FBI TLP Alert https://www.aha.org/ en FBI TLP:Green Indicators of Compromise Associated with Darkside Ransomware https://www.aha.org/fbi-tlp-alert/2021-05-10-fbi-tlpgreen-indicators-compromise-associated-darkside-ransomware <span class="title">FBI TLP:Green Indicators of Compromise Associated with Darkside Ransomware</span> <span class="uid"><span>Matthew Diener</span></span> <span class="created">May 10, 2021 - 10:32 AM</span> <div class="body"><p>The following information is being provided by the FBI, with no guarantees or warranties, for potential use at the sole discretion of recipients in order to protect against cyber threats. This data is provided to help cyber security professionals and system administrators guard against the persistent malicious actions of cyber actors. This FLASH was coordinated with DHS-CISA and the Department of Energy.</p> <p>This FLASH has been released <span style="background-color: black; color: #78be20;">TLP:GREEN:</span> Recipients may share <span style="background-color: black; color: #78be20;">TLP:GREEN</span> information with peers and partner organizations within their sector or community, but not via publicly accessible channels.</p> <h2>Indicators of Compromise Associated with Darkside</h2> <h3>Summary</h3> <p>In May 2021, the FBI received notification that the ransomware variant Darkside had infected a critical infrastructure company in the United States. The FBI has been investigating Darkside since October 2020. Darkside is a ransomware-as-a-service (RaaS) variant, in which criminal affiliates conduct the attacks and the proceeds are shared with the ransomware developer(s). 
Darkside has impacted numerous organizations across various sectors including manufacturing, legal, insurance, healthcare, and energy.</p> <h3>Technical Details</h3> <p>After Darkside actors gain access to a victim’s network, they not only deploy the Darkside ransomware to encrypt data, but also exfiltrate victim data and then threaten to publish the data to further pressure the victims into paying the ransom demand. This is a double extortion trend.</p> <p>Darkside actors are encouraged by the ransomware developers to use Monero<sup><a href="#fn1">1</a></sup> in their demands, as cyber actors believe that cryptocurrency provides additional anonymity and security. Darkside affiliates use an administrative panel over The Onion Router (TOR) to access communications with the victims and manage administration of the ransomware. The Darkside website includes a landing page with possible victims and descriptions of data taken, as well as a “Press Releases” tab. According to a 27 January 2021 post about rules for using Darkside, affiliates are not allowed to attack the funeral services industry, hospitals, nursing homes, and companies that distribute the COVID-19 vaccine.</p> <h3>Darkside Encryption</h3> <p>Darkside can encrypt files on fixed and removable hardware as well as network devices. Darkside encrypts files using Salsa20 encryption with an RSA-1024 public key and affiliates can use Darkside in both Windows and Linux environments.</p> <h3>Indicators of Compromise</h3> <p>The indicators of compromise that have been observed in samples of Darkside ransomware are listed in Appendix A.</p> <h3>Information Requested</h3> <p>The FBI does not encourage paying a ransom to criminal actors. Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or may fund illicit activities. Paying the ransom also does not guarantee that a victim’s files will be recovered. 
However, the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers. Regardless of whether you or your organization have decided to pay the ransom, the FBI urges you to report ransomware incidents to your local field office. Doing so provides investigators and analysts with the critical information they need to track ransomware attackers, hold them accountable under US law, and prevent future attacks. The FBI is seeking any of the following information that you determine you can legally share, including:</p> <ul> <li>Recovered executable files</li> <li>Complete phishing email files with headers</li> <li>Live memory (RAM) capture</li> <li>Malware samples</li> <li>Network and host-based log files</li> <li>Email addresses of the attackers</li> <li>A copy of the ransom note</li> <li>Ransom amount and whether the ransom was paid</li> <li>Virtual currency wallets used by the attackers</li> <li>Virtual currency wallets used to pay the ransom (if applicable)</li> <li>Tor sites used to contact the attackers</li> <li>Names of any other malware identified on your system</li> <li>Copies of any communications with attackers</li> <li>Document use of .icu domains for C2</li> <li>Identification of website or forum where data was leaked</li> </ul> <h3>Recommended Mitigations</h3> <ul> <li>Back up data regularly, keep offline backups, and verify the integrity of the backup process.</li> <li>Keep software updated. 
