This ‘Week in Ransomware’ covers the last two weeks of ransomware news, with new information on attacks, arrests, data wipers, and reports shared by cybersecurity firms and researchers.
The big news is the arrest of a Russian LockBit member in Canada, who is said to be responsible for making ransom demands of between €5 and €70 million.
Over the past few weeks, a threat actor has been trolling victims by distributing the Azov Ransomware and blaming its creation on cybersecurity researchers and journalists.
Unfortunately, this ransomware was later confirmed to be a data wiper that overwrites alternating 666-byte chunks of data with garbage, making it impossible to recover data.
Other reports have linked the Black Basta ransomware to FIN7 (Carbanak), warned that Venus ransomware is targeting healthcare, linked the Russian Sandworm hackers with Ukrainian ransomware attacks, and detailed how a threat actor is distributing LockBit through the Amadey botnet.
Finally, we learned more about ransomware attacks this week, with a REvil-linked gang claiming responsibility for Medibank, LockBit hitting the Continental automotive giant, and Black Basta behind Sobeys’ business disruptions.
Contributors and those who provided new ransomware information and stories this week include @jorntvdw, @DanielGallagher, @Seifreed, @LawrenceAbrams, @struppigel, @malwareforme, @demonslay335, @Ionut_Ilascu, @fwosar, @FourOctets, @VK_Intel, @malwrhunterteam, @serghei, @PolarToffee, @BleepinComputer, @billtoulas, @LabsSentinel, @vinopaljiri, @_CPResearch_, @ahnlab, @jgreigj, @MsftSecIntel, and @pcrisk.
October 30th 2022
New Azov data wiper tries to frame researchers and BleepingComputer
A new and destructive ‘Azov Ransomware’ data wiper is being heavily distributed through pirated software, key generators, and adware bundles, trying to frame well-known security researchers by claiming they are behind the attack.
November 3rd 2022
Black Basta ransomware gang linked to the FIN7 hacking group
Security researchers at Sentinel Labs have uncovered evidence that links the Black Basta ransomware gang to the financially motivated hacking group FIN7, also known as “Carbanak.”
LockBit ransomware claims attack on Continental automotive giant
The LockBit ransomware gang has claimed responsibility for a cyberattack against the German multinational automotive group Continental.
New STOP ransomware variants
PCrisk found new STOP ransomware variants that append the .bozq and .bowd extensions.
New Anon ransomware
PCrisk found a new ‘Anon_by Ransomware’ that appends the .anon_by extension and drops a ransom note named anon_by.txt.
November 4th 2022
New inlock ransomware
PCrisk found a new ransomware that appends the .inlock extension and drops a ransom note named READ_IT.txt.
November 7th 2022
Azov Ransomware is a wiper, destroying data 666 bytes at a time
The Azov Ransomware continues to be heavily distributed worldwide, now proven to be a data wiper that intentionally destroys victims’ data and infects other programs.
Ransomware gang threatens to release stolen Medibank data
A ransomware gang that some believe is a relaunch of REvil and others track as BlogXX has claimed responsibility for last month’s ransomware attack against Australian health insurance provider Medibank Private Limited.
New Dharma Ransomware variant
PCrisk found a new Dharma ransomware variant that appends the .bDAT extension.
New STOP ransomware variants
PCrisk found new STOP ransomware variants that append the .zate and .zatp extensions.
New Xorist variant
PCrisk found a new Xorist variant that appends the .CrySpheRe extension and drops a ransom note named КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt.
November 8th 2022
LockBit affiliate uses Amadey Bot malware to deploy ransomware
A LockBit 3.0 ransomware affiliate is using phishing emails that install the Amadey Bot to take control of devices and encrypt them.
November 9th 2022
Medibank warns customers their data was leaked by ransomware gang
Australian health insurance giant Medibank has warned customers that the ransomware group behind last month’s breach has started to leak data stolen from its systems.
November 10th 2022
Russian LockBit ransomware operator arrested in Canada
Europol has announced today the arrest of a Russian national linked to LockBit ransomware attacks targeting critical infrastructure organizations and high-profile companies worldwide.
Russian military hackers linked to ransomware attacks in Ukraine
A series of attacks targeting transportation and logistics organizations in Ukraine and Poland with Prestige ransomware since October have been linked to an elite Russian military cyberespionage group.
U.S. Health Dept warns of Venus ransomware targeting healthcare orgs
The U.S. Department of Health and Human Services (HHS) warned today that Venus ransomware attacks also target the country’s healthcare organizations.
Popular UK motor racing circuit investigating a ransomware attack
One of the most popular motor racing circuits in the United Kingdom is investigating a ransomware attack after a gang added it to its list of victims this week.
November 11th 2022
Canadian food retail giant Sobeys hit by Black Basta ransomware
Grocery stores and pharmacies belonging to Canadian food retail giant Sobeys have been experiencing IT systems issues since last weekend.