A mysterious group of hackers, identified as the Nevada Group by security researchers, is rapidly hitting small and medium organizations with encryption-based attacks across the U.S. and Europe. The attackers are targeting an easy-to-fix vulnerability in a small piece of code that is commonly found in cloud servers.
Hackers' ambitious campaign
According to the report, the group aims to compromise over 5,000 victims across the U.S. and Europe.
Most of the targeted entities are using VMware products hosted on the low-cost hosting services offered by the European cloud provider OVHcloud. These VMware products, deployed on bare-metal servers, had not been patched for several years.
The targeted entities include manufacturers in Germany, universities in the U.S. and Hungary, and shipping and construction groups in Italy.
Around 4,468 potential victims have been identified in France, the U.S., Germany, and the U.K. Of these, the most affected country is France, with more than 2,000 victims.
Publicly visible ransom notes
The hackers ask for two Bitcoins (around $50,000), a relatively small ransom compared with the demands of prominent ransomware groups.
Another peculiar feature of these attacks is that the attackers leave the ransom notes publicly visible, including their Bitcoin wallet addresses, making it possible to trace the transactions.
The attacks began around three weeks ago, and based on the group's online announcements of new recruitments, it is believed that most members of the Nevada Group are from Russia and China.
Within a week of the attacks starting, CISA released a simple workaround to nullify the attack, allowing some of the victims to regain their data. However, within a few hours of the workaround's release, the attackers modified their malware and started using the modified version to target hundreds of victims.
Amid major ransomware campaigns, small-scale attacks and simple attack methods tend to go unnoticed. Researchers fear that the simplicity of the attack could lead more copycat attackers to follow the same steps. CISA has further mentioned that it is working on public and private partnerships to assess the impact of these attacks and help the victims if and when needed.