The Week in Ransomware – October 14th 2022 – Bitcoin Trickery



This week’s news is action-packed, with stories ranging from police tricking a ransomware operation into releasing keys to victims calling ransomware operations liars.

The most interesting news this week is about the Dutch Police and Responders.NU working some trickery on the DeadBolt Ransomware operation that caused them to fork over 155 decryption keys for victims.

Other interesting research includes fake adult sites pushing data wipers, TTPs on Black Basta, info on a new Prestige Ransomware targeting Ukraine and Poland, and Magniber ransomware being installed via JavaScript files.

We also learned some information about some attacks that were made public recently.

Healthcare org CommonSpirit admitted this week that they suffered a ransomware attack. However, ADATA denies they suffered a recent attack by RansomHouse and says the data is being recirculated from a 2021 breach by RagnarLocker.

Contributors and those who provided new ransomware information and stories this week include: @struppigel, @VK_Intel, @serghei, @BleepinComputer, @billtoulas, @LawrenceAbrams, @malwareforme, @demonslay335, @FourOctets, @jorntvdw, @PolarToffee, @Ionut_Ilascu, @Seifreed, @fwosar, @malwrhunterteam, @DanielGallagher, @AuCyble, @UID_, @linuxct, @MsftSecIntel, @ahnlab, @Amermelsad, @TrendMicro, and @pcrisk.

October 8th 2022

ADATA denies RansomHouse cyberattack, says leaked data from 2021 breach

Taiwanese chip maker ADATA denies claims of a RansomHouse cyberattack after the threat actors began posting stolen files on their data leak site.

Fake adult sites push data wipers disguised as ransomware

Malicious adult websites push fake ransomware which, in reality, acts as a wiper that quietly tries to delete almost all of the data on your device.

October 10th 2022

New VoidCrypt variant

PCrisk found a VoidCrypt variant that appends the .solo extension and drops a ransom note named unlock-info.txt.

New Dharma variant

PCrisk found a new Dharma variant that appends the .dkey extension to encrypted files.

October 11th 2022

Microsoft Exchange servers hacked to deploy LockBit ransomware

Microsoft is investigating reports of a new zero-day bug abused to hack Exchange servers which were later used to launch LockBit ransomware attacks.

FinCEN fines Bittrex $29 million

“For years, Bittrex’s AML program and SAR reporting failures unnecessarily exposed the U.S. financial system to threat actors,” said FinCEN Acting Director Himamauli Das. “Bittrex’s failures created exposure to high-risk counterparties including sanctioned jurisdictions, darknet markets, and ransomware attackers. Virtual asset service providers are on notice that they must implement robust risk-based compliance programs and meet their BSA reporting requirements. FinCEN will not hesitate to act when it identifies willful violations of the BSA.”

October 12th 2022

CommonSpirit confirms ransomware attack

As previously shared, upon discovering the ransomware attack, we took immediate steps to protect our systems, contain the incident, begin an investigation, and ensure continuity of care. Our facilities are following existing protocols for system outages, which includes taking certain systems offline, such as electronic health records. In addition, we are taking steps to mitigate the disruption and maintain continuity of care. To further assist and support our team in the investigation and response process, we engaged leading cybersecurity specialists and notified law enforcement.

Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike

We analyzed a QAKBOT-related case leading to a Brute Ratel C4 and Cobalt Strike payload that can be attributed to the threat actors behind the Black Basta ransomware.

New STOP ransomware variants

PCrisk found new STOP ransomware variants that append the .powz and .pohj extensions.

October 13th 2022

Magniber ransomware now infects Windows users via JavaScript files

A recent malicious campaign delivering Magniber ransomware has been targeting Windows home users with fake security updates.

New Dharma variant

PCrisk found a new Dharma variant that appends the .CYBER extension to encrypted files and drops a ransom note named CYBER.txt.

October 14th 2022

Microsoft: New Prestige ransomware targets orgs in Ukraine, Poland

Microsoft says new Prestige ransomware is being used to target transportation and logistics organizations in Ukraine and Poland in ongoing attacks.

Police tricks DeadBolt ransomware out of 155 decryption keys

The Dutch National Police, in collaboration with cybersecurity firm Responders.NU, obtained 155 decryption keys from the DeadBolt ransomware gang by faking ransom payments.

Ransom Cartel Ransomware: A Possible Connection With REvil

In this report, we will provide our analysis of Ransom Cartel ransomware, as well as our assessment of the possible connections between REvil and Ransom Cartel ransomware.

Why call police after a cyber attack? Because they’re waiting for you

For example, after the RCMP seized cryptocurrency held by Canadian Sebastien Vachon-Desjardins, an affiliate of the Netwalker ransomware gang, it tried returning the funds to Canadian victims. Some organizations refused to acknowledge being hit, she said.

That’s it for this week! Hope everyone has a nice weekend!
