AJE Group, a prominent company in the manufacture, distribution, and sale of alcoholic and nonalcoholic beverages, has allegedly fallen victim to a MEDUSA ransomware attack. Founded in 1988 and headquartered in Lima, Peru, AJE Group employs 2,896 people. The unconfirmed ransomware attack on AJE Group has allegedly resulted in a significant data breach, putting allegedly 646.4 GB of data at risk.

Ransomware Attack on AJE Group: Ransom Demand and Countdown

The ransomware group has set an ominous countdown of eight days, 21 hours, 20 minutes, and 30 seconds for the company to comply with their demands. The attackers have placed a hefty price tag of US$1,500,000 to prevent unauthorized distribution of the compromised data. Additionally, for every day that passes without payment, the ransom amount increases by US$100,000. However, these claims remain unconfirmed as AJE Group has yet to release an official statement regarding the incident. [caption id="attachment_77719" align="aligncenter" width="1024"] Source: X[/caption] A preliminary investigation into AJE Group’s official website revealed no apparent disruptions; the site was fully operational, casting doubt on the authenticity of the ransomware group’s claims. Nevertheless, without an official statement from AJE Group, it is premature to conclude whether the ransomware attack on AJE Group has genuinely occurred. If the ransomware attack on AJE Group is confirmed, the implications for the Group could be extensive and severe. Data breaches can lead to significant financial losses, reputational damage, and operational disruptions. The compromised data may include sensitive information that, if leaked, could affect the company's competitive standing and expose its employees and customers to further risks.

MEDUSA Ransomware: A Rising Threat

Earlier, The Cyber Express (TCE) reported that Threat Actors (TAs) associated with the notorious MEDUSA ransomware have escalated their activities, allegedly targeting two institutions in the USA. The first target is Tri-Cities Preparatory High School, a public charter middle and high school located in Prescott, Arizona. The threat actors claim to have access to 1.2 GB of the school’s data and have threatened to publish it within seven to eight days. The second target is Fitzgerald, DePietro & Wojnas CPAs, P.C., an accounting firm based in Utica, New York. The attackers claim to have access to 92.5 GB of the firm’s data and have threatened to release it within eight to nine days.

History and Modus Operandi of MEDUSA

MEDUSA first emerged in June 2021 and has since launched attacks on organizations across various countries and industries, including healthcare, education, manufacturing, and retail. Despite its global reach, most victims have been based in the United States. MEDUSA operates as a Ransomware-as-a-Service (RaaS) platform, offering malicious software and infrastructure to would-be attackers. This model enables less technically skilled criminals to launch sophisticated ransomware attacks. MEDUSA's TAs often utilize a public Telegram channel to post stolen data, leveraging public exposure as an extortion tactic to pressure organizations into paying the ransom.

The Broader Impact of Ransomware Attacks

The reported MEDUSA ransomware attack on AJE Group highlights the growing threat posed by ransomware groups. Ransomware attacks have become increasingly prevalent, targeting critical sectors and causing widespread disruption. The healthcare industry, for instance, has seen hospitals forced to shut down operations, delaying critical medical procedures and compromising patient care. Educational institutions have faced similar disruptions, with students' data at risk and academic schedules thrown into disarray. The manufacturing and retail sectors, too, have not been spared. Companies in these industries have experienced production halts, supply chain disruptions, and significant financial losses due to ransomware attacks. These incidents highlight the importance of enhanced cybersecurity measures and prompt incident response protocols to mitigate the impact of such attacks. Additionally, organizations must prioritize cybersecurity awareness and preparedness to defend against ransomware attacks. Regular employee training, stringent access controls, and up-to-date security software are essential components of a robust cybersecurity strategy. Further, organizations should have a well-defined incident response plan to quickly address and contain any breaches.

Conclusion

While the authenticity of the ransomware attack on AJE Group remains unconfirmed, the potential consequences are significant. TCE will continue to monitor this ongoing situation and provide updates as more information becomes available. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The notorious Monti ransomware has been sold to new owners. According to the actor's latest update, "This project was bought. It was bought because it suited our goals perfectly and did not have a bad reputation." The change in ownership and a shift in focus towards Western countries highlights a new approach towards ransomware. According to recent statements, the project has been acquired, with new owners expressing their intentions to revamp its infrastructure for future endeavors. In a cryptic post on their platform, the group hinted at upcoming developments, rallying for a collaborative effort to "build the future of the USA and Europe together."

