This week marked the return of the notorious REvil ransomware group, who disappeared in July after conducting a massive attack using a Kaseya zero-day vulnerability.
Their July attack affected over 1,500 businesses and drew the full attention of international law enforcement and the White House, who demanded that Russia do something about these attacks.
Soon after, REvil shut down all of its servers and mysteriously disappeared.
That is until this week when REvil’s servers started back up, and a new sample of their ransomware was spotted on VirusTotal.
It is still too soon to tell if the ransomware gang is fully operational, but we will likely see new attacks shortly.
In other news, a report was released this week outlining what a ransomware gang’s ideal target is for attacks, and the Ragnar Locker gang threatened to automatically release stolen data if victims contact negotiators or law enforcement.
Contributors and those who provided new ransomware information and stories this week include: @BleepinComputer, @malwareforme, @malwrhunterteam, @VK_Intel, @fwosar, @serghei, @struppigel, @LawrenceAbrams, @PolarToffee, @FourOctets, @Seifreed, @jorntvdw, @DanielGallagher, @demonslay335, @Ionut_Ilascu, @AdvIntel, @y_advintel, @McAfee_Business, @Glacius_, @Intel471Inc, @PogoWasRight, @ddd1ms, @JakubKroustek, @Libranalysis, @John_Fokker, @cPeterr, @fbgwls245, and @pcrisk.
September 5th 2021
This is my analysis for the BlackMatter Ransomware version 2.0.
September 6th 2021
Ransomware gangs increasingly purchase access to a victim’s network on dark web marketplaces and from other threat actors. Analyzing their want ads makes it possible to get an inside look at the types of companies ransomware operations are targeting for attacks.
September 7th 2021
The dark web servers for the REvil ransomware operation have suddenly turned back on after an almost two-month absence. It is unclear if this marks the ransomware gang’s return or the servers being turned on by law enforcement.
The Ragnar Locker ransomware group is warning that they will leak stolen data from victims that contact law enforcement authorities, like the FBI.
September 8th 2021
On September 7, 2021, a representative of the newly-formed Groove ransomware syndicate decided to share their insights and their perspective on the inner aspects of the ransomware business.
The private Howard University in Washington disclosed that it suffered a ransomware attack late last week and is currently working to restore affected systems.
McAfee Enterprise ATR believes, with high confidence, that the Groove gang is associated with the Babuk gang, either as a former affiliate or subgroup. These cybercriminals are happy to put aside previous Ransomware-as-a-Service hierarchies to focus on the ill-gotten gains to be made from controlling victims’ networks, rather than the previous approach, which prioritized control of the ransomware itself.
September 9th 2021
Jakub Kroustek found the first new REvil sample uploaded to VirusTotal since the gang disappeared and has now come back.
September 10th 2021
On August 30, HHS added Queen Creek Medical Center d/b/a Desert Wells Family Medicine in Arizona to its public breach tool. The entity had reported that 35,000 patients were impacted by a breach involving a hack of the network.
dnwls0719 found a new Chaos ransomware variant that appends the .CRYPTEDPAY extension.
PCrisk found a new Dharma ransomware variant that appends the .RME extension.
Source: https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-10th-2021-revil-returns/