The Week in Ransomware – May 19, 2023 – A changing landscape

In the ever-changing ransomware landscape, we’ve seen the emergence of new ransomware gangs, the return of threat actors from a long absence, shifts in extortion tactics, and a series of attacks on the enterprise.

Over the past few weeks, we’ve reported on new ransomware operations that have emerged in enterprise attacks, including new Cactus, Akira, and RA Group operations.

This week, a relatively new operation named Abyss hit L3Harris, a $17 billion defense firm, bringing it into the spotlight.

We also learned about MalasLocker, a ransomware operation that has been targeting Zimbra servers since March. The hackers also use an unusual extortion technique, asking victims to donate to an approved charity to receive a decryption tool and prevent their data from being leaked.

It is too early to tell whether the ransomware gang will stick to the arrangement or whether this is just an interesting marketing campaign.

As for changing extortion tactics, a joint FBI and CISA report confirmed that the BianLian ransomware operation switched to extortion-only attacks after Avast released a decryption tool.

We also learned of new attacks and important developments in previous attacks:

Finally, researchers and law enforcement released new reports:


May 13, 2023

Capita warns customers to assume that data has been stolen

Business process outsourcing company Capita is warning customers to assume their data may have been stolen in a cyberattack that affected its systems in early April.

May 15, 2023

Hypervisor Jackpot Part 3: Lack of Antivirus Support Opens Door to Adversary Attacks

In April 2023, for example, CrowdStrike Intelligence identified a new RaaS program named MichaelKors, which provides affiliates with ransomware binaries targeting Windows and ESXi/Linux systems. Other RaaS platforms capable of targeting ESXi environments, such as Nevada ransomware, have also been released.

New RA Group ransomware targets US institutions in dual extortion attacks

The new ransomware group called “RA Group” targets pharmaceutical, insurance, wealth management and manufacturing companies in the United States and South Korea.

Ransomware gang steals data of 5.8 million PharMerica patients

Pharmacy services provider PharMerica has disclosed a massive data breach affecting more than 5.8 million patients, exposing their medical data to hackers.

I’m Kept in the Dark (Web): Qilin RaaS Software Revealed

In this blog, we aim to provide a detailed analysis of the ransomware group Qilin (also known as Agenda ransomware). This group, which was discovered in August 2022, has been targeting companies in critical sectors with ransomware written in the Rust and Go (Golang) languages.

The cyberattack at LACROIX has been contained

LACROIX announces that during the night of Friday 12th May to Saturday 13th May, it intercepted a targeted cyberattack on the French (Beaupreau), German (Willich) and Tunisian (Zriba) sites of its Electronics activity. Measures were immediately taken to secure all other group sites.

New STOP ransomware variant

PCrisk found a new STOP ransomware variant that appends the .xash extension.

New VoidCrypt ransomware variant

PCrisk has found a new VoidCrypt ransomware variant that appends the .cyb extension and drops a ransom note named encryption directory.txt.

New Phobos ransomware variant

PCrisk has found a new Phobos ransomware variant that appends the .Black stone extension.

May 16, 2023

A Russian ransomware affiliate accused of attacks on critical infrastructure

The US Department of Justice has filed charges against a Russian national named Mikhail Pavlovich Matveev (aka Wazawaka, Uhodiransomwar, m1x, and Boriselcin) for his involvement in three ransomware attacks targeting victims across the United States.

Technical analysis of CryptNet Ransomware

Zscaler ThreatLabz is tracking a new ransomware family known as CryptNet that emerged in April 2023. The group claims to steal data before encrypting files and hosts a data leak site on a Tor hidden service that currently lists two victims.

New STOP ransomware variants

PCrisk has found new STOP ransomware variants that append the .xatz and .xaro extensions.

New MedusaLocker ransomware variant

PCrisk has found a new MedusaLocker ransomware variant that appends the .olsavelock31 (number may vary) extension and drops a ransom note named How_to_back_files.html.

May 17, 2023

MalasLocker ransomware targets Zimbra servers and demands a charitable donation

A new ransomware operation is breaching Zimbra servers to steal emails and encrypt files. However, instead of demanding a ransom, the threat actors claim to be asking for a donation to charity in exchange for a decryptor and a promise not to leak the stolen data.

The FBI confirms that the BianLian ransomware shifted to extortion attacks only

A joint cybersecurity advisory from government agencies in the United States and Australia, published by the Cybersecurity and Infrastructure Security Agency (CISA), warns organizations of the latest tactics, techniques, and procedures (TTPs) employed by the BianLian ransomware group.

ScanSource says a ransomware attack is behind several days of service outages

Technology provider ScanSource has announced that it has fallen victim to a ransomware attack that affected some of its systems, business operations and customer portals.

New Rhysida ransomware operation

MalwareHunterTeam found a new ransomware operation named Rhysida.

May 18, 2023

Pharmacy cyberattack: hackers give a month to pay the ransom or they will publish the stolen information

LockBit, the cybercriminal group that carried out the attack on the Farmalink prescription-drug dispensing system, has given about a month to negotiate payment of a ransom for the return of the stolen information. After this period, it will publish the data.

New Snatch ransomware variant

PCrisk has found a new Snatch ransomware variant that appends the .adfuhbazi extension and drops a ransom note named How to restore ADFUHBAZI files.

May 19, 2023

It is likely that Dish Network paid a ransom after the recent ransomware attack

Dish Network, a US television company, most likely paid a ransom after suffering a ransomware attack in February, based on the wording used in the data breach notifications sent to affected employees.

Microsoft: Notorious FIN7 hackers return in Clop ransomware attacks

The financially motivated cybercriminal group known as FIN7 resurfaced last month, with Microsoft threat analysts linking it to attacks whose ultimate goal was to deploy Clop ransomware payloads on victim networks.

New AlphaWare ransomware

PCrisk has found a new AlphaWare ransomware that appends the .alphaware extension and drops a ransom note named readme.txt.

That’s it for the week! I wish everyone a happy weekend!
