Skip links

The Week in Ransomware – August 12th 2022 – Attacking the defenders



It was a very busy week for ransomware news and attacks, especially with the disclosure that Cisco was breached by a threat actor affiliated with the Yanluowang ransomware gang.

On Wednesday, the Yanluowang ransomware gang claimed to have breached Cisco’s network and stolen 2.8 GB of data from the company, later telling BleepingComputer that a total of 55GB was stolen.

While the exact amount of data could not be verified, Cisco confirmed that they suffered a network breach that allowed the threat actor to steal data from a Box account and gain admin access to their domain.

Other attacks we learned more about this week were on 7-Eleven Denmark, ista International, and Advanced MSP, causing an outage for the UK’s NHS.

Researchers were also busy this week, with reports released on how ransomware gangs are moving to callback social engineering attacks, that Cuba ransomware is using a new RAT malware, a report on BlueSky, and that Zeppelin has been seen encrypting devices multiple times in a single attack.

Finally, the US government published a picture of a Conti ransomware member for the first, asking people to provide info on members named ‘Target,’ ‘Tramp,’ ‘Dandis,’ ‘Professor,’ and ‘Reshaev.’ The State Department is offering a reward of up to $10 million for information leading to their location, travel plans, and identity.

Contributors and those who provided new ransomware information and stories this week include: @demonslay335, @Ionut_Ilascu, @PolarToffee, @malwareforme, @LawrenceAbrams, @DanielGallagher, @VK_Intel, @fwosar, @struppigel, @Seifreed, @BleepinComputer, @billtoulas, @serghei, @malwrhunterteam, @FourOctets, @jorntvdw, @fiskerlarsen, @Sophos, @y_advintel, @AdvIntel, @Cyberknow20, @kaspersky, @PaloAltoNtwks, @AhnLab_SecuInfo, @ReversingLabs, @pcrisk, @Amigo_A_, @jamiemaccol, @Jarnecki, and @PogoWasRight.

August 6th 2022

New GwisinLocker ransomware encrypts Windows and Linux ESXi servers

A new ransomware family called ‘GwisinLocker’ targets South Korean healthcare, industrial, and pharmaceutical companies with Windows and Linux encryptors, including support for encrypting VMware ESXi servers and virtual machines.

August 8th 2022

7-Eleven stores in Denmark closed due to a cyberattack

7-Eleven stores in Denmark shut down today after a cyberattack disrupted stores’ payment and checkout systems throughout the country.

New Phobos ransomware variant

PCrisk found a new Phobos variants that append the .FLSCRYPT and .BITCOINPAYMENT extensions to encrypted files.

New World2022 ransomware

PCrisk found a new ransomware called World2022 that appends .world2022decoding and drops a ransom note named WE CAN RECOVER YOUR DATA.MHT.

August 9th 2022

Maui ransomware operation linked to North Korean ‘Andariel’ hackers

The Maui ransomware operation has been linked to the North Korean state-sponsored hacking group ‘Andariel,’ known for using malicious cyber activities to generate revenue and causing discord in South Korea.

New VoidCrypt variants

PCrisk found new VoidCrypt variants that append the .Daz and .Oiltraffic extensions.

New MedusaLocker variant

PCrisk found a new MedusaLocker ransomware variant that appends the .readlockfiles and drops a ransom note named HOW_TO_RECOVER_DATA.html.

August 10th 2022

Cisco hacked by Yanluowang ransomware gang, 2.8GB allegedly stolen

Cisco confirmed today that the Yanluowang ransomware group breached its corporate network in late May and that the actor tried to extort them under the threat of leaking stolen files online.

7-Eleven Denmark confirms ransomware attack behind store closures

7-Eleven Denmark has confirmed that a ransomware attack was behind the closure of 175 stores in the country on Monday.

Ransomware gangs move to ‘callback’ social engineering attacks

At least three groups split from the Conti ransomware operation have adopted BazarCall phishing tactics as the primary method to gain initial access to a victim’s network.

Automotive supplier breached by 3 ransomware gangs in 2 weeks

An automotive supplier had its systems breached and files encrypted by three different ransomware gangs over two weeks in May, two of the attacks happening within just two hours.

Hacker uses new RAT malware in Cuba Ransomware attacks

A member of the Cuba ransomware operation is employing previously unseen tactics, techniques, and procedures (TTPs), including a novel RAT (remote access trojan) and a new local privilege escalation tool.

BlueSky Ransomware: Fast Encryption via Multithreading

BlueSky ransomware is an emerging family that has adopted modern techniques to evade security defenses.

ista International takes systems offline in wake of ransomware attack

Daixin Team claims thousands of servers encrypted

New FileRec ransomware

Amigo-A found a new FileRec ransomware that appends the .filerec extension and drops a ransom note named filerec.txt.

August 11th 2022

UK NHS service recovery may take a month after MSP ransomware attack

Managed service provider (MSP) Advanced confirmed that a ransomware attack on its systems disrupted emergency services (111) from the United Kingdom’s National Health Service (NHS).

FBI: Zeppelin ransomware may encrypt devices multiple times in attacks

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) warned US organizations today that attackers deploying Zeppelin ransomware might encrypt their files multiple times.

US govt will pay you $10 million for info on Conti ransomware members

The U.S. State Department announced a $10 million reward today for information on five high-ranking Conti ransomware members, including showing the face of one of the members for the first time.

August 12th 2022

Ransomware Now Threatens the Global South

Historically, ransomware has targeted a number of high-value sectors – finance, professional services, the public sector – in wealthy countries, concentrating on the US and other G7 members. Recent attacks on countries such as Costa Rica, South Africa, Malaysia, Peru, Brazil and India illustrate the increased threat to governments, critical national infrastructure providers and businesses in middle-income and developing countries. Ransomware presents a risk to these countries’ development, economic growth and political stability by disrupting commerce and the delivery of essential services.

That’s it for this week! Hope everyone has a nice weekend!

Adblock test (Why?)