Install software patches so that attackers can't take advantage of known problems or vulnerabilities.</li> <li>Use two-factor authentication and strong passwords.</li> <li>Audit logs for all remote connection protocols.</li> <li>Audit logs to ensure all new accounts were intentionally created.</li> <li>Scan for open or listening ports, and disable SMBv1.</li> <li>Consider disabling RDP if it is not being used.</li> <li>Ensure anti-virus and anti-malware solutions are set to automatically update and regular scans are conducted.</li> <li>Implement application whitelisting. Only allow systems to execute programs known and permitted by security policy.</li> <li>Monitor Active Directory and local administrators group changes.</li> <li>Maintain only the most up-to-date version of PowerShell and uninstall older versions.</li> <li>Enable PowerShell logging and monitor for unusual commands, especially execution of Base64 encoded PowerShell.</li> <li>Turn off the option to automatically download attachments. To simplify the process of reading email, many email programs offer the feature to automatically download attachments. Check your settings to see if your software offers the option, and disable it.</li> </ul> <h3>Reporting Notice</h3> <p>The FBI encourages recipients of this document to report information concerning suspicious or criminal activity to their local FBI field office or the FBI’s 24/7 Cyber Watch (CyWatch). Field office contacts can be identified at <a href="http://www.fbi.gov/contact-us/field" target="_blank">www.fbi.gov/contact-us/field-offices</a>. CyWatch can be contacted by phone at <a href="tel:1-855-292-3937">(855) 292-3937</a> or by email at <a href="mailto:CyWatch@fbi.gov">CyWatch@fbi.gov</a>. When available, each report submitted should include the date, time, location, type of activity, number of people, and type of equipment used for the activity, the name of the submitting company or organization, and a designated point of contact. 
Press inquiries should be directed to the FBI’s National Press Office at <a href="mailto:npo@fbi.gov">npo@fbi.gov</a> or <a href="tel:1-202-324-3691">(202) 324-3691</a>.</p> <h3>Administrative Note</h3> <p>This product is marked <span style="background-color: black; color: #78be20;">TLP:GREEN</span>. Recipients may share <span style="background-color: black; color: #78be20;">TLP:GREEN</span> information with peers and partner organizations within their sector or community, but not via publicly accessible channels.</p> <hr /> <ol> <li id="fn1">Monero cryptocurrency was released in 2014 and uses various privacy-enhancing technologies to provide users with greater anonymity compared to more traditional cryptocurrencies such as Bitcoin.</li> </ol> </div> <div class="field_topics"> <div><a href="/topics/cybersecurity" class="topic" hreflang="en">Cybersecurity</a></div> </div> <div class="field_type"> <div>Type</div> <div><a href="/type/fbi-tlp-alert" hreflang="en">FBI TLP Alert</a></div> </div> <div class="field_access_level"> <div>Access Level</div> <div><a href="/taxonomy/term/279" hreflang="en">Member</a></div> </div> <div class="field_lead"><p>10 MAY 2021</p> <p>Alert Number: MU-000146-MW</p> </div> <div class="field_search_promotion"> <div>Search Promotion</div> <div>Not Promoted</div> </div> <div class="field_archived"> <div>Archived</div> <div>Off</div> </div> Mon, 10 May 2021 15:32:02 +0000 Matthew Diener 677245 at https://www.aha.org FBI TLP White PIN: FBI Disrupts Cyber Actors’ Exploitation of Microsoft Exchange Server Vulnerabilities April 13, 2021 https://www.aha.org/fbi-tlp-alert/2021-04-13-fbi-tlp-white-pin-fbi-disrupts-cyber-actors-exploitation-microsoft <span class="title">FBI TLP White PIN: FBI Disrupts Cyber Actors’ Exploitation of Microsoft Exchange Server Vulnerabilities April 13, 2021</span> <span class="uid"><span>dsamuels_drupal</span></span> <span class="created">Apr 13, 2021 - 11:43 AM</span> <div class="body"><div class="container row"> <div 
