
Published on May 16th, 2020


ARCHER compromised, shut down. Ramsay malware vs. air-gaps. Ransomware surcharge. CreepWare booted from Play. COVID-19 notes.



The UK-based ARCHER academic supercomputing system has sustained what the network calls a "security exploitation" that led its administrators to rewrite passwords and SSH keys. They also took ARCHER offline while the incident was investigated, the Register reports. ARCHER's managers have warned that computers in Europe may also be affected, and that users should not expect access to be restored before tomorrow at the earliest. The Register cites "knowledgeable" speculation that ARCHER is an "obvious resource for research work by computational biologists as well as those modelling the potential further spread of the novel coronavirus," which also makes it an obvious target for espionage.

ESET describes "Ramsay," an attack designed to exploit air-gapped computers. It's not that Ramsay defeats air-gapping in some exotic way. Instead it concentrates on other infection vectors, like removable media. ZDNet says that Ramsay appears to collect Word, PDF, and ZIP documents in a hidden folder, where they're staged for later exfiltration. Few victims have so far been identified, which suggests to ESET that Ramsay remains in a relatively early stage of development. There's no attribution, but Ramsay appears to share artifacts with DarkHotel's Retro malware.

Ransomware gangs routinely steal victims' data to gain additional leverage. BleepingComputer reports that one gang, the operators of Ako, is now also imposing a surcharge for deleting its copies of stolen files.





According to ZDNet, Google has used an algorithm, "CreepRank," developed by a university-industry team to identify 813 creepware apps for removal from the Play store.
