ransomware occurrence. HCL Technologies emphasized that the impact of this incident had been confined to the specific project and did not extend to the overall HCLTech network.


In response to the HCL Technologies ransomware attack, the firm has initiated a comprehensive investigation to understand the root cause of the ransomware incident. The company is working in consultation with relevant stakeholders to assess the situation thoroughly. The primary goal of this investigation is to identify the factors that led to the security breach and to take necessary remedial actions to mitigate any potential damage.

The isolated cloud environment affected by the HCL Technologies ransomware attack is under scrutiny as part of the ongoing investigation.

It’s noteworthy that HCL Technologies prioritizes cybersecurity and data protection, underscoring its commitment to safeguarding digital assets. The proactive approach taken by the company in response to the HCL Technologies ransomware attack reflects the industry-wide recognition of the critical importance of cybersecurity in the ever-evolving landscape of the IT sector.

Despite this security challenge, the data does not indicate any observable impact on HCL Technologies’ overall network. This underscores the effectiveness of the company’s security measures in isolating and containing the incident. The proactive stance, detailed investigation, and commitment to remedial action suggest that HCL Technologies is taking the necessary steps to address and rectify the situation.

Despite the HCL Technologies ransomware attack, the firm’s shares were trading positively at Rs 1,493.5 apiece on the BSE at 10:15 am on the day of the incident, showcasing a resilient market response. However, as the investigation unfolds, stakeholders, including clients and investors, will likely be keenly interested in understanding the incident’s specific details and the measures HCL Technologies took to reinforce its cybersecurity infrastructure.

Ransomware attacks are trending

The HCL Technologies ransomware attack came just after the Insomniac hack, which was led by the Rhysida hacker group and exposed sensitive data, including details about the upcoming Wolverine PS5 game and other games scheduled until 2030, after Sony refused to pay a ransom of 50 Bitcoin. But how were these giant companies hacked? Let’s take a closer look.


Ransomware attacks are on the rise globally, targeting entities across industries and sectors. The frequency of these incidents is a cause for concern, signaling a lucrative venture for cybercriminals seeking financial gains through extortion.

We have to admit that cybercriminals are becoming increasingly sophisticated in their tactics, employing advanced techniques to breach even well-fortified digital defenses. Though contained, the HCL Technologies ransomware attack underscores the adaptability and agility of these cyber threats. However, attackers do not always need sci-fi hacker tactics. For example, the Insomniac hackers revealed that they chose their target because it was easy. The group claimed that breaching the system took just 20–25 minutes.

“Yes, we knew who we were attacking. We knew that developers making games like this would be an easy target.”

Social engineering remains a key component of ransomware attacks. Cybercriminals often target the human element as the entry point for their malicious activities, whether through phishing emails or exploiting human vulnerabilities.

So, what to do? Besides your IT team’s great effort, individuals and organizations should prioritize regular software updates to patch vulnerabilities. Strong, unique passwords and multi-factor authentication add layers of protection to accounts. Vigilance in email interactions, such as avoiding suspicious links, is crucial. Regular data backups and the installation of reputable antivirus software provide defenses against ransomware attacks. Limiting user privileges and fostering cybersecurity education further strengthen resilience.

Securing Wi-Fi networks with strong passwords and encryption, implementing network segmentation, and conducting regular security audits are essential defensive strategies. Developing an incident response plan and collaborating with cybersecurity communities contribute to effective crisis management. Monitoring system logs for unusual activities aids in early threat detection. Staying informed about evolving cybersecurity trends and best practices is fundamental for adapting to emerging threats.

Adopting these measures collectively establishes a proactive and robust cybersecurity posture, reducing vulnerability to cyber threats.

Toyota hit by Medusa ransomware, compromising customer data
https://dataconomy.ru/2023/12/12/toyota-hit-by-medusa-ransomware-compromising-customer-data/
Tue, 12 Dec 2023 09:10:52 +0000

Toyota Financial Services (TFS), a subsidiary of Toyota Motor Corporation, has fallen victim to a cyberattack, with the notorious Medusa ransomware gang claiming responsibility. This breach has resulted in the exposure of a substantial amount of sensitive data, leading to heightened tensions and potential threats to customer privacy. German news site Heise published details about the breach.

