This week, we learned of healthcare data leaks out of Australia, information about existing attacks, and reports on how ransomware gangs operate and partner with malware developers for initial access.
Of particular interest is Microsoft’s reporting that the Raspberry Robin worm is providing access to corporate networks for the Clop ransomware gang.
Other research includes the finding that the TommyLeaks and SchoolBoys extortion gangs are actually the same group, with TommyLeaks focusing on pure data extortion and SchoolBoys deploying ransomware.
Finally, Microsoft disclosed that Vice Society uses multiple ransomware families in attacks, including BlackCat, Quantum, Zeppelin, and a Vice Society-branded variant of Zeppelin ransomware. BleepingComputer is also aware of the group using the HelloKitty ransomware in attacks.
We also learned more about new and existing ransomware attacks, such as an alleged $60 million LockBit ransom demand on Pendragon, Hive claiming the attack on Tata Power, Medibank warning that the hackers accessed all customers’ personal data, a ransomware attack on the Indianapolis Housing Agency, and Australian Clinical Labs disclosing that patient data was stolen.
Contributors and those who provided new ransomware information and stories this week include: @LawrenceAbrams, @BleepinComputer, @struppigel, @malwrhunterteam, @serghei, @fwosar, @Ionut_Ilascu, @DanielGallagher, @VK_Intel, @jorntvdw, @demonslay335, @billtoulas, @FourOctets, @Seifreed, @PolarToffee, @malwareforme, @AlvieriD, @_CERT_UA, @Jeremy_Kirk, @MsftSecIntel, @pcrisk, @TrendMicro, @DragosInc, and @BrettCallow.
October 22nd 2022
Two new extortion gangs named ‘TommyLeaks’ and ‘SchoolBoys’ are targeting companies worldwide. However, there is a catch — they are both the same ransomware gang.
October 24th 2022
The Computer Emergency Response Team of Ukraine (CERT-UA) has issued an alert about potential Cuba Ransomware attacks against critical networks in the country.
Pendragon Group, with more than 200 car dealerships in the U.K., was breached in a cyberattack by the LockBit ransomware gang, which allegedly demanded $60 million to decrypt files and not leak them.
PCrisk found new STOP ransomware variants that append the .nuis and .nury extensions.
PCrisk found a new Chaos ransomware variant that appends the .eking extension.
PCrisk found a new KillNet ransomware that appears to be tied to a pro-Russia hacking group. When encrypting files, it appends the .killnet extension and drops a ransom note named Ru.txt.
October 25th 2022
Hive ransomware group has claimed responsibility for a cyber attack disclosed by Tata Power this month.
A threat group known as Vice Society has been switching ransomware payloads in attacks targeting the education sector across the United States and worldwide.
Similarly, the initial access portion of this attack began on the Exchange servers in the targeted environment, when a web shell file was dropped in the public access folders in early September 2022 via ProxyShell exploitation.
PCrisk found a new Zeppelin ransomware variant called ‘Buybackdate’ that appends the .bbd2.[victim’s_ID] extension and drops a ransom note named ALL YOUR FILES ARE ENCRYPTED.txt.
October 26th 2022
Australian insurance firm Medibank has confirmed that hackers accessed all of its customers’ personal data and a large amount of health claims data during a recent ransomware attack.
PCrisk found a new Chaos ransomware variant called ‘CRYPTONITE’ that appends a random extension and drops a ransom note named lisezmoi.txt.
PCrisk found a new Makop ransomware variant that appends the .INT extension and drops a ransom note named +README-WARNING+.txt.
Dragos is aware of multiple new ransomware groups targeting industrial entities during Q3, such as SPARTA BLOG, BIANLIAN, Donuts, ONYX, and YANLUOWANG. So far, Dragos cannot confirm whether these groups are reformed from other dissolved ransomware groups, such as Conti, which shut down its operation last quarter.
The Indianapolis Housing Agency, the federal agency responsible for providing housing to low-income tenants in the city, has been battling a cyber-attack for the past three weeks that’s compromised their entire information technology system.
October 27th 2022
Australian Clinical Labs (ACL) has disclosed a February 2022 data breach that impacted its Medlab Pathology business, exposing the medical records and other sensitive information of 223,000 people.
Microsoft says a threat group tracked as DEV-0950 used Clop ransomware to encrypt the network of a victim previously infected with the Raspberry Robin worm.
PCrisk found a new Zeppelin ransomware variant called ‘Venolock’ that appends the .vn2.1.[victim’s_ID] extension and drops a ransom note named ALL YOUR FILES ARE ENCRYPTED.txt.
October 28th 2022
PCrisk found new STOP ransomware variants that append the .powd and .pozq extensions.
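The PCrisk entries throughout this week's digest give defenders a small set of file-level indicators: appended extensions (.nuis, .nury, .powd, .pozq for STOP; .eking for Chaos; .killnet for KillNet; .INT for Makop; .bbd2.[victim's_ID] and .vn2.1.[victim's_ID] for the Zeppelin variants) and ransom note names (Ru.txt, ALL YOUR FILES ARE ENCRYPTED.txt, lisezmoi.txt, +README-WARNING+.txt). The script below is an added example, not code from BleepingComputer or PCrisk, that turns those indicators into a triage scan over a file share or backup snapshot so an incident responder can tell which family touched which directory. The victim-ID segment of the Zeppelin extensions is treated as any non-empty trailing token, since the digest does not give its format (an assumption), and the file paths in SAMPLE_PATHS are constructed for the demonstration.

```python
"""Triage scanner for the ransomware file indicators listed in this week's digest.

Added example; the extension and ransom-note names come from the digest, the
sample file names are constructed, and the Zeppelin victim-ID format is assumed.
"""
import os
import re
from collections import defaultdict

# Exact appended extensions from the digest, keyed by family.
EXTENSIONS = {
    "STOP": {".nuis", ".nury", ".powd", ".pozq"},
    "Chaos": {".eking"},
    "KillNet": {".killnet"},
    "Makop": {".INT"},
}

# Zeppelin variants append a marker plus a per-victim ID, so they need a pattern.
# The ID format is not given in the digest; any non-empty trailing token is accepted (assumption).
ZEPPELIN_RE = re.compile(r"\.(bbd2|vn2\.1)\.[^./\\]+$")

# Ransom note file names from the digest, keyed by family.
RANSOM_NOTES = {
    "KillNet": {"Ru.txt"},
    "Zeppelin": {"ALL YOUR FILES ARE ENCRYPTED.txt"},
    "Chaos/CRYPTONITE": {"lisezmoi.txt"},
    "Makop": {"+README-WARNING+.txt"},
}


def match_family(path):
    """Return (family, indicator_kind) for one path, or None if nothing matches."""
    name = os.path.basename(path)
    # Ransom notes are the strongest signal, so check them first.
    for family, notes in RANSOM_NOTES.items():
        if name in notes:
            return family, "ransom_note"
    if ZEPPELIN_RE.search(name):
        return "Zeppelin", "extension"
    # Compare the final suffix exactly; Makop's .INT is uppercase, so do not lowercase.
    _, ext = os.path.splitext(name)
    for family, exts in EXTENSIONS.items():
        if ext in exts:
            return family, "extension"
    return None


def classify(paths):
    """Group matching paths as {family: {indicator_kind: [paths]}}."""
    hits = defaultdict(lambda: defaultdict(list))
    for p in paths:
        m = match_family(p)
        if m is not None:
            hits[m[0]][m[1]].append(p)
    return {family: dict(kinds) for family, kinds in hits.items()}


def scan_tree(root):
    """Walk a directory (e.g. a mounted share or backup snapshot) and classify every file."""
    paths = []
    for directory, _, files in os.walk(root):
        for f in files:
            paths.append(os.path.join(directory, f))
    return classify(paths)


# Constructed file names for the demonstration; none of these exist on disk.
SAMPLE_PATHS = [
    "/srv/share/finance/budget.xlsx.killnet",
    "/srv/share/finance/Ru.txt",
    "/srv/share/media/photo.jpg.bbd2.ABC123",
    "/srv/share/media/ALL YOUR FILES ARE ENCRYPTED.txt",
    "/srv/share/hr/report.docx.INT",
    "/srv/share/hr/+README-WARNING+.txt",
    "/srv/share/music/track.mp3.nuis",
    "/srv/share/inbox/invoice.pdf.vn2.1.X9Y8",
    "/srv/share/inbox/lisezmoi.txt",
    "/srv/share/inbox/clean.txt",
    "/srv/share/inbox/README.txt",
]

if __name__ == "__main__":
    for family, kinds in sorted(classify(SAMPLE_PATHS).items()):
        for kind, paths in kinds.items():
            print(f"{family:18} {kind:12} {len(paths)} file(s)")
            for p in paths:
                print(f"    {p}")
```

Run it against a real tree with `scan_tree("/mnt/restored-share")`. The family labels follow the digest's own grouping, so a hit on lisezmoi.txt is reported as Chaos/CRYPTONITE rather than generic Chaos, and a .INT hit is reported even though the extension is not lowercase; widen the table as new PCrisk entries arrive.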