Weekly Cyber News Roundup

Ransomware gangs are hitting the headlines again this week with perhaps the biggest story being that of a suspected ransomware attack against video surveillance company, Ring. Speculation as to whether the company has been attacked is high after the ransomware gang ALPHV listed Ring as one of its victims on its website. Ring however, has not revealed whether it has been targeted. 

Companies shouldn’t panic when they are targeted by ransomware gangs in such a way as until evidence to the contrary is produced is just one word against the other. Companies don’t need to disclose anything at any time and responding to pressure from threat actors or the press might make things worse so it’s good to maintain a long-term strategy for public engagement and disclosure. 

UK crypto startup Euler Labs has $199 million stolen in cyber attack 

UK-based crypto startup Euler Labs has experienced a catastrophic cyber-attack, resulting in the theft of nearly $199 million from its DeFi lending platform. 

Euler Labs offers a DeFi protocol on Ethereum, enabling users to lend and borrow a wide range of cryptocurrencies. Unfortunately, hackers exploited a weakness in the platform's code, allowing them to abscond with roughly $199 million in various digital currencies, including USDC ($34.1m), Dai ($8.8m), Wrapped Bitcoin ($18.9m), and Staked Ether ($137.1m), as per blockchain analytics firm Elliptic. 

Elliptic further explained that the heist involved "flash loan attacks," which entail obtaining substantial, short-term, unsecured crypto loans from a DeFi service and utilising the borrowed funds to manipulate the market and other DeFi services for personal gain. The stolen proceeds are reportedly being laundered through Tornado Cash, a decentralized mixer previously sanctioned by the US government. 

According to Elliptic, the funds employed in the attack originated from a Monero wallet. Although Monero is a private coin lacking a public transaction ledger, Elliptic's investigative tools can track these funds. The company also cooperated with UK and US law enforcement agencies and attempted to communicate with the perpetrators to explore potential options. 

Euler Labs highlighted that previous audits of its lending protocol failed to detect the exploited vulnerability. 

Prestigious Norfolk school  hit by cyber attack 

Students at a renowned Norfolk educational institution are grappling with interruptions following a complex cyber-attack on the school. 

Wymondham College warned that the disturbance could persist until the Easter break due to the assault on its IT infrastructure. 

According to local media reports the school is currently collaborating with the Department of Education and the National Cyber Security Centre to address the issue. 

Schools, colleges, and universities are often targeted by hackers and cybercriminals due to these institutions typically storing a wealth of sensitive information, including personal data, financial records, and intellectual property, making them attractive targets for data theft and extortion. 

Unfortunately, educational institutions typically have less robust security measures in place compared to other organisations, given the open nature of their networks and the need to accommodate a diverse range of users and devices. Underfunded IT departments and insufficient cybersecurity training for staff and students also contributes to vulnerabilities.  

Warning as Medusa Ransomware Gang increases its activities 

The Medusa ransomware campaign, known for demanding million-dollar ransoms from corporate targets worldwide, has gained momentum in 2023. 

Although the operation commenced in June 2021, it initially experienced limited activity and impacted few victims. Nevertheless, in 2023, the Medusa gang intensified their efforts, launching the "Medusa Blog" to publicise data from victims who declined to meet ransom demands. The group hit the headlines this week after claiming responsibility for an attack on the Minneapolis Public Schools (MPS) district and releasing a video showcasing the stolen information. 

Multiple malware are named Medusa, such as a Mirai-based botnet with ransomware capabilities, Medusa Android malware, and the well-known MedusaLocker ransomware operation. This shared name has led to confusion in reporting, as some mistakenly believe that the current Medusa campaign is the same as MedusaLocker. However, these are different operations. The Medusa ransomware campaign began in June 2021, utilising a ransom note titled !!!READ_ME_MEDUSA!!!.txt and a consistent encrypted file extension of .MEDUSA. 

Moreover, the Medusa operation employs a Tor website to facilitate ransom negotiations. As with many ransomware campaigns targeting enterprises, Medusa operates a data leak site called "Medusa Blog." This platform serves as a component of the gang's double-extortion strategy, disclosing data from victims who refuse to pay ransoms. 

Currently there are no known weaknesses in the Medusa Ransomware encryption that allow victims to recover their files for free.  

ALPHV Ransomware gang claims to have hacked Ring 

A well-known ransomware group has issued threats to disclose data allegedly associated  with Ring, the Amazon-owned video surveillance firm. 

On Monday, the ALPHV ransomware collective listed Ring as a target on its dark web site. The Russia-affiliated group stated, "There's always an option to let us leak your data.” 

The specific data ALPHV possesses remains unclear, and the gang has not provided any proof of data exfiltration. Employing tactics similar to other ransomware groups, ALPHV not only encrypts the victim's data but also exfiltrates it beforehand, aiming to extort the victim by threatening to expose the pilfered information.