19 May 2023

5 min read

US sanctions prolific Russian ransomware developer | Cyber Intelligence Briefing: 19 May



Top news stories this week

  1. Sanctions storm. US sanctions major ransomware operator linked to Babuk and LockBit.
  2. Under pressure. Philadelphia newspaper hit by cyber attack and Capita’s woes continue.
  3. Greatness. Cyber criminals use new phishing platform to target Microsoft 365 users.
  4. Insider threat. Former Ubiquiti employee sentenced for extortion attempt against company.
  5. New player. New ransomware-as-a-service group 'MichaelKors' specialises in targeting ESXi hypervisors.
  6. Cloudy with a chance of hackers. Hackers use phishing and SIM swapping to target Azure virtual machines.



1. US sanctions prolific Russian ransomware developer

The United States Treasury Department’s Office of Foreign Assets Control (OFAC) has sanctioned Mikhail Matveev for his involvement in cyber attacks on American businesses, law enforcement, and critical infrastructure. The Russian national has been a key developer of multiple ransomware strains, including Babuk, Hive, and LockBit. The US Department of Justice is also offering a reward of up to USD 10 million for information that leads to his arrest or conviction.

So what?

With law enforcement increasingly using sanctions to target individual ransomware operators, organisations must carefully consider the legal ramifications of paying a ransom, in addition to the ethical and reputational implications.




2. Cyber attacks: daily newspaper suffers significant disruption as Capita costs mount

A major US newspaper, the Philadelphia Inquirer, has suffered a cyber attack that temporarily took down its critical publishing systems. The attack prevented employees from accessing key software used to write and publish the print edition, resulting in the non-release of the paper’s Sunday edition.

Separately, IT outsourcing firm Capita announced it expects to spend over GBP 20 million on recovery, restoration, and reinforcement of IT systems following a cyber attack last month. In a further data breach, the firm has also been accused by clients of improperly storing client information, after data was found to be kept on an unsecured cloud server.

So what?

Cyber incidents are expensive. Implementing preventative security controls and protecting critical systems and data is more cost-efficient in the long run.



3. New phishing platform used to target Microsoft 365 users

Cyber criminals are using a new phishing-as-a-service platform named Greatness to target Microsoft 365 users. The platform allows users to create convincing phishing emails that imitate Microsoft login pages, including company email addresses, logos, and backgrounds.

So what?

Cyber defences are only as strong as the weakest link. Implementing regular phishing awareness training for employees will ensure they are prepared to identify and report phishing emails.



4. Former employee jailed after extortion attempt

A former employee of US tech company Ubiquiti has been jailed for data theft, extortion, and spreading misleading news that impacted the company's market value. The employee used insider access to steal confidential data and then posed as an anonymous attacker, demanding nearly USD 2 million worth of cryptocurrency as a ransom.

So what?

Organisations should remain vigilant against the possibility of insider threats. Enforcing stringent data access control measures, adhering to the principle of least privilege, and implementing data loss prevention tools are a few methods to curb the insider threat.



5. New RaaS group 'MichaelKors' targets VMware ESXi systems

Researchers have discovered a new ransomware group known as "MichaelKors" targeting VMware ESXi hypervisors. While ransomware groups have traditionally focused on Windows operating systems, threat actors are increasingly targeting VMware ESXi hypervisors as they lack third-party anti-malware support and are frequently misconfigured.

So what?

Organisations using ESXi hypervisors should deploy careful network segmentation and avoid providing direct access to the hypervisor hosts to minimise the risk of attack.



6. Hackers use phishing and SIM swapping to target Azure virtual machines

Hackers are using phishing and SIM swapping to gain access to Azure administrator accounts so they can take control of virtual machines and steal data. The attack involves tricking helpdesk agents into sending a code to reset multi-factor authentication (MFA) and then gaining access by swapping the victim’s phone number to receive the code.

So what?

Organisations should not rely on SMS-based authentication for cloud-based services. Instead, they should adopt more secure MFA methods, such as hardware tokens, mobile authenticator apps, or biometric authentication.



Cyber Intelligence Briefing

The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.

To discuss this briefing or other industry developments, please reach out to one of our experts.


Miles Arkwright, Associate, Cyber Security
James Tytler, Associate, Cyber Security

James Tytler is a cyber security associate in S-RM’s incident response team. In addition to responding to a wide range of cyber security incidents, he also supports clients with cyber threat intelligence services.

Before joining S-RM’s cyber security team, James worked at a London-based corporate intelligence firm, where he specialised in Middle Eastern subjects.

James has a BA in Arabic and Persian from the University of Cambridge, and an MA in International Security from Sciences Po Paris. He speaks fluent French.
