Archive for author: makoadmin

Fake funeral “live stream” scams target grieving users on Facebook

Some scammers have the morals of an alley cat. But some sink even lower.

Over the last few months, Malwarebytes Labs has discovered scammers active on Facebook that prey on bereaved people by using stolen images and phony funeral live stream links to steal money and/or credit card details.

These scammers are becoming more active and new cybercriminals are picking up the method as well, which is something we see very often. When some scheme works, more lowlifes join in.

Currently, we are aware of two different approaches. One uses fake live stream links of the funeral. It asks people to follow a link where they can watch the funeral service and to share the link among their friends and family. The other asks for donations on behalf of the family of the deceased.

We followed the flow of one such scam, but you should be aware that there are several variations.

Usually, this type of scam starts with a comment on Facebook below the notification of a funeral home.

Facebook comment promoting funeral service live
Comment made to look like an update

“UPDATE POST:

If you can afford you can donate.

Please share family and friends

Watch [name] Loveing Memory & Funeral ServiceLive Stream Online

WATCH LIVE [link]”

The domain the comment links to is not unique. Malwarebytes Premium blocks at least 4 other domains involved in the same type of scam, and there were more that will have been taken offline by the time you read this.

If you follow the link, you’ll end up on a landing page similar to this one.

Live stream landing page with three buttons leading to the same phishing site
All three buttons lead to the same phishing site

All the buttons on this site pointed to a domain which we block for phishing.

Malwarebytes blocks pbg4jptrk.com

Adding the domain to the exclusion list allowed me to follow through, and I ended up on a site that wanted me to sign up for my “favorite movies” so that I could allegedly get full access. Remember, I came here following links to the live stream of a funeral—not because I wanted to watch my “favorite movies.”

Watch your favorite movies
Sign up site to watch your favorite movies

After feeding the scam site a bogus email address, I was allowed to move on.

Membership activation site asking for credit card details
Membership activation. Credit card details needed.

Here I am invited to activate my membership by providing my credit card details. Why do they need my credit card details for a free service?

This is the reason the site provides:

“WHY YOUR CREDIT CARD?

We have streaming licenses for our content for certain countries only. That’s why we need to verify your geographic location using a valid credit card. Your membership entitling you to all our content is only 2.00€, unless you decide to switch to premium mode at the end of the 3-day trial membership, or do not cancel your membership within the trial period.”

But the real reason can also be found if you look closely. Did you spot that tiny pre-checked line at the bottom of the left-hand pane?

I enlarged it, so you can read what the small print says.

The small print

“I consent and accept the conditions of the membership and would like a secondary membership. 2X recurring payments every 14 days, current rate (64 €). Cancel anytime.”

In March of 2024, the BBC warned that these cybercriminals sometimes respond to a posted memorial message within minutes, using a fake profile and including the photograph and personal details of the dead person in their post.

The cybercriminals are good at making these Facebook posts look real. They often copy and paste real photographs of the deceased person taken from a funeral director’s site or a genuine tribute site. But they are fake and could turn out very costly for those that fall for them.

Protect yourself and others

Several funeral homes have started adding a note that “this funeral is not being live streamed” to their online notices to reduce the chance of people falling victim to them.

The National Association of Funeral Directors says:

“You shouldn’t have to pay to view a funeral live stream and official links will be provided via the funeral director to the bereaved family.”

Be aware of strange friend requests. They may be from scammers looking for a way to comment on your post.

When you see a comment with these links, please report it to Facebook immediately. It will be removed as soon as possible so that others may be spared from falling victim.

Never provide your credit card details unless you are 100% sure who you are dealing with. And even then, filling out this type of information online always comes with a risk.

Associated domains

Fake streaming sites:

Qtvlivestreamhd[.]com

Hqonlivestream[.]xyz

Visitpageaus[.]com

Auseventstream[.]com

Phishing sites:

pbg4jptrk[.]com

paperpadpen[.]com

Hundreds of online stores hacked in new campaign

Whenever you shop online and enter your payment details, you could be at risk of being a victim of fraud. Digital skimmers are snippets of code that have been injected into online stores and they can steal your credit card number, expiration date and CVV/CVC as you type it in.

We recently detected a new malware campaign targeting a number of online stores running Magento, a popular e-commerce platform. Because the compromises look alike, we believe the threat actors likely used the same vulnerability to plant their malicious code.

Within a few days, we identified over a dozen attacker-controlled websites set up to receive the stolen data. After adding those malicious sites to our security products, we blocked over 1.1K unique theft attempts against Malwarebytes users who happened to shop at one of a few hundred compromised stores.

Technical details

Each online store is injected with one seemingly harmless line of code, a simple script tag loading content from a remote website. Interestingly, across different hacked websites we noticed the same naming pattern:

{domain}.{shop|online}/img/

Below is an example of such an injection for the online store of a popular European beer manufacturer:

image 4526b6

Here’s another example for a Canadian university, also compromised in a similar way. In the image, we can see the content of the remotely loaded JavaScript:

image b68348

This loader contains a simple function that will retrieve information from the site it is being called from. For example, the website’s domain name is being passed as a parameter (‘s’) into another URL meant to retrieve the actual full skimmer code, which consists of a huge blob of obfuscated JavaScript:

image 4db7c3

During checkout, the payment flow is seamlessly altered such that a fake “Payment Method” frame is inserted within the store’s page. What’s interesting to note is that this particular store externalized its payment process to a company called Quickpay. However, the skimmer code takes precedence by being shown to victims first.

As you enter your credit card number, expiration date and CVC into the page, that data is transmitted in real time and stored in a criminal’s database.

image 8853af
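The injection described above is a single external script tag whose host follows the {domain}.{shop|online}/img/ naming pattern. The following scanner, an added example that is not Malwarebytes’ own tooling, walks the script tags of a checkout page and flags third-party sources matching that pattern; the sample HTML and host names are constructed placeholders, and the pattern is a campaign-specific heuristic rather than a general rule.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristic taken from the campaign described above: the injected loader was
# served from {domain}.{shop|online}/img/ . Treat this as a campaign-specific
# indicator, not a general rule; operators change hosting patterns freely.
LOADER_TLDS = {"shop", "online"}
LOADER_PATH_PREFIX = "/img/"


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> element in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        for name, value in attrs:
            if name == "src" and value:
                self.srcs.append(value.strip())


def script_sources(html):
    """Return all script src values found in the HTML, in document order."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    parser.close()
    return parser.srcs


def hostname_of(src):
    """Hostname of an absolute or scheme-relative URL; '' for same-origin paths."""
    # urlparse handles both 'https://host/path' and '//host/path'.
    return urlparse(src).hostname or ""


def flag_skimmer_loaders(html, store_host):
    """Return script src values that match the campaign's loader pattern.

    A src is flagged when it is third-party (host differs from the store),
    its last label is .shop or .online, and its path starts with /img/.
    """
    store_host = store_host.lower()
    flagged = []
    for src in script_sources(html):
        host = hostname_of(src).lower()
        if not host or host == store_host:
            continue  # relative or same-origin: not the pattern we are after
        tld = host.rsplit(".", 1)[-1]
        path = urlparse(src).path
        if tld in LOADER_TLDS and path.startswith(LOADER_PATH_PREFIX):
            flagged.append(src)
    return flagged


# Constructed sample: a checkout page with two legitimate scripts and one
# injected loader using the campaign's naming pattern. Host names are placeholders.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="/static/js/checkout.js"></script>
<script src="https://cdn.example-store.com/lib/jquery.min.js"></script>
<script type="text/javascript" src="//loaderhost-placeholder.shop/img/"></script>
</head><body>...</body></html>
"""

if __name__ == "__main__":
    for hit in flag_skimmer_loaders(SAMPLE_CHECKOUT_HTML, "www.example-store.com"):
        print("suspicious loader:", hit)
```

Run it against a saved copy of a store’s checkout page; a hit is a reason to inspect the loaded script, not proof of compromise on its own.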

Mitigations

Digital skimmers are often impossible to recognize due to how they blend into a website. Unless you are inspecting network traffic or debugging the checkout page with Developer Tools, you simply can’t be sure that a store has not been compromised.

The critical moment happens when you need to enter your credit card number. This is when malicious code has the chance to grab that information directly from your browser.

In just a few days, our telemetry recorded 1,121 unique blocks from Malwarebytes users who had visited a compromised store. The chart below shows those blocks per malicious skimmer domain:

image a56ce9

Malwarebytes antivirus and its browser extension, Browser Guard, can both detect and block the malicious infrastructure used by the criminals in this campaign. If you were to visit a compromised store, you would see a warning such as those below. Access to the store won’t be blocked, and while you could in theory shop safely (the skimmer code did not get a chance to load), we’d still advise refraining from making any purchases.

image 4082a7
image b2f072

We contacted the stores featured in this blog post, and they have already taken action to either remove the malicious code or temporarily suspend their website. We did not reach out individually to each of the other compromised stores but we reported the malicious infrastructure to Cloudflare who already took action in flagging it as phishing.

image 911ed2

Most credit card companies can quickly reissue a new card after it’s been stolen. However, we have seen skimmers that collect more than just your financial data: they also take your email, home address and phone number, information typically required when buying anything online.

If you suspect that you recently made a purchase that resulted in your credit card company alerting you, check out our Identity Protection included in Malwarebytes Premium Security.

image ced830

Indicators of Compromise

Malicious domains used by the skimmer:


Google patches actively exploited zero-day in Chrome. Update now!

Google has released an update for its Chrome browser which includes a patch for a vulnerability that Google says is already being exploited, known as a zero-day vulnerability.

Google has fixed that zero-day with the release of versions 128.0.6613.84/.85 for Windows/macOS and 128.0.6613.84 for Linux that will be rolled out to all users over the coming weeks.

The easiest way to update Chrome is to allow it to update automatically, but you can end up lagging behind if you never close your browser or if something goes wrong—such as an extension stopping you from updating the browser.

To manually get the update, click Settings > About Chrome. If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is restart the browser in order for the update to complete, and for you to be safe from those vulnerabilities.

Google is up to date at version 128.0.6613.85
After the update, the version should be 128.0.6613.84/85, or later

Besides the zero-day, this update contains 37 other security fixes, as well as Google Lens for desktop. This means you’ll be able to search anything you see on the web without leaving your current tab.

Google Lens will be available on every open tab. Here’s how to use it:

  1. Open the Chrome menu (three stacked dots).
  2. Select Search with Google Lens.
  3. Select anything on the page by clicking and dragging anywhere on the page.
  4. Refine the answers by typing in the search box in the side panel.

Keep in mind though that Google will receive a screenshot of every Google Lens search you do.

Technical details on the zero-day vulnerability

A zero-day is a vulnerability in software or hardware that is typically unknown to the vendor and for which no patch or other fix is available. The zero-day vulnerability which is being fixed here is referred to as CVE-2024-7971: a type confusion in V8 in Google Chrome which allowed a remote attacker to exploit heap corruption via a crafted HTML page.

JavaScript uses dynamic typing which means the type of a variable is determined and updated at runtime, as opposed to being set at compile-time in a statically typed language.

V8 is the JavaScript engine that Chrome uses and has been a significant source of security problems.

Heap corruption occurs when a program modifies the contents of a memory location outside of the memory allocated to the program. The outcome can be relatively benign and cause a memory leak, or it may be fatal and cause a memory fault, usually in the program that causes the corruption.

So, an attacker will have to convince a target to open a specially crafted HTML file, which usually means visiting a website. This will cause the unpatched browser to accept an unexpected value for a variable that will cause an overflow of the reserved memory location. The attacker is able to abuse that overflow for their own malicious purposes.


We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

My child had her data stolen—here’s how to protect your kids from identity theft 

Recently, I received a letter in the mail from a company about a data breach. 

The letter said that the company had been a victim of a cyberattack back in March in which files were scrambled (what we know as ransomware). The attacker had also accessed sensitive files and customer health data. 

Sadly, this is a pretty normal occurrence these days. However, this time it wasn’t my own data that was stolen. It was my 9-year-old’s health data, stemming from a breach at the medical company that provides her wheelchair. 

She didn’t fill in her details to a phishing site. She didn’t download malware. She doesn’t even have an email account. Yet her data had already been stolen. 

The data included her name, date of birth, Social Security Number, medical documentation, insurance information, and more. 

And this isn’t the first time. She’d actually already had her data stolen three times before her 10th birthday. 

There isn’t anything we could have done differently in this situation. If you don’t use a service anymore, you can ask the organization to delete your personal information. However, in the case of medical companies—who have access to your most sensitive data—you can’t easily change providers, and they often need to store your data for longer for compliance reasons.

However, there are things you can do to prevent identity theft happening in general, some even after your kids’ data has been taken in a breach like this. 

How to protect your kids from identity theft 

  • Freeze your child’s credit report: You need to do this at all three major credit bureaus (Equifax, Experian, and Transunion), and it’s free to do. Freezing restricts access to your child’s credit report, and means fraudsters cannot use your child’s identity to get credit.  
  • Use fake data wherever you can: In some places, like medical facilities, you do need to use your child’s real data. But whenever you’re signing up for something less official, try using dummy data. 
  • Review privacy settings on apps your kids use: Keep things as private as you can. For example, don’t use their photo for profile pictures, remove statuses that let others know when they’re online, set as much as possible to “private,” and give the least amount of personally identifiable information (e.g. home address, phone number, etc.) as you can.
  • Squat on their digital assets: Buy their domain name, create emails for them, and sign up for key platforms. Then lock all these accounts down with strong, unique passwords and two-factor authentication, and set them to private or inactive. 
  • Keep your devices updated and use security software: Infostealers are a type of malware that steal data from your device. This data can then be sold on the dark web to identity thieves. 
  • Talk to your kids about digital safety: Make sure they know how to set strong passwords, what dangers to look out for online, and how to stay safe.  
  • Set up identity monitoring: This alerts you if you or your family’s information is being traded online, and helps you recover afterwards. 

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Fraudulent Slack ad shows malvertiser’s patience and skills

In the past year alone, we have reported almost five hundred unique malvertising incidents related to Google search ads. While it can be difficult to attribute each incident to a specific threat actor, we usually notice similarities between campaigns.

Some malvertisers go to great lengths to bypass security controls, while others know they will get caught and are willing to burn their accounts and infrastructure. Having said that, we have generally observed stealthier attacks and the one we are covering in this blog is one of them.

Targeting the popular communication tool Slack, a threat actor is relying on several online tools to narrow down their victims’ list and most importantly evade detection.

Context is everything

For several days we noticed a suspicious ad for Slack that appeared when you googled the search term for it. The ad actually looks quite legitimate and is listed above the organic search result for the official site. Despite its appearance, we knew it was likely malicious, even though clicking on it at the time would only result in being redirected to slack.com.

image 3b81c7

Almost every Google ad contains additional information about its advertiser and why it was displayed to you. This is accessible by clicking on the 3 dots beside the ad URL and it brings you to the Google Ads Transparency Center.

image edf63f

What we notice is that this advertiser is promoting products that look targeted at the Asian market, and then there’s this Slack ad that appears in the middle of nowhere.

image a7b435

We’ve mentioned before how contextualized detection could be a good way to identify an advertiser account that has been compromised. We don’t know whether Google’s algorithms are trained on this or not, but it has certainly helped us many times in the past to find new malicious ad campaigns.

Slow cooking

For days, clicking on this Slack ad would only redirect to a price page on Slack’s official website. Ads aren’t always weaponized right away; in fact it is a common practice for threat actors to let their ad ‘cook’ such that it does not immediately become detected.

image 7802e1

Eventually, we saw a change in behavior. Rather than redirecting to slack.com, the ad now first redirected to a click tracker. This is one of the weaknesses in the Google ad ecosystem, as such services can be abused to filter clicks and essentially send traffic to a domain of anyone’s choosing. Tracking templates, as they are known, are a built-in feature that has become synonymous with fraud for us.

Playing games of hide and seek

Now the ad’s final URL had become slack-windows-download[.]com, an interesting choice for a domain name created less than a week ago. While it is obvious that this page was automatically generated, perhaps using AI, there is nothing malicious on it. For whatever reason, the server-side checks determined that we should only be seeing this decoy page at the time:

image 5a0303

After tweaking various settings, we finally saw the malicious page, meant to impersonate Slack and offer a download link to unsuspecting victims. It is the same domain as the one above, but the content is completely different. That type of behavior is known as cloaking, where different users are shown different content:

image ccdaaf

Below is a network traffic capture showing what was required to get to this page. There are a few things worth noting:

  • The Google ad URL redirects to a click fraud detection tool, followed by a click tracker. There is no way for Google to know where users are going at this point.
  • The click trackers themselves are blinded on what happens next, thanks to a singular link/tracking link followed by one more cloaking domain.

image c0f0a5

This deep layering makes it incredibly difficult to evaluate an ad without resorting to specific tooling and knowledge of the threat actors’ TTPs.

Malware payload

The download button triggers a file download from another domain that may hint at a parallel campaign targeting Zoom. A key is passed to the server to request the malware binary, so that it is served to users who went through the delivery chain.

Dynamic analysis in a sandbox shows a remote connection to 45.141.87[.]218, a server previously used by SecTopRAT, a remote access Trojan with stealer capabilities. This payload was previously dropped in other malvertising chains, one of them impersonating NordVPN.

image a6ff84

Conclusion

Malwarebytes was already blocking that command and control server, and we’ve improved our detection coverage by adding the supporting and delivery infrastructure used in this campaign. In addition, we’ve reported the malicious ad to Google, and Cloudflare has now flagged the decoy domains that were abusing its services as phishing.

We expect malvertisers to continue to exploit free and paid platforms to help them avoid detection, but we also should be aware that they may be more patient and wait for the right moment to unleash a new campaign.

Indicators of Compromise

Link redirect

slacklink[.]sng[.]link

Cloaking

haiersi[.]com

Decoy sites

slack-windows-download[.]com
slack-download-for-windows[.]com

Payload download

zoom2024[.]online

Payload SHA256

59e5e07ffa53ad721bc6b4c2ef435e08ae5b1286cda51415303978da474032d2

Man certifies his own (fake) death after hacking into registry system using stolen identity

A 39-year-old man has been sentenced to 81 months in jail after hacking government systems to fake his own death to dodge paying child support.

Yes, you read that right. The press release by the US Attorney’s Office, Eastern District of Kentucky, paints a detailed picture of what went down.

In January of 2023, Jesse Kipf used several stolen identities to create a case for his own death, one of which was a doctor living in another state. He used the stolen username and password of this doctor to log in to the Hawaii Death Registry System and certify his own death, using the digital signature of the doctor.

Kipf admitted that one of the reasons he did this was to avoid having to pay child support. Reportedly, Kipf got a divorce in 2008 in California and owed more than $116,000 in child support obligations to his daughter and her mother, according to court documents.

This was not the only time that Kipf infiltrated other states’ death registry systems, private business networks, and governmental and corporate networks, each time by using stolen credentials.

The access he gained to the systems and networks was subsequently sold on dark web forums.

The case was investigated by the FBI in Louisville. FBI Special Agent Michael E. Stansbury said:

“Working in collaboration with our law enforcement partners, this defendant who hacked a variety of computer systems and maliciously stole the identity of others for his own personal gain, will now pay the price.”

In an arrangement with prosecutors, Mr. Kipf pleaded guilty in April to one count of computer fraud and one count of aggravated identity theft. Under the deal, other charges against him were dropped.

Under federal law, Kipf must serve 85 percent of his prison sentence. Upon his release from prison, he will be under the supervision of the US Probation Office for three years. The damage to governmental and corporate computer systems and his failure to pay his child support obligations amounted to a total of $195,758.65.


National Public Data leaked passwords online

Earlier this month, a huge trove of data from scraping service National Public Data was posted online. The dump made international headlines because it included data on hundreds of millions of people, and included Social Security Numbers.

As if that wasn’t bad enough, KrebsOnSecurity is now reporting on another National Public Data company found hosting a file online that included the usernames and passwords for the back-end of its website, including for the site’s administrator.

The website of this company, Records Check, is hosted at recordscheck.net and is very similar to nationalpublicdata.com, with identical login pages. The publicly accessible file, which has now been taken offline, showed that all RecordsCheck users were given the same 6-character password with instructions to change it, which many failed to do.

National Public Data’s founder, Salvatore “Sal” Verini told Krebs that the exposed file has been removed from the company’s website, and that the entire site will cease operations “in the next week or so.”

But that’s a bit too little too late. As bad as we feel about companies like these scraping our data, it’s even worse to see how carelessly they handle our personal information.

Different

Back to the original NPD data dump: we now know a lot more about this database.

Allegedly, the 277 GB set of data contained Social Security numbers and other sensitive data of about 2.9 billion people. That seems a stretch, so we looked into that.

The estimates from our researchers say that it contains 272 million unique social security numbers. That could mean that the majority of US citizens could be affected, although numerous people confirmed to BleepingComputer that it also included information about deceased relatives.

There are a few aspects in this case that make it very different from other data breaches.

For one, the data was “scraped,” meaning it was pulled from various sources and combined in a large database. So that means the data was already “out there.” Combining data sets often leads to duplicate records, for example, the same person but living at a different address will be listed twice.

However, combining the data in such a large database does allow those with access to amass a huge amount of data about each person.

Second, because of the scraping, there is no direct link between the breached entity and the people whose data is in the leaked database. Normally, businesses will inform their affected customers about what happened, offer credit monitoring services, and let them know what exactly was stolen.

Depending on the outcome of a complaint filed in the US District Court for the Southern District of Florida, some of this might still happen, but it’s unlikely that it will be anywhere near what a company worried about its customers might be willing to do.

National Public Data has set up a website (only accessible with a US IP address, so from outside the US you may need to use a VPN) about the breach. According to that website:

“The information that was suspected of being breached contained name, email address, phone number, social security number, and mailing address(es).”

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
  • Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
  • Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your digital footprint

If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

Toyota confirms customer and employee data stolen, says breach at third party to blame

Last week, a cybercriminal using the handle ZeroSevenGroup dumped 240GB of data on the infamous stolen data site BreachForums, that they said came from a hack on the US branch of car manufacturer Toyota.

ZeroSevenGroup claims the dump includes customer and employee data.

Data offered in BreachForums post
ZeroSevenGroup posted the data

“We have hacked a branch in United State to one of the biggest automotive manufacturer in the world (TOYOTA).
We are really glad to share the files with you here for free.
Contents: Everything like Contacts, Finance, Customers, Schemes, Employees, Photos, DBs, Network infrastructure, Emails, and a lot of perfect data.
We also offer you AD-Recon for all the target network with passwords
We’re not kidding, we have been on the network for a long time..”

Toyota told BleepingComputer that a breach at a third party had led to the data theft. After they looked at the files, BleepingComputer concluded that they had been stolen or at least created on December 25, 2022.

The car vendor has already notified impacted individuals, but it did not provide technical details about the incident. According to Toyota:

“We are aware of the situation. The issue is limited in scope and is not a system wide issue. We have engaged with those who are impacted and will provide assistance if needed.”

Toyota and Toyota Financial Services have suffered several breaches in the past, so it’s hard to tell where and when the information was obtained more precisely.


Check your digital footprint

Malwarebytes has a free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

Why you need to know about ransomware

Last month, a strange thing happened in cybersecurity: a type of cyberthreat typically reserved for large businesses and critical services appeared on the computers of everyday people.

Starting on July 20, hundreds of individuals across the globe began reporting problems with ransomware. Ransomware is an existential threat to businesses everywhere, but for years, it has been understood as primarily that—a business threat.

By focusing their attacks on multimillion-dollar organizations and essential government and health services, ransomware gangs hope to force a payment from their victims who cannot risk shutting down. For some victims, like hospitals, such an impact to their services could be a matter of life and death.

But for the ransomware campaign in July, which involved a variant called Magniber, cybercriminals focused not at all on businesses, but on people. After victims had their computers infected, they received a ransom note and a demand for $1,000 in exchange for having their devices and files cleaned. If victims waited for more than three days to pay up, the demand shot up to $5,000.

The campaign lands during a devastating period of ransomware attacks against businesses, in which the frequency of attacks has steadily climbed up and up, annually, for several years. This increase in attacks is recorded and analyzed in the latest 2024 ThreatDown State of Ransomware report by Malwarebytes, which can be viewed below.

With a global increase in ransomware attacks against businesses, and with no decryption key in sight for victims of Magniber, it’s more clear than ever that ransomware is a must-know cybersecurity risk for people at home.

Why you need to know about ransomware

The most important services in your life are also the most attractive targets for ransomware gangs around the world, which is why your banks, grocery stores, hospitals, schools, government resources, and more could, without any fault of your own, suddenly grind to a halt. Because of ransomware attacks in the past, surgeries have been delayed, classes have been cancelled, and, more recently, a credit union’s customers had their direct deposit payments thrown into disarray.

In ransomware attacks, the pressure is the point.

For years, cybercriminals have focused their ransomware attacks against the types of organizations that are essential for everyday life, including hospitals, schools, critical infrastructure, and entire city governments. Once these organizations are infected with ransomware, their systems and devices become useless, as a ransomware attack will grab all files stored within reach and “encrypt” them—making them inaccessible to their own users without a related “decryption key.”

It is at this critical moment when the clock starts ticking for ransomware victims.

Organizations without reliable backups, unable to work or provide vital services, are pressured into a dreadful decision: Do they pay the cybercriminals a ransom to receive the decryption key (and trust that it works), or do they try to start from scratch, rebuild their technology operations, and refuse to fund the efforts of cybercriminals?

For businesses around the world, it’s a question that is happening more frequently, Malwarebytes found.

Between July 2023 and July 2024, ransomware attacks against organizations increased by 33% across the world, year-over-year, according to the 2024 ThreatDown State of Ransomware report. The US and the United Kingdom suffered the greatest uptick in attacks during the same time period, of 63% and 67% respectively.

But it wasn’t just the frequency that increased. It was also the ransom payments.

While the attacks that deployed Magniber against everyday people requested just thousands of dollars, ransomware attacks against businesses and organizations can include demands of millions upon millions of dollars.

In fact, in 2023, the total sum of all ransomware payments made—meaning actual money transferred to cybercriminals by their victims—surpassed $1 billion. The average ransom payment during the same time period was $620,000, and the cost of recovering from a ransomware attack was an astonishing $4.7 million.

In its investigation, Malwarebytes also revealed that ransomware attacks against organizations were becoming faster, happening more frequently at night (so as to avoid detection), and relied increasingly on an attack method in which cybercriminals would use a breached computer’s own software to help carry out the attack.

But most intriguing to everyday users is the discovery that the US is unique in suffering attacks on healthcare facilities and schools and colleges. While the US accounts for a shocking 48% of all ransomware attacks worldwide, it accounts for 60% of all education attacks and 71% of all healthcare attacks.

Your role in this threat landscape is complex. While there is not much you can do to protect hospitals, schools, banks, and city governments, there also is not much you should do. These are separate entities that are responsible for their own cybersecurity and the public cannot be expected to manage the operations of every service they need.

That said, there are steps you can take to protect yourself from ransomware attacks.

How home users can prevent ransomware

There are some rules that can help you avoid falling victim to this type of ransomware:

  • Make sure your system and software, including your browser, are on the latest version. Criminals exploit known holes that vendors have already patched but that have not yet been updated everywhere.
  • Run a trusted anti-malware solution.
  • Never download illegal software, cracks, and key generators.
  • Use a malicious content blocker to stop your browser from visiting bad sites.
  • Don’t open unexpected email attachments.
  • Don’t click on links before checking where they will take you.

If you do accidentally get caught by ransomware, we recommend you don’t pay. There’s no guarantee you’ll get your files back, and you’ll be helping to line the pockets of criminals.

You can also read the full 2024 ThreatDown State of Ransomware report below.

“We will hold them accountable”: General Motors sued for selling customer driving data to third parties

Texas Attorney General Ken Paxton has sued General Motors (GM) for the unlawful collection and sale of over 1.5 million Texans’ private driving data to insurance companies without their knowledge or consent.

In June, the Attorney General (AG) announced he had opened an investigation into several car manufacturers over allegations that the companies had improperly collected mass amounts of data about drivers directly from the vehicles and then sold the information to third parties.

Following that investigation, the AG explained in a press release, he decided to sue General Motors:

 “Our investigation revealed that General Motors has engaged in egregious business practices that violated Texans’ privacy and broke the law. We will hold them accountable.”

The court filing provides some more detail. It reasons that when consumers buy a vehicle, they want a mode of transportation to get them from one point to another, but with GM (and its subsidiary OnStar) they unwittingly opt in to an all-seeing surveillance system.

GM collected scores of data points from consumers about their driving habits and monetized that data by selling it on to other commercial parties. The AG accuses GM of installing technology that allegedly improves the safety, functionality, and operability of its vehicles, but at the same time this technology gathers driving data about the vehicle’s usage.

The driving data collected and sold by GM included trip details like speed, seatbelt status, and driven distance. On top of that, GM gathered data through other products like its mobile apps.

GM had agreements with various companies which allowed them to use the driving data to calculate a driving score based on risk analysis. After buying a license from GM, an insurer could access the driving scores of over 16 million customers. Based on those scores the insurer could and did increase monthly premiums, drop coverage, or deny coverage.

GM claimed to have consent, but according to the AG it “engaged in a series of misleading and deceptive acts” to obtain that consent.

Among other things, the onboarding process was treated as a mandatory prerequisite to take ownership of the car. But it was nothing short of a deceptive flow to ensure customers would agree to sign up for GM’s products and get enrolled in the driving data collection scheme. Customers were presented electronically with some fifty pages of disclosures about GM’s OnStar products, which consisted of product descriptions and a confusing series of applicable user terms and privacy notices.

At no point did GM disclose that it would sell any customer data, much less driving data, nor did it disclose that it had contracts in place to make driving scores available to other companies or to permit those companies to re-sell driving scores to insurance companies.

Last year on the Malwarebytes Lock and Code podcast, David Ruiz spoke to a team of researchers at Mozilla who had reviewed the privacy and data collection policies of various product categories over several years. They classified cars as the worst product category they had ever reviewed for privacy.

For a long time now, a modern car has been more than just a means of transportation. With multiple digital systems, it is increasingly plugged into web applications and digital processes—both of which are vulnerable to security flaws.

But at least those flaws are not intentional; some of the privacy issues apparently are. So it’s good to see raised awareness among consumers about these issues, and investigations being conducted.

As we noted, an ongoing US Senate investigation indicated that connected car makers violate consumer privacy by sharing and selling drivers’ data, including their location, on a vast scale, and that the same car makers often obtain consumer consent through deception.

Based on this investigation, senators have urged the Federal Trade Commission (FTC) to investigate automakers’ disclosure of millions of Americans’ driving data to data brokers, and to share new-found details about the practice.

As always, we will keep an eye on the developments in this field.