Monti Ransomware Group and Change in Ownership

[caption id="attachment_76870" align="alignnone" width="938"] Source: Dark Web[/caption] This announcement follows a string of cyberattacks perpetrated by the Monti ransomware gang. Notably, a recent incident in the South of France targeted three prominent institutions simultaneously: the Pau-Pyrénées airport, the Pau business school, and the city's digital campus. These attacks, occurring overnight from May 12 to May 13, 2024, disrupted operations and raised concerns regarding cybersecurity vulnerabilities in critical sectors. While the affected institutions scrambled to mitigate the fallout, journalists uncovered insights from the Chamber of Commerce and Industry (CCI) shedding light on the situation. Despite assurances of minimal disruption to activities, the compromised digital infrastructure left a trail of compromised data, including sensitive documents and personal information of employees and students. The modus operandi of the Monti ransomware group draws parallels to its predecessors, notably the Conti ransomware, which ceased operations in May 2022. The emergence of Monti, with its similar tactics and techniques, suggests a strategic emulation aimed at exploiting the void left by Conti's absence.

A Deeper Dive into Monti Ransomware Group

A deeper dive into the Monti ransomware incident reveals a sophisticated operation orchestrated through the exploitation of vulnerabilities like the notorious Log4Shell. The attackers infiltrated networks, encrypted user desktops, and disrupted critical server clusters, leaving organizations grappling with the aftermath. Despite its relative obscurity, the Monti ransomware group has garnered attention within the cybersecurity community. Analysts speculate that the group's emulation of Conti's strategies may stem from the leaked trove of Conti's internal data, providing a blueprint for nefarious activities. As cybersecurity threats evolve, it becomes imperative for organizations to fortify their defenses and stay vigilant against threat actors like the Monti ransomware. Collaborative efforts between cybersecurity experts and stakeholders are essential to mitigate risks and safeguard critical infrastructures from malicious actors. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Ukraine National Police have arrested a man they say helped disguise ransomware used by Russia-based threat groups. The 28-year-old cryptor developer was unnamed in Ukraine and Netherlands announcements of the arrest, but the Dutch statement said he was arrested on April 18, 2024 in a lead-up to May’s massive “Operation Endgame” botnet takedown.

Cryptor Developer Worked with Conti, LockBit

Ukraine cyber ​​police and National Police investigators say they established that the man was involved in the LockBit and Conti ransomware groups. The Kyiv man infected a company in the Netherlands with Conti ransomware in 2021, demanded a ransom and threatened to release confidential company information if payment wasn’t made, according to the Dutch announcement, which cited work by the Netherlands’ High Tech Crime Team of the National Operations and Interventions Unit and the National Public Prosecution Service. They requested Ukraine’s assistance in the case as part of their investigation. As part of the arrest, Ukrainian police conducted house searches in the city of Kyiv and the Kharkiv region on April 18 and seized computer equipment, mobile phones and documents for further investigation (pictured below). [caption id="attachment_76895" align="alignnone" width="300"] Items seized in Ukraine ransomware arrest[/caption] The Ukraine cyber police said the man “specialized in the development of cryptors,” or “special software for masking computer viruses under the guise of safe files” (quotes translated from the Ukraine statement). “Thanks to his programming skills, the person involved was able to hide malicious software from the most popular antiviruses,” the Ukraine statement added.

LockBit Remains Active Despite Repeated Enforcement Activities

The Conti ransomware group reportedly dissolved in 2022 after a Ukrainian researcher leaked the group's source code in retaliation for the group's support of Russia's invasion of Ukraine, but LockBit has remained persistent. Despite the Ukraine arrest and law enforcement successes like Operation Endgame, Operation Cronos, and the unmasking of formerly anonymous LockBit leader Dmitry Khoroshev, LockBit has shown an ability to continually regroup and reestablish threat activities, recently launching high-profile ransomware attacks such as one that the city of Wichita is finally recovering from. Ukraine officials said the investigation is ongoing. The suspect is being charged under part 5 of Article 361, Unauthorized interference in the work of information (automated), electronic communication, information and communication systems, electronic communication networks, of the Criminal Code of Ukraine. The article provides for publishment of up to 15 years of imprisonment, and additional charges are possible. Netherlands officials thanked the Ukrainian investigators for their assistance and said they “are very pleased with the arrest in Ukraine and are grateful for the space that the Ukrainian police have found for this in times of war.”

