This week saw a lot of ransomware news, ranging from new extortion tactics, to a ransomware gang giving away a free decryptor after attacking a children’s hospital.
Overall, it was a pretty bad year for organizations, with Emsisoft reporting that 200 government, education, and healthcare entities were targeted by ransomware in 2022.
The cybersecurity firm states that ransomware operations attacked twenty-four hospitals and multi-hospital health systems last year.
However, the year is off with a bang, with LockBit ransomware confirming they attacked the SickKids children’s hospital. This attack led to delays in receive lab and imaging results and longer wait times for patients.
The ransomware gang claims the attack was conducted by a rogue affiliate who broke the operation’s policies, leading to a free decryptor being given to the hospital.
However, LockBit members are known for stealing data during their attacks, and it is unclear if data was stolen and if it is being misused in any way.
BlackCat/AlphV is evolving their extortion tactics by cloning a victim’s website and using it to leak stolen data. The threat actors previously created dedicated data leak sites for victims, allowing employees to search for their data.
We also learned more information this week about various cyberattacks, which have now been confirmed as ransomware.
These ransomware attacks include a LockBit attack on the SickKids children’s hospital. Rackspace confirming they were attacked by Play Ransomware, a Royal ransomware attack on QUT, and a LockBit ransomware attack on Wabtec.
Rackspace later confirmed that the Play ransomware operation was able to access the Microsoft Exchange Personal Storage Table (PST) files for 27 customers. These files are used to store emails for email accounts.
While it has mostly been bad news, we did see some good news this week.
BitDefender and law enforcement released a free decryptor for the MegaCortex ransomware. Any victims who saved their encrypted files in the hopes of a decryptor being released can recover their files for free.
Contributors and those who provided new ransomware information and stories this week include: @LawrenceAbrams, @serghei, @PolarToffee, @billtoulas, @Ionut_Ilascu, @Seifreed, @fwosar, @struppigel, @demonslay335, @malwrhunterteam, @BleepinComputer, @Fortinet, @emsisoft, @BrettCallow, @Bitdefender, @AlvieriD, and @pcrisk.
January 1st 2023
Ransomware gang apologizes, gives SickKids hospital free decryptor
The LockBit ransomware gang has released a free decryptor for the Hospital for Sick Children (SickKids), saying one of its members violated rules by attacking the healthcare organization.
Ransomware gang cloned victim’s website to leak stolen data
The ALPHV ransomware operators have gotten creative with their extortion tactic and, in at least one case, created a replica of the victim’s site to publish stolen data on it.
January 2nd 2023
Ransomware impacts over 200 govt, edu, healthcare orgs in 2022
Ransomware attacks in 2022 impacted more than 200 hundred larger organizations in the U.S. public sector in the government, educational, and healthcare verticals.
New STOP Ransomware variant
PCrisk found a new variant of the STOP ransomware that appends the .znto extension to encrypted files.
New Dharma ransomware variant
PCrisk found a new Dharma ransomware variant that appends the .CY3 extension.
New Upsilon Ransomware
PCrisk found the new Upsilon ransomware that appends the .upsil0n extension and drops a ransom note named Upsilon.txt.
New BetterCallSaul ransomware
PCrisk found a new ransomware that appends the .bettercallsaul extension and drops ransom notes named DECRYPT_MY_FILES.txt.
January 3rd 2023
Royal ransomware claims attack on Queensland University of Technology
The Royal ransomware gang has claimed responsibility for a recent cyberattack on the Queensland University of Technology and begun to leak data allegedly stolen during the security breach.
Rail giant Wabtec discloses data breach after Lockbit ransomware attack
U.S. rail and locomotive company Wabtec Corporation has disclosed a data breach that exposed personal and sensitive information.
New Dharma ransomware variant
PCrisk found a new Dharma ransomware variant that appends the .d0n extension.
New STOP Ransomware variant
PCrisk found a new variant of the STOP ransomware that appends the .bpsm extension to encrypted files.
January 4th 2023
Rackspace confirms Play ransomware was behind recent cyberattack
Texas-based cloud computing provider Rackspace has confirmed that the Play ransomware operation was behind a recent cyberattack that took down the company’s hosted Microsoft Exchange environments.
January 5th 2023
Bitdefender releases free MegaCortex ransomware decryptor
Antivirus company Bitdefender has released a decryptor for the MegaCortex ransomware family, making it possible for victims of the once notorious gang to restore their data for free.
Rackspace: Customer email data accessed in ransomware attack
Rackspace revealed on Thursday that attackers behind last month’s incident accessed some of its customers’ Personal Storage Table (PST) files which can contain a wide range of information, including emails, calendar data, contacts, and tasks.
Ransomware Roundup – Monti, BlackHunt, and Putin Ransomware
This latest edition of the Ransomware Roundup covers Monti, BlackHunt, and Putin ransomware.
January 6th 2023
New STOP Ransomware variants
PCrisk found new variants of the STOP ransomware that append the .bpws and .bpto extensions to encrypted files.
