It has been a fairly quiet week on the ransomware front, with the biggest news being US sanctions on Iranians linked to ransomware attacks.
On Wednesday, the US Treasury Department announced sanctions against Iranians affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC) for their breaching of US networks and encrypting devices with DiskCryptor and BitLocker.
Researchers also released some interesting reports this week:
In ransomware attack-related news, the Yanluowang ransomware gang began leaking data stolen during a cyberattack on Cisco and the Hive ransomware claimed an attack on Bell Technical Solutions (BTS).
Contributors and those who provided new ransomware information and stories this week include: @jorntvdw, @demonslay335, @serghei, @malwareforme, @malwrhunterteam, @BleepinComputer, @LawrenceAbrams, @Seifreed, @DanielGallagher, @VK_Intel, @FourOctets, @billtoulas, @struppigel, @PolarToffee, @fwosar, @Ionut_Ilascu, @Bitdefender, @AlvieriD, @AWNetworks, @LabsSentinel, @pcrisk, @CISAgov, and @security_score, @censysio, and @juanbrodersen.
September 10th 2022
Ransomware gangs switching to new intermittent encryption tactic
A growing number of ransomware groups are adopting a new tactic that helps them encrypt their victims’ systems faster while reducing the chances of being detected and stopped.
The Neverending Story of Deadbolt
But recently, Censys has observed a massive uptick in Deadbolt-infected QNAP devices. The Deadbolt crew is ramping up their operations, and the victim count is growing daily.
September 12th 2022
Cisco confirms Yanluowang ransomware leaked stolen company data
Cisco has confirmed that the data leaked yesterday by the Yanluowang ransomware gang was stolen from the company network during a cyberattack in May.
Lorenz ransomware breaches corporate network via phone systems
The Lorenz ransomware gang now uses a critical vulnerability in Mitel MiVoice VOIP appliances to breach enterprises, using their phone systems for initial access to their corporate networks.
New STOP Ransomware variants
PCrisk found new STOP ransomware variants that append the .eemv and .eewt extensions to encrypted files.
New Scam ransomware variant
PCrisk found the new Scam Ransomware that appends the .scam extension to encrypted files and drops a ransom note named read_it.txt.
New Babuk ransomware variant
PCrisk found the new Babuk ransomware variant that appends the .demon extension to encrypted files and drops a ransom note named How To Recover Your Files.txt.
September 14th 2022
US govt sanctions ten Iranians linked to ransomware attacks
The Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions today against ten individuals and two entities affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC) for their involvement in ransomware attacks.
The Buenos Aires Legislature recovers after the cyberattack
The Legislature of the City of Buenos Aires is slowly recovering from the cyberattack it suffered last Sunday : after changing passwords and disconnecting infected computers, they re-enabled WiFi , recovered one computer per area and continued with parliamentary work. However, they do not disclose what information was compromised or what type of attack it was.
CISA: Iranian Islamic Revolutionary Guard Corps-Affiliated Cyber Actors
This advisory updates joint CSA Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities, which provides information on these Iranian government-sponsored APT actors exploiting known Fortinet and Microsoft Exchange vulnerabilities to gain initial access to a broad range of targeted entities in furtherance of malicious activities, including ransom operations. The authoring agencies now judge these actors are an APT group affiliated with the IRGC.
New Dharma ransomware variant
PCrisk found a new Dharma ransomware variant that appends the .gnik extension to encrypted files.
New STOP ransomware variant
PCrisk found a new STOP ransomware variant that appends the .eeyu extension to encrypted files.
New Snatch ransomware variant
PCrisk found a new Snatch ransomware variant that appends the .winxvykljw extension to encrypted files.
September 15th 2022
Hive ransomware claims cyberattack on Bell Canada subsidiary
The Hive ransomware gang claimed responsibility for an attack that hit the systems of Bell Canada subsidiary Bell Technical Solutions (BTS).
A Detailed Analysis of the Quantum Ransomware
Quantum ransomware, a rebrand of the MountLocker ransomware, was discovered in August 2021. The malware stops a list of processes and services, and can encrypt the machines found in the Windows domain or the local network, as well as the network shared resources. It logs all of its activities in a file called “.log” and computes a Client Id that is the XOR-encryption of the computer name.
New STOP ransomware variant
PCrisk found a new STOP ransomware variant that appends the .eebn extension to encrypted files.
New BISAMWARE ransomware
PCrisk found the BISAMWARE Ransomware that appends the .BISAMWARE and drops a ransom note named SYSTEM=RANSOMWARE=INFECTED.TXT.
September 16th 2022
Bitdefender releases free decryptor for LockerGoga ransomware
Romanian cybersecurity firm Bitdefender has released a free decryptor to help LockerGoga ransomware victims recover their files without paying a ransom.
