The Week in Ransomware – October 14, 2022

This week’s news is packed with action, from police tricking a ransomware operation into releasing decryption keys, to victims calling ransomware operations liars.

The most interesting news this week is that the Dutch police and Responders.NU tricked the DeadBolt ransomware operation into forking over 155 decryption keys for victims.

Other interesting research includes fake adult sites pushing data erasers, Black Basta TTPs, information about a new Prestige ransomware targeting Ukraine and Poland, and Magniber ransomware being installed via JavaScript files.

We also learned more about some attacks that were recently made public.

The health organization CommonSpirit admitted this week that it suffered a ransomware attack. Meanwhile, ADATA denies having suffered a recent attack by RansomHouse and says the data is being recirculated from a 2021 breach by RagnarLocker.

Contributors and those who provided new information and ransomware stories this week include: @struppigel, @VK_Intel, @serghei, @BleepinComputer, @billtoulas, @LawrenceAbrams, @malwareforme, @demonslay335, @FourOctets, @jorntvdw, @PolarToffee, @Ionut_Ilascu, @Seifreed, @fwosar, @malwrhunterteam, @DanielGallagher, @aucyble, @UID_, @linuxct, @MsftSecIntel, @ahnlab, @Amermelsad, @TrendMicroY, @pcrisk.

October 8, 2022

ADATA denies RansomHouse cyberattack, says leaked 2021 breach data

Taiwanese chipmaker ADATA denies claims of a RansomHouse cyberattack after threat actors began posting stolen files on its data leak site.

Fake Adult Sites Push Data Erasers Disguised As Ransomware

Malicious adult websites deliver fake ransomware that actually acts as a wiper that tries to silently delete almost all the data on your device.

October 10, 2022

New VoidCrypt variant

PCrisk found a variant of VoidCrypt that adds the .only extension and drops a ransom note called unlock-info.txt.

New Dharma variant

PCrisk found a new Dharma variant that adds the .dkey extension for encrypted files.

October 11, 2022

Microsoft Exchange servers hacked to deploy LockBit ransomware

Microsoft is investigating reports of a new zero-day bug that was abused to hack into Exchange servers, which were then used to launch LockBit ransomware attacks.

FinCEN Fines Bittrex $29 Million

“For years, Bittrex’s AML program and SAR reporting flaws unnecessarily exposed the US financial system to threat actors,” said Acting FinCEN Director Himamauli Das. “The Bittrex flaws created exposure to high-risk counterparties, including sanctioned jurisdictions, darknet marketplaces, and ransomware attackers. Virtual asset service providers have received notice that they must implement robust risk-based compliance programs and comply with BSA reporting requirements. FinCEN will not hesitate to act when it identifies intentional violations of the BSA.”

October 12, 2022

CommonSpirit confirms ransomware attack

As previously shared, upon discovering the ransomware attack, we took immediate action to secure our systems, contain the incident, begin an investigation, and ensure continuity of care. Our facilities are following existing protocols for system outages, including taking certain systems offline, such as electronic health records. Additionally, we are taking steps to mitigate disruption and maintain continuity of care. To further assist and support our team in the investigation and response process, we hired top cyber security specialists and notified law enforcement.

Black Basta Ransomware Gang infiltrates networks via QAKBOT, Brute Ratel and Cobalt Strike

We analyzed a QAKBOT-related case that led to a Brute Ratel C4 and Cobalt Strike payload that can be attributed to the threat actors behind Black Basta ransomware.

New variants of STOP ransomware

PCrisk found new variants of STOP ransomware that add .powz and .pohj extensions.

October 13, 2022

Magniber ransomware now infects Windows users via JavaScript files

A recent malicious campaign delivering Magniber ransomware has targeted home Windows users with fake security updates.

New Dharma variant

PCrisk found a new variant of Dharma that adds the .CYBER extension for encrypted files and drops a ransom note called CYBER.txt.

October 14, 2022

Microsoft: New Prestige ransomware targets organizations in Ukraine and Poland

Microsoft says the new Prestige ransomware is being used to target transportation and logistics organizations in Ukraine and Poland in ongoing attacks.

Police cheat DeadBolt ransomware with 155 decryption keys

The Dutch National Police, in collaboration with the cybersecurity firm Responders.NU, obtained 155 decryption keys from the DeadBolt ransomware gang by forging ransom payments.

Ransom Cartel Ransomware: A possible connection to REvil

In this report, we will provide our analysis of the Ransom Cartel ransomware as well as our assessment of possible connections between REvil and the Ransom Cartel ransomware.

Why call the police after a cyber attack? Because they are waiting for you

For example, after the RCMP seized cryptocurrency held by Canadian Sebastien Vachon-Desjardins, an affiliate of the Netwalker ransomware gang, it attempted to return funds to Canadian victims. Some organizations refused to acknowledge that they had been beaten, he said.

That’s all for this week! I hope everyone has a good weekend!
