Cybersecurity researchers did not disappoint, with reports linking RansomCartel to REvil, on OldGremlin hackers targeting Russia with ransomware, a new data exfiltration tool used by BlackByte, a warning that ransomware actors are exploiting VMware vulnerabilities, and finally, our own report on the Venus Ransomware.
The FBI released an advisory warning that the Daixin ransomware gang is targeting U.S. Healthcare and Public Health (HPH) sector in multiple attacks.
This week, Medibank finally confirmed it was ransomware behind its recent cyberattack. We also saw an attack on the Stimme Mediengruppe media group that prevented the printing and distribution of German newspapers.
Contributors and those who provided new ransomware information and stories this week include: @malwrhunterteam, @PolarToffee, @Ionut_Ilascu, @FourOctets, @jorntvdw, @struppigel, @BleepinComputer, @demonslay335, @billtoulas, @Seifreed, @LawrenceAbrams, @serghei, @fwosar, @DanielGallagher, @VK_Intel, @malwareforme, @Fortinet, @BroadcomSW, @0verfl0w_, @linuxct, @Unit42_Intel, @Amermelsad, @MsftSecIntel, @CrowdStrike, @GroupIB_GIB, @BushidoToken, @JackRhysider, @Intel471Inc, @NCCGroupplc, and @pcrisk.
October 16th 2022
Venus Ransomware targets publicly exposed Remote Desktop services
Threat actors behind the relatively new Venus Ransomware are hacking into publicly-exposed Remote Desktop services to encrypt Windows devices.
October 17th 2022
Ransomware attack halts circulation of some German newspapers
German newspaper ‘Heilbronn Stimme’ published today’s 28-page issue in e-paper form after a Friday ransomware attack crippled its printing systems.
Australian insurance firm Medibank confirms ransomware attack
Health insurance provider Medibank has confirmed that a ransomware attack is responsible for last week’s cyberattack and disruption of online services.
New STOP ransomware variants
PCrisk found new STOP ransomware variants that append the .tury and .tuis extension.
New Escanor ransomware
PCrisk found the new ESCANOR Ransomware that appends the .ESCANOR and drops the HELP_DECRYPT_YOUR_FILES.txt ransom note.
October 18th 2022
Ransom Cartel linked to notorious REvil ransomware operation
Researchers have linked the relatively new Ransom Cartel ransomware operation with the notorious REvil gang based on code similarities in both operations’ encryptors.
Defenders beware: A case for post-ransomware investigations
In this blog, we detail a recent ransomware incident in which the attacker used a collection of commodity tools and techniques, such as using living-off-the-land binaries, to launch their malicious code. Cobalt Strike was used for persistence on the network with NT AUTHORITY/SYSTEM (local SYSTEM) privileges to maintain access to the network after password resets of compromised accounts.
New RONALDIHNO ransomware variant
PCrisk found a new RONALDIHNO ransomware that appends the .r7 extension and drops a ransom note named READ_THIS.txt.
New CMLocker ransomware variant
PCrisk found a new CMlocker ransomware that appends the .CMLOCKER extension and drops a ransom note named HELP_DECRYPT_YOUR_FILES.txt.
Darknet Diaries – EP 126: REvil
REvil is the name of a ransomware service as well as a group of criminals inflicting ransomware onto the world. Hear how this ransomware shook the world.
October 19th 2022
DeadBolt ransomware: nothing but NASty
The Group-IB Incident Response Team investigated an incident related to a DeadBolt attack and analyzed a DeadBolt ransomware sample
New Dcrtr ransomware variants
PCrisk found new Dcrtr ransomware variants that append the .flash or .ash extensions to encrypted files.
October 20th 2022
OldGremlin hackers use Linux ransomware to attack Russian orgs
OldGremlin, one of the few ransomware groups attacking Russian corporate networks, has expanded its toolkit with file-encrypting malware for Linux machines.
Leading Ransomware Variants Q3 2022
Researchers at @Intel471Inc observed 455 #ransomware attacks in Q3 of 2022 with the most prevalent variants being #LockBit 3.0, #BlackBasta, #Hive, #ALPHV & #BlackCat. Our latest report analyzes the leading variants & the industries most impacted by them.
New Chaos ransomware variant
PCrisk found a new Chaos ransomware variant that appends the .eu extension and drops a ransom note named read_instruction.txt.
October 21st 2022
BlackByte ransomware uses new data theft tool for double-extortion
A BlackByte ransomware affiliate is using a new custom data stealing tool called ‘ExByte’ to steal data from compromised Windows devices quickly.
Hackers exploit critical VMware flaw to drop ransomware, miners
Security researchers observed malicious campaigns leveraging a critical vulnerability in VMware Workspace One Access to deliver various malware, including the RAR1Ransom tool that locks files in password-protected archives.
US govt warns of Daixin Team targeting health orgs with ransomware
CISA, the FBI, and the Department of Health and Human Services (HHS) warned that a cybercrime group known as Daixin Team is actively targeting the U.S. Healthcare and Public Health (HPH) sector in ransomware attacks.
Playing Hide-and-Seek with Ransomware, Part 2
In Part 1, we explained what Intel SGX enclaves are and how they benefit ransomware authors. In Part 2, we explore a hypothetical step-by-step implementation and outline the limitations of this method.
NCC Group Monthly Threat Pulse – September 2022
Claiming the fourth most active spot, just behind BlackCat was new entrant Sparta. With 12 victims reported in one day and 14 over the course of the month, the group has emerged onto the ransomware scene with an explosive start. Observations suggest it is currently solely targeting Spain-based entities, suggesting it is a Spanish-speaking organised crime group.
