The Week in Ransomware – October 21st 2022

Cybersecurity researchers did not disappoint, with reports linking RansomCartel to REvil, on OldGremlin hackers targeting Russia with ransomware, a new data exfiltration tool used by BlackByte, a warning that ransomware actors are exploiting VMware vulnerabilities, and finally, our own report on the Venus Ransomware.

The FBI released an advisory warning that the Daixin ransomware gang is targeting the U.S. Healthcare and Public Health (HPH) sector in numerous attacks.

This week, Medibank finally confirmed it was ransomware behind its recent cyberattack. We also saw an attack on the Stimme Mediengruppe media group that prevented the printing and distribution of German newspapers.

Contributors and those who provided new ransomware information and stories this week include: @malwrhunterteam, @PolarToffee, @Ionut_Ilascu, @FourOctets, @jorntvdw, @struppigel, @BleepinComputer, @demonslay335, @billtoulas, @Seifreed, @LawrenceAbrams, @serghei, @fwosar, @DanielGallagher, @VK_Intel, @malwareforme, @Fortinet, @BroadcomSW, @0verfl0w_, @linuxct, @Unit42_Intel, @Amermelsad, @MsftSecIntel, @CrowdStrike, @GroupIB_GIB, @BushidoToken, @JackRhysider, @Intel471Inc, @NCCGroupplc, and @pcrisk.

October 16th 2022

Venus Ransomware targets publicly exposed Remote Desktop services

Threat actors behind the relatively new Venus Ransomware are hacking into publicly-exposed Remote Desktop services to encrypt Windows devices.

October 17th 2022

Ransomware attack halts circulation of some German newspapers

German newspaper ‘Heilbronn Stimme’ published today’s 28-page issue in e-paper form after a Friday ransomware attack crippled its printing systems.

Australian insurance firm Medibank confirms ransomware attack

Health insurance provider Medibank has confirmed that a ransomware attack is responsible for last week’s cyberattack and disruption of online services.

New STOP ransomware variants

PCrisk found new STOP ransomware variants that append the .tury and .tuis extensions.

New Escanor ransomware

PCrisk found the new ESCANOR Ransomware that appends the .ESCANOR extension and drops the HELP_DECRYPT_YOUR_FILES.txt ransom note.

October 18th 2022

Ransom Cartel linked to notorious REvil ransomware operation

Researchers have linked the relatively new Ransom Cartel ransomware operation with the notorious REvil gang based on code similarities in both operations’ encryptors.

Defenders beware: A case for post-ransomware investigations

In this blog, we detail a recent ransomware incident in which the attacker used a collection of commodity tools and techniques, such as using living-off-the-land binaries, to launch their malicious code. Cobalt Strike was used for persistence on the network with NT AUTHORITY\SYSTEM (local SYSTEM) privileges to maintain access to the network after password resets of compromised accounts.

New RONALDIHNO ransomware variant

PCrisk found a new RONALDIHNO ransomware that appends the .r7 extension and drops a ransom note named READ_THIS.txt.

New CMLocker ransomware variant

PCrisk found a new CMlocker ransomware that appends the .CMLOCKER extension and drops a ransom note named HELP_DECRYPT_YOUR_FILES.txt.

Darknet Diaries – EP 126: REvil

REvil is the name of a ransomware service as well as a group of criminals inflicting ransomware onto the world. Hear how this ransomware shook the world.

October 19th 2022

DeadBolt ransomware: nothing but NASty

The Group-IB Incident Response Team investigated an incident related to a DeadBolt attack and analyzed a DeadBolt ransomware sample.

New Dcrtr ransomware variants

PCrisk found new Dcrtr ransomware variants that append the .flash or .ash extensions to encrypted files.

October 20th 2022

OldGremlin hackers use Linux ransomware to attack Russian orgs

OldGremlin, one of the few ransomware groups attacking Russian corporate networks, has expanded its toolkit with file-encrypting malware for Linux machines.

Leading Ransomware Variants Q3 2022

Researchers at @Intel471Inc observed 455 #ransomware attacks in Q3 of 2022 with the most prevalent variants being #LockBit 3.0, #BlackBasta, #Hive, #ALPHV & #BlackCat. Our latest report analyzes the leading variants & the industries most impacted by them.

New Chaos ransomware variant

PCrisk found a new Chaos ransomware variant that appends the .eu extension and drops a ransom note named read_instruction.txt.

October 21st 2022

BlackByte ransomware uses new data theft tool for double-extortion

A BlackByte ransomware affiliate is using a new custom data stealing tool called ‘ExByte’ to quickly steal data from compromised Windows devices.

Hackers exploit critical VMware flaw to drop ransomware, miners

Security researchers observed malicious campaigns leveraging a critical vulnerability in VMware Workspace One Access to deliver various malware, including the RAR1Ransom tool that locks files in password-protected archives.

US govt warns of Daixin Team targeting health orgs with ransomware

CISA, the FBI, and the Department of Health and Human Services (HHS) warned that a cybercrime group known as Daixin Team is actively targeting the U.S. Healthcare and Public Health (HPH) sector in ransomware attacks.

Playing Hide-and-Seek with Ransomware, Part 2

In Part 1, we explained what Intel SGX enclaves are and how they benefit ransomware authors. In Part 2, we explore a hypothetical step-by-step implementation and outline the limitations of this method.

NCC Group Monthly Threat Pulse – September 2022

Claiming the fourth most active spot, just behind BlackCat, was new entrant Sparta. With 12 victims reported in one day and 14 over the course of the month, the group has emerged onto the ransomware scene with an explosive start. Observations suggest it is currently solely targeting Spain-based entities, suggesting it is a Spanish-speaking organised crime group.

That is it for this week! Hope everyone has a nice weekend!