
The Week in Ransomware – October 21st 2022 – Stop the Presses

Cybersecurity researchers did not disappoint this week, with reports linking Ransom Cartel to REvil, OldGremlin hackers targeting Russia with ransomware, a new data exfiltration tool used by BlackByte, a warning that ransomware actors are exploiting VMware vulnerabilities, and finally, our own report on the Venus Ransomware.

The FBI released an advisory warning that the Daixin ransomware gang is targeting the U.S. Healthcare and Public Health (HPH) sector in multiple attacks.

This week, Medibank finally confirmed that ransomware was behind its recent cyberattack. We also saw an attack on the Stimme Mediengruppe media group that prevented the printing and distribution of German newspapers.

Contributors and those who provided new ransomware information and stories this week include: @malwrhunterteam, @PolarToffee, @Ionut_Ilascu, @FourOctets, @jorntvdw, @struppigel, @BleepinComputer, @demonslay335, @billtoulas, @Seifreed, @LawrenceAbrams, @serghei, @fwosar, @DanielGallagher, @VK_Intel, @malwareforme, @Fortinet, @BroadcomSW, @0verfl0w_, @linuxct, @Unit42_Intel, @Amermelsad, @MsftSecIntel, @CrowdStrike, @GroupIB_GIB, @BushidoToken, @JackRhysider, @Intel471Inc, @NCCGroupplc, and @pcrisk.

October 16th 2022

Venus Ransomware targets publicly exposed Remote Desktop services

Threat actors behind the relatively new Venus Ransomware are hacking into publicly-exposed Remote Desktop services to encrypt Windows devices.

October 17th 2022

Ransomware attack halts circulation of some German newspapers

German newspaper ‘Heilbronn Stimme’ published today’s 28-page issue in e-paper form after a Friday ransomware attack crippled its printing systems.

Australian insurance firm Medibank confirms ransomware attack

Health insurance provider Medibank has confirmed that a ransomware attack is responsible for last week’s cyberattack and disruption of online services.

New STOP ransomware variants

PCrisk found new STOP ransomware variants that append the .tury and .tuis extensions.

New Escanor ransomware

PCrisk found the new ESCANOR Ransomware that appends the .ESCANOR extension and drops the HELP_DECRYPT_YOUR_FILES.txt ransom note.

October 18th 2022

Ransom Cartel linked to notorious REvil ransomware operation

Researchers have linked the relatively new Ransom Cartel ransomware operation with the notorious REvil gang based on code similarities in both operations’ encryptors.

Defenders beware: A case for post-ransomware investigations

In this blog, we detail a recent ransomware incident in which the attacker used a collection of commodity tools and techniques, such as living-off-the-land binaries, to launch their malicious code. Cobalt Strike was used for persistence on the network with NT AUTHORITY\SYSTEM (local SYSTEM) privileges to maintain access to the network after password resets of compromised accounts.

New RONALDIHNO ransomware variant

PCrisk found a new RONALDIHNO ransomware that appends the .r7 extension and drops a ransom note named READ_THIS.txt.

New CMLocker ransomware variant

PCrisk found a new CMLocker ransomware that appends the .CMLOCKER extension and drops a ransom note named HELP_DECRYPT_YOUR_FILES.txt.

Darknet Diaries – EP 126: REvil

REvil is the name of a ransomware service as well as a group of criminals inflicting ransomware onto the world. Hear how this ransomware shook the world.

October 19th 2022

DeadBolt ransomware: nothing but NASty

The Group-IB Incident Response Team investigated an incident related to a DeadBolt attack and analyzed a DeadBolt ransomware sample.

New Dcrtr ransomware variants

PCrisk found new Dcrtr ransomware variants that append the .flash or .ash extensions to encrypted files.

October 20th 2022

OldGremlin hackers use Linux ransomware to attack Russian orgs

OldGremlin, one of the few ransomware groups attacking Russian corporate networks, has expanded its toolkit with file-encrypting malware for Linux machines.

Leading Ransomware Variants Q3 2022

Researchers at @Intel471Inc observed 455 #ransomware attacks in Q3 of 2022 with the most prevalent variants being #LockBit 3.0, #BlackBasta, #Hive, #ALPHV & #BlackCat. Our latest report analyzes the leading variants & the industries most impacted by them.

New Chaos ransomware variant

PCrisk found a new Chaos ransomware variant that appends the .eu extension and drops a ransom note named read_instruction.txt.

October 21st 2022

BlackByte ransomware uses new data theft tool for double-extortion

A BlackByte ransomware affiliate is using a new custom data stealing tool called ‘ExByte’ to steal data from compromised Windows devices quickly.

Hackers exploit critical VMware flaw to drop ransomware, miners

Security researchers observed malicious campaigns leveraging a critical vulnerability in VMware Workspace One Access to deliver various malware, including the RAR1Ransom tool that locks files in password-protected archives.

US govt warns of Daixin Team targeting health orgs with ransomware

CISA, the FBI, and the Department of Health and Human Services (HHS) warned that a cybercrime group known as Daixin Team is actively targeting the U.S. Healthcare and Public Health (HPH) sector in ransomware attacks.

Playing Hide-and-Seek with Ransomware, Part 2

In Part 1, we explained what Intel SGX enclaves are and how they benefit ransomware authors. In Part 2, we explore a hypothetical step-by-step implementation and outline the limitations of this method.

NCC Group Monthly Threat Pulse – September 2022

Claiming the fourth most active spot, just behind BlackCat, was new entrant Sparta. With 12 victims reported in one day and 14 over the course of the month, the group has emerged onto the ransomware scene with an explosive start. Observations suggest it is currently solely targeting Spain-based entities, suggesting it is a Spanish-speaking organised crime group.

That’s it for this week! Hope everyone has a nice weekend!
