This week’s news has been dominated by the Clop ransomware gang extorting companies whose GoAnywhere services were breached using a zero-day vulnerability.
Over the past month, one hundred new companies have been added to Clop’s data leak site, with the extortion gang threatening to leak data if a ransom is not paid.
While it is not confirmed if all of these companies were breached using the GoAnywhere zero-day, BleepingComputer has confirmed this week that Saks Fifth Avenue, the City of Toronto, Procter & Gamble, Virgin Red, and the UK Pension Protection Fund are related to the vulnerability.
In strange news this week, the City of Oakland is suddenly being extorted on the LockBit data leak site, when a few weeks ago, they were claimed by a Play ransomware attack. It is unclear if LockBit is helping Play extort the City.
There also appears to be a spat brewing between the Monti ransomware gang and Donut Leaks.
Finally, we saw some reports on ransomware released this week about the ACL scareware pretending to be ransomware and a write-up on the DarkPower gang.
Contributors and those who provided new ransomware information and stories this week include: @BleepinComputer, @Seifreed, @fwosar, @malwrhunterteam, @LawrenceAbrams, @serghei, @demonslay335, @billtoulas, @PogoWasRight, @cyfirma, @pcrisk, @Trellix, and @jgreigj.
March 19th 2023
MONTI ransomware gang leaks Donut Leaks
In one of the more intriguing listings of this week, the MONTI ransomware group has added another group, Donut Leaks, to their leak site.
March 20th 2023
ALC Scareware Pretends to be a Ransomware
Research team at CYFIRMA recently discovered a malicious sample in wild which pretends to be a ransomware named as ALC Ransomware. Our research team analysed and found it to be a scareware in actual, as it is not encrypting files on the victim machine.
New STOP Ransomware variant
PCrisk found a new STOP ransomware variant that appends the .darj extension to encrypted files.
March 21st 2023
LockBit ransomware gang now also claims City of Oakland breach
Another ransomware operation, the LockBit gang, now threatens to leak what it describes as files stolen from the City of Oakland’s systems.
Clop ransomware claims Saks Fifth Avenue, retailer says mock data stolen
The Clop ransomware gang claims to have attacked Saks Fifth Avenue on its dark web leak site.
March 22nd 2023
Dole discloses employee data breach after ransomware attack
Fresh produce giant Dole Food Company has confirmed threat actors behind a February ransomware attack have accessed the information of an undisclosed number of employees.
New STOP Ransomware variant
PCrisk found a new STOP ransomware variant that appends the .tywd extension to encrypted files.
New Xorist ransomware variant
PCrisk found a new Xorist ransomware variant that appends the .Rans-A extension and drops ransom notes named HOW TO DECRYPT FILES.txt.
March 23rd 2023
City of Toronto confirms data theft, Clop claims responsibility
City of Toronto is among Clop ransomware gang’s latest victims hit in the ongoing GoAnywhere hacking spree.
Tennessee city hit with ransomware attack
Oak Ridge, Tennessee said city officials are working with law enforcement and cybersecurity experts to deal with a ransomware attack affecting its technology systems.
New STOP Ransomware variant
PCrisk found a new STOP ransomware variant that appends the .tyos extension to encrypted files.
March 24th 2023
Procter & Gamble confirms data theft via GoAnywhere zero-day
Consumer goods giant Procter & Gamble has confirmed a data breach affecting an undisclosed number of employees after its GoAnywhere MFT secure file-sharing platform was compromised in early February.
