
The United States believes the Iranian government is now coordinating and partnering with ransomware criminals for international attacks

Avoiding iffy downloads is no longer enough to ensure this doesn’t happen. Olemedia/iStock via Getty Images

American authorities are accusing Iranian government-linked ransomware threat actors of not just conducting attacks themselves, but also coordinating and partnering with other digital criminals to boost their extortion abilities.

While the Iranian threat actors refer to themselves as "Br0k3r" and "xplfinder", security vendors call them "Pioneer Kitten", "Fox Kitten", UNC757 (UNC stands for "uncategorised"), "Parisite" [sic], RUBIDIUM and, amazingly enough, "Lemon Sandstorm".

They've been hacking away at high volume since 2017 and are active today, CISA said. Their targets are schools in the United States, councils, financial institutions, and the healthcare sector. (CISA is the FBI's Cybersecurity and Infrastructure Security Agency.)

Apart from the US, the ransomware gangs have gone after targets in Azerbaijan, the United Arab Emirates and Israel.

Some of the ransomware affiliates the Iranians have partnered with include the NoEscape, Ransomhouse and AlphV (BlackCat) operations.

What makes the attacks potentially worse is that the threat actors aim to maintain access to victim networks. This is to enable future attacks, either by the threat actors themselves, or by affiliates that have bought network access.

It's not just ransomware attacks that are taking place, but also network intrusions carried out as data-stealing side missions, CISA noted. A company in Iran, Danesh Novin Sahand, is used as cover for the attacks, which target vulnerable Internet-facing devices.

High time to check security advisories and to patch anything connected to the Internet then. The ransomware threat this year is worse than ever, despite police and intelligence agencies having a decent amount of success in breaking up the criminals' operations. 


1 Comments

Gonna roll the MOABs or do nothing?
