Computer Forensics and Security Institute (CFSI)

Computer and Network Security

Chaguanas, Chaguanas 797 followers

Penetration Testing. Vulnerability Assessments. Digital Forensics. Purple Teaming. Cybersec Consultancy and Training.

About us

CFSI offers advanced Cyber Security services including Vulnerability Assessment, Penetration Testing, Digital Forensics and Network Security Training.

Website
http://www.cfsi.co
Industry
Computer and Network Security
Company size
2-10 employees
Headquarters
Chaguanas, Chaguanas
Type
Educational
Founded
2011
Specialties
Penetration Testing, Digital Forensics, CyberSec Training, Certified Ethical Hacker Training, CCNA Training, Vulnerability Assessment, Incident Response Training, Certified EC-Council Instructor, and Authorized Training Centre

Updates

  • 🚨🚨 The Caribbean has seen 5 major ransomware/data leak listings in the past 2 months. 🚨🚨
    Ransomware Groups/Threat Actors:
    - BianLian
    - BlackLock/El Dorado
    - Sarcoma
    - Pryx
    - Lynx
    Sectors Affected:
    - Insurance
    - Retail and Distribution
    - Banking and Finance
    - Government
    - IT Service Provider
    Countries Affected:
    - Jamaica
    - Barbados
    - Trinidad & Tobago
    - Bermuda
    - Aruba
    - Bahamas
    #ransomwareattacks #dataleaks #darkweb #caribbean #aruba #barbados #bermuda #bahamas #jamaica #trinidadandtobago

  • 🚨 BlackLock (formerly El Dorado) Ransomware group 🚨 has listed a large organization from Aruba operating in the Retail and Distribution (Food) sector on their Dark Web leak site.
    El Dorado Ransomware Group additional info:
    - Mainly targets Windows and VMware ESXi systems but is also known to affect Linux systems.
    - First seen: early 2024.
    - Type: RaaS (Ransomware-as-a-Service).
    - El Dorado rebranded into BlackLock in September 2024.
    - Possible past affiliation with MetaEncryptor and LostTrust groups.
    - Victims listed as at October 18th 2024: 38
    - Extortion type: Double (encryption and data leak).
    - Industries/sectors attacked: Healthcare, Retail, Distribution, Food and Beverage, Manufacturing, Legal, Construction, Government, IT and more.
    #ransomwareattack #eldorado #blacklock #aruba #caribbean

  • 🚨 New Ransomware Group Sarcoma 🚨 has listed a company from Bermuda operating within the Finance and Banking sector as a victim on their Dark Web leak site. A countdown timer with approximately 7 days is currently running.
    Sarcoma Ransomware Group info:
    - First seen: October 2024
    - Victims listed as at October 18th, 2024: 33
    - Extortion type: Triple (Direct extortion, encryption and data leak).
    - Information on the Sarcoma "About Us" page on the dark web states "Our mission is to show the world how important it is to keep data safe. If you see your company on our website, it means that security was low. We invite access brokers, interested parties, aggrieved employees of companies to co-operate. Together we can be stronger and richer."
    - Industries/sectors attacked: IT and Cyber security, Banking and Finance, Insurance, Construction, Retail and Wholesale and more.
    #ransomwareattack #caribbean #Bermuda

  • 🇧🇧 Pryx Ransomware threat actor allegedly breaches Barbados Government 🇧🇧. Pryx has listed for sale a dump titled "Tax and Tourism fees service dump (230 GB)" on its dark web leak site. See screenshots for details. PII listed allegedly includes Passports and National ID numbers. Five sample files have also been uploaded (which have not been downloaded or viewed).
    Additional info about Pryx:
    - First seen: Between April - July 2024
    - Has stated the following on their dark web leak page: "Pryx is definitely not a ransomware group. Pryx is a cybercriminal or threat actor, whatever you want to call it. Pryx might soon get into hacktivism, bcuz why not."
    - Victims listed as at October 1st 2024: 9
    - Extortion type: Double (encryption and data leak).
    - Extortion amounts: up to $10 million.
    - Industries/sectors attacked: Government and education.
    #dataleak #barbados #caricom #pryx