class="row"> <div class="col-md-8"> <p>On 13 April 2021, the Federal Bureau of Investigation (FBI) conducted a court-authorized operation to remove hundreds of malicious web shells from vulnerable servers in the United States in response to the widespread exploitation of critical Microsoft Exchange Server (MES) vulnerabilities by malicious cyber actors. The servers ran on-premises versions of MES, a software used to provide enterprise-level e-mail service. This is unrelated to Microsoft’s 13 April announcement of security updates for additional MES vulnerabilities. View the entire report below.&nbsp;</p> </div> <div class="col-md-4"> <div style="border: solid 2pt #9d2235; padding: 10px;"> <p style="color: #9d2235;"><strong>For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:</strong></p> <h3><a href="/system/files/media/file/2020/11/AHA-Riggi-Senior-Advisor-for-Cyber-and-Risk-Bio-08102020.pdf">John Riggi</a></h3> <h4>Senior Advisor for Cybersecurity and Risk, AHA</h4> <h4><a href="mailto:jriggi@aha.org?subject=Cybersecurity and Risk Advisory Services Query">jriggi@aha.org</a></h4> <h4>(O) <a href="tel:1-202-626-2272">+1 202 626 2272</a></h4> <h4>(M) <a href="tel:1-202-640-9159">+1 202 640 9159</a></h4> <center> <div class="external-link spacer" style="margin-right: 25px; padding-top: 20px; padding-bottom: 0px;"><a class="btn btn-wide btn-primary" href="/system/files/media/file/2020/11/AHA-Riggi-Senior-Advisor-for-Cyber-and-Risk-Bio-08102020.pdf" target="_blank">More on John Riggi</a></div> <div class="external-link spacer" style="margin-right: 25px; padding-top: 20px; padding-bottom: 0px;"><a class="btn btn-wide btn-primary" href="/guidesreports/2018-06-15-cybersecurity-and-risk-advisory-services" target="_blank">Learn more about AHA's Cybersecurity and Risk Advisory Services</a></div> </center> </div> </div> </div> </div> </div> <div class="field_topics"> <div><a href="/topics/cybersecurity" class="topic" hreflang="en">Cybersecurity</a></div> </div> <div class="field_type"> <div>Type</div> <div><a href="/type/fbi-tlp-alert" hreflang="en">FBI TLP Alert</a></div> </div> <div class="field_access_level"> <div>Access Level</div> <div><a href="/taxonomy/term/278" hreflang="en">Public</a></div> </div> <div class="field_paragraphs_text_with_heade"> <div> <div class="paragraph paragraph--type--paragraphs-text-with-headers- 
paragraph--view-mode--default"> </div> </div> </div> <div class="field_lead"><p>April 13, 2021<br /> <br /> PIN Number<br /> 20210413-002</p> </div> <div class="field_search_promotion"> <div>Search Promotion</div> <div>Not Promoted</div> </div> <h4 class="page-header">Key Resources</h4> <div class="field_related_files file file--mime-application-pdf file--application-pdf"> <div> <article> <div class="field_media_file"><span class="file file--mime-application-pdf file--application-pdf"><a href="https://www.aha.org/system/files/media/file/2021/04/fbi-tlp-white-pin-fbi-disrupts-cyber-actors-exploitation-of-microsoft-exchange-server-vulnerabilities-4-13-2021.pdf" type="application/pdf; length=664941" title="FBI TLP White PIN: FBI Disrupts Cyber Actors’ Exploitation of Microsoft Exchange Server Vulnerabilities April 13, 2021">FBI TLP White PIN: FBI Disrupts Cyber Actors’ Exploitation of Microsoft Exchange Server Vulnerabilities April 13, 2021</a></span> </div> </article> </div> </div> <div class="field_archived"> <div>Archived</div> <div>Off</div> </div> Tue, 13 Apr 2021 16:43:45 +0000 dsamuels_drupal 676791 at https://www.aha.org Joint Cyber Advisory TLP White: APT Actors Exploit Vulnerabilities to Gain Initial Access for Future Attacks https://www.aha.org/fbi-tlp-alert/2021-04-02-joint-cyber-advisory-tlp-white-apt-actors-exploit-vulnerabilities-gain <span class="title">Joint Cyber Advisory TLP White: APT Actors Exploit Vulnerabilities to Gain Initial Access for Future Attacks </span> <span class="uid"><span>dsamuels_drupal</span></span> <span class="created">Apr 02, 2021 - 08:53 AM</span> <div class="body"><p>In March 2021 the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) observed Advanced Persistent Threat (APT) actors scanning devices on ports 4443, 8443, and 10443 for <strong>CVE-2018-13379</strong>, and enumerated devices for <strong>CVE-2020-12812</strong> and <strong>CVE-2019-5591</strong>. 