$8 million demand and data leak loom

Last month, unauthorized access was detected in Toyota’s systems in Europe and Africa. Following this, Medusa ransomware claimed a successful compromise of Toyota’s European division, demanding an $8,000,000 ransom and setting a 10-day deadline for response. The hackers eventually leaked all data on Medusa’s extortion portal on the dark web, as negotiations with Toyota seemingly did not occur.

Full names, addresses, IBAN numbers and more were leaked

Toyota Kreditbank GmbH in Germany was identified as one of the affected divisions. The data compromised in this breach includes customers’ full names, residence addresses, contract information, lease-purchase details, and IBAN numbers. This confirmation came as Toyota sent notices to its German customers regarding the breach.

What did Toyota do?

Upon detecting unauthorized access, Toyota took immediate action by taking some systems offline to contain the breach and minimize risks. The company began collaborating with law enforcement to address the situation. Toyota has also assured that they prioritize the security and privacy of customer data and will provide updates as appropriate.


Toyota’s website stated after a while: “Due to an attack on the systems, unauthorized persons gained access to personal data. Affected customers have now been informed. Toyota Kreditbank’s systems have been gradually restarted since December 1st.”

This data breach has far-reaching consequences, potentially leading to financial losses, regulatory penalties, and reputational damage for Toyota. It could also hurt sales and consumer trust and cause operational disruptions, delaying financial services for customers and the broader market.

Not the first cybersecurity issue for Toyota

This incident is not Toyota’s first encounter with cybersecurity issues. Past incidents include a potential data leak in 2022 due to source code exposure on GitHub, a cyber breach in March 2023 disrupting vehicle production, and a significant customer data leak in May 2023 affecting regions in Oceania and Asia.

Unraveling the Johnson Controls Ransomware attack: Dark Angels wants $51 million
https://dataconomy.ru/2023/09/29/johnson-controls-ransomware-attack/
Fri, 29 Sep 2023 20:51:08 +0000

The Johnson Controls ransomware attack is the topic of the day. Johnson Controls, a global industrial control systems leader, is battling the notorious Dark Angels hackers. The digital intruders have locked up the company’s data and are demanding an astonishing $51 million for its release.

This high-stakes cyber showdown has left Johnson Controls reeling, disrupting its daily operations. Worse, sensitive Department of Homeland Security (DHS) information may be on the line, raising national security concerns. Johnson Controls has almost one hundred thousand employees amongst its several divisions and affiliates (such as ADT, Tyco, York, SimplexGrinnell, and Ruskin).

In this article, we’ll break down what happened, the impact on Johnson Controls and national security, and the shadowy world of Dark Angels, a hacking group pushing the boundaries of cyber warfare.


Johnson Controls ransomware attack may cost $51 million

In a filing with the SEC on Wednesday, Johnson Controls International revealed that the business is dealing with the fallout from a cyber event that affected parts of its internal IT infrastructure and applications.

The Johnson Controls ransomware attack is a cyber incident where the prominent industrial control systems manufacturer, Johnson Controls, fell victim to a ransomware attack directed by a group known as Dark Angels. During the attack, the hackers infiltrated Johnson Controls’ IT systems, encrypted their data, and demanded a hefty ransom of $51 million for the decryption key and the promise to delete the stolen data.

The specific details of the data stolen during the Johnson Controls ransomware attack have not been publicly disclosed in great detail. However, it has been reported that the hackers claimed to have accessed approximately 27 terabytes of data. Of particular concern was the possibility that the stolen data might include sensitive information related to the Department of Homeland Security (DHS).


The reports suggested that the stolen data could potentially encompass security information tied to third-party contracts and floor plans of certain agency facilities. However, it’s important to note that the full extent of the stolen data and its contents may not have been fully disclosed to the public, and some details may remain confidential due to the ongoing investigation and the sensitive nature of the information involved.

In ransomware attacks, cybercriminals typically steal data from the victim’s systems before encrypting it, and they may threaten to release this data if their ransom demands are not met. This “double-extortion” tactic is intended to increase the pressure on the victim to pay the ransom, and Dark Angels heavily use this tactic.

Dark Angels unveiled

Dark Angels burst onto the scene in May 2022, targeting organizations worldwide. Their modus operandi involves breaching corporate networks, stealing data, and deploying ransomware. They’ve gained notoriety for their use of double-extortion tactics, threatening to leak stolen data if ransoms aren’t paid.

While Dark Angels initially employed Windows and VMware ESXi encryptors, the Linux encryptor used in the Johnson Controls attack has been traced back to the Ragnar Locker ransomware, which has been active since 2021.

