The Week in Ransomware – October 14th 2022

Bitcoin in chains

This week’s information is action-packed, with police tricking ransomware into releasing keys to victims calling ransomware operations liars.

Essentially the most attention-grabbing information this week is concerning the Dutch Police and Responders.NU working some trickery on the DeadBolt Ransomware operation that brought on them to fork over 155 decryption keys for victims.

Different attention-grabbing analysis contains fake adult sites pushing data wipers, TTPs on Black Basta, information on a brand new Prestige Ransomware targeting Ukraine and Poland, and Magniber ransomware being installed via JavaScript files.

We additionally realized some details about some assaults that had been made public lately.

Healthcare org CommonSpirit admitted this week that they suffered a ransomware assault. Nonetheless, ADATA denies they suffered a recent attack by RansomHouse and says the information is being recirculated from a 2021 breach by RagnarLocker.

Contributors and those that offered new ransomware info and tales this week embrace: @struppigel, @VK_Intel, @serghei, @BleepinComputer, @billtoulas, @LawrenceAbrams, @malwareforme, @demonslay335, @FourOctets, @jorntvdw, @PolarToffee, @Ionut_Ilascu, @Seifreed, @fwosar, @malwrhunterteam, @DanielGallagher, @AuCyble, @UID_, @linuxct@MsftSecIntel, @ahnlab, @Amermelsad, @TrendMicro, and @pcrisk.

October eighth 2022

ADATA denies RansomHouse cyberattack, says leaked data from 2021 breach

Taiwanese chip maker ADATA denies claims of a RansomHouse cyberattack after the risk actors started posting stolen recordsdata on their information leak website.

Fake adult sites push data wipers disguised as ransomware

Malicious grownup web sites push pretend ransomware which, in actuality, acts as a wiper that quietly tries to delete nearly the entire information in your gadget.

October tenth 2022

New VoidCrypt variant

PCrisk discovered a VoidCrypt variant that appends the .solo extension and drops a ransom observe named unlock-info.txt.

New Dharma variant

PCrisk discovered a brand new Dharma variant that appends the .dkey extension to encrypted recordsdata.

October eleventh 2022

Microsoft Exchange servers hacked to deploy LockBit ransomware

Microsoft is investigating reviews of a brand new zero-day bug abused to hack Change servers which had been later used to launch Lockbit ransomware assaults.

FinCEN fines Bittrex $29 million

“For years, Bittrex’s AML program and SAR reporting failures unnecessarily uncovered the U.S. monetary system to risk actors,” stated FinCEN Appearing Director Himamauli Das. “Bittrex’s failures created publicity to high-risk counterparties together with sanctioned jurisdictions, darknet markets, and ransomware attackers. Digital asset service suppliers are on discover that they have to implement strong risk-based compliance packages and meet their BSA reporting necessities. FinCEN is not going to hesitate to behave when it identifies willful violations of the BSA.”

October twelfth 2022

CommonSpirit confirms ransomware attack

As beforehand shared, upon discovering the ransomware assault, we took fast steps to guard our methods, comprise the incident, start an investigation, and guarantee continuity of care. Our amenities are following present protocols for system outages, which incorporates taking sure methods offline, equivalent to digital well being information. As well as, we’re taking steps to mitigate the disruption and preserve continuity of care. To additional help and help our crew within the investigation and response course of, we engaged main cybersecurity specialists and notified regulation enforcement.

Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike

We analyzed a QAKBOT-related case resulting in a Brute Ratel C4 and Cobalt Strike payload that may be attributed to the risk actors behind the Black Basta ransomware.

New STOP ransomware variants

PCrisk discovered new STOP ransomware variants that append the .powz and .pohj extensions.

October thirteenth 2022

Magniber ransomware now infects Windows users via JavaScript files

A current malicious marketing campaign delivering Magniber ransomware has been concentrating on Home windows house customers with pretend safety updates.

New Dharma variant

PCrisk discovered a brand new Dharma variant that appends the .CYBER extension to encrypted recordsdata and drops a ransom observe named CYBER.txt.

October 14th 2022

Microsoft: New Prestige ransomware targets orgs in Ukraine, Poland

Microsoft says new Status ransomware is getting used to focus on transportation and logistics organizations in Ukraine and Poland in ongoing assaults.

Police tricks DeadBolt ransomware out of 155 decryption keys

The Dutch Nationwide Police, in collaboration with cybersecurity agency Responders.NU, obtained 155 decryption keys from the DeadBolt ransomware gang by faking ransom funds.

Ransom Cartel Ransomware: A Possible Connection With REvil

On this report, we are going to present our evaluation of Ransom Cartel ransomware, in addition to our evaluation of the doable connections between REvil and Ransom Cartel ransomware.

Why call police after a cyber attack? Because they’re waiting for you

For instance, after the RCMP seized cryptocurency held by Canadian Sebastien Vachon-Desjardins, an affiliate of the Netwalker ransomware gang, it tried returning the funds to Canadian victims. Some organizations refused to acknowledge being hit, she stated.

That is it for this week! Hope everybody has a pleasant weekend!

Leave a Reply

Your email address will not be published. Required fields are marked *