It is likely that the APT actors are scanning for these vulnerabilities to gain access to multiple government, commercial, and technology services networks. APT actors have historically exploited critical vulnerabilities to conduct distributed denial-of-service (DDoS) attacks, ransomware attacks, structured query language (SQL) injection attacks, spearphishing campaigns, website defacements, and disinformation campaigns. View the entire report under Key Resources.&nbsp;</p> </div> <div class="field_topics"> <div><a href="/topics/cybersecurity" class="topic" hreflang="en">Cybersecurity</a></div> </div> <div class="field_type"> <div>Type</div> <div><a href="/type/fbi-tlp-alert" hreflang="en">FBI TLP Alert</a></div> </div> <div class="field_access_level"> <div>Access Level</div> <div><a href="/taxonomy/term/278" hreflang="en">Public</a></div> </div> <div class="field_paragraphs_text_with_heade"> <div> <div class="paragraph paragraph--type--paragraphs-text-with-headers- paragraph--view-mode--default"> </div> </div> </div> <div class="field_lead"><p>April 2, 2021</p> </div> <div class="field_search_promotion"> <div>Search Promotion</div> <div>Not Promoted</div> </div> <h4 class="page-header">Key Resources</h4> <div class="field_related_files file file--mime-application-pdf file--application-pdf"> <div> <article> <div class="field_media_file"><span class="file file--mime-application-pdf file--application-pdf"><a href="https://www.aha.org/system/files/media/file/2021/04/joint-cyber-advisory-tlp-white-apt-actors-exploit-vulnerabilities-gain-initial-access-future-attacks-4-2-21.pdf" type="application/pdf; length=310657" title="Joint Cyber Advisory TLP White: APT Actors Exploit Vulnerabilities to Gain Initial Access for Future Attacks April 2, 2021">Joint Cyber Advisory TLP White: APT Actors Exploit Vulnerabilities to Gain Initial Access for Future Attacks April 2, 2021</a></span> </div> </article> </div> </div> <div class="field_archived"> <div>Archived</div> <div>Off</div> 
</div> Fri, 02 Apr 2021 13:53:27 +0000 dsamuels_drupal 676619 at https://www.aha.org FBI Cyber TLP Green Report Indicators of Compromise Associated with Nefilim Ransomware https://www.aha.org/fbi-tlp-alert/2021-04-01-fbi-cyber-tlp-green-report-indicators-compromise-associated-nefilim <span class="title">FBI Cyber TLP Green Report Indicators of Compromise Associated with Nefilim Ransomware</span> <span class="uid"><span>dsamuels_drupal</span></span> <span class="created">Mar 31, 2021 - 11:36 PM</span> <div class="body"><div class="container row"> <div class="row"> <div class="col-md-8"> <h2>At a Glance</h2> <p>On 14 April 2020, the Nemty ransomware actors announced a shutdown of Nemty’s Ransomware-as-a-Service operations. At the same time, Nefilim, which first appeared in March 2020, launched a public leaking website called corpleaks.net. Due to the commonalities in underlying code, encryption methods, and timing of events, the FBI assessed the two variants are related, which is in line with assessments made by private sector cyber security and cyber threat intelligence companies. Since its launch, Nefilim has extorted victims for decryption keys, threatened to and released stolen data, and re-infected victims to extort them a second time. The FBI is providing the following technical indicators based on its investigation to combat the Nefilim ransomware strain. 
