0mega, a new ransomware operation, has been observed targeting organizations around the world. The ransomware operators are launching double-extortion attacks and demanding millions of dollars as ransom.
Breaches by 0mega
- 0mega maintains a dedicated data leak site that the attackers use to post stolen data if the demanded ransom is not paid.
- The leak site currently hosts 152 GB of data stolen from an electronics repair firm in an attack that happened in May.
- However, an additional victim has since been removed, implying that they might have paid the ransom to the 0mega group.
How does it work?
- Hackers add the .0mega extension to the encrypted file’s names and create ransom notes (DECRYPT-FILES[.]txt).
- The ransom note has a link to a Tor payment negotiation site with a support chat to reach out to the ransomware group.
- To log in to this site, the victims are asked to upload their ransom notes with a unique Base64-encoded blob identity.
Since no ransomware sample of the 0mega operation has been found, researchers aren’t sure how it encrypts files. However, researchers were able to provide additional details about its attacks based on its data leak site.
Conclusion
0mega is new ransomware on the threat landscape and more attacks are expected to be seen in the future. Thus, organizations are suggested to always protect their sensitive data with encryption. Further, subscribe to a threat intelligence service to stay updated regarding emerging threats.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/0845_shutterstock_1093014176.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/iStock-497062244.jpg)
