PyLocky Ransomware Source Code Leaked Online

PyLocky represents a new ransomware strain that was detected in the wild in late July 2018, and whose volume of infections increased throughout the month of August. The malware is usually distributed through malspam emails claiming to link to a fake payment invoice, and it features advanced anti-detection and anti-sandbox capabilities. Notably, infection telemetry data shows that PyLocky mainly targeted France and German cyberspace, but ransom notes also exist in Italian and Korean.

On September 11, 2018, we detected the leakage of PyLocky source code on Pastebin. Thus far, the incident has not received media attention. However, the paste was viewed by over 2,500 users. Therefore, our assessment is that this leakage might lower the barrier to entry for wannabe cybercriminals, possibly leading to an increase in malspam campaigns distributing this malware strain in the future. Continue reading “PyLocky Ransomware Source Code Leaked Online”

Anonymous Italia Robs the Police (Again)

On October 12, 2016, Anonymous Italia launched a cyber offensive against the Polizia Penitenziaria (the Italian penitentiary police) to protest against the “unjust” acquittal of all those involved in the trial of Stefano Cucchi’s, a young Italian citizen who died in 2009 under still unclear circumstances a week after being remanded in custody by the Italian police for alleged drug dealing. Continue reading “Anonymous Italia Robs the Police (Again)”

#OpSafePharma 3.0: Italian Hacktivists Attack the Healthcare Sector

The #OpSafePharma is a hacktivist campaign targeting the Italian healthcare and pharma industries, protesting their treatment of ADHD. Hacktivists affiliated with Anonymous Italia perform DDoS attacks and leak information stolen from databases of websites related to the abovementioned sectors. The campaign, which started in March 2016, was relaunched at the beginning of June following a decrease in the number of attacks against Italian targets in the past month.

On August 21, 2016, Anonymous Italia and its affiliated hacktivist collective AntiSec-Italia, relaunched the campaign, this time dubbed #OperationSafePharma, targeting four different healthcare-related Italian institutions with website defacement attacks and substantial data leakages. The outcomes of the operation, namely the screenshots of the defaced websites and the addresses of the downloadable data leakages, uploaded on dedicated file sharing platforms, were announced on the social media outlets of AntiSec-Italia, specifically on their Facebook page and Twitter account.

AntiSec-Italia published the outcomes of the operation on its Facebook page
AntiSec-Italia published the outcomes of the operation on its Facebook page

 

 

 

 

 

 

 

 

 

 

 

 

The Data Leakage

The hacktivists leaked approximately 2.5 GB of data, stolen from the databases of two prominent Italian healthcare institutions, and provided links to file-sharing platforms where they uploaded the dumps.

We acquired the leaked databases and, upon verification, we assess that they mostly contain internal communications, as well as a great volume of personal data relating to the in-house personnel of the two healthcare institutions, mainly CVs of the physicians and administrative executives working in the facilities. We did not find any indications that medical records of patients treated in these healthcare facilities were disclosed or compromised during the data leakage. Notably, the most recent documents we detected within the stolen files are dated August 5, 2016.

A partial list of the folders included in one of the leaked databases.
A partial list of the folders included in one of the leaked databases.
Sample of leaked data, notably personal documents of a patient who applied to be treated by a different physician
Sample of leaked data, notably personal documents of a patient who applied to be treated by a different physician

Website Defacements

The group defaced four distinct websites, explaining in a public statement – recycled from previous operations – the rationale underpinning the protest.

Screenshots of the defacements related to two of the affected Italian medical facilities
Screenshots of the defacements related to two of the affected Italian medical facilities

Assessment

Our assessment is that this latest iteration of #OperationSafePharma originates more from a one-time opportunity window that the hacktivist group AntiSec-Italia spotted in vulnerable websites associated with Italian medical centers and hospitals, than a concerted effort by multiple Anonymous-affiliated collectives to launch a massive hacktivist campaign against the Italian healthcare sector as a whole. We base this assumption on the analysis conducted using our automated SMA (Social Media Analytics) toolset, which indicated a spike in the activity of the attackers.

Nonetheless, the achievements of the operation, in particular the exfiltration of sensitive databases belonging to prominent Italian healthcare institutions, display noteworthy technical capabilities by the initiators of the offensive.

As yet, we have not identified any preparations for future hacktivist campaigns against the Italian healthcare or financial sector, nonetheless we continue to monitor Italian hacktivist threat actors on a daily basis.