We saw a bit of ransomware drama this week, mostly centered around LockBit, who saw their data leak sites taken down by a DDoS attack after they started leaking the allegedly stolen Entrust data.
Soon after leaking the data, LockBit’s Tor data leak sites experienced a DDoS attack that made them inaccessible.
Contributors and those who provided new ransomware information and stories this week include: @VK_Intel, @LawrenceAbrams, @jorntvdw, @billtoulas, @demonslay335, @PolarToffee, @Ionut_Ilascu, @Seifreed, @fwosar, @DanielGallagher, @struppigel, @BleepinComputer, @malwareforme, @serghei, @FourOctets, @malwrhunterteam, @TrendMicro, @GossiTheDog, @AlvieriD, @ValeryMarchive, @Cyberknow20, @VenezuelaBTH, @S0ufi4n3, @vxunderground, @AShukuhi, @pcrisk, and @ddd1ms.
August 20th 2022
MalwareHunterTeam found a sample of the new PT_Moisha ransomware operation after a victim opened a support topic in the BleepingComputer forums. The ransomware does not append a new extension to encrypted files and drops a ransom note named !!!READ TO RECOVER YOUR DATA!!! PT_MOISHA.html.
August 22nd 2022
The LockBit ransomware operation’s data leak sites were shut down over the weekend by a DDoS attack demanding that they remove Entrust’s allegedly stolen data.
Greece’s largest natural gas distributor DESFA confirmed on Saturday that they suffered a limited scope data breach and IT system outage following a cyberattack.
PCrisk found a new Phobos ransomware variant that appends the .KOPYTZEMPEREEBET extension.
PCrisk found a new STOP ransomware variant that appends the .qqjj extension.
August 23rd 2022
A new data extortion group named ‘Donut Leaks’ is linked to recent cyberattacks, including those on Greek natural gas company DESFA, UK architectural firm Sheppard Robson, and multinational construction company Sando.
The Centre Hospitalier Sud Francilien (CHSF), a 1000-bed hospital located 28 km from the center of Paris, suffered a cyberattack on Sunday, which has resulted in the medical center referring patients to other establishments and postponing scheduled surgeries.
PCrisk found a new Dharma variant that appends the .zxcvb extension.
PCrisk found a new STOP ransomware variant that appends the .qqkk extension.
August 24th 2022
The Dominican Republic’s Instituto Agrario Dominicano has suffered a Quantum ransomware attack that encrypted multiple services and workstations throughout the government agency.
The RansomEXX ransomware gang is claiming responsibility for the cyberattack against Bombardier Recreational Products (BRP), disclosed by the company on August 8, 2022.
PCrisk found a new STOP ransomware variant that appends the .qqpp extension.
PCrisk found a new Scarab ransomware variant that appends the .ZZZZZ extension.
PCrisk found a new ransomware named ‘DonkeyHot’ that appends the .DONKEYHOT extension and drops a ransom note named #HOW_TO_DECRYPT#.txt.
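The extension and ransom-note indicators listed above are the kind of thing a responder turns into a quick triage check. The following is an added example (not from BleepingComputer or any vendor) that classifies a constructed file listing by the indicators quoted in this digest; it specifically handles PT_Moisha, which appends no extension and so can only be recognised from its note, and the sample paths and the Dharma-style filename layout are constructed for illustration.

```python
from collections import Counter
from pathlib import PurePath

# family -> (extensions appended to encrypted files, ransom-note filenames),
# taken from this week's digest. PT_Moisha appends no extension.
INDICATORS = {
    "PT_Moisha": (set(), {"!!!READ TO RECOVER YOUR DATA!!! PT_MOISHA.html"}),
    "Phobos": ({".KOPYTZEMPEREEBET"}, set()),
    "STOP": ({".qqjj", ".qqkk", ".qqpp"}, set()),
    "Dharma": ({".zxcvb"}, set()),
    "Scarab": ({".ZZZZZ"}, set()),
    "DonkeyHot": ({".DONKEYHOT"}, {"#HOW_TO_DECRYPT#.txt"}),
}


def triage(paths):
    """Count, per family, ransom notes and files carrying a known extension.

    Returns {family: {"notes": n, "encrypted": m}}. A family with no listed
    extension (PT_Moisha) can only ever produce a "notes" count, so an
    "encrypted" count of 0 there does not mean nothing was encrypted.
    """
    hits = {}
    for p in paths:
        name, suffix = PurePath(p).name, PurePath(p).suffix
        for family, (exts, notes) in INDICATORS.items():
            if name in notes:
                hits.setdefault(family, Counter())["notes"] += 1
            elif suffix in exts:
                hits.setdefault(family, Counter())["encrypted"] += 1
    return {f: {"notes": c["notes"], "encrypted": c["encrypted"]} for f, c in hits.items()}


def extension_known(family):
    """True if the digest lists an extension for this family; otherwise the
    number of encrypted files must be established another way (entropy, headers)."""
    return bool(INDICATORS[family][0])


# Constructed sample listing; the Dharma-style "id-...[mail].ext" layout is illustrative.
SAMPLE_PATHS = [
    "C:/Users/alice/Documents/budget.xlsx.qqjj",
    "C:/Users/alice/Pictures/holiday.jpg.qqjj",
    "C:/Users/alice/Desktop/!!!READ TO RECOVER YOUR DATA!!! PT_MOISHA.html",
    "C:/Users/alice/Desktop/notes.txt",
    "D:/share/contract.pdf.id-1A2B3C4D.[mail@example].zxcvb",
    "D:/share/#HOW_TO_DECRYPT#.txt",
]

if __name__ == "__main__":
    for family, counts in sorted(triage(SAMPLE_PATHS).items()):
        flag = "" if extension_known(family) else " (no extension appended; count encrypted files separately)"
        print(f"{family}: {counts}{flag}")
```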
August 25th 2022
Hackers are abusing an anti-cheat system driver for the immensely popular Genshin Impact game to disable antivirus software while conducting ransomware attacks.
According to our information, the investigators in charge of the cyberattack that led to the outbreak of the LockBit ransomware last weekend at the Sud-Francilien hospital center (CHSF), in Corbeil-Essonnes, currently suspect that the hijacking of a publisher’s support account served as the initial intrusion vector.
August 26th 2022
An interview with initial access broker Wazawaka: ‘There is no such money anywhere as there is in ransomware’
Matveev, known as Wazawaka, talked to Recorded Future analyst and product manager Dmitry Smilyanets about his interactions with other hackers, details of ransomware attacks he has been involved in, and how he settled on the name Babuk. The conversation was conducted in Russian and was translated into English with the help of linguists from Recorded Future’s Insikt Group.