Cybersecurity researchers did not disappoint, with reports linking RansomCartel to REvil, on OldGremlin hackers targeting Russia with ransomware, a new data exfiltration tool used by BlackByte, a warning that ransomware actors are exploiting VMware vulnerabilities, and finally, our own report on the Venus Ransomware.
The FBI released an advisory warning that the Daixin ransomware gang is targeting U.S. Healthcare and Public Health (HPH) sector in multiple attacks.
This week, Medibank finally confirmed it was ransomware behind its recent cyberattack. We also saw an attack on the Stimme Mediengruppe media group that prevented the printing and distribution of German newspapers.
Contributors and those who provided new ransomware information and stories this week include: @malwrhunterteam, @PolarToffee, @Ionut_Ilascu, @FourOctets, @jorntvdw, @struppigel, @BleepinComputer, @demonslay335, @billtoulas, @Seifreed, @LawrenceAbrams, @serghei, @fwosar, @DanielGallagher, @VK_Intel, @malwareforme, @Fortinet, @BroadcomSW, @0verfl0w_, @linuxct, @Unit42_Intel, @Amermelsad, @MsftSecIntel, @CrowdStrike, @GroupIB_GIB, @BushidoToken, @JackRhysider, @Intel471Inc, @NCCGroupplc, and @pcrisk.
October 16th 2022
Threat actors behind the relatively new Venus Ransomware are hacking into publicly-exposed Remote Desktop services to encrypt Windows devices.
October 17th 2022
German newspaper ‘Heilbronn Stimme’ published today’s 28-page issue in e-paper form after a Friday ransomware attack crippled its printing systems.
Health insurance provider Medibank has confirmed that a ransomware attack is responsible for last week’s cyberattack and disruption of online services.
PCrisk found new STOP ransomware variants that append the .tury and .tuis extension.
PCrisk found the new ESCANOR Ransomware that appends the .ESCANOR and drops the HELP_DECRYPT_YOUR_FILES.txt ransom note.
October 18th 2022
Researchers have linked the relatively new Ransom Cartel ransomware operation with the notorious REvil gang based on code similarities in both operations’ encryptors.
In this blog, we detail a recent ransomware incident in which the attacker used a collection of commodity tools and techniques, such as using living-off-the-land binaries, to launch their malicious code. Cobalt Strike was used for persistence on the network with NT AUTHORITY/SYSTEM (local SYSTEM) privileges to maintain access to the network after password resets of compromised accounts.
New RONALDIHNO ransomware variant
PCrisk found a new RONALDIHNO ransomware that appends the .r7 extension and drops a ransom note named READ_THIS.txt.
PCrisk found a new CMlocker ransomware that appends the .CMLOCKER extension and drops a ransom note named HELP_DECRYPT_YOUR_FILES.txt.
REvil is the name of a ransomware service as well as a group of criminals inflicting ransomware onto the world. Hear how this ransomware shook the world.
October 19th 2022
The Group-IB Incident Response Team investigated an incident related to a DeadBolt attack and analyzed a DeadBolt ransomware sample
PCrisk found new Dcrtr ransomware variants that append the .flash or .ash extensions to encrypted files.
October 20th 2022
OldGremlin, one of the few ransomware groups attacking Russian corporate networks, has expanded its toolkit with file-encrypting malware for Linux machines.
Researchers at @Intel471Inc observed 455 #ransomware attacks in Q3 of 2022 with the most prevalent variants being #LockBit 3.0, #BlackBasta, #Hive, #ALPHV & #BlackCat. Our latest report analyzes the leading variants & the industries most impacted by them.
PCrisk found a new Chaos ransomware variant that appends the .eu extension and drops a ransom note named read_instruction.txt.
October 21st 2022
A BlackByte ransomware affiliate is using a new custom data stealing tool called ‘ExByte’ to steal data from compromised Windows devices quickly.
Security researchers observed malicious campaigns leveraging a critical vulnerability in VMware Workspace One Access to deliver various malware, including the RAR1Ransom tool that locks files in password-protected archives.
CISA, the FBI, and the Department of Health and Human Services (HHS) warned that a cybercrime group known as Daixin Team is actively targeting the U.S. Healthcare and Public Health (HPH) sector in ransomware attacks.
In Part 1, we explained what Intel SGX enclaves are and how they benefit ransomware authors. In Part 2, we explore a hypothetical step-by-step implementation and outline the limitations of this method.
Claiming the fourth most active spot, just behind BlackCat was new entrant Sparta. With 12 victims reported in one day and 14 over the course of the month, the group has emerged onto the ransomware scene with an explosive start. Observations suggest it is currently solely targeting Spain-based entities, suggesting it is a Spanish-speaking organised crime group.
Source: https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-21st-2022-stop-the-presses/
