
Breach Roundup: Royal Ransomware Group on an Extortion Tear

Also: French Museum Ransomware Attack, Cisco Smart Install and SharpRhino Malware

Every week, ISMG rounds up cybersecurity incidents and breaches around the world. This week, the Royal ransomware group underwent a rebrand, a ransomware attack struck a financial system used by French museums, and a putative class action was filed over a massive background check data breach. Also, Singapore removed an app monitoring internet use on student devices, CISA warned about the legacy Cisco Smart Install protocol, the upstart criminal gang behind the SharpRhino malware is on the move, and a researcher found an exposed Illinois voter database.


Royal Ransomware Group Demands More Than $500M

The BlackSuit ransomware group, formerly known as Royal, has extorted more than $500 million from victims since its emergence in September 2022, according to a report from the U.S. Cybersecurity and Infrastructure Security Agency and the FBI. The Wednesday report details the group's operations, including ransom demands ranging from $1 million to $10 million, typically requested in bitcoin.

BlackSuit gained notoriety after high-profile attacks, including one on the city of Dallas last year, which disrupted public services.

The group uses phishing emails to gain initial access, disables antivirus software and exfiltrates data before deploying ransomware. BlackSuit's largest single ransom demand was $60 million, though the group is known to negotiate lower payments.

Ransomware Hits 40 French Museums

A ransomware attack over the weekend targeted the centralized financial system used by around 40 French museums, including notable institutions such as the Louvre, Palace of Versailles and Orsay, local media reported Monday.

The attack was first detected at the Grand Palais museum, host to Olympic fencing and martial arts events. The incident resulted in the Grand Palais servers being cut off, affecting the associated museums' 36 bookstores and boutiques, though museum operations themselves were not disrupted.

An unidentified hacker group demanded a cryptocurrency ransom and threatened to release encrypted data within 48 hours. French security agency ANSSI confirmed it received an alert about the hacking but emphasized that the hacked systems were not involved in the Paris Olympics.

Americans' Personal Information Exposed via Breach

Background-check company Jerico Pictures, which does business as National Public Data, faces a proposed class action lawsuit after a data breach that exposed personal information pertaining to numerous Americans. The BreachForums marketplace user USDoD on April 8 listed for sale a data set titled "National Public Data," which purportedly included 2.9 billion rows of data. Other members of the cybercrime forum have also posted what they said were copies of the same data.

The lawsuit, filed in the U.S. District Court for the Southern District of Florida, alleges that National Public Data failed to notify affected individuals or provide warnings as of the filing date.

The lawsuit says National Public Data collected people's personal information by scraping nonpublic sources, reportedly exposing Social Security numbers, full names, addresses and details about relatives, some of whom had been deceased for decades.

Named plaintiff Christopher Hofmann, a California resident, said he learned of the breach through his identity theft protection service. He accused National Public Data of negligence, unjust enrichment and other legal violations and seeks monetary relief, further demanding that the company purge all affected data, encrypt future collections and implement strict cybersecurity measures, including annual third party.

Mobile Guardian App Removed After Breach

The Singapore Ministry of Education removed the Mobile Guardian app from students' learning devices following a global cybersecurity breach that affected 13,000 students across 26 secondary schools. The breach, discovered on Aug. 4, allowed unauthorized access to the app, which manages device usage by restricting screen time and access to specific content. Affected devices were remotely wiped, but the ministry said no student files were accessed.

The ministry said on Aug. 5 that the app would be removed from all iPads and Chromebooks to safeguard students.

This incident follows unrelated technical issues reported since July. The issues, attributed to human error in Mobile Guardian's configuration, caused problems with device functionality. Mobile Guardian has been investigating the breach, which also affected users in the United States and Europe.

Hackers Target Cisco Smart Install

Hackers are abusing the legacy Cisco Smart Install feature, the U.S. Cybersecurity and Infrastructure Security Agency warned in a Thursday advisory that recommends disabling the protocol. Exploitation of Smart Install, or SMI, isn't a new problem: Cisco warned users in early 2017 that hackers were using the "plug and play" configuration and image-management feature to hack routers. "Malicious Smart Install protocol messages can allow an unauthenticated, remote attacker to change the startup-config file, force a reload of the device, load a new IOS image on the device and execute high-privilege CLI commands on switches running Cisco IOS and IOS XE Software," the National Security Agency warned in 2017. CISA also recommended consulting NSA guidance from October 2023 on network infrastructure security.

The cybersecurity defense agency also warned that it continues to see weak password types used to protect device passwords within system configuration files. "The use of weak password types enables password cracking attacks. Once access is gained a threat actor would be able to access system configuration files easily," the agency said, allowing the hacker to do obviously bad things on the network.
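A defender-side check of the two configuration points CISA raises above, as an added example that is not code from CISA, Cisco or ISMG: it scans an IOS-style running configuration for Smart Install that has not been switched off (`no vstack` is the IOS command that disables it; `show vstack config` confirms the state on the device) and for credentials stored with weak password types (type 0 is plaintext, type 7 is a reversible encoding, types 4 and 5 are hashes Cisco has deprecated in favour of type 8, PBKDF2-SHA-256, and type 9, scrypt). The sample configuration and the hash values in it are constructed placeholders, not real device output.

```python
"""Audit a Cisco IOS-style running configuration for the two issues named in
the CISA advisory: Smart Install not disabled, and weak password storage types.

Added example; not code from CISA, Cisco or ISMG. The sample configuration
below is constructed and the hashes in it are placeholders, not real secrets.
"""
import re

# Constructed sample of what `show running-config` might return on a switch.
SAMPLE_CONFIG = """\
!
hostname core-sw-01
!
enable secret 5 $1$PLCH$placeholder.md5.hash.value
username admin password 7 0822455D0A16
username netops privilege 15 secret 9 $9$PLCH$placeholder.scrypt.hash
username legacy password notsecret
!
service password-encryption
!
interface Vlan1
 ip address 192.0.2.10 255.255.255.0
!
end
"""

# IOS password storage types. Types 0 (plaintext) and 7 (reversible encoding)
# offer no real protection; types 4 and 5 are hashes Cisco has deprecated in
# favour of 8 (PBKDF2-SHA-256) and 9 (scrypt).
WEAK_TYPES = {
    "0": "plaintext",
    "7": "reversible encoding (trivially decoded)",
    "4": "deprecated SHA-256 type (unsalted, single iteration)",
    "5": "MD5-based hash (deprecated, fast to brute-force)",
}
STRONG_TYPES = {"8": "PBKDF2-SHA-256", "9": "scrypt"}

# Matches `enable secret|password [type] value` and
# `username NAME [privilege N] secret|password [type] value`.
# A missing type number means type 0 (plaintext) in IOS.
PASSWORD_RE = re.compile(
    r"^(?:enable|username\s+(?P<user>\S+)(?:\s+privilege\s+\d+)?)\s+"
    r"(?P<kw>secret|password)\s+(?:(?P<type>\d)\s+)?(?P<value>\S+)\s*$"
)


def smart_install_status(config: str) -> str:
    """Return 'disabled', 'enabled' or 'not explicitly disabled'.

    `no vstack` in the running-config means Smart Install is off. Its absence
    does not prove it is on, since many platforms enable it by default without
    writing a line; confirm on the device with `show vstack config`.
    """
    lines = [line.strip() for line in config.splitlines()]
    if "no vstack" in lines:
        return "disabled"
    if any(line == "vstack" or line.startswith("vstack ") for line in lines):
        return "enabled"
    return "not explicitly disabled"


def weak_passwords(config: str) -> list[dict]:
    """Return one finding per credential stored with a weak type."""
    findings = []
    for lineno, line in enumerate(config.splitlines(), start=1):
        match = PASSWORD_RE.match(line.strip())
        if not match:
            continue
        ptype = match.group("type") or "0"  # no type number == plaintext
        if ptype in WEAK_TYPES:
            findings.append({
                "line": lineno,
                "account": match.group("user") or "enable",
                "type": ptype,
                "reason": WEAK_TYPES[ptype],
            })
    return findings


def audit(config: str) -> dict:
    """Combine both checks with the remediation each one calls for."""
    status = smart_install_status(config)
    findings = weak_passwords(config)
    recommendations = []
    if status != "disabled":
        recommendations.append(
            "Disable Smart Install with `no vstack` and verify with `show vstack config`.")
    if findings:
        recommendations.append(
            "Re-enter the flagged credentials as type 8 or 9, e.g. "
            "`enable algorithm-type scrypt secret <new-password>`.")
    return {"smart_install": status,
            "weak_passwords": findings,
            "recommendations": recommendations}


if __name__ == "__main__":
    import json
    print(json.dumps(audit(SAMPLE_CONFIG), indent=2))
```

Run against a saved `show running-config` capture rather than the constructed sample; the script reads configuration text only and changes nothing on the device. The "not explicitly disabled" result is deliberately conservative, since Smart Install is on by default on many switch platforms and leaves no line in the configuration until it is turned off.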

New SharpRhino Malware Targets Network Admins

Upstart criminal group Hunters International unleashed a new malware strain, SharpRhino, targeting network administrators. Disguised as the popular Angry IP Scanner tool, SharpRhino is distributed through typosquatted websites, using slightly misspelled URLs designed to trick victims into downloading malicious code.

The malware has been active since mid-June and is embedded in a fake version of the IP scanner tool named ipscan-3.9.1-setup.exe, Quorum Cyber discovered. The installer contains a password-protected archive that, when unpacked, reveals an application named Microsoft.AnyKey.exe. SharpRhino modifies the RunUpdateWindowsKey registry key to execute this application, which is derived from a Microsoft Visual Studio 2019 Node.js tool.

The malware establishes communication with two command-and-control systems - one for initial payload delivery and another for ongoing access and persistence. Once installed, SharpRhino uses a Rust-based encryptor to lock files, leaving behind a ransom note directing victims to a Tor payment page.

SharpRhino is suspected to be the work of Hunters International, a ransomware-as-a-service group that emerged in October 2023.

US Voter Data Exposed Online

Nearly 4.6 million Illinois voter and election documents containing sensitive personal information - including Social Security numbers and driver's license data - were exposed on publicly accessible, non-password-protected databases, according to cybersecurity researcher Jeremiah Fowler, who shared his findings via VPNMentor.

Fowler said the exposed databases contained troves of sensitive documents - including the physical addresses and personal cellphone numbers of political candidates and full Social Security numbers for millions of voters - before they were eventually restricted by a third-party contractor. While some voter registration information is already easily accessible online, the exposure raises concerns about identity theft and other fraud risks.

"It is not known how long the documents were exposed or if anyone else gained access," Fowler said. "Only an internal forensic audit could identify additional access or suspicious activity."

With reporting from Information Security Media Group's Chris Riotta in Washington, D.C., and David Perera in Washington, D.C.


About the Author

Anviksha More

Senior Subeditor, ISMG Global News Desk

More has seven years of experience in journalism, writing and editing. She previously worked with Janes Defense and the Bangalore Mirror.
