The Week in Ransomware – August 4th 2023

VMware ESXi locker

Ransomware gangs continue to prioritize targeting VMware ESXi servers, with almost every active ransomware gang creating custom Linux encryptors for this purpose.

This week, BleepingComputer analyzed the Linux encryptor for Abyss Locker and illustrated how it was specifically designed to encrypt ESXi virtual machines.

Other ransomware operations with ESXi encryptors include Akira, Royal, Black Basta, LockBit, BlackMatter, AvosLocker, REvil, HelloKitty, RansomEXX, and Hive.

Quite a bit of research was released this week as well, with cybersecurity firms and researchers releasing reports on:

Regarding ransomware or extortion attacks, EY and Serco sent data breach notifications for the Clop MOVEit attacks.

Hospitals run by Prospect Medical Holdings were also impacted this week by a ransomware attack on the parent company. However, it’s unclear what gang is behind the attack.

Finally, Argentina’s Comprehensive Medical Care Program (PAMI) suffered a ransomware attack that impacted its operations.

Contributors and those who provided new ransomware information and stories this week include: @billtoulas, @Seifreed, @malwrhunterteam, @demonslay335, @serghei, @malwareforme, @LawrenceAbrams, @BleepinComputer, @Ionut_Ilascu, @Fortinet, @malvuln, @Intel_by_KELA, @DragosInc, @MrJamesSullivan, @pcrisk, and @juanbrodersen.

July 29th 2023

Linux version of Abyss Locker ransomware targets VMware ESXi servers

The Abyss Locker operation is the latest to develop a Linux encryptor to target VMware’s ESXi virtual machines platform in attacks on the enterprise.

New RansomLord anti-ransomware tool

Security researcher Malvuln has released a tool called RansomLord that exploits DLL hijacking vulnerabilities in ransomware encryptors to terminate the processes before encryption begins. It’s not 100% guaranteed to work, so all users should read the project’s readme.

July 31st 2023

Dragos Industrial Ransomware Attack Analysis: Q2 2023

The second quarter of 2023 proved to be an exceptionally active period for ransomware groups, posing significant threats to industrial organizations and infrastructure. The rise in ransomware attacks on industrial targets and their consequential impacts highlights the rapid growth of ransomware ecosystems and the adoption of various tactics, techniques, and procedures (TTPs) by these groups to achieve their goals. In Q2, Dragos observed that out of the 66 groups we monitor, 33 continued to impact industrial organizations. These groups continued to use previously effective tactics, including exploiting zero-day vulnerabilities, leveraging social engineering, targeting public-facing services, and compromising IT service providers.

Cyber Insurance and the Ransomware Challenge

A study examining the role of cyber insurance in addressing the threats posed by ransomware.

New Dharma variant

PCrisk found a new Dharma ransomware variant that appends the .Z0V extension and drops a ransom note named Z0V.txt.

New STOP ransomware variant

PCrisk found new STOP ransomware variants that append the .pouu or .poaz extensions.

August 1st 2023

Akira Ransomware Gang Evades Decryptor, Exploiting Victims Uninterruptedly

Despite the decryptor for the Akira ransomware that was released at the end of June 2023, the group still seems to successfully extort victims. In July, we observed 15 new victims of the group, either publicly disclosed or detected by KELA in the course of their negotiations.

Cyclops Ransomware Gang Unveils Knight 2.0 RaaS Operation: Partner-Friendly and Expanding Targets

The Cyclops ransomware gang has launched a 2.0 version of its RaaS operation named Knight. On July 26, the gang announced on their blog they were “releasing the new panel and program this week”, likely referring to updates to both their ransomware strain and their affiliates’ panel. Recently, Cyclops announced they “upgraded” the operation and called for new affiliates to join the group. A thread advertising Cyclops’ RaaS has been renamed to “[RaaS]Knight”.

Qilin Ransomware Gang Adopts Uncommon Payment System: All Ransom Payments Funneled through Affiliates

In July, KELA observed that actors behind the Qilin (Agenda) RaaS program have announced that ransom payments are paid only to their affiliates’ wallets. Apparently, only then is a share of the profits transferred to the Qilin RaaS owners. This approach is less common for RaaS programs: usually victims pay the ransom to wallets controlled by RaaS developers/managers, and only then do affiliates receive their share of the ransom. The “reverse” approach, now adopted by Qilin, is known to be used by LockBit.

New Xorist ransomware variant

PCrisk found a new Xorist ransomware variant that appends the .rtg extension.

New STOP ransomware variant

PCrisk found a new STOP ransomware variant that appends the .popn extension and drops a ransom note named _readme.txt.

August 2nd 2023

PAMI confirmed a ransomware cyberattack: it took down the site, but they assure that “it was mitigated”

The Comprehensive Medical Care Program (PAMI) suffered a ransomware cyberattack, a type of malware that encrypts files to demand a ransom in exchange. Official sources confirmed to Clarín that such a cyberattack was involved and that they are investigating where the intrusion came from. Appointments are maintained and medicines can be bought normally in pharmacies, they assured.

August 3rd 2023

US govt contractor Serco discloses data breach after MoveIT attacks

Serco Inc, the Americas division of multinational outsourcing company Serco Group, has disclosed a data breach after attackers stole the personal information of over 10,000 people from a third-party vendor’s MoveIT managed file transfer (MFT) server.

Ransomware Roundup – DoDo and Proton

This edition of the Ransomware Roundup covers the DoDo and Proton ransomware.

EY sends MOVEit data breach notification

Based on our investigation, we believe an unauthorized party was able to obtain certain files transferred via the MOVEit tool, including files that contained personal information of three Maine residents. EY Law then also undertook an extensive review of the affected files to determine which individuals and information may have been affected, and to confirm their identities and contact information.

New Phobos ransomware variant

PCrisk found a new Phobos ransomware variant that appends the .G-STARS extension.

New TrashPanda ransomware

PCrisk found the new TrashPanda ransomware that appends the .monochromebear extension and drops a ransom note named [random_string]-readme.html.

New CryBaby ransomware

PCrisk found the new CryBaby Python ransomware that appends the .lockedbycrybaby extension.
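As an added defender-side example that is not part of the original roundup, the script below maps a file listing to the variants reported this week using only the appended extensions and ransom note names quoted above (Dharma, STOP, Xorist, Phobos, TrashPanda, CryBaby); the sample paths are constructed, not taken from any real incident.

```python
import re
from collections import defaultdict
from typing import Optional, Tuple

# Indicators as reported in this roundup: (family, appended extensions, ransom note pattern);
# note patterns are anchored on the bare file name, and TrashPanda's carries a random prefix.
INDICATORS = [
    ("Dharma", (".z0v",), re.compile(r"^z0v\.txt$", re.I)),
    ("STOP", (".pouu", ".poaz", ".popn"), re.compile(r"^_readme\.txt$", re.I)),
    ("Xorist", (".rtg",), None),
    ("Phobos", (".g-stars",), None),
    ("TrashPanda", (".monochromebear",), re.compile(r"^[a-z0-9]+-readme\.html$", re.I)),
    ("CryBaby", (".lockedbycrybaby",), None),
]

def classify(path: str) -> Optional[Tuple[str, str]]:
    """Return (family, 'encrypted' | 'note') for one path, or None if nothing matches."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    lowered = name.lower()
    for family, exts, note in INDICATORS:
        if note is not None and note.match(name):
            return family, "note"
        # A real appended extension needs an original file name in front of it.
        if any(lowered.endswith(ext) and len(lowered) > len(ext) for ext in exts):
            return family, "encrypted"
    return None

def triage(listing) -> dict:
    """Count encrypted files and ransom notes per family; an empty dict means no hit."""
    hits = defaultdict(lambda: {"encrypted": 0, "note": 0})
    for path in listing:
        match = classify(path)
        if match:
            hits[match[0]][match[1]] += 1
    return dict(hits)

# Constructed sample listing (not real victim data): clean files mixed with indicator hits.
SAMPLE = [
    "/srv/share/finance/Q3-budget.xlsx.Z0V",
    "/srv/share/finance/Z0V.txt",
    "C:\\Users\\alice\\Pictures\\holiday.jpg.pouu",
    "C:\\Users\\alice\\Pictures\\_readme.txt",
    "/home/bob/report.docx.G-STARS",
    "/home/bob/notes.txt.monochromebear",
    "/home/bob/x9k2ab-readme.html",
    "/home/bob/readme.html",  # an ordinary readme must not count as a TrashPanda note
    "/var/backups/db.sqlite.lockedbycrybaby",
    "/var/backups/scan.png.rtg",
    "/var/backups/clean.pdf",
]
```

Run `triage(SAMPLE)` to get per-family counts; feed it the output of a recursive directory walk or a file-server audit log to triage a suspected incident against this week's indicators.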

That is it for this week! Hope everyone has a nice weekend!
