
The Week in Ransomware – August 26th 2022 – Fighting back

We saw a bit of ransomware drama this week, mostly centered around LockBit, who saw their data leak sites taken down by a DDoS attack after they started leaking the allegedly stolen Entrust data.

Last week, LockBit claimed responsibility for a ransomware attack on cybersecurity giant Entrust and began leaking the company’s allegedly stolen data Friday evening.

Soon after leaking the data, LockBit’s Tor data leak sites experienced a DDoS attack that made them inaccessible.

Image caption: DDoS HTTPS requests with a message to LockBit

Researchers released reports this week on a Genshin Impact anti-cheat driver being abused to terminate antivirus processes during ransomware attacks and a new extortion group called Donut Leaks.

Finally, this week’s ransomware attacks include DESFA, Center Hospitalier Sud Francilien (CHSF), Instituto Agrario Dominicano, and Bombardier Recreational Products (BRP).

Contributors and those who provided new ransomware information and stories this week include: @VK_Intel, @LawrenceAbrams, @jorntvdw, @billtoulas, @demonslay335, @PolarToffee, @Ionut_Ilascu, @Seifreed, @fwosar, @DanielGallagher, @struppigel, @BleepinComputer, @malwareforme, @serghei, @FourOctets, @malwrhunterteam, @TrendMicro, @GossiTheDog, @AlvieriD, @ValeryMarchive, @Cyberknow20, @VenezuelaBTH, @S0ufi4n3, @vxunderground, @AShukuhi, @pcrisk, and @ddd1ms.

August 20th 2022

New PT_Moisha ransomware

MalwareHunterTeam found a sample of the new PT_Moisha ransomware operation after users opened a support topic in the BleepingComputer forums. The ransomware does not append a new extension to encrypted files and drops a ransom note named !!!READ TO RECOVER YOUR DATA!!! PT_MOISHA.html.

August 22nd 2022

LockBit ransomware blames Entrust for DDoS attacks on leak sites

The LockBit ransomware operation’s data leak sites were shut down over the weekend by a DDoS attack whose requests carried a message telling them to remove Entrust’s allegedly stolen data.

Greek natural gas operator suffers ransomware-related data breach

Greece’s largest natural gas distributor DESFA confirmed on Saturday that they suffered a limited scope data breach and IT system outage following a cyberattack.

New Phobos variant

PCrisk found a new Phobos ransomware variant that appends the .KOPYTZEMPEREEBET extension.

New STOP ransomware variant

PCrisk found a new STOP ransomware variant that appends the .qqjj extension.

August 23rd 2022

New ‘Donut Leaks’ extortion gang linked to recent ransomware attacks

A new data extortion group named ‘Donut Leaks’ is linked to recent cyberattacks, including those on Greek natural gas company DESFA, UK architectural firm Sheppard Robson, and multinational construction company Sando.

French hospital hit by $10M ransomware attack, sends patients elsewhere

The Center Hospitalier Sud Francilien (CHSF), a 1000-bed hospital located 28km from the center of Paris, suffered a cyberattack on Sunday, which has resulted in the medical center referring patients to other establishments and postponing appointments for surgeries.

New Dharma ransomware variant

PCrisk found a new Dharma variant that appends the .zxcvb extension.

New STOP ransomware variant

PCrisk found a new STOP ransomware variant that appends the .qqkk extension.

August 24th 2022

Quantum ransomware attack disrupts govt agency in Dominican Republic

The Dominican Republic’s Instituto Agrario Dominicano has suffered a Quantum ransomware attack that encrypted multiple services and workstations throughout the government agency.

RansomEXX claims ransomware attack on Sea-Doo, Ski-Doo maker

The RansomEXX ransomware gang is claiming responsibility for the cyberattack against Bombardier Recreational Products (BRP), disclosed by the company on August 8, 2022.

New STOP ransomware variant

PCrisk found a new STOP ransomware variant that appends the .qqpp extension.

New Scarab ransomware variant

PCrisk found a new Scarab ransomware variant that appends the .ZZZZZ extension.

New DonkeyHot ransomware

PCrisk found a new ransomware named ‘DonkeyHot’ that appends the .DONKEYHOT extension and drops a ransom note named #HOW_TO_DECRYPT#.txt.

August 25th 2022

Hackers abuse Genshin Impact anti-cheat system to disable antivirus

Hackers are abusing an anti-cheat system driver for the immensely popular Genshin Impact game to disable antivirus software while conducting ransomware attacks.

Cyberattack: misappropriation of provider account suspected at CHSF

According to our information, the investigators in charge of the cyberattack that led to the outbreak of the LockBit ransomware last weekend at the Sud-Francilien hospital center (CHSF) in Corbeil-Essonnes currently suspect that the hijacking of a publisher’s support account served as the initial intrusion vector.

August 26th 2022

An interview with initial access broker Wazawaka: ‘There is no such money anywhere as there is in ransomware’

Matveev talked to Recorded Future analyst and product manager Dmitry Smilyanets about his interaction with other hackers, details about ransomware attacks he’s been involved in, and how he settled on the name Babuk. The conversation was conducted in Russian and was translated to English with the help of linguists from Recorded Future’s Insikt group.

That’s it for this week! Hope everyone has a nice weekend!
