NoName Ransomware Claims Cyberattacks on Spain and Germany, But Evidence Unclear

NoName Ransomware

The NoName ransomware group has claimed responsibility for a series of cyberattacks targeting key institutions in Spain and Germany. The group’s latest alleged victims include the Royal Household of Spain, Corts Valencianes, and the Government of the Principality of Asturias, as well as German entities such as Energie Baden-Württemberg AG, Leistritz AG, and Aareal Bank AG. In a message posted on a dark web forum, NoName declared, "We continue attack on the Spanish internet infrastructure and destroy the state websites of Russophobic authorities."

Similarly, they stated regarding Germany, "We continue to punish Germany and destroy several websites of this Russophobic country." These statements underscore the group’s purported motive of targeting entities they deem as "Russophobic."

Despite these bold claims, the NoName group has not provided concrete evidence or detailed context regarding the nature and impact of these alleged cyberattacks. The Cyber Express team attempted to verify these claims by reaching out to the allegedly implicated organizations. As of the writing of this report, no responses have been received from the officials of the alleged target companies, leaving the claims unverified. Upon accessing the official websites of the listed Spanish and German companies, no disruptions or signs of cyberattack were observed, as the websites were fully functional. This raises questions about the veracity of NoName's claims and the potential for misinformation as a tactic in their cyber operations.

Historical Context of NoName Ransomware Cyber Activities

This isn’t the first instance of NoName targeting prominent organizations. In April 2024, the group allegedly launched a cyberattack on Moldova, affecting key government websites such as the Presidency, Ministry of Foreign Affairs, Ministry of Internal Affairs, and the State Registry. These websites were rendered inaccessible, displaying the message, “This Site Can’t be Reached.” The attack hinted at a politically motivated agenda, though NoName did not explicitly disclose their motives. In March 2024, NoName targeted multiple websites in Denmark, including significant entities like Movia, Din Offentlige Transport, the Ministry of Transport, Copenhagen Airports, and Danish Shipping. Similarly, in January 2024, the group attacked high-profile websites in the Netherlands, including OV-chipkaart, the Municipality of Vlaardingen, the Dutch Tax Office (Belastingdienst), and GVB. More recently, NoName’s cyber onslaught on Finland raised further alarms. Finnish government organizations, including Traficom, the National Cyber Security Centre Finland (NCSC-FI), The Railways, and the Agency for Regulation and Development of Transport and Communications Infrastructure, faced temporary inaccessibility due to DDoS attacks.

Implications and the Need for Vigilance

The sophistication and scale of NoName ransomware operations, combined with their apparent political motives, highlight the urgent need for enhanced cybersecurity measures and international cooperation. The rising frequency of cyberattacks targeting governmental institutions across Europe demands a coordinated response from both national and international cybersecurity agencies. If NoName's recent claims about targeting Spain and Germany are proven true, the implications could be far-reaching. Cyberattacks on such critical institutions could disrupt governmental functions, compromise sensitive data, and undermine public trust. However, any definitive conclusions must await official statements from the allegedly targeted companies in Spain and Germany. The alleged ongoing cyberattacks by NoName ransomware serve as a reminder of the persistent and evolving threat landscape. As the investigation continues, the cybersecurity community must remain vigilant and proactive in protecting digital infrastructure from such malicious actors. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

CL0P Ransomware Targets Financial Cooperative Unicred, Exfiltrating Sensitive Documents

Unicred cyberattack

The CL0P ransomware group has claimed to have added Cooperativa de Crédito y Vivienda Unicred Limitada to its growing list of victims. The group alleges it has exfiltrated various sensitive financial documents, including invoices and forms, from Unicred. The CL0P ransomware group, known for its high-profile cyberattacks, has detailed basic information about Unicred on its leak site, including links to the cooperative's official website. Unicred, founded in 1989 by a consortium of experienced businessmen and financial professionals, specializes in various financing instruments, such as the assignment of deferred payment checks, invoice credits, electronic invoices, and work certificates. The cooperative, with a reported revenue of $15.3 million, has built a reputation for its expertise in credit administration.

Despite the serious nature of CL0P's claims, initial investigations show no immediate signs of a cyberattack on Unicred's official website, which remains fully operational. To clarify the situation, The Cyber Express Team reached out to Unicred's officials. However, at the time of writing, no response has been received, leaving the ransomware group's assertions unverified.

Potential Impact of the Alleged Unicred Cyberattack

Should the CL0P ransomware group's claim of a Unicred cyberattack be validated, the repercussions could be substantial for both Unicred and its customers. Ransomware attacks typically involve not only the exfiltration of sensitive data but also the potential for that data to be publicly released or sold, leading to severe privacy breaches and financial loss. Given Unicred's role in handling significant financial transactions and sensitive customer information, a confirmed Unicred cyberattack could undermine customer trust, disrupt business operations, and result in regulatory scrutiny and potential fines. The exposure of financial documents and personal data could also lead to identity theft and financial fraud, posing a serious threat to the affected individuals.

CL0P Ransomware’s Notorious Track Record

The CL0P ransomware group has a well-documented history of targeting high-profile organizations. Earlier this month, the group listed three new victims on its leak site: McKinley Packing, Pilot, and Pinnacle Engineering Group. In January 2024, CL0P claimed responsibility for compromising S&A Law Offices, a prominent India-based firm specializing in litigation services and intellectual property rights. The cybercriminals posted sensitive employee details, including phone numbers, addresses, vehicle numbers, PAN card details, internal communications, and other personally identifiable information (PII) as proof of the breach. In 2023, the CL0P group was behind a series of significant data breaches exploiting the MOVEit vulnerability. This widespread campaign led the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) to issue a joint cybersecurity advisory. The advisory disseminated Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs) associated with CL0P's operations, emphasizing the group's threat to organizations across various sectors.

Conclusion

The alleged cyberattack on Cooperativa de Crédito y Vivienda Unicred Limitada by the CL0P ransomware group highlights the ongoing and evolving threat landscape in the digital age. While the claims remain unverified, the potential impact on Unicred and its customers is a reminder of the importance of cybersecurity vigilance. As CL0P continues to target high-profile entities, organizations must prioritize cybersecurity to protect their data, maintain customer trust, and ensure business continuity. As this situation develops, further verification and responses from Unicred will be crucial in determining the full extent of the impact and the measures needed to address it. Meanwhile, the cybersecurity community must remain vigilant and proactive in countering the ever-present threat of ransomware attacks.

Japanese Man Arrested for GenAI Ransomware as AI Jailbreak Concerns Grow

AI Jailbreak, AI security

A 25-year-old man from Kawasaki, Japan was arrested this week for allegedly using generative AI tools to create ransomware in an AI jailbreaking case that may be the first of its kind in Japan. The arrest of Ryuki Hayashi, widely reported in Japan, is the latest example of an attacker defeating AI guardrails, which has become something of an obsession for hackers and cybersecurity researchers alike. Just this week, researchers from Germany’s CISPA Helmholtz Center for Information Security reported on their efforts to jailbreak GPT-4o, the latest multimodal large language model (MLLM) released by OpenAI a little more than two weeks ago. Concerns raised by those researchers and others led OpenAI to establish a safety and security committee this week to try to address AI risks.

AI Jailbreak Tools and Methods Unclear

News reports on Hayashi’s arrest have been lacking in details on the tools and methods he used to create the ransomware. The Japan Times reported that Hayashi, a former factory worker, “is not an expert on malware. He allegedly learned online how to ask AI tools questions that would elicit information on how to create malware.” Hayashi came under suspicion after police arrested him in March “for allegedly using fake identification to obtain a SIM card registered under someone else's name,” the paper reported. The Japan News, which reported that Hayashi is unemployed, said police found “a homemade virus on a computer” following the March arrest. The News said police suspect he “used his home computer and smartphone to combine information about creating malware programs obtained after giving instructions to several generative AI systems in March last year.” Hayashi “allegedly gave instructions to the AI systems while concealing his purpose of creating the virus to obtain design information necessary for encrypting files and demanding ransom,” the News reported. “He is said to have searched online for ways to illegally obtain information.” Hayashi reportedly admitted to charges during questioning, and told police, “I wanted to make money through ransomware. I thought I could do anything if I asked AI.” There have been no reports of damage from the ransomware he created, the News said.

LLM Jailbreak Research Heats Up

The news comes as research on AI jailbreaking and attack techniques has grown, with a number of recent reports on risks and possible solutions. In a paper posted to arXiv this week, the CISPA researchers said they were able to more than double their attack success rate (ASR) on GPT-4o’s voice mode with an attack they dubbed VOICEJAILBREAK, “a novel voice jailbreak attack that humanizes GPT-4o and attempts to persuade it through fictional storytelling (setting, character, and plot).” Another arXiv paper, posted in February by researchers at the University of California at Berkeley, looked at a range of risks associated with GenAI tools such as Microsoft Copilot and ChatGPT, along with possible solutions, such as development of an “AI firewall” to monitor and change LLM inputs and outputs if necessary. And earlier this month, OT and IoT security company SCADAfence outlined a wide range of AI tools, threat actors and attack techniques. In addition to general use case chatbots like ChatGPT and Google Gemini, the report looked at “dark LLMs” created for malicious purposes, such as WormGPT, FraudGPT, DarkBERT and DarkBART. SCADAfence recommended that OT and SCADA organizations follow best practices such as limiting network exposure for control systems, patching, access control and up-to-date offline backups. GenAI uses and misuses are also expected to be the topic of a number of presentations at Gartner’s Security and Risk Management Summit next week in National Harbor, Maryland, just outside the U.S. capital.

New ‘SpiderX’ Ransomware Emerges as Successor to Notorious Diablo

SpiderX

A threat actor known as "phant0m" is promoting a new Ransomware-as-a-Service (RaaS) on OnniForums, a notorious dark web forum. The new ransomware, named "SpiderX," is designed for Windows systems and boasts a suite of advanced features that make it a formidable successor to the previously infamous Diablo ransomware. Phant0m introduced SpiderX in a detailed post titled "Introduction to the SpiderX Ransomware," claiming that after months of development, this new ransomware is ready to take the place of Diablo. The post highlighted SpiderX's enhanced ransomware capabilities and the improvements over its predecessor. Phant0m described SpiderX as incorporating all the features of Diablo, with additional functionalities designed to make it more effective and harder to detect and remove. "After a few months of hard work, I would like to announce the release of my brand new Spiderx Ransomware. It will be the successor of my Diablo which served its purpose really well but it is finally time to upgrade things to a whole new level," reads the threat actor's post.

Key Features and Capabilities of SpiderX Ransomware

SpiderX is written in C++, a choice that phant0m claims offers faster execution compared to other languages like C# and Python. This language choice, combined with the ransomware's small payload size (500-600 KB, including an embedded custom wallpaper), ensures quick and efficient deployment.
ChaCha20-256 Encryption Algorithm:
One of the standout features of SpiderX is its use of the ChaCha20-256 encryption algorithm. Known for its speed, this algorithm allows SpiderX to encrypt files much faster than the commonly used AES-256, thereby reducing the time it takes for the ransomware to render a victim's files inaccessible.
Offline Functionality:
Like Diablo, SpiderX does not require an internet connection to execute its primary functions. Once initiated, it can encrypt files on the victim’s computer and connected external devices (such as USB drives) without needing to communicate with a remote server. This makes SpiderX particularly stealthy and difficult to detect during its initial attack phase.
Comprehensive Targeting:
SpiderX extends its reach beyond the main user folders on the Windows drive. It targets all external partitions and drives connected to the system, ensuring comprehensive encryption. This includes USB drives and other external storage devices that may be connected post-attack, which will also be encrypted, amplifying the attack's impact.
Built-in Information Stealer:
A new feature in SpiderX is its built-in information stealer. Once the ransomware is executed, this component exfiltrates data from the target system, compresses it into a zip file, and uploads it to MegaNz, a file transfer and cloud storage platform. This stolen data can include sensitive information, which the attacker can then exploit or sell. The process is designed to leave no traces, covering its tracks to avoid detection.
Persistence and Silent Operation:
SpiderX is designed to be fully persistent, running silently in the background to continue encrypting any new files added to the system. This persistence ensures that the ransomware remains active even if the victim tries to use the system normally after the initial attack.

Marketed to Cybercriminals

Phant0m is marketing SpiderX to other cybercriminals at a price of US$150, accepting payments in Bitcoin and Monero, which are favored for their anonymity. The affordable price and powerful features make SpiderX an attractive tool for malicious actors looking to carry out ransomware attacks with minimal effort.

Implications and Threat Assessment

The introduction of SpiderX on the dark web marks a significant escalation in the capabilities of ransomware available as a service. Its advanced features, such as the ChaCha20-256 encryption algorithm and built-in information stealer, coupled with its ability to operate offline, make it a highly effective and dangerous tool. The persistent nature of the ransomware and its comprehensive targeting of connected devices further increase its potential impact. As ransomware continues to evolve, tools like SpiderX represent a growing threat to cybersecurity. What is most concerning is the potential widespread use of SpiderX due to its low cost and high efficiency. The capabilities and ease of deployment of SpiderX ransomware highlight the need for vigilance and advanced security measures to protect against increasingly sophisticated cyber threats. Organizations and individuals are advised to enhance their cybersecurity measures, including regular data backups, updating software and systems, and employing enhanced security protocols to mitigate the risk of such attacks.

Seattle Public Library Recovers Key Services After Ransomware Attack

SPL Cyberattack

Amid the setbacks from the SPL cyberattack, the Seattle Public Library has managed to restore some digital services. Patrons can now access the event calendar and online versions of major newspapers like the New York Times, Wall Street Journal, and Washington Post. Additionally, Hoopla, a digital media borrowing service, is operational, though users may need to log out and back in or reinstall the app if they encounter issues. However, access to e-books remains disrupted. Patrons can choose to delay the delivery of their Libby holds, which offers a workaround to maintain access to held items when the service resumes fully. The Seattle Public Library (SPL) faced a ransomware attack that crippled its computer systems this week. On May 28, libraries across South Seattle were noticeably quiet, with signs informing patrons that all computer services were down. This included not only the physical computer terminals and printing services but also the in-building Wi-Fi, crucial for many library users.

The SPL Cyberattack and Immediate Response

The ransomware attack was detected early in the morning of Saturday, May 25, just one day before planned maintenance on a server over the Memorial Day weekend. The SPL cyberattack impacted several critical services, including staff and public computers, the online catalog and loaning system, e-books and e-audiobooks, and the library’s website. Upon discovering the attack, SPL quickly engaged third-party forensic specialists and contacted law enforcement. The library took all its systems offline to prevent further damage and assess the situation. “We are working as quickly and diligently as we can to confirm the extent of the impacts and restore full functionality to our systems,” library officials said. Ensuring the privacy and security of patron and employee information remains a top priority, and systems will stay offline until their security can be guaranteed. SPL officials have been transparent about the ongoing nature of the investigation and restoration efforts. Although they have not provided an estimated time for when all services will be fully restored, they have promised regular updates. “Securing and restoring our systems is where we are focused,” they emphasized, expressing regret for the inconvenience and thanking the community for its patience and understanding.

The Broader Impact of Library Cyberattacks

Ransomware attacks on public libraries have become increasingly common, posing severe operational challenges. The London Public Library's December attack forced the closure of three branches—Carpenter, Lambeth, and Glanworth—until January 2. This incident highlighted the vulnerability of public institutions to cyber threats and the significant disruption such attacks can cause to community services. Similarly, the National British Library faced a major outage in October 2023 that initially seemed like a technical glitch but rapidly escalated into a widespread disruption. This affected online systems, including the website and onsite services such as public Wi-Fi and phone lines. The library’s operational challenges were compounded by the extent of the services impacted, which underscored the critical nature of cybersecurity for public knowledge institutions.

Moving Forward

As SPL works to recover from the ransomware attack, the incident highlights the importance of enhanced cybersecurity measures for public libraries. These institutions are pivotal in providing access to information and services to the community, and disruptions can have far-reaching consequences. Library officials continue to prioritize restoring full functionality and ensuring the security of their systems. The community awaits further updates, hopeful for a swift resolution to regain full access to the valuable resources the Seattle Public Library offers. In the meantime, patrons are encouraged to use the limited digital services available and to stay informed through the library’s updates on their website and social media channels.

North Korean Threat Actor Deploying New FakePenny Ransomware: Microsoft

Fakepenny ransomware, Moonstone Sleet, North Korea

Microsoft has uncovered a new “FakePenny” ransomware variant being deployed by a North Korean threat actor to target organizations in the software, information technology, education and defense industrial base sectors for both espionage and monetary gains. The threat actor, which Microsoft tracks as Moonstone Sleet, was first observed delivering a new custom ransomware variant in April, to an undisclosed company whose networks it compromised a couple of months earlier. The ransomware is straightforward and contains a loader and an encryptor module. North Korean threat actor groups have previously developed such custom ransomware, but “this is the first time we have observed this threat actor deploying ransomware,” the tech giant said.
“Microsoft assesses that Moonstone Sleet’s objective in deploying the ransomware is financial gain, suggesting the actor conducts cyber operations for both intelligence collection and revenue generation.”
FakePenny ransomware demands exorbitant ransoms, with recent demands reaching $6.6 million in Bitcoin. “This is in stark contrast to the lower ransom demands of previous North Korea ransomware attacks, like WannaCry 2.0 and H0lyGh0st,” Microsoft said. Notably, the ransom note used by FakePenny ransomware closely resembles the one employed in the infamous NotPetya ransomware attack, which is attributed to the North Korean group Seashell Blizzard. This continuity in tactics highlights the interconnected nature of North Korean cyber operations.

Moonstone Sleet’s Strategy and Tradecraft

Moonstone Sleet has a diverse set of operations supporting its financial and espionage objectives. This group has been observed creating fake companies, employing trojanized versions of legitimate tools, and even developing malicious games to infiltrate targets. Their ability to conduct concurrent operations and quickly evolve and adapt their techniques is notable. The threat actor, as noted earlier, has several different tradecrafts under its belt. In early August 2023, Moonstone Sleet delivered a compromised version of PuTTY, an open-source terminal emulator, through platforms like LinkedIn, Telegram, and freelancing websites. The trojanized software decrypted and executed the embedded malware when the user provided an IP and password mentioned in a text document contained in the malicious Zip file that the threat actor sent. The same technique was used by another North Korean actor, Diamond Sleet. Moonstone Sleet has also targeted victims using malicious “npm” packages distributed through freelancing sites and social media. These packages, which often masqueraded as technical assessments, led to additional malware downloads when executed. Since February 2024, Moonstone Sleet has also taken a different approach by using a malicious game called DeTankWar to infect devices. The group approached targets posing as a game developer or fake company, presenting the game as a blockchain project. Upon launching the game, additional malicious DLLs were loaded, executing a custom malware loader known as “YouieLoad.” This loader performs network and user discovery and browser data collection.

Fake Companies and Work-for-Hire Schemes

Since January 2024, Moonstone Sleet has created several fake companies, including StarGlow Ventures and C.C. Waterfall, to deceive targets. These companies posed as software development and IT service firms, often related to blockchain and AI, to establish trust and gain access to organizations. Moonstone Sleet has also pursued employment opportunities in legitimate companies, which is consistent with reports of North Korea using remote IT workers to generate revenue. Recently, the U.S. charged a North Korean job fraud nexus that was amassing funds to support its nuclear program. The nexus scammed more than 300 U.S. companies and accumulated at least $6.8 million. This employment tactic could also provide another avenue for gaining unauthorized access to organizations. Moonstone Sleet’s notable attacks include compromising a defense technology company to steal credentials and intellectual property and deploying ransomware against a drone technology firm.
“Despite being new, Moonstone Sleet has demonstrated that it will continue to mature, develop, and evolve, and has positioned itself to be a preeminent threat actor conducting sophisticated attacks on behalf of the North Korean regime.”

Defending Against Moonstone Sleet

To defend against Moonstone Sleet, Microsoft recommends using endpoint detection and response (EDR), implementing attack surface reduction rules to block executable content from email clients and webmail, preventing executable files from running unless they meet specific criteria, using advanced protection against ransomware, and blocking credential stealing from LSASS.
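
As an added example (not code from Microsoft or The Cyber Express), the PowerShell below audits whether the four attack surface reduction rules named in this section are enforced on a Windows endpoint. The rule GUIDs come from Microsoft's public ASR rule reference; the function name `Get-AsrRuleGap` is hypothetical and the sample IDs and actions are constructed.

```powershell
# Added example: audit the four ASR rules named in Microsoft's Moonstone Sleet guidance.
# Rule GUIDs are from Microsoft's public attack surface reduction rule reference.
$RecommendedRules = [ordered]@{
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email client and webmail'
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executable files unless they meet a prevalence, age, or trusted list criterion'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
}

# Numeric action values as reported by Get-MpPreference.
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

# Hypothetical helper: compares configured rule IDs/actions with the recommended set.
function Get-AsrRuleGap {
    param(
        [string[]] $Ids     = @(),
        [int[]]    $Actions = @()
    )

    # Get-MpPreference returns two parallel arrays; pair them into id -> action.
    $configured = @{}
    if ($Ids -and $Actions) {
        $count = [Math]::Min($Ids.Count, $Actions.Count)
        for ($i = 0; $i -lt $count; $i++) {
            $configured[$Ids[$i].ToLower()] = $Actions[$i]
        }
    }

    foreach ($id in $RecommendedRules.Keys) {
        if ($configured.ContainsKey($id)) {
            $action = $configured[$id]
            $state  = if ($ActionNames.ContainsKey($action)) { $ActionNames[$action] }
                      else { "Unknown($action)" }
        } else {
            $action = $null
            $state  = 'NotConfigured'
        }

        [pscustomobject]@{
            Rule     = $RecommendedRules[$id]
            Id       = $id
            State    = $state
            # Only Block mode stops the behaviour; Audit and Warn still let it run.
            Enforced = ($action -eq 1)
        }
    }
}

# Constructed sample: email rule in Block, ransomware rule in Audit,
# LSASS rule Disabled, prevalence rule absent.
$sampleIds     = @('BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550',
                   'c1db55ab-c21a-4637-bb3f-a12568109d35',
                   '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2')
$sampleActions = @(1, 2, 0)
Get-AsrRuleGap -Ids $sampleIds -Actions $sampleActions |
    Format-Table Rule, State, Enforced -AutoSize

# On a Windows endpoint with the Defender module, audit the live configuration.
if (Get-Command Get-MpPreference -ErrorAction SilentlyContinue) {
    $pref = Get-MpPreference
    Get-AsrRuleGap -Ids $pref.AttackSurfaceReductionRules_Ids `
                   -Actions $pref.AttackSurfaceReductionRules_Actions |
        Where-Object { -not $_.Enforced } |
        Format-Table Rule, State -AutoSize
}
```

Rules reported as Audit or NotConfigured are the gaps to close; moving a rule from Audit to Block is usually done after reviewing its audit events for false positives.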

Boeing Confirms $200M Cyber Extortion Attempt of LockBit

Boeing Confirms LockBit Attempted $200M Cyber Extortion

Boeing confirmed that the LockBit ransomware gang's attack in October 2023, which impacted certain parts and distribution operations of the company, carried a staggering $200 million cyber extortion demand from the cybercriminals in exchange for not publishing leaked data. Boeing on Wednesday acknowledged that it is the unnamed “multinational aeronautical and defense corporation headquartered in Virginia,” which is referenced in an unsealed indictment from the U.S. Department of Justice that unmasked the LockBitSupp administrator. Boeing did not provide an immediate response to The Cyber Express' inquiry seeking confirmation of this news, which was initially reported by Cyberscoop. The indictment in question singled out Dmitry Yuryevich Khoroshev as the principal administrator and developer behind the LockBit ransomware operation, as part of a coordinated international effort that included sanctions from the U.S., the U.K., and Australia. Boeing has not provided confirmation on the negotiations or on whether the company paid any ransom in response to the massive $200 million cyber extortion demand.

Boeing Cyber Extortion Saga

LockBit first listed Boeing as its victim on October 27 and set a ransom payment deadline for November 2. Boeing chose not to provide any comments or statements regarding the incident at that time, leaving the LockBit claims unverified. Three days later, LockBit took down Boeing’s name from the victims’ list, fueling further speculation that it was a hoax or that the company had likely paid the ransom. Following this incident, Boeing eventually confirmed falling victim to LockBit’s cyberattack. But as ransom negotiations reportedly failed, LockBit re-listed Boeing on its leak site and threatened to publish 4 gigabytes of sample data as proof of the Boeing data breach. The post also warned that “All available data will be published!” in the coming days. Following through on the threat, LockBit published more than 40GB of data on November 10, as the company likely did not agree to pay the ransom demand. Boeing is yet to address the stolen data publicly.

Ransom Demands Getting Exorbitant

The indictment's reference to the unnamed company highlights the exorbitant ransom demands made by Khoroshev and his cohorts, totaling over $500 million in ransoms extorted from victims since late 2019. Of this, he got nearly $100 million from a 20% share on the ransom payments, which was further “used to continue funding the LockBit operation and its infrastructure.” Ransomware analysts are now calling the Boeing cyber extortion one of the largest ransom demands from a ransomware gang to date. Researchers suspect LockBit likely made an inflated demand, without realistic expectations of receiving the full amount, merely to test the waters. Between September 2019 and February 2024, Khoroshev grew LockBit into a massive global criminal operation in which, along with his affiliates, he attacked approximately 2,500 victims, which included nearly 1,800 in the U.S. alone, the indictment said. Apart from Boeing, LockBit’s victim list also contains law enforcement agencies, security firms, municipalities, schools, financial institutions and even multinational fast-food chains.

Who is LockBit Ransomware Gang?

The LockBit ransomware gang emerged in 2019, primarily targeting thousands of global companies, with a focus on those headquartered in the United States. Linked to Russian entities, LockBit has amassed tens of millions of dollars in ransom payments since its inception. According to the Cybersecurity and Infrastructure Security Agency (CISA), LockBit has executed over 1700 attacks in the United States, often by compromising and threatening to release sensitive data for financial gain. The recent Boeing data breach highlights the persistent threat posed by cyberattacks to major corporations. LockBit's aggressive tactics and specific targeting of Boeing, a key player in aerospace and defense, highlight the urgent need for robust cybersecurity measures. The ransomware group's imposed deadline heightens the urgency, highlighting the severe consequences of data breaches and the critical importance of safeguarding sensitive information.