The MEDUSA ransomware group has reared its ugly head again and this time it has claimed to have targeted three new victims: GEMCO Constructors, Dynamo Electric and Farnell Packaging. The ransomware group’s dark web portal highlighted these additions, adding to their growing list of victims. Like many of its earlier attacks, the group has not disclosed crucial details, such as the type of compromised data. It has, however, demanded a bounty of US $900,000 from GEMCO and $100,000 each from Dynamo and Farnell Packaging to stop leaking its internal data.

MEDUSA Ransomware Attack: The Latest Victims

GEMCO Constructors is headquartered in Indianapolis, Indiana, USA. The ransomware actors have claimed to have access to 1.0 TB of the organization's data and has threatened to publish it within 6-7 days. The second company that the group has claimed to have targeted is Dynamo, which is based in Saskatchewan, Canada. Data of the company, which specializes in electrical and electronic manufacturing, has allegedly been compromised. MEDUSA has claimed to have exfiltrated 149.6 GB of the organization's data and plans to publish it within 6-7 days. Farnell Packaging, a Canadian company in the packaging and container industry, has also allegedly been attacked. The attackers claimed to have accessed 193.9 GB of the organization's data and warned the data would be published within 8–9 days. Despite the gigantic claims made by the ransomware group, the official websites of the targeted companies seem to be fully operational, with no signs of foul play. The organizations, however, have not yet responded to the alleged cyberattack, leaving the claims made by the ransomware group unverified.  The article would be updated once the respective organizations respond to the claims. The absence of confirmation raises the question of the authenticity of the ransomware claim. It remains to be seen whether it is a tactic employed by MEDUSA to garner attention or if there are ulterior motives attached to their actions. Only an official statement by the affected companies can shed light on the true nature of the situation. However, if the claims made by the MEDUSA ransomware group do turn out to be true, then the consequences could be far-reaching. The potential leak of sensitive data could pose a significant threat to the affected organizations and their employees.

Background of MEDUSA Ransomware Group

MEDUSA first burst onto the scene in June 2021 and has since targeted organizations in various countries across multiple industries, including healthcare, education, manufacturing, and retail. Most of the companies, though, have been established in the United States of America. MEDUSA functions as a Ransomware-as-a-Service (RaaS) platform. It provides would-be attackers with malicious software and infrastructure required to carry out disruptive ransomware attacks. The ransomware group also has a public Telegram channel that threat actors use to post data that might be stolen, which could be an attempt to extort organizations and demand payment.

Previous Ransomware Attacks

Less than three weeks ago, MEDUSA ransomware group claimed a cyberattack on Comwave, a Canadian communications giant renowned for providing internet, network security solutions, and customer support services.  In January 2024, a prominent non-profit organization, Water For People, was targeted by the group. The organization faced the pressure of a deadline to comply with the demands of the ransomware group. MEDUSA also targeted four organizations across different countries, including France, Italy, and Spain. The group’s modus operandi remains uniform, with announcements being made on their dark web forum accompanied by deadlines and ransom demands. As organizations deal with the fallout of cyberattacks by groups like MEDUSA, it becomes crucial to remain vigilant and implement stringent security measures. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The Akira ransomware group claims on its dark web leak site to have compromised data from Panasonic Australia. Shortly after that announcement, Singapore authorities issued an advisory advising affected companies to not heed the ransomware group's demands, in response to local law firm Shook Lin & Bok confirming that it had been struck by the group. Panasonic Australia is a regional subsidiary of Panasonic Holdings Corporation headquartered in Japan. It manufactures electronic equipment and devices such as cameras, home equipment, sound equipment, personal care devices, power tools, and air conditioning. The Akira ransomware group has previously targeted several high-profile organizations while netting millions in ransom payments from affected victims.

Akira Ransomware Group Attack on Panasonic Australia

The ransomware group alleged that it had exfiltrated sensitive project information and business agreements from the electronics manufacturer Panasonic Australia. No sample documents were posted to verify the authenticity of the breach claims. The potential impact of the breach on Panasonic Australia is unknown but could present a serious liability for the confidentiality of the company's stolen documents.

