Below are the top headlines we’ve been reporting this whole week on *Cyber Security Headlines.*
If you’d like to hear and participate in a discussion about them, the CISO Series does a live 20-minute show every Thursday at 4pm PT/7pm ET. The show is hosted by reporter Steve Prentice and we welcome a cyber practitioner to offer some color to the week’s stories. Our guest this week/tonight is Jerich Beason, CISO, Epiq
If you want to get involved you can watch live and participate in the discussion on Crowdcast ([register](https://www.crowdcast.io/e/cyber-security-headlines)), or you can just[ subscribe to the Cyber Security Headlines podcast](https://cisoseries.com/subscribe-podcast/) and get it into your feed.
Here are some of the stories we’ll be covering.
## Emotet malware officially removed from all infected devices globally
The infamous botnet that once empowered over 70% of global infections was apparently successfully uninstalled from all infected systems globally, yesterday.German police, in association with other police agencies, has captured the C2 servers of Emotet botnet and disabled operations. Emotet was infamous for making backdoors through which second-stage payloads such as Qbot and TrickBot, were able to procure ransomware malware such as ProLock, Ryuk, and Conti. This botnet was reported to have been operated by TA542, also known as Mummy Spider.
## Computer security world in mourning over death of Dan Kaminsky
Celebrated information security researcher Dan Kaminsky, has died. He was 42. Though Kaminsky rose to fame in 2008 for identifying a critical design weakness in the internet’s infrastructure – and worked in secret with software developers to mitigate the issue before it could be easily exploited – he had worked behind the scenes in the infosec world for at least the past two decades. He was heralded for his work in spotting flaws in SSL, and in automating the detection of Conficker malware infections. He had been a stalwart of the security research scene for years, and was a much-loved regular at conferences big and small. He would talk with and advise anyone – even paying the entrance fees for some researchers or letting them crash in his hotel room floor – and it was this generosity that people are overwhelmingly remembering this weekend.
([The Register](https://www.theregister.com/2021/04/25/dan_kaminsky_obituary/) and all of us at CISOSeries.com)
## Password manager Passwordstate hacked to deploy malware on customer systems
Click Studios, the Australian software firm behind Passwordstate, notified its 29,000 customers via email on Friday, after a malware-laced update was live for 28 hours between April 20 and 22. Once the intrusion was discovered, the attackers immediately took down their C&C server, which prevented investigators from discovering what additional payloads and other actions the attackers had performed. It is also very likely that the malware had full access to customers’ password stores. Click Studios has recommended that customers change all their passwords as soon as possible.
## Millions of Pentagon dormant IP addresses spring to life following Trump departure
On January 20th, Global Resource Systems LLC, an obscure company based in Florida discreetly announced to the world’s computer networks that it now was managing 56 million IP addresses that had been owned by the Pentagon, a number that quickly increased to 175 million which amounts to 6 percent of the IPv4 sector, worth billions of dollars on the open market, and usually controlled by telecommunications giants. The reason for the release and the way it was done both remain unclear, but a spokesperson for an elite Pentagon unit known as the Defense Digital Service, which reports directly to the Secretary of Defense, says it is a “pilot effort [that] will assess, evaluate and prevent unauthorized use of DoD IP address space.”
([The Washington Post](https://www.washingtonpost.com/technology/2021/04/24/pentagon-internet-address-mystery))
## The state of ransomware in Q1
According to Coveware’s Quarterly Ransomware Report, Q1 saw the average ransomware payment increase 42% from Q4 2020 to $220,298, with median payments up 59% to $78,398. While considerable increases, these both are still below the peaks in ransom payments seen in Q3 2020. A small number of very high ransoms tied to the CloP ransomware group pulled the average higher. Data extortion ransomware attacks continued to gain in popularity, now accounting for 77% of all ransomware attacks, up 10% on the quarter. Remote desktop compromises were the most common vector, surpassing email phishing and making up just under 50% of all attacks, and most common in organizations over 10,000 employees.
## Ransomware gang threatens to expose police informants if ransom is not paid
The Babuk Locker gang claims it has downloaded more than 250 GB of data from the Metropolitan Police Department of the District of Columbia. It is now giving DC Police officials three days to respond to their ransom demand; otherwise, they say they will contact local gangs and expose police informants. The gang posted screenshots on Tor that suggest it had obtained access to investigation reports, officer disciplinary files, documents on local gangs, mugshots, and administrative files. The Babuk Locker gang is one of the most recent ransomware groups today and is behind the attack on the NBA’s Houston Rockets that we reported on yesterday.
## FBI shares four million email addresses used by Emotet with Have I Been Pwned
Now that Emotet has been removed from victim machines globally, the millions of email addresses collected by the botnet for malware distribution campaigns have been shared by the FBI as part of the agency’s effort to clean infected computers. Individuals and domain owners can now learn if Emotet impacted their accounts by searching the database. Given its sensitive nature, the Emotet data is not publicly searchable. Subscribers to the service that were impacted by the breach have already been alerted, says HIBP creator, Troy Hunt.