View the entire report under Key Resources.</p> </div> </div> </div> </div> <div class="field_topics"> <div><a href="/topics/cybersecurity" class="topic" hreflang="en">Cybersecurity</a></div> </div> <div class="field_type"> <div>Type</div> <div><a href="/type/fbi-tlp-alert" hreflang="en">FBI TLP Alert</a></div> </div> <div class="field_access_level"> <div>Access Level</div> <div><a href="/taxonomy/term/279" hreflang="en">Member</a></div> </div> <div class="field_lead"><p>Alert Number<br /> MU-000144-MW</p> <p>March 31, 2021</p> </div> <div class="field_search_promotion"> <div>Search Promotion</div> <div>Not Promoted</div> </div> <div class="field_archived"> <div>Archived</div> <div>Off</div> </div> Thu, 01 Apr 2021 04:36:20 
+0000 dsamuels_drupal 676541 at https://www.aha.org FBI TLP White Report: Mamba Ransomware Weaponizing DiskCryptor March 23, 2021 https://www.aha.org/fbi-tlp-alert/2021-03-26-fbi-tlp-white-report-mamba-ransomware-weaponizing-diskcryptor-march-23-0 <span class="title">FBI TLP White Report: Mamba Ransomware Weaponizing DiskCryptor March 23, 2021</span> <span class="uid"><span>dsamuels_drupal</span></span> <span class="created">Mar 26, 2021 - 02:54 PM</span> <div class="body"><div class="container row"> <div class="row"> <div class="col-md-8"> <p>Mamba ransomware has been deployed against local governments, public transportation agencies, legal services, technology services, industrial, commercial, manufacturing, and construction businesses. Mamba ransomware weaponizes DiskCryptor—an open source full disk encryption software— to restrict victim access by encrypting an entire drive, including the operating system. DiskCryptor is not inherently malicious but has been weaponized. Once encrypted, the system displays a ransom note including the actor’s email address, ransomware file name, the host system name, and a place to enter the decryption key. 
Victims are instructed to contact the actor’s email address to pay the ransom in exchange for the decryption key.</p> </div> </div> </div> </div> <div class="field_topics"> <div><a href="/topics/cybersecurity" class="topic" hreflang="en">Cybersecurity</a></div> </div> <div class="field_type"> <div>Type</div> <div><a href="/type/fbi-tlp-alert" hreflang="en">FBI TLP Alert</a></div> </div> <div class="field_paragraphs_text_with_heade"> <div> <div class="paragraph paragraph--type--paragraphs-text-with-headers- paragraph--view-mode--default"> </div> </div> </div> <div class="field_search_promotion"> <div>Search Promotion</div> <div>Not Promoted</div> </div> <div class="field_archived"> <div>Archived</div> <div>Off</div> </div> Fri, 26 Mar 2021 19:54:19 +0000 dsamuels_drupal 676398 at https://www.aha.org FBI TLP White Report: Mamba Ransomware Weaponizing DiskCryptor March 23, 2021 https://www.aha.org/fbi-tlp-alert/2021-03-26-fbi-tlp-white-report-mamba-ransomware-weaponizing-diskcryptor-march-23 <span class="title">FBI TLP White Report: Mamba Ransomware Weaponizing DiskCryptor March 23, 2021</span> <span class="uid"><span>dsamuels_drupal</span></span> <span class="created">Mar 26, 2021 - 02:54 
PM</span> <div class="body"><div class="container row"> <div class="row"> <div class="col-md-8"> <p>Mamba ransomware has been deployed against local governments, public transportation agencies, legal services, technology services, industrial, commercial, manufacturing, and construction businesses. Mamba ransomware weaponizes DiskCryptor—an open source full disk encryption software— to restrict victim access by encrypting an entire drive, including the operating system. DiskCryptor is not inherently malicious but has been weaponized. Once encrypted, the system displays a ransom note including the actor’s email address, ransomware file name, the host system name, and a place to enter the decryption key. Victims are instructed to contact the actor’s email address to pay the ransom in exchange for the decryption key.</p> </div> </div> </div> </div> <div class="field_topics"> <div><a href="/topics/cybersecurity" class="topic" hreflang="en">Cybersecurity</a></div> </div> <div class="field_type"> <div>Type</div> <div><a href="/type/fbi-tlp-alert" hreflang="en">FBI TLP Alert</a></div> </div> <div 
