Thursday, September 8, 2022

Los Angeles School District Claimed by Vice Society

 Ransomware Roundup 


By Dominic Alvieri
9/9/22

Ransomware group logos.



We all know DDoS attacks are illegal. The rules seemed to have changed, entrust me.
Earlier this week several ransomware gangs leak sites including LV, Everest and Ragnar Locker appeared to be under the same "high load" stress that caused LockBit and ALPHV Black Cat ransomware to make some adjustments.

Everest v Brazil?


The Everest Ransomware Team leak site has been unavailable since leaking access to the Brazilian Government and still offline as of this article. It is still offline now.


Everest Ransom Team.
photo courtesy @darktracer_int  Twitter

Ragnar v Air Portugal?


Ragnar Locker has been wrestling with TAP Air Portugal regaining site control after an alleged DDoS attack. Raagnar Locker teased Air Portugal and the site neatly went unavailable again. The site is currently back online as of 7:45pm EST but no new posts or leaks were added.

TAP Air Portugal logo.

Ragnar Locker has been offline again since after their post. 






Ragnar Locker Air Portugal alleged customer data.
Alleged TAP Air Portugal customer leak.


Going Backwards, the LockBit Tattoo


LockBit is back in the news besides the obsessive post rate to offer $1,000 to anyone who gets a LockBit tattoo. 



ALPHV Black Cat ransomware has removed the Italian Energy Agency, GSE-Gestore Servizi Energetici from its leak site. When a ransomware group flashed a victim like ALPHV did with Unisys several weeks back for an hour or so that is a message or a taunt. WHen a post is deleted after nearly a week that usually indicates a payment. Black Cat like most ransomware groupsd does not do charity work.

The only other reasonable reason for removal could be the fear of NATO action due to the cyber attacks on Albania and Montenegro. Creos of Luxembourg remains on their leak site so that theory doesn't hold up well either.

Vice Society

New Logo, Same Lowlife Double Extortion Group.


New Vice Society ransomware group logo.

New Vice Society alt logo.
New Vice Society alternate logo. You're welcome.

Vice Society has just claimed the Los Angeles School District via Jeremy Kirk at 7:50pm EST while I am still waiting for a response this is from Vice.

The last 6 posts for Vice Society are:

The Los Angeles School District, California
Elmbrook School, Wisconsin
Moon Area School Distric, Pennsylvania 
The Francis King School of English, United Kingdom
Lampton School, United Kingdom
BSV Hospice

Vice Society is believed to be an English speaking group.

Vice Society has also added a timer on most of their new posts.




Yanluowang is thought to be a Chinese group.

Is Cl0P Brazilian? Cl0P is thought to be Russian but for some reason Brazil and Portuguese keeps coming up. More to come.

Cl0P


Cl0P added a captcha again to help against those high loads after an attack on a British water utility.



Dominic Alvieri, @AlvieriD Twitter


Thursday, September 1, 2022

Is This Email Phishing You Off?

How to Immediately Tell if This Email is from MetaMask or Phishing You

By Dominic Alvieri @AlvieriD

August 31st, 2022


MetaMask phishing attempt.

Is this a phishing attempt?

Yes.

Here is how to find out immediately. 

Most people don't remember but MetaMask did not collect your email when you created your account. MetaMask does not send emails. If you receive an email from "MetaMask" it is a phishing attempt.

The cover photo is from a current phishing campaign using a sense of urgency and fear of terminated access.

This phishing attempt obviously did not come from MetaMask. Official support @MetaMaskSupport Twitter

New redirected verification landing page and QR code linking to the phish.





This fake MetaMask email has a convoluted journey with websites hosted in Denmark and redirected to China with an Alibaba registered domain hosting the actual phish. I will post an update to this blog post or my Twitter when I close this file as the campaign is still active and a new dated email circulating.

Not another QR code...


MetaMask QR code phishing.



Remember MetaMask Does Not Send You Emails


What if this tip doesn't work with others?


This sounds easy enough and it is, whenever a question arises about whether an account has been hacked, suspended or restricted in any way is to go directly to the account in question, not through any courtesy link, notice or email.






Are You Trollin Me?

 Did Black Suit Ransomware just try to troll me? by Dominic Alvieri July 3rd, 2024 @AlvieriD The story goes a little something like this... ...