  • 🚨🚨 Ransomware Attack/Data Leak on Caribbean Insurance Company 🚨🚨
    The BianLian Ransomware group published a post on their dark web leak site about an alleged data leak on an insurance company operating within several Caribbean islands including Jamaica, the Bahamas and Trinidad & Tobago. The data volume is listed at 3.5 TB and the data description lists clients' and employees' PII (Personally Identifiable Data) and accounting and policy data.
    About the BianLian Ransomware group:
    - First dark web leak post made in August 2022.
    - Has leaked the data of over 450 victims in the past 2 years.
    - Target sectors: Health and Medical, Financial, Construction, Manufacturing, Critical Infrastructure, Robotics, Food, Aviation and more.
    - Known RaaS (Ransomware-as-a-Service) group.
    - Possible association with Makop Ransomware group.
    - Known for extortion without encryption, meaning that they do not encrypt victim files but instead focus on extortion via data leak if ransom is not paid.
    - Has exfiltrated well over 8TB of data from victims in the past 2 years.
    - Recently discovered to have been using Microsoft Storage Explorer and AzCopy tools to exfiltrate stolen data, which is transferred to Microsoft Storage Blob containers for storage. (Most likely as Microsoft services are less likely to be blocked.)
    - Known to gain access via RDP (Remote Desktop Protocol), phishing, ProxyShell and VPN exploitation and also via Access Brokers, followed by the planting of backdoors and remote access software.
    - Uses PowerShell and the Command shell to disable and evade anti-virus and anti-malware protection (specifically Microsoft Defender).
    - Uses popular tools for network scanning and enumeration including Advanced Port Scanner, SharpShares and PingCastle.
    - Uses PsExec with compromised credentials for Lateral Movement.
    #ransomwareattack #dataleak #bianlian #trinidad #jamaica #bahamas

  • New Ransomware Group Observed - Part 6. 🚨 Lynx Ransomware Group. 🚨
    This group has allegedly breached a large organization which operates in several Caribbean islands (including 🇧🇧 Barbados, 🇯🇲 Jamaica and 🇹🇹 Trinidad) and Latin American countries. (The name of the company will not be divulged publicly or privately as this post is solely for awareness purposes.) Though only in operation for 2 months (under this group) they do appear to be experienced and highly-organized with a focus on larger, profitable targets.
    - Type: Ransomware-as-a-Service (RaaS)
    - Possible rebranding of/association with Inc Ransomware (RaaS) group.
    - Noticeably active since July 2024
    - Encryption Type: AES
    - Sectors of Interest: Engineering, Construction, Manufacturing, Technology and Finance
    - Dark web/leak site victim count: 24.
    - Known for double extortion. (Encryption of systems and leaking of data.)
    - Lists company income on each leak post. Victims are usually large profitable organizations with income ranging from $5 Million to $700 Million.
    #ransomwareattacks #newransomwaregroup

  • Here are the Ransomware group stats for August 2024. A significant jump in publications by new Ransomware-as-a-Service (RaaS) group RansomHub, which could be attracting LockBit affiliates. I counted approximately 420 listings by 37 groups for August. Keep in mind these listings only show the companies which did not pay the ransoms. See the full list in the comments section. #ransomwareattacks

  • Part 5 - New Ransomware Group Observed.
    Name: RansomHub (🚨 keep an eye on this group. 🚨)
    First seen: February 2024
    Victims listed: Approximately 270 (listed).
    Extortion types: Encryption, Data Leak Extortion
    Industries/sectors attacked: IT, Oil & Gas, Media, Retail, Government, Banking, Healthcare and more.
    Additional Notes:
    - First observed around the same time as the February 2024 🔒 LockBit takedown 👮‍♂️.
    - One of the most active RaaS (Ransomware-as-a-Service) groups.
    - Possibly the 🚨 New LockBit 🔒 as affiliates from LockBit and other groups may have joined RansomHub (this is pure speculation).
    - Their rise in popularity may stem from the large payout of 90% to the affiliate and 10% to the developers.
    - Ransomware affects Windows, Linux, ESXi, ARM and MIPS platforms.
    #newransomwaregroup #RaaS #RansomHub #theNewLockbit?