In April 2023, Dark Angels unveiled ‘Dunghill Leaks,’ a data leak site designed to exert further pressure on their victims by exposing sensitive information if ransoms remain unpaid.

Johnson Controls

With headquarters in Cork, Ireland, Johnson Controls International is a worldwide business that manufactures fire, ventilation, and security systems for commercial and residential properties. As of mid-2019, it had 105,000 employees spread over about 2,000 sites on six continents.


Conclusion

In the wake of the Johnson Controls ransomware attack, we find ourselves at the crossroads of cyber warfare and corporate resilience. The audacity of Dark Angels’ digital siege reminds us that even industry titans can be brought to their knees by the relentless evolution of cyber threats.

The staggering $51 million ransom demand looms like a shadow over Johnson Controls, as the company grapples not only with the immediate consequences of the attack but also the potential long-term repercussions. The very real prospect of sensitive Department of Homeland Security data falling into the wrong hands adds a layer of urgency to an already complex situation.

As the cybersecurity community watches closely, it’s important to consider the potential ramifications beyond decryption keys and data loss. In the event of a data breach involving sensitive government information, hefty fines and legal repercussions could follow. The Department of Homeland Security, like other government entities, takes data breaches seriously, and the fallout from such an incident could be extensive.

In the end, the Johnson Controls ransomware attack serves as a stark reminder that no entity is immune to the evolving tactics of cyber adversaries. It underscores the critical importance of robust cybersecurity measures and rapid response strategies in our interconnected world.

As we navigate these digital waters, one thing remains clear: the battle against cyber threats is an ongoing and ever-adaptive struggle, where vigilance, preparedness, and resilience are the keys to emerging unscathed from the shadows cast by those who seek to exploit our digital vulnerabilities.

Reported ransomware attacks increased 47% in July
https://dataconomy.ru/2022/08/30/ransomware-attacks-increased-in-july/
Tue, 30 Aug 2022 06:22:33 +0000

  • In July, there were 198 reported ransomware attacks, a considerable increase from the 159 logged in July 2021, marking both a month-over-month and a year-over-year rise.
  • Additionally, the rise contradicts a generally reliable seasonal trend that witnessed a reduction in ransomware activity from May through June into July.
  • This is corroborated by data from the consulting company NCC Group, whose Strategic Threat Intelligence team observed a 45% increase in ransomware attack occurrences for July over the same time last year.

This summer, ransomware operators are back with a fury as monthly assault volumes rise during a period when they usually decline.

The number of ransomware attacks increased MoM and YoY in July

This is supported by statistics from the consulting firm NCC Group, whose Strategic Threat Intelligence team noted a 45% rise in ransomware attack events for July over the same period last year. An increase from June’s 135 attacks to 198 attacks was seen by researchers.

According to NCC Group experts, some prominent ransomware gangs that had previously been hiding out have returned, which has led to an increase in attacks. Having increased their numbers and improved their tactics, those gangs reappeared in July with a vengeance.


“Following the considerable decrease from May to June (from 236 to 135), it is likely that the threat actors that were undergoing structural changes, such as the Conti operators and LockBit, have begun settling into their new modes of operating, resulting in their total compromises increasing in conjunction,” stated the NCC Group analysts.

Along with Conti and LockBit’s comeback, July saw the emergence of a few new ransomware operations. HiveLeaks ransomware operators in particular stepped up their efforts, with their attacks rising from five in June to 23 in July. In terms of monthly attacks, this was enough to move HiveLeaks up from seventh to second.

The most widely used ransomware variation, ahead of HiveLeaks, is still LockBit 3.0. The third-placed malware, Black Basta, was followed by Alphv and Clop, making up the top five.

“This month’s Threat Pulse has revealed some major changes within the ransomware threat scene compared to June, as ransomware attacks are once again on the up. Since Conti disbanded, we have seen two new threat actors associated with the group, Hiveleaks and BlackBasta, take top position behind LockBit 3.0. It is likely we will only see the number of ransomware attacks from these two groups continue to increase over the next couple of months,” said Matt Hull, Global Head of Threat Intelligence at NCC Group.


The industrial sector was by far the most frequently targeted, with professional and commercial services being the most preferred victims, followed by building and engineering operations.

“Following two major cryptocurrency heists, Lazarus Group seem to be improving their crypto-theft and ransomware operations, so it is more important than ever to monitor their activity closely. Cryptocurrency organisations in the US, Japan and South Korea should remain on high alert,” he added.




