This week’s biggest news was the coordinated, international law enforcement operation between Europol, the FBI, the Netherlands, Germany, and Ukraine that targeted the DoppelPaymer operation.
As part of this operation, the police arrested two core members of the DoppelPaymer gang and raided multiple locations where they seized electronics.
DoppelPaymer is believed to be one of the ransomware brands operated by the Evil Corp cybercrime operation, also known for managing and distributing the Dridex malware botnet.
After the U.S. sanctioned Evil Corp in 2019 for causing over $100 million in financial damages, many ransomware recovery and negotiation firms refused to interact with the ransomware operation, causing a significant decrease in ransom payments.
These sanctions led to Evil Corp constantly rebranding its ransomware operations under new names, with DoppelPaymer rebranding as Grief (a.k.a. Pay or Grief) in the summer of 2021.
Another significant news item this week came today, with the SEC announcing a settlement with Blackbaud for failing to disclose the full impact of a 2020 ransomware attack that affected more than 13,000 customers.
New research was also released this week on the ESXi encryptor of the Royal Ransomware and a new IceFire Linux encryptor.
Finally, we learned more about various ransomware attacks this week, including ones on the City of Oakland, Hospital Clínic de Barcelona, Technion, Fonasa, and the Minneapolis Public Schools district.
Contributors and those who provided new ransomware information and stories this week include: @BleepinComputer, @serghei, @Seifreed, @malwrhunterteam, @demonslay335, @LawrenceAbrams, @billtoulas, @fwosar, @PolarToffee, @LabsSentinel, @BrettCallow, @security_score, @AhnLab_SecuInfo, @AJVicens, @AlvieriD, @pcrisk, @chum1ng0, and @TrendMicro.
March 4th 2023
The Play ransomware gang has begun to leak data from the City of Oakland, California, that was stolen in a recent cyberattack.
March 6th 2023
Europol has announced that law enforcement in Germany and Ukraine targeted two individuals believed to be core members of the DoppelPaymer ransomware group.
March 7th 2023
The Hospital Clínic de Barcelona suffered a ransomware attack on Sunday morning, severely disrupting its healthcare services after the institution’s virtual machines were targeted by the attacks.
“Royal ransomware joins other ransomware groups targeting ESXi servers. The files are encrypted using the AES algorithm, with the key and IV being encrypted using the RSA public key that is hard-coded in the executable. The process can partially encrypt a file depending on its size and the value of the “-ep” parameter. The extension of the encrypted files is changed to “.royal_u”.”
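The partial-encryption behaviour described in that quote leaves files whose encrypted regions are near-random while the rest stays structured. As an added defender-side example (not code from BleepingComputer or from the quoted research), the following Python triage check flags files by the indicators listed across this week's entries (.royal_u, .acessd, .coba, How_to_back_files.html) and by chunk-wise entropy; the chunk size, thresholds and sample files are assumptions constructed here.

```python
import hashlib
import math
import os
from collections import Counter

# Indicators named in this week's entries (Royal, MedusaLocker, STOP).
SUSPICIOUS_EXTENSIONS = {".royal_u", ".acessd", ".coba"}
RANSOM_NOTE_NAMES = {"How_to_back_files.html"}

def shannon_entropy(data):
    """Bits per byte: ~8.0 for ciphertext, usually 4-6 for text or office documents."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())
def chunk_entropies(data, chunk_size=4096):
    """Per-chunk entropy, so an encrypted region stands out from an untouched one."""
    return [shannon_entropy(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]
def looks_partially_encrypted(data, chunk_size=4096, high=7.5, low=6.0):
    """True when near-random chunks sit next to structured ones, as partial encryption leaves (thresholds assumed)."""
    ents = chunk_entropies(data, chunk_size)
    return any(e >= high for e in ents) and any(e <= low for e in ents)

def assess_file(path, data):
    """Reasons a file deserves analyst attention; an empty list means nothing matched."""
    name = os.path.basename(path)
    ext = os.path.splitext(name)[1].lower()
    reasons = []
    if ext in SUSPICIOUS_EXTENSIONS:
        reasons.append("extension " + ext)
    if name in RANSOM_NOTE_NAMES:
        reasons.append("ransom note filename")
    if looks_partially_encrypted(data):
        reasons.append("mixed-entropy content")
    return reasons

def pseudo_random(n, seed=b"constructed"):
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for ciphertext."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]

def demo_samples():
    """Constructed samples: a clean document, the same document with its first 4 KiB 'encrypted' and renamed, and a ransom note."""
    plain = (b"The quick brown fox jumps over the lazy dog. " * 200)[:8192]
    return {"report.docx": plain,
            "report.docx.royal_u": pseudo_random(4096) + plain,
            "How_to_back_files.html": b"<html><body>Your files are encrypted.</body></html>"}
```

Running assess_file over a share or backup snapshot shortlists files for analysis; the entropy signal alone also fires on legitimately compressed or encrypted archives, so treat it as a triage hint rather than a verdict.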
Iran was behind a cyberattack on a major research university in Israel last month, the Israel National Cyber Directorate announced on Tuesday.
Albanian news outlets have reported two large-scale targeted cyber-attacks of the same type and most likely by the same attackers as another previous ransomware attack on Albania.
PCrisk found a new MedusaLocker variant that appends the .acessd extension and drops a ransom note named How_to_back_files.html.
March 8th 2023
The Medusa ransomware gang is demanding a $1,000,000 ransom from the Minneapolis Public Schools (MPS) district to delete data allegedly stolen in a ransomware attack.
March 9th 2023
Threat actors linked to the IceFire ransomware operation now actively target Linux systems worldwide with a new dedicated encryptor.
ASEC (AhnLab Security Emergency response Center) has recently discovered the distribution of the iswr ransomware during the team’s monitoring.
In this entry, we discuss case studies that demonstrated how data-science techniques were applied in our investigation of ransomware groups’ ransom transactions, as detailed in our joint research with Waratah Analytics, “What Decision-Makers Need to Know About Ransomware Risk.”
PCrisk found a STOP variant that appends the .coba extension.
March 10th 2023
Cloud software provider Blackbaud has agreed to pay $3 million to settle charges brought by the Securities and Exchange Commission (SEC), alleging that it failed to disclose the full impact of a 2020 ransomware attack that affected more than 13,000 customers.
In a chat on Tox, BlackCat confirmed to DataBreaches that they are responsible for the attack and they say that they will announce it soon on their leaks page. A spokesperson for the group told DataBreaches that they are not giving Fonasa any more time to respond because they have not heard from them at all.
Source: https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-10th-2023-police-take-action/