class="field_access_level"> <div>Access Level</div> <div><a href="/taxonomy/term/278" hreflang="en">Public</a></div> </div> <div class="field_paragraphs_text_with_heade"> <div> <div class="paragraph paragraph--type--paragraphs-text-with-headers- paragraph--view-mode--default"> </div> </div> </div> <div class="field_search_promotion"> <div>Search Promotion</div> <div>Not Promoted</div> </div> <h4 class="page-header">Key Resources</h4> <div class="field_related_files file file--mime-application-pdf file--application-pdf"> <div> <article> <div class="field_media_file"><span class="file file--mime-application-pdf file--application-pdf"><a href="https://www.aha.org/system/files/media/file/2021/03/fbi-tlp-white-report-mamba-ransomware-weaponizing-diskcryptor-3-23-21.pdf" type="application/pdf; length=1028088" title="FBI TLP White Report: Mamba Ransomware Weaponizing DiskCryptor March 23, 2021">FBI TLP White Report: Mamba Ransomware Weaponizing DiskCryptor March 23, 2021</a></span> </div> </article> </div> </div> <div class="field_archived"> <div>Archived</div> <div>Off</div> </div> Fri, 26 Mar 2021 19:54:19 +0000 dsamuels_drupal 676397 at https://www.aha.org FBI TLP White Report: Mamba Ransomware Weaponizing DiskCryptor March 23, 2021 https://www.aha.org/fbi-tlp-alert/2021-03-23-fbi-tlp-white-report-mamba-ransomware-weaponizing-diskcryptor-march-23 <span class="title">FBI TLP White Report: Mamba Ransomware Weaponizing DiskCryptor March 23, 2021</span> <span class="uid"><span>dsamuels_drupal</span></span> <span class="created">Mar 23, 2021 - 05:14 PM</span> <div class="body"><div class="container row"> <div class="row"> <div class="col-md-8"> <p>Mamba ransomware has been deployed against local governments, public transportation agencies, legal services, technology services, industrial, commercial, manufacturing, and construction businesses. 
Mamba ransomware weaponizes DiskCryptor—an open source full disk encryption software— to restrict victim access by encrypting an entire drive, including the operating system. DiskCryptor is not inherently malicious but has been weaponized. Once encrypted, the system displays a ransom note including the actor’s email address, ransomware file name, the host system name, and a place to enter the decryption key. Victims are instructed to contact the actor’s email address to pay the ransom in exchange for the decryption key. View the entire report under Key Resources.</p> </div> </div> </div> </div> <div class="field_topics"> <div><a href="/topics/cybersecurity" class="topic" hreflang="en">Cybersecurity</a></div> </div> <div class="field_type"> <div>Type</div> <div><a href="/type/fbi-tlp-alert" hreflang="en">FBI TLP Alert</a></div> </div> <div class="field_access_level"> <div>Access Level</div> <div><a href="/taxonomy/term/278" hreflang="en">Public</a></div> </div> <div class="field_paragraphs_text_with_heade"> <div> <div class="paragraph paragraph--type--paragraphs-text-with-headers- paragraph--view-mode--default"> </div> </div> </div> <div class="field_lead"><p>Alert Number<br
/> CU-000143-MW</p> </div> <div class="field_search_promotion"> <div>Search Promotion</div> <div>Not Promoted</div> </div> <h4 class="page-header">Key Resources</h4> <div class="field_related_files file file--mime-application-pdf file--application-pdf"> <div> <article> <div class="field_media_file"><span class="file file--mime-application-pdf file--application-pdf"><a href="https://www.aha.org/system/files/media/file/2021/03/fbi-tlp-white-report-mamba-ransomware-weaponizing-diskcryptor-3-23-21.pdf" type="application/pdf; length=1028088" title="FBI TLP White Report: Mamba Ransomware Weaponizing DiskCryptor March 23, 2021">FBI TLP White Report: Mamba Ransomware Weaponizing DiskCryptor March 23, 2021</a></span> </div> </article> </div> </div> <div class="field_archived"> <div>Archived</div> <div>Off</div> </div> Tue, 23 Mar 2021 22:14:05 +0000 dsamuels_drupal 676312 at https://www.aha.org FBI TLP White PIN: Business Email Compromise Actors Targeting State, Local, Tribal, and Territorial Governments https://www.aha.org/fbi-tlp-alert/2021-03-17-fbi-tlp-white-pin-business-email-compromise-actors-targeting-state-local <span class="title"> FBI TLP White PIN: Business Email Compromise Actors Targeting State, Local, Tribal, and Territorial Governments</span> <span class="uid"><span>dsamuels_drupal</span></span> <span class="created">Mar 17, 2021 - 10:14 PM</span> <div class="body"><div class="container row"> <div class="row"> <div class="col-md-8"> <h2>At a Glance</h2> <p>From 2018 through 2020, the FBI observed increases in business email compromise (BEC) actors targeting state, local, tribal, and territorial (SLTT) government entities for financial gain due to vulnerability exploitation and transparency requirements. The COVID-19 pandemic exacerbated these cybersecurity challenges as SLTTs shifted a significant portion of their workforce to remote work. 