Ransomware operators are driven to the vast attack surfaces that most industrial networks offer, according to NCC Group experts.

“Industrials is a sector that continues to be heavily targeted and successfully compromised due to its broad range of industries within, the costliness of operational disruption, and its vast distribution of operational technology and legacy systems,” said NCC Group.


The number of ransomware attacks increased month over month and year over year in July, with 198 documented ransomware attacks representing a significant rise from the 159 logged in July 2021.

The increase also breaks with a fairly consistent seasonal pattern that saw ransomware levels decline from May and June into July. The analysts pointed out that the development might not have been an isolated anomaly.




“As July’s increase takes place just after Conti’s integration into alternative ransomware groups (such as Black Basta) and LockBit’s third metamorphosis, it is likely that this year-on-year disparity is as a result of this,” explained NCC Group analysts. “No such activity was taking place in 2021, and as a result, June-July of 2021’s figures were possibly representative of general seasonal changes in activity,” they added.

The No More Ransom project rescued more than a million digital lives from ransomware gangs
https://dataconomy.ru/2022/07/27/no-more-ransom-program-cybersecurity/
Wed, 27 Jul 2022 15:03:44 +0000

The No More Ransom project has announced that six years after its establishment, it has assisted more than 1.5 million individuals in successfully decrypting their locked devices and regaining access to their data without paying a ransom.

No More Ransom was launched 6 years ago

No More Ransom was launched in 2016 as a joint effort by the European Cybercrime Centre at Europol, the National High Tech Crime Unit of the Dutch Police, and cybersecurity heavyweights Kaspersky and McAfee. The project’s main objective is to provide victims with free ransomware decryptors.

The No More Ransom project now has more than 180 participants. In addition to straightforward decryption tools, it offers general ransomware information to increase awareness, suggestions for handling ransomware occurrences, and directions for reporting cybercrime in more than 30 countries, including the UK. Before it is too late, you can learn how to choose a cyber security monitoring tool in 2022 by visiting our guide to protecting your own personal data.


“Ransomware is an effective way to get money from victims and remains one of the biggest cyber security concerns. In just the first three months of 2022, more than 74,000 unique users were found to have been exposed to this type of threat – and all of these attacks were successfully detected,” stated a security researcher at Kaspersky, Jornt van der Wiel.

“This has led to an increase in the tendency to help these initiatives, and I’m extremely happy that we can assist people and companies in restoring their digital assets without paying the attackers. This way, we hit the criminals where it hurts—their business model—as users are no longer forced to pay to decrypt their data. We will keep on fighting ransomware with our existing and future partners,” he added.


The impact of ransomware is, of course, determined by various sources. Quarterly reports favored by huge cyber security organizations are not always taken at face value because they invariably rely on information gleaned from confidential corporate databases.

The recent statistics show that the risk is not going away

However, many recent publications have claimed that although ransomware is still a real threat, there are some indications that the “market” may be cooling off.

In Europe, there was a tiny year-over-year reduction, with only one in 66 organizations hit, according to statistics released this week by Check Point, which shows that the number of ransomware attacks has climbed and now affects one in 40 organizations weekly globally.


Meanwhile, ransomware no longer dominates the threat landscape, according to Cisco Talos’ Incident Response unit, whose data covering Q2 was recently made public. Instead, commodity malware, which made up 20% of all threats compared to ransomware’s 15%, was the top threat seen in its data between April 1 and June 30. The company’s researchers hypothesized that internal rifts in ransomware gangs and law enforcement takedowns may have contributed to this.

According to SonicWall, which also released a half-yearly threat report this week, June 2022 saw the lowest monthly ransomware volumes globally in two years. This is because ransomware gangs’ lives have become much more difficult due to government sanctions, supply chain issues, plummeting cryptocurrency prices, and a lack of infrastructure.


SonicWall’s data, in contrast to Check Point, recorded a 63 percent increase in ransomware assaults in Europe, indicating a geographical shift in the cybercrime environment is underway, at least partly because of variables related to the situation in Ukraine.

While it is impossible to draw an accurate picture, defenders should be aware that the threat posed by ransomware is not going away. Instead of dealing with it after the fact, the best course of action when dealing with this kind of criminality is to try to avoid it in the first place. That is why initiatives like No More Ransom are vital. We recommend that everyone check out the best cybersecurity practices to stay safe against today’s digital perils.
