US agency pays $1M ransom after month-long negotiations | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware


Generally, public institutions always refuse to pay ransoms for ransomware attacks demanded by threat actors, understanding that this does not guarantee obtaining the encrypted data or that the copies will be destroyed, and knowing that it is a way to help finance these groups.

However, there are exceptions. Certain agencies, desperate or concerned about the consequences for citizens, end up giving in to the cybercriminals’ blackmail. That is what happened with a U.S. public agency that fell victim to the extortion group Kairós. After a long period of 28 days of negotiations, the institution ended up disbursing a ransom of one million dollars.

According to the Ransom-ISAC report, the criminals initially demanded 3 million dollars, while the affected organization tried to lower that amount with several offers, ranging from 100,000 to 430,000 dollars.

However, the attackers maintained the pressure and issued an ultimatum: pay one million dollars before a deadline or publish all the stolen information.

Interestingly, during this process, Kairos did not resort to encrypting the systems, as happens in many ransomware attacks. Instead, it based its entire strategy on threatening to release the data it claimed to have stolen. To increase the pressure, it even referenced particularly sensitive folders, such as one related to the prosecutor’s office, warning that their publication could have a significant impact.

As explained by Ransom-ISAC, the timelines managed by the agency were due to the usual internal consultations required to make the payment. “The responses of the affected entity are consistent with those of an organization buying time while coordinating legal, leadership, financial, and communication decisions,” the report states.

Once the money was received, Kairos sent a file that supposedly demonstrated that it had deleted the stolen information. However, investigators warn that this proof does not allow verification that the data was permanently deleted.

“The ‘proof’ provided was not technically verifiable and should not be considered as evidence that the stolen data was destroyed,” the report concludes. Thus, and as often happens, although the victim loosened the purse strings to avoid a possible leak, they could never be certain that the cybercriminals had kept their word.

Which agency are we talking about?

The Ransom-ISAC report conceals the victim’s identity for privacy reasons. However, from the transcript of the negotiation and other clues, investigators believe it could be Union County (Ohio), although they do not confirm it definitively. Clues include file names like Union.xlsx and union.rar, and the victim is described as “a small county with limited resources.”

The article’s author adds that he conducted his own research and found that Union County publicly acknowledged last year having suffered a cyberattack in which data from tens of thousands of residents was stolen. However, neither the county nor Kairos has acknowledged that it is the same incident.

Generally, public institutions always refuse to pay ransoms for ransomware attacks demanded by threat actors, understanding that this does not guarantee obtaining the encrypted data or that the copies will be destroyed, and knowing that it is a way to help finance these groups.

However, there are exceptions. Certain agencies, desperate or concerned about the consequences for citizens, end up giving in to the cybercriminals’ blackmail. That is what happened with a U.S. public agency that fell victim to the extortion group Kairós. After a long period of 28 days of negotiations, the institution ended up disbursing a ransom of one million dollars.

According to the Ransom-ISAC report, the criminals initially demanded 3 million dollars, while the affected organization tried to lower that amount with several offers, ranging from 100,000 to 430,000 dollars.

However, the attackers maintained the pressure and issued an ultimatum: pay one million dollars before a deadline or publish all the stolen information.

Interestingly, during this process, Kairos did not resort to encrypting the systems, as happens in many ransomware attacks. Instead, it based its entire strategy on threatening to release the data it claimed to have stolen. To increase the pressure, it even referenced particularly sensitive folders, such as one related to the prosecutor’s office, warning that their publication could have a significant impact.

As explained by Ransom-ISAC, the timelines managed by the agency were due to the usual internal consultations required to make the payment. “The responses of the affected entity are consistent with those of an organization buying time while coordinating legal, leadership, financial, and communication decisions,” the report states.

Once the money was received, Kairos sent a file that supposedly demonstrated that it had deleted the stolen information. However, investigators warn that this proof does not allow verification that the data was permanently deleted.

“The ‘proof’ provided was not technically verifiable and should not be considered as evidence that the stolen data was destroyed,” the report concludes. Thus, and as often happens, although the victim loosened the purse strings to avoid a possible leak, they could never be certain that the cybercriminals had kept their word.

Which agency are we talking about?

The Ransom-ISAC report conceals the victim’s identity for privacy reasons. However, from the transcript of the negotiation and other clues, investigators believe it could be Union County (Ohio), although they do not confirm it definitively. Clues include file names like Union.xlsx and union.rar, and the victim is described as “a small county with limited resources.”

The article’s author adds that he conducted his own research and found that Union County publicly acknowledged last year having suffered a cyberattack in which data from tens of thousands of residents was stolen. However, neither the county nor Kairos has acknowledged that it is the same incident.


——————————————————–


Click Here For The Original Source.

.........................

National Cyber Security

FREE
VIEW