TL;DR: Early incident reporting and data leak of tens of millions of players (Week 29)

Timely reporting of the incident and subsequent cooperation led to the recovery of the ransom money, not only for the reporter, but also for other victims of the ransomware gang. The Belgian Ministry of Foreign Affairs accused Chinese state-sponsored groups of cyberattacks on ministries, fake YouTube ads were spread on Google, and an NFT platform was robbed of hundreds of millions of dollars.

Timely reporting of a ransomware incident

The US FBI was able to seize funds originating from the Maui ransomware attacks. A total of $500k in bitcoin came from multiple unspecified attacks and from ransom payments by a hospital in Colorado ($120k) and a hospital in Kansas ($100k). The seizure was made possible by the Kansas hospital's prompt incident reporting and exemplary cooperation.

Massive data leak

The virtual gaming platform Neopets was the target of a cyberattack that led to a leak of data on 69 million of its players. A sample of the leaked data released by the seller contained identifying information – full names, dates of birth, gender, state, email addresses and other game-related data – in addition to logins and passwords. The entire database is being offered for sale for 4 bitcoins, which amounts to almost 90 thousand euros.

Charges of cyberattacks

The Belgian Ministry of Foreign Affairs has disclosed that several Chinese state-sponsored groups have attacked the Belgian Ministry of Defence and Ministry of the Interior. The Ministry attributed the attacks to the groups APT 27, APT 30, APT 31 and a group tracked under the names Gallium, Softcell and UNSC 2814. The Chinese embassy denied the attacks, calling the attribution “extremely unserious and irresponsible” and pointing to the lack of evidence supporting such claims.

Growing crypto-botnet

A loosely organised group of cybercriminals, referred to as “8220,” has grown its cryptocurrency-mining botnet from 2,000 to 30,000 infected devices in about a year. The group gains access by exploiting known vulnerabilities, brute-forcing remote access, and abusing poorly configured services such as Docker, Apache WebLogic, and Redis.

“Ransomware Samaritans” from North Korea

The H0lyGh0st ransomware campaign, which mainly targeted small and medium-sized businesses, was attributed to the North Korean group DEV-0530. Security researchers at Microsoft have disclosed that the group overlaps with, communicates with, and uses tools developed by another North Korean group, Plutonium, but the targets, pace, and methods of the attacks suggest that they are two different groups. Like the ransomware group GoodWill, the H0lyGh0st cybercriminals try to present themselves favourably, declaring that they want to “close the gap between the rich and the poor, help the poor and the hungry, and raise cybersecurity awareness.”

  • A sophisticated fake YouTube ad spread on Google’s platform which, instead of leading to the video platform, redirected victims to a scammer-hosted website displaying a fake Windows Defender warning,
  • an application designed to carry out DDoS attacks on Russian targets was attributed by Google security researchers to the Russian APT group Turla (FSB). The application was intentionally ineffective and the number of installations was minimal,
  • a cybercriminal accused of helping to spread the Gozi banking malware was arrested in Colombia and subsequently extradited to the US. In addition to spreading Gozi, he is also accused of distributing the Zeus and SpyEye Trojans, sending spam and carrying out DDoS attacks,
  • the Premint NFT platform was the target of a cyberattack that led to the theft of 314 NFTs with an approximate value of EUR 404,000,
  • the US FBI issued a warning about cybercriminals creating fake cryptocurrency investment applications. A total of 244 victims have been identified, with losses of approximately $42.7 million.
