This week, we learned of healthcare data leaks out of Australia, information about existing attacks, and reports on how ransomware gangs operate and partner with malware developers for initial access.
Of particular interest is Microsoft’s reporting that the Raspberry Robin worm is providing access to corporate networks for the Clop ransomware gang.
Other research includes TommyLeaks and SchoolBoys extortion gangs being actually the same group, with TommyLeaks focusing on pure data extortion and SchoolBoys deploying ransomware.
Finally, Microsoft disclosed that Vice Society uses multiple ransomware families in attacks, including BlackCat, Quantum, Zeppelin, and a Vice Society-branded variant of Zeppelin ransomware. Additionally, BleepingComputer is also aware of the group using the HelloKitty ransomware in attacks.
We also learned more information about new and existing ransomware attacks, such as an alleged 60 million LockBit ransomware demand on Pendragon, Hive claiming the attack on Tata Power, Medibank warning that the hackers accessed all customers’ personal data, a ransomware attack on the Indianapolis Housing Agency, and Australian Clinical Labs disclosing that patient data was stolen.
Contributors and those who provided new ransomware information and stories this week include: @LawrenceAbrams, @BleepinComputer, @struppigel, @malwrhunterteam, @serghei, @fwosar, @Ionut_Ilascu, @DanielGallagher, @VK_Intel, @jorntvdw, @demonslay335, @billtoulas, @FourOctets, @Seifreed, @PolarToffee, @malwareforme, @AlvieriD, @_CERT_UA, @Jeremy_Kirk, @MsftSecIntel, @pcrisk, @TrendMicro, @DragosInc, and @BrettCallow.
October 22nd 2022
TommyLeaks and SchoolBoys: Two sides of the same ransomware gang
Two new extortion gangs named ‘TommyLeaks’ and ‘SchoolBoys’ are targeting companies worldwide. However, there is a catch — they are both the same ransomware gang.
October 24th 2022
Cuba ransomware affiliate targets Ukrainian govt agencies
The Computer Emergency Response Team of Ukraine (CERT-UA) has issued an alert about potential Cuba Ransomware attacks against critical networks in the country.
Pendragon car dealer refuses $60 million LockBit ransomware demand
Pendragon Group, with more than 200 car dealerships in the U.K., was breached in a cyberattack from the LockBit ransomware gang, who allegedly demanded $60 million to decrypt files and not leak them.
New STOP ransomware variants
PCrisk found new STOP ransomware variants that append the .nuis and .nury extensions.
New Chaos ransomware variant
PCrisk found a new Chaos ransomware variant that appends the .eking extension.
New KillNet ransomware
PCrisk found a new KillNet ransomware that appears to be tied to pro-Russia hacking group. When encrypting files it will append the .killnet and drops a ransom note named Ru.txt.
October 25th 2022
Hive claims ransomware attack on Tata Power, begins leaking data
Hive ransomware group has claimed responsibility for a cyber attack disclosed by Tata Power this month.
Microsoft: Vice Society targets schools with multiple ransomware families
A threat group known as Vice Society has been switching ransomware payloads in attacks targeting the education sector across the United States and worldwide.
LV Ransomware Exploits ProxyShell in Attack on a Jordan-based Company
Similarly, the initial access portion of this attack began on the exchange servers in the targeted environment, when a web shell file was dropped in the public access folders in early September 2022 via ProxyShell exploitation.
New Zeppelin ransomware variant
PCrisk found a new Zeppelin ransomware variant called ‘Buybackdate’ that appends the .bbd2.[victim’s_ID] extension and drops a ransom note named ALL YOUR FILES ARE ENCRYPTED.txt.
October 26th 2022
Medibank now says hackers accessed all its customers’ personal data
Australian insurance firm Medibank has confirmed that hackers accessed all of its customers’ personal data and a large amount of health claims data during a recent ransomware attack.
New Chaos ransomware variant
PCrisk found a new Chaos ransomware variant called ‘CRYPTONITE’ that appends a random extension and drops a ransom note named lisezmoi.txt.
New Makop ransomware variant
PCrisk found a new Makop ransomware variant that appends the .INT extension and drops a ransom note named +README-WARNING+.txt.
Dragos Industrial Ransomware Analysis: Q3 2022
Dragos is aware of multiple new ransomware groups targeting industrial entities during Q3, like SPARTA BLOG, BIANLIAN, Donuts, ONYX, and YANLUOWANG. Until now, Dragos cannot confirm if these groups are reformed from other dissolved ransomware groups, such as Conti, who shut down their operation last quarter.
Indianapolis Housing Agency responds to massive system-wide ransomware attack
The Indianapolis Housing Agency, the federal agency responsible for providing housing to low-income tenants in the city, has been battling a cyber-attack for the past three weeks that’s compromised their entire information technology system.
October 27th 2022
Australian Clinical Labs says patient data stolen in ransomware attack
Australian Clinical Labs (ACL) has disclosed a February 2022 data breach that impacted its Medlab Pathology business, exposing the medical records and other sensitive information of 223,000 people.
Microsoft links Raspberry Robin worm to Clop ransomware attacks
Microsoft says a threat group tracked as DEV-0950 used Clop ransomware to encrypt the network of a victim previously infected with the Raspberry Robin worm.
New Zeppelin ransomware variant
PCrisk found a new Zeppelin ransomware variant called ‘Venolock’ that appends the .vn2.1.[victim’s_ID] extension and drops a ransom note named ALL YOUR FILES ARE ENCRYPTED.txt.
October 28th 2022
New STOP ransomware variants
PCrisk found new STOP ransomware variants that append the .powd and .pozq extensions.
