IT News

Explore the MakoLogics IT News for valuable insights and thought leadership on industry best practices in managed IT services and enterprise security updates.

Google Pay accidentally handed out free money, bug now fixed

Days ago, several Google Pay users in the US received some unexpected cashback from Google, congratulating them “for dogfooding the Google Pay Remittance experience”. Confused (and a tad happy), some looked to Twitter for answers, while others aired their experiences on the /r/googlepay/ Reddit page.

Freelance journalist Mishaal Rahman was one of the many recipients of free money. He got $46 in “rewards” from the app, while someone else got six rewards of almost $100 each.

“Open GPay, swipe to the ‘Deals’ tab, and see if you have any ‘rewards’ near the top. That’s where I’m seeing this,” Rahman tweeted. “I suspect this is an error, so that money is just gonna sit in my account for now lol.”

Not every Google Pay user received this welcome surprise, though.

Wait. Dogfooding?

Dogfooding is IT slang for using one’s own product, typically in-house before it is released. By that definition, these messages and cashback rewards seemed intended for Google employees or testing partners. Yet the recipients were neither.

“It appears to be an unintended early launch, presumably it has something to do with the new price guarantee for flights,” replied a moderator in the thread on the Google Pay subreddit. “Nothing to be worried about.”

The price guarantee the moderator referred to is a pilot program within Google Flights, Google’s online flight booking service. Under the program, Google pays Flights users, via Google Pay, the difference between the price paid at booking and the lowest ticket price, provided that difference is greater than $5.

This explanation sounds plausible. However, Google neither confirmed nor denied this to be the reason for the hiccup.

In a follow-up to Rahman and the many recipients of the cashback reward, the Google Pay team said the cash they received was unintended. The team also reversed the credit and reassured them no further action was required.

And, yes, if wrongfully rewarded users already transferred or spent the money they received, it’s theirs to keep, the team said.

The email Rahman received from the Google Pay team, telling him the free money he received was a mistake. (Source: Mishaal Rahman)


Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Ransomware in France, April 2022–March 2023

This article is based on research by Marcelo Rivero, Malwarebytes’ ransomware specialist, who monitors information published by ransomware gangs on their dark web sites. In this report, “known attacks” are attacks where the victim opted not to pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher.

Between April 2022 and March 2023, France was one of the most attacked countries by ransomware gangs. During that period:

  • France was the fifth most attacked country in the world.
  • The government sector was attacked more often than in similar countries.
  • LockBit dominated the last twelve months, being used in 57% of known attacks.
  • There were almost twice as many LockBit attacks in France as in either the UK or Germany.

In July 2022, La Poste Mobile, a mobile carrier owned by French postal company La Poste, suffered a LockBit ransomware attack, severely impacting its administrative and management services. After successfully reducing the ransom demand from $1.4 million to $300,000 in a five-day negotiation, La Poste Mobile’s negotiator announced on July 11, “Management doesn’t want to pay anymore … it has reconsidered its decision.” LockBit published the data it had stolen on its leak site, describing it as “the private information of more than a million and a half people in France.”

The La Poste Mobile page on the LockBit leak site

In August 2022, attackers demanded $10 million after a ruthless assault on the Centre Hospitalier Sud Francilien (CHSF), a 1000-bed hospital near Paris. The disruption to CHSF’s computer systems resulted in patients having to be sent elsewhere, and surgeries having to be postponed.

A few months later, in mid-November, French defense and technology group Thales confirmed a data breach affecting contracts and partnerships in Malaysia and Italy. As with so many attacks in France in the last twelve months, the perpetrators used LockBit ransomware.

France is a prime target

In the 12 months from April 2022 to March 2023, France was a globally significant target for ransomware, and the fifth most attacked country by known attacks.

Known attacks in the ten most attacked countries, April 2022 – March 2023

Given the disparity between the USA and the rest of the world in terms of number of attacks it would be easy to conclude that ransomware is, first-and-foremost, a USA problem. It is not. The size and nature of the US economy means that it has many more targets for ransomware gangs than the other countries in the top ten.

We can account for the difference in the size of countries’ economies by dividing the number of known ransomware attacks by a country’s nominal GDP, which gives us an approximate rate of attacks per $1T of economic output. On that basis, the difference between France and the USA is far smaller than the total number of known attacks would suggest. And while France and Germany suffered nearly identical numbers of known attacks, France appears to suffer a much higher rate of attacks per unit of economic activity than its neighbour.

The ten most attacked countries between April 2022 – March 2023, ordered by attacks per $1T GDP

The size of the countries in the top ten also varies enormously, and we can try to account for that by dividing known attacks by the size of each country’s population. On that measure, again, the differences between countries are far smaller than a simple count of known attacks suggests.

In all the variations of our top ten, English-speaking countries occupy at least three of the top five positions, which suggests that ransomware gangs have a slight bias for English-speaking targets. France sits just below the Anglosphere in a cluster of four advanced European economies suffering nearly identical rates of attacks per capita.

The ten most attacked countries between April 2022 – March 2023, ordered by attacks per capita
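The re-ranking described above, as an added example that is not part of the original report: the attack counts are constructed for illustration (they are not Malwarebytes’ figures), and the GDP and population values are rounded approximations used only to show how normalising by economic output or by population reorders the same table.

```python
"""Re-rank ransomware 'known attack' counts by economic size and population.

Added example. Attack counts are constructed illustrative numbers, not the
report's figures; GDP and population are rounded approximations.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Country:
    name: str
    known_attacks: int       # constructed sample count
    gdp_trillion_usd: float  # approximate nominal GDP, $T (assumption)
    population_m: float      # approximate population, millions (assumption)


# Constructed sample data: counts are illustrative, not the report's.
SAMPLE = [
    Country("USA", 1000, 25.5, 333.0),
    Country("UK", 150, 3.1, 67.0),
    Country("Germany", 110, 4.1, 84.0),
    Country("France", 108, 2.8, 68.0),
    Country("Canada", 90, 2.1, 39.0),
]


def per_trillion_gdp(c: Country) -> float:
    """Known attacks per $1T of nominal GDP."""
    return c.known_attacks / c.gdp_trillion_usd


def per_million_people(c: Country) -> float:
    """Known attacks per million inhabitants."""
    return c.known_attacks / c.population_m


def rank(countries, metric):
    """Return (name, value) pairs sorted high-to-low by the chosen metric."""
    return sorted(((c.name, round(metric(c), 2)) for c in countries),
                  key=lambda t: t[1], reverse=True)


def rank_positions(countries, metric):
    """Map each country name to its 1-based position under the metric."""
    return {name: i + 1 for i, (name, _) in enumerate(rank(countries, metric))}


if __name__ == "__main__":
    for label, metric in [("raw count", lambda c: c.known_attacks),
                          ("per $1T GDP", per_trillion_gdp),
                          ("per 1M people", per_million_people)]:
        print(label)
        for name, value in rank(SAMPLE, metric):
            print(f"  {name:<8} {value:>8}")
```

With these constructed inputs the USA tops the raw count by a wide margin, but per $1T of GDP it drops to third and France sits almost level with it, while per capita the three Anglosphere countries occupy the top three positions. The point is not the specific numbers but that the metric you choose changes the story, so any cross-country comparison should state which normalisation it uses.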

By any measure, France is one of the most attacked countries in the world, and its organisations are prime targets for ransomware gangs. Unusually, government targets accounted for a significant proportion of those organisations in the last twelve months. It was the country’s third most attacked sector, accounting for 9% of known attacks. By comparison, over the same twelve month period, 4% of known attacks in the USA and 3% of known attacks in Germany affected their government sectors, while just 20 miles across the English channel, the UK experienced none at all.

Known ransomware attacks by industry sector in France, April 2022 – March 2023

As is often the case, the reasons for this are not obvious. It is possible that this simply reflects the larger footprint of government in France—government spending accounts for a larger proportion of the economy in France than in either the UK or Germany. However, the difference is only a few percentage points.

Ransomware gangs often operate from the safe havens of Russia and the Commonwealth of Independent states, which can make it tempting to ascribe nationalistic or geopolitical motivations to their activity. However, the truth is they are businesses that choose targets that are easy to infiltrate and likely to pay substantial ransoms.

Unfortunately, the most likely explanation for the high proportion of government sector targets among the known attacks in France is that government institutions were easier targets in France than elsewhere.

LockBit’s hunting ground

The most dangerous ransomware in the world right now is LockBit, and LockBit loves France.

In 2022, LockBit was used in 31% of known attacks globally, 3.5 times more than its nearest competitor, ALPHV. (You can read much more about why LockBit is the number one threat to your business in our 2023 State of Malware report.) As you’d expect, given its global preeminence, LockBit was also the most widely used ransomware in France, Germany, and the UK in the last twelve months.

However, LockBit dominates in France in a way that it doesn’t in its European neighbours. Between April 2022 and March 2023, LockBit accounted for an absolutely enormous 57% of known attacks in France. Over the same period, it accounted for 20% of known attacks in the UK and about 30% in Germany.

LockBit recorded 62 known attacks in France in the last twelve months, but no other gang registered more than seven. In the same period LockBit was responsible for 33 known attacks in the UK while six other gangs also got into double digits.

Ransomware with two or more known attacks in France, April 2022 – March 2023

LockBit’s outsized contribution to France’s misery is most clearly seen by highlighting its contribution on a month-by-month basis. The number of monthly attacks in France has been highly volatile, showing far larger variation than the UK, despite its proximity and the similarity of their economies and populations. That volatility is almost entirely down to how many or how few LockBit attacks occurred each month. In the last twelve months only one other gang has registered three known attacks in a single month (Royal in March 2023), while LockBit has matched or exceeded that figure eight times, and exceeded ten attacks in a month twice.

Monthly ransomware attacks in France with LockBit highlighted, April 2022 – March 2023

The reasons for this aren’t clear, but it may simply be that as the 800lb gorilla in the ransomware ecosystem, LockBit is best placed to exploit opportunities outside of the Anglosphere. Like a lot of ransomware, LockBit is sold as a service and attacks are carried out by independent criminal gangs, referred to as “affiliates”, which pay the LockBit gang 20% of the ransoms they extract. The French economy is large enough to provide a fertile hunting ground for cybercriminals. It is possible that some of LockBit’s 100 or so affiliates have decided to specialise there.

Conclusions

In the last 12 months, France was a globally significant hunting ground for ransomware gangs, and the country with the fifth highest total of known attacks. Within France, the government sector was overrepresented, suffering a higher proportion of known attacks than the government sector in the USA, Germany, and the UK. Much like the education sector in the UK, the French government sector should be alarmed that with an entire world of targets to choose from, it has attracted a disproportionate amount of attention.

France attracted enormous attention from gangs using LockBit, the most dangerous ransomware in the world. There were almost twice as many known LockBit attacks in France than in either Germany or the UK. In all, LockBit was used in 57% of known attacks in France, while the next most used ransomware, Vice Society, accounted for just 6%.

France does not so much have a ransomware problem as a LockBit problem.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.


Sextortion “assistance” scammers con victims further

The FBI is warning of a particular aspect of sextortion scams: Supposed organisations that offer “help” to remove stolen images, often at a significant financial cost (and no guarantee of success).

Sextortion, the act of blackmailing individuals for cash in return for not leaking sensitive imagery and videos, has been a problem for many years. Sometimes it’s done by criminals, other times it’s by people known to the target. The imagery may be stolen from online cloud storage, leaked from a server, or obtained by compromising a PC with malware. The end result is the same: blackmail, and the threat of sending the images to friends and family, or just dumping them online.

A sub-industry of sorts has grown up around the sextortion marketplace. Companies which can supposedly help you remove sextortion content or shut down blackmailers, offer to help those in need of assistance. These organisations may be contacted by the victims directly (for example, via adverts or search engine results) or they may make contact by another method.

The FBI believes at least some of these entities may be involved in sextortion attacks themselves. However you stack it up, these supposed businesses have no real way to get material taken offline and kept offline. Unless the people holding on to the stolen content are somehow chased offline forever, there’s nothing stopping them from putting it back or reconnecting with their target.

The whack-a-mole technique, and how “help” can make things worse

This is somewhat similar to those mugshot sites, which scrape mugshots and place them online along with the details of the person in the photograph. They offer to take them down, for a price, but more often than not once the victim pays up the images reappear on a related site and they’re back to square one.

As the FBI notes, law enforcement assistance is free (and there’s slightly more chance of the people responsible getting into trouble for their actions). Here’s some examples provided by the FBI with regard to what bogus assistance looks like in practice, and how the “assistance” can make things worse:

  • A company solicited multiple payments totaling $5,000 from a juvenile sextortion victim after coercing the victim with threats of reputational harm, falsely indicating the victim would be unable to go to college or get a job and the victim’s parents would lose their jobs. The victim contacted the company for help after being sextorted via social media.
  • A juvenile sextortion victim contacted and hired a company for $2,000. When the victim declined to pay for additional services, the company told the victim the sextortion perpetrator asked for $5,000. At that point, the victim paid for the additional services, for which the company charged him an additional $3,200.
  • A company representative contacted the mother of a juvenile sextortion victim and offered to locate the sextortionist in exchange for $1,500. The representative also discouraged the victim’s mother from seeking assistance from law enforcement. It was not clear how the company representative knew about the sextortion or how they obtained the contact information for the victim’s mother.

Here at Malwarebytes, we’ve seen numerous examples of sextortion help advertised online which may (or more likely, may not) be of use to the person being targeted. Back in 2019 we spotted an ad making some bold claims about “keeping explicit images off the internet”. Sure, it might be legitimate, or it could just as easily be designed to suck someone in still further from a problem they can no longer escape. There’s never any real way to know for sure, and this is a primary reason why your first port of call should be law enforcement.

How to spot a sextortion assistance scam

The FBI has some recommendations when dealing with sextortion scams where anything assistance related is concerned. Supposed business entities may lean into your sense of fear, shame, and desperation to get the problem “solved”. In other words, they’ll act in a manner very similar to those performing the extortion in the first place. Signs to watch out for:

  • A company representative contacts you and offers assistance services for which the company charges fees;
  • The company advertises sextortion assistance in exchange for fees;
  • You are asked to pay the fees before the assistance services are rendered;
  • The company requires you to sign a contract for their services;
  • The company representative discourages you from contacting law enforcement or tells you contacting law enforcement is not the best way to get help;
  • The company uses high-pressure or scare tactics in an effort to secure your business; or
  • The for-profit company claims to be connected to government or law enforcement officials.

Malwarebytes tips for dealing with sextortion

We have many tips for all aspects of romance and sextortion attempts, and here’s some of the main things you can do to help yourself avoid sextortion fraud:

  • Don’t panic. If a scammer tells you they have compromising images of you and they show you no evidence of the images, they probably don’t have any. Offering “proof” such as a password or phone number of yours just means they’ve got that data from a breach, and doesn’t mean they have access to your computer or webcam.
  • Don’t engage: report. If you’re shown evidence of stolen images, report to your local authorities and the FBI as soon as you can. Never engage with the sextortionist.
  • Be cautious about what you say to someone online. When asked certain questions, be vague and never give specifics. Remember that online, people can pretend to be someone they’re not, and can even look and sound like a different person with today’s technology.
  • Personalize your security and privacy settings. Lock down your accounts as much as you can, and keep as much hidden from public view as possible.
  • Data is typically forever. Remember that once you send something to someone—whether they’re a stranger, a romantic partner, relative, or friend—you have no control over where it goes next.


Ransomware review: April 2023

This article is based on research by Marcelo Rivero, Malwarebytes’ ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, “known attacks” are those where the victim didn’t pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher.

In a surprising turn of events for the ransomware landscape, Cl0p has emerged as the most used ransomware in March 2023, dethroning the usual frontrunner, LockBit. Indeed, while LockBit was still used in 93 successful attacks last month, it couldn’t quite match the sheer force of Cl0p’s sudden resurgence.

Contributing to Cl0p’s rise to the number one spot was its extensive GoAnywhere campaign. The group successfully breached over 104 organizations by taking advantage of a zero-day vulnerability in the widely-used managed file transfer software, GoAnywhere MFT.

March has also seen some intriguing activity from other ransomware gangs like Dark Power, which appeared to be turning on and off throughout the month, as well as BianLian, which has shifted its focus from encrypting files altogether to pure data-leak extortion.

Known ransomware attacks by gang, March 2023
Known ransomware attacks by country, March 2023
Known ransomware attacks by industry sector, March 2023

Fortra, the company behind GoAnywhere MFT, released an emergency patch (7.1.2) for the vulnerability in early February—but by then, Cl0p had already used it to break into a myriad of networks and deploy ransomware.

Recent research by Malwarebytes highlighted the bias that ransomware gangs have for attacking English-speaking countries, and the Cl0p campaign follows the same trend. Between them, the Anglosphere countries of the USA, Canada, UK, and Australia accounted for 69% of known Cl0p attacks, with Canada and Australia suffering more attacks than countries with bigger populations and economies, like Germany and France.

Known ransomware attacks by Cl0p, March 2023

The only comparable use of a zero-day by a ransomware operation in recent memory is the Kaseya VSA incident of July 2021. The Kaseya attack involved a malicious auto-update that pushed the REvil ransomware onto victims’ machines, primarily targeting Managed Service Providers (MSPs), causing widespread downtime for over 1,000 companies.

The successful use of zero-day vulnerabilities by ransomware gangs like Cl0p and REvil is, thankfully, relatively rare. However, when it happens it can be devastating. Ransomware gangs are always looking for new tactics to help them maximize the impact of their attacks and, rare or not, we should all be concerned about the example Cl0p has set for weaponizing a newly discovered vulnerability and exploiting it before a patch is released or applied.

Known Cl0p victims include Rubrik, Hatch Bank and Community Health Systems (CHS).

Cl0p wasn’t the only gang we saw last month experiencing an unexpected surge in activity.

BlackBasta and LockBit

In January 2023, we noted a complete absence of activity from BlackBasta, a group which up to that point had usually ranked highly on our monthly charts. That trend continued into February, but in March it returned with a vengeance with over 40 known victims. It’s hard to tell why BlackBasta went underground for two months only to eventually burst back onto the scene, but it’s possible that the group was working on developing new attack techniques or evading detection. Other possibilities are a sudden change in leadership, that the group wanted to lay low to avoid the attention of law enforcement, or it simply wanted a break. This kind of thing isn’t unusual and the group’s sudden re-emergence highlights the unpredictable nature of ransomware gangs and the need for constantly monitoring the latest threat intelligence. Just because a group is gone today doesn’t mean it won’t be back tomorrow.

Meanwhile, LockBit’s activity in March was headlined by a major ransomware attack on Essendant, a US-based distributor of office products. This attack, which is said to have begun on or around March 6, created severe ramifications for the organization, disrupting freight carrier pickups, online orders, and access to customer support.

In other LockBit news, a CISA advisory on LockBit 3.0 ransomware was released on March 16, 2023. LockBit 3.0, also called LockBit Black, was discovered in June 2022. While many of LockBit 3.0’s TTPs remain consistent with previous versions, the advisory sheds light on the updated and enhanced features in LockBit 3.0. These improvements include more advanced detection evasion methods and customization options that enable affiliates to modify the ransomware’s behavior according to their requirements, making the ransomware harder to detect and counter.

Dark Power

March saw the rise of Dark Power, a new ransomware group that tallied 10 victims. Dark Power’s ransomware is interesting in that it is written in the relatively obscure Nim programming language.

Dark Power’s approach to ransomware, despite being relatively basic, manages to create unique encryption keys for each targeted machine, making it difficult to develop a generic decryption tool. The ransomware effectively stops services and terminates processes, ensuring the encryption process is unhindered. It also clears logs, making it harder for analysts to investigate an attack.

The effectiveness of Dark Power ransomware underlines the fact that attackers do not always need advanced, novel techniques to succeed. A basic approach, executed well and combined with an adaptable programming language, can prove to be just as effective.
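The behaviour described above (stopping services, killing processes, then clearing logs) is detectable from ordinary Windows event logs before encryption finishes, which is what the “Detect intrusions” advice at the end of this article is about. The following is an added example, not Dark Power’s code and not a vendor detection rule: it uses the standard Windows event IDs 7036 (service entered a new state), 4689 (process exited), 1102 (audit log cleared) and 104 (System log cleared), while the sample log lines, the five-minute window and the thresholds are constructed assumptions for the demonstration.

```python
"""Flag a ransomware pre-encryption pattern in Windows event logs.

Added example. Looks for a burst of service stops and process exits on one
host followed, within a short window, by a log-clear event. Event IDs are
the standard Windows ones; log lines and thresholds are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log, "timestamp|host|event_id|detail" (not real telemetry).
SAMPLE_LOG = """\
2023-03-20T02:14:01|FS01|7036|The SQL Server (MSSQLSERVER) service entered the stopped state.
2023-03-20T02:14:02|FS01|7036|The Veeam Backup Service service entered the stopped state.
2023-03-20T02:14:02|FS01|7036|The Volume Shadow Copy service entered the stopped state.
2023-03-20T02:14:03|FS01|7036|The Windows Defender Service service entered the stopped state.
2023-03-20T02:14:05|FS01|4689|A process has exited. Process Name: C:\\Program Files\\Veeam\\Veeam.Backup.Service.exe
2023-03-20T02:14:05|FS01|4689|A process has exited. Process Name: C:\\Program Files\\Microsoft SQL Server\\sqlservr.exe
2023-03-20T02:14:06|FS01|4689|A process has exited. Process Name: C:\\Windows\\System32\\notepad.exe
2023-03-20T02:14:40|FS01|1102|The audit log was cleared.
2023-03-20T02:14:41|FS01|104|The System log file was cleared.
2023-03-20T09:00:00|WS07|7036|The Print Spooler service entered the stopped state.
2023-03-20T09:30:00|WS07|4689|A process has exited. Process Name: C:\\Windows\\explorer.exe
"""

SERVICE_STOPPED = 7036
PROCESS_EXITED = 4689
LOG_CLEARED = {1102, 104}

WINDOW = timedelta(minutes=5)  # assumption: tune to your environment
MIN_SERVICE_STOPS = 3          # assumption
MIN_PROCESS_EXITS = 2          # assumption


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    event_id: int
    detail: str


def parse(text: str):
    """Parse the pipe-delimited constructed format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, eid, detail = line.split("|", 3)
        events.append(Event(datetime.fromisoformat(ts), host, int(eid), detail))
    return events


def detect(events):
    """Return {host: time of the first qualifying log-clear event}.

    A host qualifies when a log-clear event is preceded within WINDOW by at
    least MIN_SERVICE_STOPS service stops and MIN_PROCESS_EXITS process exits.
    """
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_host[e.host].append(e)

    hits = {}
    for host, evs in by_host.items():
        for clear in (e for e in evs if e.event_id in LOG_CLEARED):
            start = clear.ts - WINDOW
            in_window = [e for e in evs if start <= e.ts <= clear.ts]
            stops = sum(1 for e in in_window if e.event_id == SERVICE_STOPPED)
            exits = sum(1 for e in in_window if e.event_id == PROCESS_EXITED)
            if stops >= MIN_SERVICE_STOPS and exits >= MIN_PROCESS_EXITS:
                hits[host] = clear.ts
                break  # one alert per host is enough
    return hits


if __name__ == "__main__":
    for host, when in detect(parse(SAMPLE_LOG)).items():
        print(f"ALERT {host}: service-stop/kill burst followed by log clearing at {when.isoformat()}")
```

On the constructed sample, FS01 fires (four service stops and three process exits in the minute before the audit log is cleared) while WS07 does not, since a single spooler stop and a process exit hours apart are routine. Keying the rule on the log-clear event keeps the false-positive rate low: legitimate maintenance stops services, but it rarely wipes the audit log immediately afterwards, and 1102 requires the audit log to be forwarded off-host (to a SIEM) before it is cleared, or the evidence disappears with the log.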

The Dark Power dark web site

BianLian

BianLian, a ransomware gang that first appeared in July 2022 and has consistently hovered near the top of our monthly charts, has shifted its focus from encrypting files to data-leaks. The group’s shift in focus can be attributed to the release of a decryption tool by Avast, which made encrypting files less effective for BianLian. Consequently, the group now focuses on threatening to leak stolen data to extort payments from victims instead.

BianLian’s shift toward data-leak extortion demonstrates that RaaS gangs can be highly adaptable to changing circumstances, such as the emergence of decryption tools that undermine encryption-based ransomware. This strategic shift allows them to maintain a steady income stream, even as traditional methods lose their effectiveness.

As organizations face the daunting prospect of sensitive data leaks or security breach exposure, they are more likely to pay ransoms to avoid legal, financial, and reputational repercussions. Furthermore, the lingering threat of leaked data, even after recovering encrypted files, makes it harder for victims to resist paying ransoms. 

Our Ransomware Emergency Kit contains the information you need to defend against ransomware-as-a-service (RaaS) gangs.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.


Don’t plug your phone into a free charging station, warns FBI

In a recent tweet, the FBI office in Denver warned consumers against using free public charging stations, stating that criminals have managed to hijack public chargers with the objective of infecting devices with malware or other software that can give hackers access to your phone, tablet or computer.

“Avoid using free charging stations in airports, hotels or shopping centers. Bad actors have figured out ways to use public USB ports to introduce malware and monitoring software onto devices. Carry your own charger and USB cord and use an electrical outlet instead.”

When asked, the FBI’s Denver field office said the message was meant as an advisory, and that no specific case had prompted it. The technique the FBI is describing is commonly called “juice jacking.”

Imagine that the battery of your phone is dying and you’re nowhere near a power outlet, would you connect your phone to any old USB port? A juice jacking attack uses a charging port or infected cable to exfiltrate data from the connected device or upload malware onto it. The term was first used by Brian Krebs in 2011 after a proof of concept was conducted at DEF CON by Wall of Sheep. When users plugged their phones into a free charging station, a message appeared on the kiosk screen saying:

“You should not trust public kiosks with your smart phone. Information can be retrieved or downloaded without your consent. Luckily for you, this station has taken the ethical route and your data is safe. Enjoy the free charge!”

While there are no known, recent cases of juice jacking, it’s best to be aware of potential cyberattacks—you never know what will trigger the transformation of the hypothetical to the real. To avoid inadvertently infecting your mobile device while charging your phone in public, learn more about how these attacks could happen and what you can do to prevent them.

How would juice jacking work?

As you may have noticed, when you charge your phone from a computer’s USB port you can also move files between the two systems. That’s because a USB port is not simply a power socket. A standard USB-A connector has four pins (micro-USB adds a fifth ID pin): charging needs only the power and ground pair, while the other two pins, D+ and D-, carry data.


USB connection table courtesy of Sunrom

Unless you have changed your settings, modern phones default to charge-only mode and ask before exposing data to a new host; older Android versions enabled data transfer by default. The data connection is driven from the host end, which in a juice-jacking scenario is the kiosk, not the device owner. That means any time a user connects to an unknown USB port for a charge, they could also be opening up a pathway to move data between devices, with the following consequences:

  • Data theft: during the charge, data is stolen from the connected device.
  • Malware installation: as soon as the connection is established, malware is dropped on the connected device. The malware remains on the device until it is detected and removed by the user.

Data theft

In the first type of juice-jacking attack, cybercriminals could steal any and all data from mobile devices connected to charging stations through their USB ports. But there’s no hoodie-wearing hacker sitting behind the controls of the kiosk, so how would they get all your data from your phone to the charging station to their own servers? And if you charge for only a couple minutes, does that save you from losing everything?

Make no mistake, data theft can be fully automated. A cybercriminal could breach an unsecured kiosk using malware, then steal the information from connected devices. There are crawlers that can search your phone for personally identifiable information (PII), account credentials, banking-related or credit card data in seconds. There are also many malicious apps that can clone all of one phone’s data to another phone, using a Windows or Mac computer as a middleman. So, if that’s what’s hiding on the other end of the USB port, an attacker could get all they need to impersonate you.

Cybercriminals are not necessarily targeting specific, high-profile users for data theft, either—though a threat actor would be extremely happy (and lucky) to fool a potential executive or government target into using a rigged charging station. However, the chances of that happening are rather slim. Instead, hackers know that our mobile devices store a lot of PII, which can be sold on the dark web for profit or re-used in social engineering campaigns.

Malware installation

The second type of juice-jacking attack would involve installing malware onto a user’s device through the same USB connection. This time, data theft isn’t always the end goal, though it often takes place in the service of other criminal activities. If threat actors were to steal data through malware installed on a mobile device, it wouldn’t happen upon USB connection but instead take place over time. This way, hackers could gather more and varied data, such as GPS locations, purchases made, social media interactions, photos, call logs, and other ongoing processes.

There are many categories of malware that cybercriminals could install through juice jacking, including adware, cryptominers, ransomware, spyware, or Trojans. In fact, Android malware nowadays is as versatile as malware aimed at Windows systems. While cryptominers mine a mobile phone’s CPU/GPU for cryptocurrency and drain its battery, ransomware freezes devices or encrypts files for ransom. Spyware allows for long-term monitoring and tracking of a target, and Trojans can hide in the background and serve up any number of other infections at will.

Many of today’s malware families are designed to hide from sight, so it’s possible users could be infected for a long time and not know it. Symptoms of a mobile phone infection include a quickly-draining battery life, random icons appearing on your screen of apps you didn’t download, advertisements popping up in browsers or notification centers, or an unusually large cell phone bill. But sometimes infections leave no trace at all, which means prevention is all the more important.

How to avoid juice jacking

The first and most obvious way to avoid juice jacking is to stay away from public charging stations or portable wall chargers. Don’t let the panic of an almost drained battery get the best of you. I’m probably showing my age here, but I can keep going without my phone for hours. I’d rather not see the latest kitty meme if it means compromising the data on my phone.

If you feel going through a part of your life without a phone is crazy talk and a battery charge is necessary to get you through the next leg of your travels, using a good old-fashioned AC socket (plug and outlet) will do the trick. No data transfer can take place while you charge—though it may be hard to find an empty outlet. While traveling, make sure you have the correct adapter for the various power outlet systems along your route. Note there are 15 major types of electrical outlet plugs in use today around the globe.

Other non-USB options include external batteries, wireless charging stations, and power banks, which are devices that can be charged to hold enough power for several recharges of your phone. Depending on the type and brand of power bank, they can hold between two and eight full charges. Power banks with a high capacity are known to cost more than US$100, but offer the option to charge multiple devices without having to look for a suitable power outlet.

If you still want the option to connect via USB, USB condoms are adaptors that allow the power transfer but don’t connect the data transfer pins. You can attach them to your charging cable as an “always on” protection. Using such a USB data blocker or “juice-jack defender” as they are sometimes called will always prevent accidental data exchange when your device is plugged into another device with a USB cable. This makes it a welcome travel companion, and will only set you back US$10–$20.

Checking your phone’s USB preference settings may help, but it’s not a foolproof solution. There have been cases where data transfers took place despite the “no data transfer” setting.

Finally, avoid using any charging cables and power banks that seem to be left behind. You can compare this trick to the “lost USB stick” in the parking lot. You know you shouldn’t connect those to your computer, right? Consider any random technology left behind as suspect. Your phone will thank you for it.


Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

KFC, Pizza Hut owner employee data stolen in ransomware attack

Upon learning that attackers accessed and siphoned data in January, Yum! Brands, the fast-food chain operator behind The Habit Burger Grill, KFC, Pizza Hut, and Taco Bell, has begun sending Notice of Security Breach letters to employees whose data were potentially affected.

“We are writing to provide you with information about a cybersecurity incident involving your personal information that occurred mid-January 2023,” says the breach notice. While the company finds “no evidence of identity theft or fraud” involving the stolen data, it says it is contacting employees “out of an abundance of caution” to provide support and resources they might need.

The notice revealed that employee names, driver’s license numbers, and other ID card numbers are among the data that ransomware attackers took.

According to BleepingComputer, Yum! Brands has yet to provide the number of employees whose data threat actors stole during the attack.

The January ransomware attack

Over three months ago, Yum! Brands said it had experienced a ransomware attack that affected its IT systems, forcing it to close fewer than 300 restaurant chains in the UK for a day.

“Promptly upon detection of the incident, the Company initiated response protocols, including deploying containment measures such as taking certain systems offline and implementing enhanced monitoring technology,” the company said in a statement. “The Company also initiated an investigation, engaged the services of industry-leading cybersecurity and forensics professionals, and notified Federal law enforcement.”

In its filing with the Securities and Exchange Commission (SEC) in January, Yum! Brands assured investors that although the attack caused a temporary disruption, there would be no negative financial impact.

“While this incident caused temporary disruption, the Company is aware of no other restaurant disruptions and does not expect this event to have a material adverse impact on its business, operations or financial results,” the Form 8-K mentioned.

“…no material adverse effect…”

Yum! Brands continues to believe the ransomware incident would not cause adverse operational or financial effects in the long run.

“While the Company’s response to this incident is ongoing, at this time we do not believe such impact of the incident will ultimately have a material adverse effect on our business, results of operations or financial condition,” the company says in its 2022 annual report to the SEC which it filed on Friday.

The firm has yet to disclose the ransomware group behind the attack.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.


Ransomware in the UK: April 2022–March 2023

This article is based on research by Marcelo Rivero, Malwarebytes’ ransomware specialist, who monitors information published by ransomware gangs on their dark web sites. In this report, “known attacks” are attacks where the victim opted not to pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher.

Between April 2022 and March 2023, the UK was a prime target for ransomware gangs. During that period:

  • The UK was the second most attacked country in the world.
  • Royal Mail was hit with the largest known ransom demand ever: $80 million.
  • The education sector was hit far harder than in other countries.
  • The UK was a prime target for Vice Society, which targets education.

In August 2022, a ransomware attack on IT supplier Advanced caused widespread outages across the UK’s National Health Service (NHS), the biggest employer in Europe and the seventh largest in the world. The attack affected services including patient referrals, ambulance dispatch, out-of-hours appointment bookings, mental health services and emergency prescriptions.

Later that year, British newspaper The Guardian experienced a major ransomware attack that shut down part of its IT infrastructure. The Guardian, which operates one of the most visited websites in the world, described the incident as a “highly sophisticated cyberattack involving unauthorised third-party access to parts of our network”, most likely triggered by a successful phishing attempt.

In January 2023, Britain’s multinational postal service, Royal Mail, was attacked by LockBit, arguably the world’s most dangerous ransomware, which demanded the biggest ransom we have ever seen anywhere, in any country: $80 million. Royal Mail rejected the demand, calling it ‘absurd’, and LockBit consequently published the files stolen from the company alongside an illuminating transcript of the negotiation between the two parties.

The UK: Just like the USA

In the 12 months from April 2022 to March 2023, the UK suffered more known ransomware attacks than any country other than the USA. However, the sheer number of ransomware attacks in the USA dwarfs all other countries. Given the disparity between the USA and the UK it would be easy to conclude that ransomware is, first-and-foremost, a USA problem.

It is not.

[Figure: Known attacks in the ten most attacked countries, April 2022 – March 2023]

The USA suffered a little over seven times more attacks in the last twelve months than the UK, and it is perhaps not a coincidence that the USA’s economic output, measured by gross domestic product (GDP), was also about seven times larger than the UK’s.

We can account for the difference in the size of countries’ economies by dividing the number of known ransomware attacks by a country’s nominal GDP, which gives us an approximate rate of attacks per $1T of economic output. On that basis, the USA and the UK suffered nearly identical rates of attack, at around 50 known attacks per $1T.

Measured this way, the UK is third, almost a mirror of its Atlantic cousin and quite different from its geographic and economic near neighbours, France and Germany. In other words, on this measure, ransomware gangs appear to make no distinction between the UK and the USA.

[Figure: The ten most attacked countries between April 2022 – March 2023, ordered by attacks per $1T GDP, UK highlighted]

Another way to account for the vast difference in size in countries in the top ten is to divide known attacks by each country’s population. On that measure, the UK ranks fourth, and again suffers a far higher rate of attacks than either France or Germany.
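The two normalisations described above (known attacks per $1T of GDP and known attacks per head of population) are simple to reproduce. The following Python script is an added example, not part of the Malwarebytes report; the attack counts, GDP and population figures in it are constructed round numbers chosen only to show how the ranking changes once country size is accounted for, and must not be read as the report’s data.

```python
"""Rank countries by raw known-ransomware-attack counts, by attacks per
$1T of nominal GDP, and by attacks per million inhabitants.

Added example. All figures below are CONSTRUCTED illustrative values,
not the Malwarebytes report's data.
"""
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class Country:
    name: str
    known_attacks: int          # leak-site listings where no ransom was paid
    gdp_usd_trillions: float    # nominal GDP, trillions of US dollars
    population_millions: float  # inhabitants, millions


# Constructed sample input (NOT real statistics).
SAMPLE = [
    Country("USA", 1400, 25.0, 335.0),
    Country("UK", 200, 3.1, 67.0),
    Country("Germany", 150, 4.1, 84.0),
    Country("France", 120, 2.8, 68.0),
]


def attacks_per_trillion_gdp(c: Country) -> float:
    """Known attacks divided by nominal GDP in $T."""
    return c.known_attacks / c.gdp_usd_trillions


def attacks_per_million_people(c: Country) -> float:
    """Known attacks divided by population in millions."""
    return c.known_attacks / c.population_millions


def raw_count(c: Country) -> float:
    """Unnormalised count, for comparison with the two rates."""
    return float(c.known_attacks)


def rank(countries: Iterable[Country],
         metric: Callable[[Country], float]) -> list[tuple[str, float]]:
    """Return (name, value) pairs sorted from highest to lowest, rounded
    to two decimals so the output is stable across platforms."""
    scored = [(c.name, round(metric(c), 2)) for c in countries]
    return sorted(scored, key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for label, metric in (("raw count", raw_count),
                          ("per $1T GDP", attacks_per_trillion_gdp),
                          ("per million people", attacks_per_million_people)):
        print(f"--- {label} ---")
        for name, value in rank(SAMPLE, metric):
            print(f"{name:8} {value:>8.2f}")
```

With these constructed inputs the USA leads on raw count by a wide margin, but on a per-GDP basis the UK edges ahead of it, and on a per-capita basis the two sit together at the top while France and Germany trail on both rates; that is the shape of the argument the report makes, regardless of the exact figures.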

[Figure: The ten most attacked countries between April 2022 – March 2023, ordered by attacks per capita]

The most likely explanation for the difference between the UK, France and Germany is language. To make serious money, ransomware gangs have to be able to attack businesses in the USA. They have to be able to operate inside company networks where things are written in English, understand the value of the English-language data they’ve stolen, and negotiate in English.

However you rank the top ten, English-speaking countries occupy at least three of the top five positions. In the per-capita list they occupy four. It seems that when it comes to ransomware, speaking English may be a serious drawback, which helps ensure the UK is a prime target.

Education, education, education

Over the last 12 months, the education sector in the UK suffered far more than in other countries. Education was the target in 16% of known attacks in the UK, but only 4% in France and Germany, and 7% in the USA.

[Figure: Known ransomware attacks by industry sector in the UK, April 2022 – March 2023]

Our data shows that one of the main reasons for this is Vice Society, an extremely dangerous ransomware group with an appetite for the education sector.

In 2022, LockBit was used in 31% of known attacks globally, 3.5 times more than its nearest competitor, ALPHV. (You can read much more about why LockBit is the number one threat to your business in our 2023 State of Malware report.) As you’d expect, given its global preeminence, LockBit was also the most widely used ransomware in the UK in the last twelve months.

However, in the UK, Vice Society was second, not ALPHV.

[Figure: Known attacks by the ten most used ransomware in the UK, April 2022 – March 2023]

In fact, the UK is one of Vice Society’s favourite targets, accounting for 21% of the group’s known attacks in the last 12 months, a close second to the USA which accounted for 23%, and vastly more than the next country, Spain, which accounted for 8%.

Sadly, Vice Society’s disproportionate interest in the UK lands squarely on the education sector.

76% of Vice Society’s known attacks in the UK over the last 12 months hit the education sector, and Vice Society was responsible for 70% of known attacks on UK education institutions.

[Figure: Known ransomware attacks by month on the UK education sector, by gang, April 2022 – March 2023]

It is worth remembering that our numbers only reflect attacks where a ransom wasn’t paid, and the true number of attacks is far larger.

In 2023, the BBC reported on 14 schools in the UK that were attacked by Vice Society including Carmel College, St Helens, Durham Johnston Comprehensive School (hacked in 2021, documents posted online in January 2022), and Frances King School of English, London/Dublin.

Vice Society doesn’t reinvent the wheel in terms of how it breaks into its victims’ networks. It uses familiar techniques such as phishing, compromised credentials, and exploits to establish a foothold.

Vice Society is also known to use legitimate software in its attacks, to avoid detection by security tools. This technique, known as “living off the land”, allows the gang to hide in plain sight on victims’ networks. One of the tools it favours is Windows Management Instrumentation (WMI), which is designed for administrators to manage and monitor computers from a remote location. The only effective way to spot attackers who are living off the land is with EDR software operated by trained security staff, or with a service like MDR.
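Because WMI is legitimate software, there is no malicious binary to match; what EDR tooling actually looks for is unusual behaviour around it, such as the WMI provider host (WmiPrvSE.exe) launching a command shell or script host, which is how remotely issued WMI process-creation requests show up on the endpoint. The script below is an added example of that kind of rule, written for this page and not taken from the report or from any vendor’s product. The log lines are constructed and only loosely modelled on process-creation telemetry; the field names and the list of “suspicious children” are assumptions for the illustration.

```python
"""Flag processes spawned by the WMI provider host (WmiPrvSE.exe), a
common 'living off the land' pattern.

Added example with CONSTRUCTED sample events; not real logs and not a
vendor's detection logic.
"""
import re

# Interactive shells and script hosts that the WMI provider host would
# rarely launch during routine administration.  A child of WmiPrvSE.exe
# from this set is worth an analyst's attention.  (Assumed list.)
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "wscript.exe",
    "cscript.exe", "mshta.exe", "rundll32.exe",
}

# Constructed process-creation events in a simple key=value layout,
# loosely modelled on Sysmon Event ID 1 fields.  Hosts, users and times
# are invented.
SAMPLE_EVENTS = """\
UtcTime=2023-03-01 09:12:44 Host=FS01 Image=C:\\Windows\\System32\\svchost.exe ParentImage=C:\\Windows\\System32\\services.exe User=NT AUTHORITY\\SYSTEM
UtcTime=2023-03-01 09:13:02 Host=FS01 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe ParentImage=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe User=CORP\\svc_backup
UtcTime=2023-03-01 09:13:05 Host=FS01 Image=C:\\Windows\\System32\\notepad.exe ParentImage=C:\\Windows\\explorer.exe User=CORP\\alice
UtcTime=2023-03-01 09:14:10 Host=WS22 Image=C:\\Windows\\System32\\cmd.exe ParentImage=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe User=NT AUTHORITY\\SYSTEM
UtcTime=2023-03-01 09:15:00 Host=WS22 Image=C:\\Windows\\System32\\wbem\\WMIC.exe ParentImage=C:\\Windows\\System32\\cmd.exe User=CORP\\bob
"""

# key=value pairs whose values may contain spaces: a value runs until the
# next " key=" token or the end of the line.
_FIELD = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line: str) -> dict:
    """Turn one key=value line into a dict."""
    return {m.group(1): m.group(2) for m in _FIELD.finditer(line)}


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def wmi_spawned_shells(log_text: str) -> list:
    """Return the events where WmiPrvSE.exe is the parent of a shell or
    script host, in log order."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        parent = basename(ev.get("ParentImage", ""))
        child = basename(ev.get("Image", ""))
        if parent == "wmiprvse.exe" and child in SUSPICIOUS_CHILDREN:
            hits.append({
                "time": ev.get("UtcTime", ""),
                "host": ev.get("Host", ""),
                "user": ev.get("User", ""),
                "child": child,
            })
    return hits


if __name__ == "__main__":
    for hit in wmi_spawned_shells(SAMPLE_EVENTS):
        print(f"{hit['time']} {hit['host']}: WmiPrvSE.exe -> {hit['child']} as {hit['user']}")
```

On the constructed input the rule fires twice (PowerShell on FS01 and cmd.exe on WS22) and ignores the benign events, including the interactive wmic.exe run by a user, which is a different signal. In a real environment this parent-child rule needs tuning: some management and monitoring products legitimately drive endpoints through WMI, so an allow-list of known service accounts or originating hosts is usually the first thing an analyst adds.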

We can only speculate about why Vice Society has such an appetite for UK schools, colleges, and universities, but we know the sector is not exactly awash with money. Education in the UK has suffered a significant drop in funding in the last decade, according to the non-partisan Education Policy Institute, which says that “between 2009–10 and 2019–20, spending per pupil in England fell by 9 percent in real terms.”

Following a spike in inflation in 2022, the UK’s largest teaching union voted to strike for better pay for its members. The strikes themselves are not the cause of education’s susceptibility to ransomware, but they are indicative of the deteriorating financial situation in UK education.

In 2021, this author interviewed a number of people involved in providing cyberprotection for UK schools. The picture in each was the same: Cybersecurity was one responsibility among many being carried by very small numbers of IT staff who were under tremendous pressure, and ill-equipped to fight off the attentions of a ransomware gang like Vice Society.

Conclusions

In the last 12 months there was no hiding place for organisations in the UK. Our analysis of total known attacks, known attacks per $1T of GDP, and known attacks per capita, shows that ransomware gangs treated the entire Anglosphere, not just the USA, as their prime hunting ground. As part of that group, the UK was on the front line against ransomware, and will almost certainly remain there.

Within the UK, the education sector was disproportionately affected. It suffered far more known attacks than education in France or Germany, and accounted for a much higher proportion of known attacks than education did in the USA. The vulnerability of the education sector was exposed by Vice Society, a ruthless ransomware gang with an outsized appetite for education targets. In the last 12 months, Vice Society was as active in the UK as it was in the USA. While LockBit remains the most dangerous ransomware in the world for almost all sectors in almost all countries, in the cash-strapped UK education sector Vice Society is the most dangerous predator.

The education sector in the UK should be alarmed that with an entire world of targets to choose from, ransomware gangs have singled it out for disproportionate attention. More than any other sector, it will need to rethink, reskill and retool its approach to ransomware to fend off the determined attentions of attackers who smell an opportunity.


Update now! April’s Patch Tuesday includes a fix for one zero-day

It’s Patch Tuesday again. Microsoft and other vendors have released their monthly updates. Among a total of 97 patched vulnerabilities there is one actively exploited zero-day.

Microsoft classifies a vulnerability as a zero-day if it is publicly disclosed or actively exploited with no official fix available. The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The actively exploited zero-day is listed as CVE-2023-28252.

CVE-2023-28252 is an elevation of privilege (EoP) vulnerability in the Windows Common Log File System (CLFS) driver. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges, which is the highest level of privilege on Windows systems. This is the type of vulnerability that we can expect to see chained with other vulnerabilities. Once an attacker has access, EoP vulnerabilities allow them to exploit that access to the fullest.

CISA has already added the CVE-2023-28252 Windows zero-day to its catalog of Known Exploited Vulnerabilities, which means federal (FCEB) agencies have until May 2, 2023 to patch against it.

Given the reach and simplicity of exploitation, this vulnerability is bound to be very popular among cybercriminals, and so it should be patched as soon as possible. CLFS is present in all Windows versions and so is the vulnerability. Exploitation does not require any user interaction and the vulnerability is already in use by at least one ransomware gang.

Another vulnerability to keep an eye on is CVE-2023-28231, a DHCP Server Service remote code execution (RCE) vulnerability. It is rated as critical with a CVSS score of 8.8 out of 10. Even though the attacker would need access to the network to successfully exploit this vulnerability, Microsoft has it listed as “Exploitation more likely.”

Another one that Microsoft deems more likely to be exploited is CVE-2023-21554, an RCE vulnerability in Microsoft Message Queuing (MSMQ) with a CVSS score of 9.8 out of 10. To exploit this vulnerability, an attacker would need to send a specially crafted malicious MSMQ packet to an MSMQ server. This could result in remote code execution on the server side.

A few others we can expect to see, especially in the form of email attachments, are several RCE vulnerabilities in Microsoft Office, Word, and Publisher [2]. All these vulnerabilities require the user to open a malicious file. So this is something we can typically expect to see a lot in phishing campaigns.

Other vendors

Other vendors have synchronized their periodic updates with Microsoft. Here are a few major ones that you may find in your environment.

Adobe has released security updates for several products.

Apple released emergency updates for two known-to-be-exploited vulnerabilities.

Cisco released security updates for multiple products.

Google has released updates for the Chrome browser and for Android.

Mozilla has released security advisories for vulnerabilities affecting multiple Mozilla products.

SAP has released its April 2023 updates.



Apple releases emergency updates for two known-to-be-exploited vulnerabilities

On Friday April 7, 2023, Apple released iOS 16.4.1, iPadOS 16.4.1, and macOS 13.3.1 for the iPhone, iPad, and Mac, respectively, and our advice is to install them as soon as possible because all three updates include important security fixes.

The Cybersecurity and Infrastructure Security Agency (CISA) has already ordered federal agencies to patch these two security vulnerabilities before May 1st, 2023.

The updates may already have reached you in your regular update routines, but it doesn’t hurt to check if your device is at the latest update level. If a Safari update is available for your device, you can get it by updating or upgrading macOS, iOS, or iPadOS.

How to update your iPhone or iPad.

How to update macOS on Mac.

The vulnerabilities

The security content of iOS 16.4.1 and iPadOS 16.4.1 covers two vulnerabilities for which Apple says it is aware of reports that they may have been actively exploited.

CVE-2023-28206: an out-of-bounds write issue in IOSurfaceAccelerator was addressed with improved input validation. The issue that could allow an app to execute arbitrary code with kernel privileges is fixed in iOS 15.7.5 and iPadOS 15.7.5, macOS Monterey 12.6.5, iOS 16.4.1 and iPadOS 16.4.1, macOS Big Sur 11.7.6, macOS Ventura 13.3.1.

IOSurfaceAccelerator is an object that manages hardware accelerated transfers/scales between IOSurfaces in the IOSurface framework. The IOSurface framework provides a framebuffer object suitable for sharing across process boundaries. It is commonly used to allow applications to move complex image decompression and draw logic into a separate process to enhance security.

An out-of-bounds write can occur when a program writes outside the bounds of an allocated area of memory, potentially leading to a crash or arbitrary code execution. This can happen when the size of the data written is larger than the size of the allocated memory area, when the data is written to an incorrect location within the memory area, or when the program incorrectly calculates the size or location of the data to be written. In this case an attacker can use it to elevate the privileges of a malicious app. For those interested, a proof-of-concept (PoC) has been published for this vulnerability.

CVE-2023-28205: a use after free (UAF) issue was addressed with improved memory management. This issue is fixed in iOS 15.7.5 and iPadOS 15.7.5, Safari 16.4.1, iOS 16.4.1 and iPadOS 16.4.1, macOS Ventura 13.3.1.

UAF is a type of vulnerability that is the result of the incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. In this case, when the vulnerability is exploited, processing maliciously crafted web content may lead to arbitrary code execution.

WebKit is Apple’s web rendering engine. In other words, WebKit is the browser engine that powers Safari and other apps.

The security content of macOS Ventura 13.3.1 covers the same two vulnerabilities and Apple has also released a new Safari 16.4.1 update for macOS Monterey and macOS Big Sur, which likely addresses the WebKit vulnerability.



A week in security (April 3 – 9)

Last week on Malwarebytes Labs:

Stay safe!