These actors target SLTT victims with spoofed emails, phishing attacks, compromised vendor accounts, and credential harvesting to alter payment instructions for services rendered by vendors or employee payroll direct deposit information. From November 2018 to September 2020, the FBI observed losses ranging from $10,000 to $4 million, which have significantly impaired operational capabilities and imposed considerable resource strain on SLTT governments.</p> </div> </div> </div> </div> <div class="field_topics"> <div><a href="/topics/cybersecurity" class="topic" hreflang="en">Cybersecurity</a></div> </div> <div class="field_type"> <div>Type</div> <div><a href="/type/fbi-tlp-alert" hreflang="en">FBI TLP Alert</a></div> </div> <div class="field_access_level"> <div>Access Level</div> <div><a href="/taxonomy/term/278" hreflang="en">Public</a></div> </div> <div class="field_paragraphs_text_with_heade"> <div> <div class="paragraph paragraph--type--paragraphs-text-with-headers- paragraph--view-mode--default"> </div> </div> </div> <div class="field_lead"><p>FBI TLP White Business Email Compromise Actors Targeting State, Local, Tribal, and Territorial Governments, Straining
Resources&nbsp;</p> <p>17 March 2021</p> <p>PIN Number<br /> 20210317-001</p> </div> <div class="field_search_promotion"> <div>Search Promotion</div> <div>Not Promoted</div> </div> <h4 class="page-header">Key Resources</h4> <div class="field_related_files file file--mime-application-pdf file--application-pdf"> <div> <article> <div class="field_media_file"><span class="file file--mime-application-pdf file--application-pdf"><a href="https://www.aha.org/system/files/media/file/2021/03/fbi-tlp-white-pin-business-email-compromise-actors-targeting-state-local-tribal-and-territorial-governments-straining-resources-3-17-21.pdf" type="application/pdf; length=784522" title=" FBI TLP White Business Email Compromise Actors Targeting State, Local, Tribal, and Territorial Governments, Straining Resources March 17, 2021"> FBI TLP White Business Email Compromise Actors Targeting State, Local, Tribal, and Territorial Governments, Straining Resources</a></span> </div> </article> </div> </div> <div class="field_archived"> <div>Archived</div> <div>Off</div> </div> Thu, 18 Mar 2021 03:14:15 +0000 dsamuels_drupal 676253 at https://www.aha.org FBI TLP White Report: Increase in PYSA Ransomware Targeting Education Institutions – March 16, 2021 https://www.aha.org/fbi-tlp-alert/2021-03-16-fbi-tlp-white-report-increase-pysa-ransomware-targeting-education <span class="title">FBI TLP White Report: Increase in PYSA Ransomware Targeting Education Institutions – March 16, 2021</span> <span class="uid"><span>dsamuels_drupal</span></span> <span class="created">Mar 16, 2021 - 12:20 PM</span> <div class="body"><div class="container row"> <div class="row"> <div class="col-md-8"> <p>FBI reporting has indicated a recent increase in PYSA ransomware targeting education institutions in 12 US states and the United Kingdom. PYSA, also known as Mespinoza, is a malware capable of exfiltrating data and encrypting users’ critical files and data stored on their systems. 
