The Week in Ransomware – October 14th 2022


Bitcoin in chains

This week’s news is action-packed, with police tricking ransomware into releasing keys to victims calling ransomware operations liars.

Probably the most interesting news this week is regarding the Dutch Police and Responders.NU working some trickery on the DeadBolt Ransomware operation that caused them to fork over 155 decryption keys for victims.

Other interesting research includes fake adult sites pushing data wipers, TTPs on Black Basta, news on a new Prestige Ransomware targeting Ukraine and Poland, and Magniber ransomware being installed via JavaScript files.

We also learned some information about some attacks that were made public recently.

Healthcare org CommonSpirit admitted this week that they suffered a ransomware attack. However, ADATA denies they suffered a recent attack by RansomHouse and says the data is being recirculated from a 2021 breach by RagnarLocker.

Contributors and those who provided new ransomware information and stories this week include: @struppigel, @VK_Intel, @serghei, @BleepinComputer, @billtoulas, @LawrenceAbrams, @malwareforme, @demonslay335, @FourOctets, @jorntvdw, @PolarToffee, @Ionut_Ilascu, @Seifreed, @fwosar, @malwrhunterteam, @DanielGallagher, @AuCyble, @UID_, @linuxct, @MsftSecIntel, @ahnlab, @Amermelsad, @TrendMicro, and @pcrisk.

October 8th 2022

ADATA denies RansomHouse cyberattack, says leaked data from 2021 breach

Taiwanese chip maker ADATA denies claims of a RansomHouse cyberattack after the threat actors began posting stolen files on their data leak site.

Fake adult sites push data wipers disguised as ransomware

Malicious adult websites push fake ransomware which, in reality, acts as a wiper that quietly tries to delete almost all of the data on your device.

October 10th 2022

New VoidCrypt variant

PCrisk found a VoidCrypt variant that appends the .solo extension and drops a ransom note named unlock-info.txt.

New Dharma variant

PCrisk found a new Dharma variant that appends the .dkey extension to encrypted files.

October 11th 2022

Microsoft Exchange servers hacked to deploy LockBit ransomware

Microsoft is investigating reports of a new zero-day bug abused to hack Exchange servers which were later used to launch LockBit ransomware attacks.

FinCEN fines Bittrex $29 million

“For years, Bittrex’s AML program and SAR reporting failures unnecessarily exposed the U.S. financial system to threat actors,” said FinCEN Acting Director Himamauli Das. “Bittrex’s failures created exposure to high-risk counterparties including sanctioned jurisdictions, darknet markets, and ransomware attackers. Virtual asset service providers are on notice that they must implement robust risk-based compliance programs and meet their BSA reporting requirements. FinCEN will not hesitate to act when it identifies willful violations of the BSA.”

October 12th 2022

CommonSpirit confirms ransomware attack

As previously shared, upon discovering the ransomware attack, we took immediate steps to protect our systems, contain the incident, begin an investigation, and ensure continuity of care. Our facilities are following existing protocols for system outages, which includes taking certain systems offline, such as electronic health records. In addition, we are taking steps to mitigate the disruption and maintain continuity of care. To further assist and support our team in the investigation and response process, we engaged leading cybersecurity specialists and notified law enforcement.

Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike

We analyzed a QAKBOT-related case leading to a Brute Ratel C4 and Cobalt Strike payload that can be attributed to the threat actors behind the Black Basta ransomware.

New STOP ransomware variants

PCrisk found new STOP ransomware variants that append the .powz and .pohj extensions.

October 13th 2022

Magniber ransomware now infects Windows users via JavaScript files

A recent malicious campaign delivering Magniber ransomware has been targeting Windows home users with fake security updates.

New Dharma variant

PCrisk found a new Dharma variant that appends the .CYBER extension to encrypted files and drops a ransom note named CYBER.txt.
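The extension and ransom-note names in the PCrisk variant entries above (VoidCrypt .solo / unlock-info.txt, Dharma .dkey and .CYBER / CYBER.txt, STOP .powz and .pohj) are the kind of indicator a defender can turn into a quick file-system check. The following is an added example, not code from the original article or from PCrisk: it walks a directory tree and reports directories that contain one of those ransom notes or where most data files carry one of those extensions, so a single stray file is not flagged. The sample tree it scans is constructed inline.

```python
import os
import tempfile
from collections import Counter

# Extensions and ransom-note names from this week's PCrisk variant entries
# (lower-cased so .CYBER and CYBER.txt match regardless of case).
VARIANT_EXTENSIONS = {
    ".solo": "VoidCrypt", ".dkey": "Dharma", ".cyber": "Dharma",
    ".powz": "STOP", ".pohj": "STOP",
}
RANSOM_NOTES = {"unlock-info.txt": "VoidCrypt", "cyber.txt": "Dharma"}

def scan_directory(root, min_ratio=0.5):
    """Return sorted (relative_dir, family, hit_count, note_seen) tuples for
    directories holding a known ransom note or where at least min_ratio of
    the data files carry a known extension (one stray file is not enough)."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        hits, notes, data_files = Counter(), set(), 0
        for name in filenames:
            lower = name.lower()
            if lower in RANSOM_NOTES:          # ransom note found
                notes.add(RANSOM_NOTES[lower])
                continue
            data_files += 1
            ext = os.path.splitext(lower)[1]   # last extension only
            if ext in VARIANT_EXTENSIONS:
                hits[VARIANT_EXTENSIONS[ext]] += 1
        for family in set(hits) | notes:
            by_ratio = data_files > 0 and hits[family] / data_files >= min_ratio
            if family in notes or by_ratio:
                findings.append((os.path.relpath(dirpath, root), family,
                                 hits[family], family in notes))
    return sorted(findings)

def build_sample_tree():
    """Create a constructed sample tree (not real victim data); return its path."""
    root = tempfile.mkdtemp(prefix="rw-sample-")
    layout = {
        "finance": ["q3.xlsx.solo", "budget.docx.solo", "unlock-info.txt"],
        "hr": ["staff.db.id-1234.dkey", "handbook.pdf.id-1234.dkey", "readme.txt"],
        "clean": ["notes.txt", "photo.jpg", "odd.solo"],
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub))
        for name in names:
            open(os.path.join(root, sub, name), "w").close()
    return root
```

Running `scan_directory(build_sample_tree())` reports the finance and hr directories and leaves the clean directory alone; lowering `min_ratio` makes the single stray .solo file in clean show up as well.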

October 14th 2022

Microsoft: New Prestige ransomware targets orgs in Ukraine, Poland

Microsoft says new Prestige ransomware is being used to target transportation and logistics organizations in Ukraine and Poland in ongoing attacks.

Police tricks DeadBolt ransomware out of 155 decryption keys

The Dutch National Police, in collaboration with cybersecurity firm Responders.NU, obtained 155 decryption keys from the DeadBolt ransomware gang by faking ransom payments.

Ransom Cartel Ransomware: A Potential Connection With REvil

In this report, we will provide our analysis of Ransom Cartel ransomware, as well as our assessment of the possible connections between REvil and Ransom Cartel ransomware.

Why call police after a cyber attack? Because they’re waiting for you

For example, after the RCMP seized cryptocurrency held by Canadian Sebastien Vachon-Desjardins, an affiliate of the Netwalker ransomware gang, it tried returning the funds to Canadian victims. Some organizations refused to acknowledge being hit, she said.

That’s it for this week! Hope everyone has a nice weekend!