Cyber Security Agency of Singapore Issues Advisory

Singapore's Cyber Security Agency (CSA) along with the country's Personal Data Protection Commission (PDPC) issued an advisory to organizations instructing them to report Akira ransomware attacks to respective authorities rather than paying ransom demands. The advisory was released shortly after an Akira ransomware group attack on the Shook Lin & Bok law firm. While the firm still continued to operate as normal, it had reportedly paid a ransom of US$1.4 million in Bitcoin to the group. The Akira ransomware group had demanded a ransom of US$2 million from the law firm earlier, which was then negotiated down after a week, according to the SuspectFile article. The Cyber Security Agency of Singapore (CSA) stated that it was aware of the incident and offered assistance to the law firm. However, it cautioned against similar payments from other affected victims. "Paying the ransom does not guarantee that the data will be decrypted or that threat actors will not publish your data," the agency stated. "Furthermore, threat actors may see your organisation as a soft target and strike again in the future. This may also encourage them to continue their criminal activities and target more victims." The Singaporean authorities offered a number of recommendations to organizations:

• Enforce strong password policies with at least 12 characters, using a mix of upper and lower case letters, numbers, and special characters.
• Implement multi-factor authentication for all internet-facing services, such as VPNs and critical system accounts.
• Use reputable antivirus or anti-malware software to detect ransomware through real-time monitoring of system processes, network traffic, and file activity. Configure the software to block suspicious files, prevent unauthorized remote connections, and restrict access to sensitive files.
• Periodically scan systems and networks for vulnerabilities and apply the latest security patches promptly, especially for critical functions.
• Migrate from unsupported applications to newer alternatives.
• Segregate networks to control traffic flow between sub-networks to limit ransomware spread. Monitor logs for suspicious activities and carry out remediation measures as needed.
• Conduct routine backups following the 3-2-1 rule: keep three copies of backups, store them in two different media formats, and store one set off-site.
• Conduct incident response exercises and develop business continuity plans to improve readiness for ransomware attacks.
• Retain only essential data and minimize the collection of personal data to reduce the impact of data breaches.

"Organisations should periodically scan their systems and networks for vulnerabilities and regularly update all operating systems, applications, and software by applying the latest security patches promptly, especially for functions critical to the business," the police, CSA and PDPC said in a joint statement. The criminal group had previously also come under the attention of various other governments and security agencies, with the FBI and CISA releasing a joint cybersecurity advisory as part of the #StopRansomware effort. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The Akira ransomware group allegedly targeted E-T-A Elektrotechnische Apparate GmbH, an organization located in Germany. The ransomware group claims to have stolen 24 gigabytes of sensitive material, including customer information, non-disclosure agreements (NDAs), financial records, and employee personal information. To substantiate these claims, the threat actor has attached a screenshot with all this information. E-T-A Elektrotechnische Apparate GmbH operates six production facilities and has a presence in 60 countries worldwide. The company’s product range includes a variety of electrical protection solutions essential to numerous industries. The company is renowned for manufacturing circuit breakers, electronic circuit protectors, and various other electronic components. Despite the ransomware group's claims, the company's official website appeared to be fully functional, and there were no signs of foul play. Further to verify Akira's cyberattack on E-T-A claims, The Cyber Express Team reached out to E-T-A Elektrotechnische Apparate GmbH for an official statement. As of the time of writing, no response has been received from the company. This leaves the ransomware claims unverified, with no confirmation or denial from E-T-A's officials.

Akira Ransomware: Previous Track Record

The Akira ransomware gang has arisen as a danger to small and medium-sized organizations (SMBs), mostly in Europe, North America, and Australia. The group uses advanced tactics to infiltrate systems, frequently acquiring illegal access to a company's virtual private networks (VPNs). Sophos X-Ops research shows that Akira often uses compromised login credentials or exploits weaknesses in VPN technologies such as Cisco ASA SSL VPN or Cisco AnyConnect. Recently, in May 2024, Akira targeted Western Dovetail, a well-known woodworking shop. In April 2024, Akira was identified as the gang responsible for a series of cyberattacks against businesses and key infrastructure in North America, Europe, and Australia. According to the US Federal Bureau of Investigation (FBI), Akira has hacked over 250 firms since March 2023, collecting roughly $42 million in ransom payments. Initially, Akira's attacks targeted Windows systems. However, the gang has since broadened its tactics to include Linux computers, causing anxiety among international cybersecurity agencies. These cyberattacks show Akira's strategy of targeting a wide range of industries and businesses of all sizes, frequently resulting in major operational interruptions and financial losses. As it stands, the Akira ransomware group's claims against E-T-A Cyberattack are unsubstantiated. The lack of an official response from the company creates a vacuum in the confirmation of these claims. While the company's website is still operational, signaling no immediate disruption, a data breach might have serious consequences, compromising client confidentiality, financial integrity, and employee privacy. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.