The unidentified cyber actors have specifically targeted higher education, K-12 schools, and seminaries. These actors use PYSA to exfiltrate data from victims prior to encrypting victim’s systems to use as leverage in eliciting ransom payments.</p> <p>View the entire report under Key Resources.</p> </div> </div> </div> </div> <div class="field_topics"> <div><a href="/topics/cybersecurity" class="topic" hreflang="en">Cybersecurity</a></div> </div> <div class="field_type"> <div>Type</div> <div><a href="/type/fbi-tlp-alert" hreflang="en">FBI TLP Alert</a></div> </div> <div class="field_access_level"> <div>Access Level</div> <div><a href="/taxonomy/term/278" hreflang="en">Public</a></div> </div> <div class="field_paragraphs_text_with_heade"> <div> <div class="paragraph paragraph--type--paragraphs-text-with-headers- paragraph--view-mode--default"> </div> </div> </div> <div class="field_lead"><p>Alert Number<br /> CP-000142-MW</p> </div> <div class="field_search_promotion"> <div>Search Promotion</div> <div>Not Promoted</div> </div> <h4 class="page-header">Key Resources</h4> <div class="field_related_files file file--mime-application-pdf file--application-pdf"> <div>
<article> <div class="field_media_file"><span class="file file--mime-application-pdf file--application-pdf"><a href="https://www.aha.org/system/files/media/file/2021/03/fbi-tlp-white-report-increase-pysa-ransomware-targeting-education-institutions-march-16-2021.pdf" type="application/pdf; length=999592" title="FBI TLP White Report: Increase in PYSA Ransomware Targeting Education Institutions – March 16, 2021">FBI TLP White Report: Increase in PYSA Ransomware Targeting Education Institutions </a></span> </div> </article> </div> </div> <div class="field_archived"> <div>Archived</div> <div>Off</div> </div> Tue, 16 Mar 2021 17:20:41 +0000 dsamuels_drupal 676181 at https://www.aha.org FBI TLP Green PIN: Foreign Adversaries Engage in Persistent Cyber Targeting of US COVID-19 Biotechnology Industry to Enhance Programs https://www.aha.org/fbi-tlp-alert/2021-03-15-fbi-tlp-green-pin-foreign-adversaries-engage-persistent-cyber-targeting-us <span class="title">FBI TLP Green PIN: Foreign Adversaries Engage in Persistent Cyber Targeting of US COVID-19 Biotechnology Industry to Enhance Programs </span> <span class="uid"><span>dsamuels_drupal</span></span> <span class="created">Mar 15, 2021 - 09:33 PM</span> <div class="body"><div class="container row"> <div class="row"> <div class="col-md-8"> <h2>At A Glance</h2> <p>The FBI prepared this Private Industry Notification (PIN) as a follow up to PIN 20200521-001, “Criminals and Nation-State Cyber Actors Conducting Widespread Pursuit of US Biological and COVID-19 Research,” released in May 2020. Nation-state adversaries have engaged in, and will likely maintain persistent cyber targeting efforts against, the US biotechnology industry to enhance their own vaccine development and distribution programs and improve their competitive advantage compared to the US. 
Public announcement of long-term vaccine efficacy, including against new strains of COVID-19, is likely to prompt further aggressive targeting of those vaccine developers.</p> <p class="text-align-center"><strong><a class="btn btn-primary btn-wide" href="https://www.aha.org/system/files/media/file/2021/03/fbi-tlp-green-foreign-adversaries-engage-persistent-cyber-targeting-us-covid-19-biotechnology-industry-to-enhance-programs-competitiveness-3-15-21.pdf">AHA Members sign in to view the full&nbsp;report.</a></strong></p> </div> </div> </div> </div> <div class="field_topics"> <div><a href="/topics/cybersecurity" class="topic" hreflang="en">Cybersecurity</a></div> <div><a href="/topics/novel-coronavirus-sars-cov-2covid-19" hreflang="en">Novel Coronavirus (SARS-CoV-2/COVID-19)</a></div> </div> <div class="field_type"> <div>Type</div> <div><a href="/type/fbi-tlp-alert" hreflang="en">FBI TLP Alert</a></div> </div> <div class="field_access_level"> <div>Access Level</div> <div><a href="/taxonomy/term/278" hreflang="en">Public</a></div> </div> <div class="field_paragraphs_text_with_heade"> <div> <div class="paragraph paragraph--type--paragraphs-text-with-headers- paragraph--view-mode--default"> </div> </div> </div> <div class="field_lead"><p>FBI TLP Green PIN: Foreign Adversaries Engage in Persistent Cyber Targeting of US COVID-19 Biotechnology Industry to Enhance Programs and Competitiveness</p> <p>March 15, 2021</p> </div> <div class="field_search_promotion"> <div>Search Promotion</div> <div>Not Promoted</div> </div> <div class="field_archived"> <div>Archived</div> <div>Off</div> </div> Tue, 16 Mar 2021 02:33:28 +0000 dsamuels_drupal 676252 at https://www.aha.org