DOGE Big Balls Ransomware Attack — What You Need To Know

Forbes, 15-04-2025
A new ransomware threat called DOGE Big Balls uses political conspiracy theories as false flags.
Although current high-profile news events are more often to be found used as bait in the realm of organized phishing crime to hook victims into clicking links, one cybercrime group has taken political conspiracy theory and woven it into ransomware code in an attempt to throw law enforcement off the scent. Welcome to the very strange world that is the DOGE Big Balls ransomware threat.
If you think the threat from ransomware attackers is all but over, then you are very wrong indeed. While the amount paid in ransoms is declining, the attacks themselves are not only surging but evolving fast. With new ransomware groups employing tools to brute force VPN and firewall passwords, old groups wanting to make friends with the FBI, and some even, I kid you not, moving the ransomware threat to snail mail, the danger is far from over.
An April 14 report from threat intelligence platform Cyble has detailed how one ransomware group is leveraging provocative political commentary, conspiracy theory, and even the name and address of a high-profile individual within the Department Of Government Efficiency to manipulate, misattribute and draw attention while sowing the seeds of confusion. That ransomware threat is called DOGE Big Balls.
Although the ransomware payload itself is a highly customized version of an existing malware threat known as Fog, the threat actors behind the latest attacks have renamed their threat to DOGE Big Balls Ransomware, likely to attract media attention and stand out from the crowd. Mea culpa, it's working. The attack methodology is relatively basic: a ZIP file carries a deceptive shortcut that ultimately executes a multi-stage Windows PowerShell infection chain. A known vulnerability, CVE-2015-2291, is exploited to gain the kernel-level access needed for privilege escalation. Where things get more unusual, however, is that the ransomware scripts include political commentary and conspiracy theory in the code.
'By introducing conspiracy-laced commentary in the code and ransom notes,' Cyble threat intelligence analysts said, 'the threat actor demonstrates a psychological play designed to unsettle and distract victims during critical moments of response.'
These statements include the likes of 'The CIA didn't kill Kennedy you idiot. Oswald is a very deranged person that felt ostracized by his own country.' The ransomware demand text itself references 19-year-old software engineer and DOGE worker Edward Coristine, known online as Big Balls, and about whom much has been written in the media regarding his alleged past. Not only do the attackers falsely claim that Coristine is the threat actor behind the ransomware attack, but they include his full home address and telephone number. 'The use of Coristine's name and the DOGE reference in the ransomware could be a tactic to malign him and the DOGE initiative,' Cyble said.
I have reached out to DOGE for a statement.
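As an added defensive illustration, not code from the Forbes article, from Cyble, or from the campaign itself: the delivery chain described above begins with a ZIP archive holding a deceptive shortcut (.lnk) that launches a PowerShell chain. The Python script below, written for this page, unpacks an archive in memory and flags shortcut entries by three signals: the shell-link header that every real .lnk file starts with, document-style double extensions such as "Report.pdf.lnk" (Explorer hides the trailing .lnk by default), and references to script launchers in the shortcut's stored path or arguments. The archive it inspects is constructed inline; the shortcut inside it is a stand-in with a genuine LNK header but a padded body, not a sample from any real attack.

```python
from __future__ import annotations

import io
import re
import zipfile

# Every Windows shell link (.lnk) starts with HeaderSize 0x4C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046, serialised as a GUID.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")

# Program names that mark a shortcut as a script launcher rather than a document.
# Compared case-insensitively in both ASCII and UTF-16LE, because LNK string
# data may be stored in either encoding.
LAUNCHER_HINTS = ["powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript"]

# "invoice.pdf.lnk" style names: a document extension followed by the hidden .lnk
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|txt|jpe?g|png)\.lnk$", re.IGNORECASE)


def _contains_hint(blob: bytes, hint: str) -> bool:
    """True if the hint appears in the blob as ASCII or as UTF-16LE (case-insensitive)."""
    lower = blob.lower()  # bytes.lower() only touches ASCII letters, so NULs survive
    return hint.encode("ascii") in lower or hint.encode("utf-16-le") in lower


def inspect_zip(zip_bytes: bytes) -> list[dict]:
    """Return one finding per shortcut-like entry in an in-memory ZIP archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            data = zf.read(name)
            # Trust the header over the name: a renamed shortcut still carries the magic.
            if not (data.startswith(LNK_MAGIC) or name.lower().endswith(".lnk")):
                continue
            reasons = []
            if DOUBLE_EXT.search(name):
                reasons.append("document-looking name with hidden .lnk extension")
            hits = [h for h in LAUNCHER_HINTS if _contains_hint(data, h)]
            if hits:
                reasons.append("shortcut references script launcher: " + ", ".join(hits))
            findings.append({"entry": name, "reasons": reasons})
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample (not a real lure): a benign text file plus a fake shortcut
    whose body is just the LNK header, padding, and a UTF-16LE PowerShell path."""
    fake_lnk = (
        LNK_MAGIC
        + b"\x00" * 60
        + "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe".encode("utf-16-le")
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "nothing to see here")
        zf.writestr("Report.pdf.lnk", fake_lnk)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip(build_sample_archive()):
        print(finding["entry"], "->", "; ".join(finding["reasons"]))
```

Run against the constructed archive, the script reports only Report.pdf.lnk, with both the hidden-extension and the PowerShell-launcher reasons; readme.txt is ignored. The same function can be pointed at attachments pulled from a mail gateway or a sandbox, and matching on the shell-link header rather than the file name means a shortcut renamed to a different extension is still caught.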

Related Articles

DOJ rocked by wave of Trump firings
The Hill, 17 minutes ago

The Justice Department has been rocked by a wave of recent firings, a sign the administration is not done culling the ranks of career officials as it seeks to shape the department under a second Trump term. Maurene Comey, a New York-based federal prosecutor and the daughter of the former FBI director, was fired Wednesday without explanation. And news broke this week that the Justice Department also fired immigration court Judge Jennifer Peyton, who served as head of the Chicago immigration court system, shortly after the jurist gave a tour to Sen. Dick Durbin (D-Ill.), ranking member of the Judiciary Committee.

Those firings come on the heels of the dismissal of at least 20 staffers who worked under special counsel Jack Smith, a group that includes not only attorneys but also support staff and even U.S. Marshals. Attorney General Pam Bondi last week also fired the top career ethics official at the department, Joseph Tirrell, the latest in a string of ethics officials pushed out under President Trump.

'Every time I think we're at some point when the firings are over, there's another wave. So I would predict we'll see more,' said Sen. Richard Blumenthal (D-Conn.), a member of the Senate Judiciary Committee. 'It's more dedicated career professionals being given walking papers when they really deserve to be elevated and empowered. And to fire the ethics attorney, I think, speaks volumes about where she's taking the department,' Blumenthal said.

Justice Connection, a network of the department's alumni dedicated to protecting 'colleagues who are under attack,' estimates that more than 200 employees have been terminated at DOJ, a figure that includes firings at the FBI and other agencies, as well as prosecutors that worked on the cases of Jan. 6 rioters at the U.S. Attorney's Office in D.C.

'The senseless terminations at the Justice Department are growing exponentially. The very institution created to enforce the law is trampling over the civil service laws enacted by Congress. It's shameful, and it's devastating the workforce,' Stacey Young, executive director and founder of the group, said in a statement to The Hill. 'DOJ leadership is making clear the ability to keep your job is not tied to your performance, your expertise, or your commitment to uphold and defend the Constitution. Those who remain at the department are now worried about how to uphold their professional ethical standards when it seems that their willingness to do whatever they are ordered matters more than any other aspect of their work.'

The Justice Department declined to comment on personnel matters. Many of the attorneys that were fired have received brief letters saying they were terminated under the authority of the second article of the Constitution, the one that establishes the presidency.

A letter from Comey to her colleagues referenced the guiding ethos of the Justice Department: to pursue cases 'without fear or favor.' 'Our focus was really on acting 'without favor.' That is, making sure people with access, money, and power were not treated differently than anyone else; and making sure this office remained separate from politics and focused only on the facts and the law,' Comey said in the memo, adding, 'but we have entered a new phase where 'without fear' may be the challenge.'

In the case of Peyton, Durbin said he sees a direct line between the tour she gave him – something he called a routine oversight visit – and her termination. 'Judge Peyton took time to show me the court and explain its functions. Soon after, she received an email from Department of Justice political appointees. The email claimed that immigration judges should not directly communicate with members of Congress and congressional staff and required all communications from congressional offices to be forwarded to headquarters for review and response,' Durbin said in a Tuesday email. 'Judge Peyton was fired soon after. Her abrupt termination is an abuse of power by the Administration to punish a non-political judge simply for doing her job.'

On Smith's team, the recent firings make for at least 37 staffers who have been dismissed, according to Reuters. And on the ethics front, beyond Tirrell, Jeffrey Ragsdale, the head of the Office of Professional Responsibility, which reviews the conduct of attorneys in the department, was fired in March. Brad Weinsheimer, another top ethics official, resigned after he was reassigned to a new working group focused on cracking down on sanctuary cities.

Sen. Adam Schiff (D-Calif.), also a member of the Senate Judiciary Committee, said he sees two primary patterns. 'This is Pam Bondi attempting to go after all the president's perceived political enemies, to go after dedicated prosecutors who brought cases successfully to conviction. It's also part of the broader effort to completely rewrite history about Jan. 6,' he told The Hill, adding that he expects more firings of those 'deemed insufficiently pro-MAGA.' He then listed a string of officials inside and outside of DOJ that have been fired under Trump, including the heads of the Office of the Special Counsel and the Office of Government Ethics. 'They seem to be doing everything they can to eviscerate any kind of watchdog or ethical oversight – clearly part of a pattern of trying to eliminate all accountability,' said Schiff, who sent a letter to Bondi this week asking for more details on Tirrell's firing and plans to comply with ethics guidelines at the department.

Beyond the firings, many Justice Department lawyers have left the department of their own accord, with several sharing with The Hill they feared being asked to do something illegal or would be forced to defend unlawful actions. Rep. Jamie Raskin (D-Md.), the top Democrat on the House Judiciary Committee, said the result is a culture of fear at the Justice Department.

'The Department of Justice is now a joke. When you look at the history of a once storied and legendary department, Pam Bondi has defined her job as doing whatever Donald Trump wants. She's completely sycophantic and subservient. And there may be some lawyers still left in the building who are trying to do their jobs in an honest way consistent with professional ethics, but everything has been supported, subordinated to the political will of Donald Trump,' he told The Hill. 'It's a tough thing for the real lawyers who are still there, and they express a lot of fear and anxiety about where the DOJ is going.'

He added that some Republican colleagues, largely former prosecutors, have privately expressed concern over the firings. 'I have had Republican colleagues who were former federal prosecutors telling me privately that they are absolutely appalled that United States assistant attorneys are being fired because they worked on the January 6 case,' Raskin said. 'Think about the implications of that. People are being fired for doing their jobs well, and their job was bringing cases against people who violently assaulted federal police officers,' he said.

But that concern was not publicly shared by Rep. Jim Jordan (R-Ohio), the chair of the panel. 'I have confidence in President Trump, confidence in his team at the Justice Department, if that's what they think is in the best interest of fulfilling their mission, that's their call,' he told The Hill. 'I don't know the particulars about each individual, but if that's what the attorney general believes is in the best interest of the Justice Department's mission, that's fine.'

Comey and Tirrell both addressed morale in letters to their colleagues. Comey said unjustified firings mean 'fear may seep into the decisions of those who remain.' 'Do not let that happen. Fear is the tool of a tyrant, wielded to suppress independent thought. Instead of fear, let this moment fuel the fire that already burns at the heart of this place. A fire of righteous indignation at abuses of power. Of commitment to seek justice for victims. Of dedication to truth above all else,' she wrote.

Tirrell, too, hinted at a call to action from colleagues. 'I believe in the words of Dr. Martin Luther King Jr. – 'the arc of the moral universe is long, but it bends toward justice,'' he wrote in a post on LinkedIn that included his brief termination notice. 'I also believe that Edmund Burke is right and that 'the only thing necessary for the triumph of evil is for good people to do nothing.''

Virginia man who cheered ‘political assassinations' pleads guilty after 150 pipe bombs are seized from home
New York Post, an hour ago

A Virginia man charged with stockpiling the largest number of finished explosives in FBI history and accused of making threatening comments about politicians has pleaded guilty in federal court to possession of an unregistered short barrel rifle and possession of unregistered destructive devices. Authorities seized around 150 pipe bombs and other explosive devices from Brad Spafford's home near Norfolk last fall, according to court documents.

Spafford was also accused by prosecutors of using former President Joe Biden's photo for target practice, saying 'he believed political assassinations should be brought back' and telling someone shortly after President Donald Trump's assassination attempt, 'Bro, I hope the shooter doesn't miss Kamala,' according to an informant. The investigation into Spafford began in 2023, when the informant, who is in law enforcement, told authorities Spafford was stockpiling ammunition and weapons. Authorities found a highly unstable explosive material in a freezer next to frozen foods and more explosive material inside a backpack that said '#NoLivesMatter' while searching his home in December.

Spafford has remained in custody since his arrest in December, when a judge ruled he had 'shown the capacity for extreme danger.' He originally pleaded not guilty in January, and his defense argued he should be released because he had a steady job and no criminal record.

Photo caption: Federal agents seized a stockpile of homemade explosives in Brad Spafford's home. (AP)
Photo caption: This image provided by the U.S. Attorney's Office, Eastern District of Virginia shows a rifle seized when they arrested Spafford. (AP)

Spafford, who is married with two young daughters, lost three fingers in a homemade explosives accident in 2021, the judge noted. Spafford could face 10 years in prison on each charge and is scheduled to be sentenced in December.

This Password Hack Jumps From Laptop To Smartphone — Attacks Underway
Forbes, an hour ago

Photo caption: Scanception password attack magically jumps from laptop to smartphone.

Your passwords are under attack. It really is as simple as that. I mean, it's not surprising when 98.5% fail the most basic password hacking test, and cross-service password reuse just adds fuel to the credentials attack fire. Behind much of this barrage of threat actor activity lies one tactic: phishing. One newly analyzed and ongoing password hacking campaign, given the name Scanception by security researchers, uses a transitional tactic to switch the attack from your laptop to your smartphone, which is likely to have much less protection. Here's what you need to know.

The Scanception Password Hack Attack Explained

At the heart of the Scanception password hack campaign, as analyzed by the Cyble Research & Intelligence Labs team, is an old friend of the Forbes cybersecurity section, quishing. Oh my goodness, I just used that awful word, didn't I? QR code phishing, to be a little longer-winded but much less cheesy, is where the scanning of a QR code takes the unsuspecting user to a malicious site where harm can be done. That might be by way of malware downloads, including infostealers, or more straightforward credential theft involving a cloned account login page.

'The attack chain typically begins with a phishing email containing a PDF lure that urges recipients to scan an embedded QR code,' the Cyble report said, noting this technique 'effectively bypasses traditional email security and endpoint protection controls by shifting the attack surface to unmanaged personal mobile devices.' In the space of just 12 short weeks, the threat actors behind the Scanception campaign, which is very much still active, ongoing and evolving, have used at least 600 unique PDF document lures, and Cyble reported that 'nearly 80% of the quishing PDFs we observed had zero detections on VirusTotal.'

The attack has so far targeted a broad sweep of users across North America, EMEA and APAC regions, and high-value industries appear to be favored by the threat actors behind the campaign. These include tech, healthcare, manufacturing and financial sectors. Rather cleverly, the attackers have embedded the malicious QR code at the very end of a four-page PDF that appears legitimate, no doubt to evade detection methods that only scan the start of a document rather than the whole thing. To scan the QR code and access the further information it promises, the user must use their smartphone camera, thereby shifting the attack from the laptop to the phone.

Mitigating The Scanception Password Hack Attacks

The Cyble Research & Intelligence Labs team recommended the following mitigation measures:
