There have been some interesting developments in ransomware this week, with the arrest of a cybercrime ring leader and reports shedding light on two new but fast-growing ransomware operations.
One of the biggest stories this week is the arrest of Ukrainian Vyacheslav Igorevich Penchukov, aka ‘Tank,’ for his alleged role as a leader in the JabberZeus cybercrime gang that operated the Zeus malware botnet.
Penchukov is also believed to be one of the managers of the notorious Maze ransomware operation, which popularized double-extortion attacks.
Other news this week includes new reports on rising ransomware operations.
Finally, Ukraine says that a new Somnia ransomware is being used in attacks, CISA/FBI warned Iranian hackers breached a federal agency, and the FBI warned that Hive ransomware had made over $100 million in ransom payments.
Contributors and those who provided new ransomware information and stories this week include: @struppigel, @Ionut_Ilascu, @malwareforme, @malwrhunterteam, @DanielGallagher, @serghei, @jorntvdw, @fwosar, @LawrenceAbrams, @PolarToffee, @demonslay335, @FourOctets, @billtoulas, @VK_Intel, @BleepinComputer, @pcrisk, @Seifreed, @GeeksCyber, @BlackBerry, @ahnlab, and @MsftSecIntel.
November 13th 2022
Russian hacktivists have infected multiple organizations in Ukraine with a new ransomware strain called ‘Somnia,’ encrypting their systems and causing operational problems.
November 14th 2022
Royal ransomware is a recent threat that appeared in 2022 and was particularly active during recent months. The ransomware deletes all Volume Shadow Copies and avoids specific file extensions and folders. It encrypts the network shares found in the local network as well as the local drives. A parameter called “-id” that identifies the victim and is also written in the ransom note must be specified in the command line.
Australia’s Home Affairs Minister Clare O’Neil on Sunday said the government would consider making illegal the paying of ransoms to cyber hackers, following recent cyber attacks affecting millions of Australians.
PCrisk found a new Phobos variant that appends the .faust extension to encrypted files and drops ransom notes named info.txt and info.hta.
PCrisk found new STOP ransomware variants that append the .fatp and .fate extensions to encrypted files.
PCrisk found a new Xorist variant that appends the .ZeRy extension and drops a ransom note named HOW TO DECRYPT FILES.txt.
November 16th 2022
Vyacheslav Igorevich Penchukov, also known as Tank and one of the leaders of the notorious JabberZeus cybercrime gang, was arrested in Geneva last month.
The FBI and CISA revealed in a joint advisory published today that an unnamed Iranian-backed threat group hacked a Federal Civilian Executive Branch (FCEB) organization to deploy XMRig cryptomining malware.
It was discovered that the DAGON LOCKER ransomware (hereinafter referred to as “DAGON”) is being distributed in Korea. It was first found through the suspicious-ransomware-behavior block history of AhnLab's ASD infrastructure. In October, it was also reported to AhnLab as a suspicious file by a Korean organization. DAGON is commonly distributed through phishing emails or as an email attachment, but because it is a ransomware-as-a-service, the distribution route and targets can vary according to the threat actor.
PCrisk found a new VoidCrypt variant that appends the .DRCRM extension and drops a ransom note named Read.txt.
PCrisk found a new ‘Anthraxbulletproof’ ransomware based on Chaos that appends the .Anthraxbulletproof extension and drops a ransom note named read_it.txt.
November 17th 2022
A previously unknown ‘ARCrypter’ ransomware that compromised key organizations in Latin America is now expanding its attacks worldwide.
The Federal Bureau of Investigation (FBI) said today that the notorious Hive ransomware gang has successfully extorted roughly $100 million from over a thousand companies since June 2021.
Recent activity from the threat actor that Microsoft tracks as DEV-0569, known to distribute various payloads, has led to the deployment of the Royal ransomware, which first emerged in September 2022 and is being distributed by multiple threat actors. Observed DEV-0569 attacks show a pattern of continuous innovation, with regular incorporation of new discovery techniques, defense evasion, and various post-compromise payloads, alongside increasing ransomware facilitation.
November 18th 2022
PCrisk found a new SATANA ransomware variant that appends the .SEX3 extension and drops a ransom note named !satana!.txt.
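As an added example (it is not code from this roundup, from PCrisk, or from any vendor cited above), the following script turns the file-based indicators reported this week (the .faust, .fatp, .fate, .ZeRy, .DRCRM, .Anthraxbulletproof and .SEX3 extensions and the ransom note names that accompany them) into a small triage tool a responder can run over a file share or a mounted image. It walks a directory tree, attributes each hit to a family, and keeps extension hits separate from ransom-note hits, because generic note names such as info.txt or Read.txt are weak evidence on their own. The directory tree it builds is constructed sample data; the family-to-indicator table is a transcription of the sightings listed above, not an exhaustive signature set.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Family -> (appended extensions, ransom note file names), transcribed from the
# PCrisk sightings in this week's roundup. Extensions are matched case-sensitively
# because the reported strings are mixed case (e.g. ".ZeRy").
RANSOMWARE_IOCS: Dict[str, Tuple[Tuple[str, ...], Tuple[str, ...]]] = {
    "Phobos": ((".faust",), ("info.txt", "info.hta")),
    "STOP": ((".fatp", ".fate"), ()),
    "Xorist": ((".ZeRy",), ("HOW TO DECRYPT FILES.txt",)),
    "VoidCrypt": ((".DRCRM",), ("Read.txt",)),
    "Anthraxbulletproof (Chaos-based)": ((".Anthraxbulletproof",), ("read_it.txt",)),
    "SATANA": ((".SEX3",), ("!satana!.txt",)),
}

EXTENSION_HIT = "encrypted-file extension"
NOTE_HIT = "ransom note"  # weaker indicator: several note names are generic


def classify_path(path: Path) -> List[Tuple[str, str]]:
    """Return (family, reason) pairs for one file name; empty list if clean."""
    hits: List[Tuple[str, str]] = []
    name = path.name
    for family, (exts, notes) in RANSOMWARE_IOCS.items():
        if name in notes:
            hits.append((family, NOTE_HIT))
        if any(name.endswith(ext) for ext in exts):
            hits.append((family, EXTENSION_HIT))
    return hits


def scan_tree(root: Path) -> Dict[str, Dict[str, List[str]]]:
    """Walk `root` and group matching relative paths by family and by reason."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            p = Path(dirpath) / fn
            for family, reason in classify_path(p):
                rel = p.relative_to(root).as_posix()
                report.setdefault(family, {}).setdefault(reason, []).append(rel)
    return report


def build_sample_tree(root: Path) -> None:
    """Create a constructed sample tree: two families plus clean files."""
    layout = {
        "docs/budget.xlsx.faust": b"",          # Phobos-style renamed file
        "docs/info.txt": b"your files are encrypted",  # Phobos-style note
        "photos/holiday.jpg.ZeRy": b"",         # Xorist-style renamed file
        "photos/HOW TO DECRYPT FILES.txt": b"", # Xorist-style note
        "notes.txt": b"clean",                  # benign
        "src/main.c": b"int main(void){return 0;}",  # benign
    }
    for rel, content in layout.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)


def run_demo() -> Dict[str, Dict[str, List[str]]]:
    """Build the sample tree in a temp dir, scan it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for family, reasons in run_demo().items():
        for reason, paths in reasons.items():
            print(f"{family}: {reason}: {', '.join(paths)}")
```

When reading the output, treat a family as confirmed only when an extension hit and a matching note sit in the same directory; a lone info.txt or Read.txt is a reason to look closer, not a verdict. The table is easy to extend as further sightings are published.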