This edition of the Week in Ransomware covers the last two weeks of news, as we could not cover it last week, and includes quite a bit of new information, including the return of the Avaddon ransomware gang.
Last month, a new ransomware operation named NoEscape (or No_Escape) was launched that quickly began amassing a stream of new corporate victims.
After the operation’s encryptor was analyzed, it soon became apparent that NoEscape was a rebrand of Avaddon, who shut down their operation in June 2020 after feeling the heat from law enforcement.
However, it looks like the gang never really retired but was simply biding their time until they could return as the new NoEscape operation, likely previously working in other operations.
While the gang has claimed not to have any affiliation with Avaddon, their encryptor is very similar to the former operation’s ransomware, according to ransomware expert Michael Gillespie.
This includes a unique encryption chunking routine only used by Avaddon, similarities in code, the same configuration file format, and many other routines. The only significant change was the switch from AES encryption to Salsa20.
Law enforcement has been busy, arresting a Ukrainian scareware developer after a 10-year hunt and an IT employee sentenced to over three years in prison for impersonating a ransomware gang in an extortion scheme.
In other ransomware reports from BleepingComputer and cybersecurity firms:
Finally, Clop’s data theft attacks using the MOVEit Transfer zero-day continue to be a hot topic in the news, with companies continuing to disclose data breaches as they are added to the gang’s data leak site.
According to a new Coveware report released today, these attacks have been very successful, with the ransomware gang expected to earn $75-100 million in extortion payments.
Contributors and those who provided new ransomware information and stories this week include: @demonslay335, @Seifreed, @BleepinComputer, @malwrhunterteam, @billtoulas, @Ionut_Ilascu, @struppigel, @fwosar, @LawrenceAbrams, @serghei, @chainalysis, @TrendMicro, @Intel_by_KELA, @pcrisk, @SophosXOps, @coveware, @BroadcomSW, @pcrisk, and @azalsecurity.
July 8th 2023
Security researchers have dissected a recently emerged ransomware strain named ‘Big Head’ that may be spreading through malvertising that promotes fake Windows updates and Microsoft Word installers.
PCrisk found new Makop ransomware variants that appends the .rajah and drops a ransom note named +README-WARNING+.txt.
PCrisk found new STOP variants that append the .gayn and .gazp extensions.
July 12th 2023
Data from the first half of the year indicates that ransomware activity is on track to break previous records, seeing a rise in the number of payments, both big and small.
PCrisk found new STOP variants that append the .waqq and .gaqq extensions.
PCRisk found a new Chaos variant that appends the .hackedbySnea575 extension and drops a ransom note named README_txt.txt.
July 14th 2023
Shutterfly, an online retail and photography manufacturing platform, is among the latest victims hit by Clop ransomware.
July 17th 2023
The new NoEscape ransomware operation is believed to be a rebrand of Avaddon, a ransomware gang that shut down and released its decryption keys in 2021.
The Spanish National Police has apprehended a Ukrainian national wanted internationally for his involvement in a scareware operation spanning from 2006 to 2011.
28-year-old Ashley Liles, a former IT employee, has been sentenced to over three years in prison for attempting to blackmail his employer during a ransomware attack.
PCrisk found new STOP variants that append the .miza, .mitu, and .miqe extensions.
PCrisk found a new Xorist variant that appends the .PrO extension and drops a ransom note named HOW TO DECRYPT FILES.txt.
July 18th 2023
Cybersecurity vendor Sophos is being impersonated by a new ransomware-as-a-service called SophosEncrypt, with the threat actors using the company name for their operation.
A financially motivated cybercrime gang has been observed deploying BlackCat ransomware payloads on networks backdoored using a revamped Sardonic malware version.
July 19th 2023
Two ransomware actors, ALPHV/BlackCat and Clop, have listed beauty company Estée Lauder on their data leak sites as a victim of separate attacks.
July 20th 2023
New programming languages often have fewer security measures and less mature detection mechanisms than well-established ones. Threat Actors (TAs) often attempt to bypass traditional security defenses and avoid detection by using a less-known programming language.
PCrisk found a new Kronos ransomware that appends the .khronos extension and drops a ransom note named info.hta.
July 21st, 2023
The Clop ransomware gang is expected to earn between $75-100 million from extorting victims of their massive MOVEit data theft campaign.
In the second quarter of 2023, the percentage of ransomware attacks that resulted in the victim paying, fell to a record low of 34%. The trend represents the compounding effects that we have noted previously of companies continuing to invest in security, continuity assets, and incident response training. Despite these encouraging statistics, ransomware threat actors and the entire cyber extortion economy, continue to evolve their attack and extortion tactics.
AzAl Security noted that the ransomware gang is recruiting new affiliates, but requires a payment first.
Bl00dy ransomware has now advertised in RAMP forum and is asking 10k USD to join their affiliate program. This is half the price of Lockbits fee. Bl00dy appears to have felt some heat and is looking to be more covert. Notably, the poster appears to be a native English speaker.
PCrisk found new STOP variants that append the .kiqu and .kizu extensions.
PCrisk found a new Kronos ransomware that appends the .Hunt2 and drops ransom notes named #BlackHunt_ReadMe.txt and #BlackHunt_ReadMe.hta.
Source: https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-july-21st-2023-avaddon-back-as-noescape/
