This week’s news is packed with action, with police tricking a ransomware gang into releasing decryption keys and a victim calling a ransomware operation a liar.
The most interesting news this week is that the Dutch police and Responders.NU tricked the DeadBolt ransomware operation into handing over 155 decryption keys for victims.
We also learned more about several attacks that were recently made public.
The health organization CommonSpirit admitted this week that they suffered a ransomware attack. However, ADATA denies having suffered a recent attack by RansomHouse and says that data is being recirculated from a 2021 breach by RagnarLocker.
Contributors and those who provided new information and ransomware stories this week include: @struppigel, @VK_Intel, @serghei, @BleepinComputer, @billtoulas, @LawrenceAbrams, @malwareforme, @demonslay335, @FourOctets, @jorntvdw, @PolarToffee, @Ionut_Ilascu, @Seifreed, @fwosar, @malwrhunterteam, @DanielGallagher, @aucyble, @UID_, @linuxct, @MsftSecIntel, @ahnlab, @Amermelsad, @TrendMicroY, and @pcrisk.
October 8, 2022
ADATA denies RansomHouse cyberattack, says leaked 2021 breach data
Taiwanese chipmaker ADATA denies claims of a RansomHouse cyberattack after threat actors began posting stolen files on its data leak site.
Fake Adult Sites Push Data Erasers Disguised As Ransomware
Malicious adult websites deliver fake ransomware that actually acts as a wiper that tries to silently delete almost all the data on your device.
October 10, 2022
PCrisk found a variant of VoidCrypt that adds the .only extension and drops a ransom note called unlock-info.txt.
PCrisk found a new Dharma variant that adds the .dkey extension for encrypted files.
October 11, 2022
Microsoft Exchange servers hacked to deploy LockBit ransomware
Microsoft is investigating reports of a new zero-day bug that was abused to hack into Exchange servers, which were then used to launch LockBit ransomware attacks.
FinCEN Fines Bittrex $29 Million
“For years, Bittrex’s AML program and SAR reporting flaws unnecessarily exposed the US financial system to threat actors,” said Acting FinCEN Director Himamauli Das. “The Bittrex flaws created exposure to high-risk counterparties, including sanctioned jurisdictions, darknet marketplaces, and ransomware attackers. Virtual asset service providers have received notice that they must implement robust risk-based compliance programs and comply with BSA reporting requirements. FinCEN will not hesitate to act when it identifies intentional violations of the BSA.”
October 12, 2022
CommonSpirit confirms ransomware attack
As previously shared, upon discovering the ransomware attack, we took immediate action to secure our systems, contain the incident, begin an investigation, and ensure continuity of care. Our facilities are following existing protocols for system outages, including taking certain systems offline, such as electronic health records. Additionally, we are taking steps to mitigate disruption and maintain continuity of care. To further assist and support our team in the investigation and response process, we hired top cyber security specialists and notified law enforcement.
Black Basta Ransomware Gang infiltrates networks via QAKBOT, Brute Ratel and Cobalt Strike
We analyzed a QAKBOT-related case that led to a Brute Ratel C4 and Cobalt Strike payload that can be attributed to the threat actors behind Black Basta ransomware.
PCrisk found new variants of STOP ransomware that add .powz and .pohj extensions.
October 13, 2022
A recent malicious campaign delivering Magniber ransomware has targeted home Windows users with fake security updates.
PCrisk found a new variant of Dharma that adds the .CYBER extension for encrypted files and drops a ransom note called CYBER.txt.
October 14, 2022
Microsoft: New Prestige ransomware targets organizations in Ukraine and Poland
Microsoft says the new Prestige ransomware is being used to target transportation and logistics organizations in Ukraine and Poland in ongoing attacks.
Police cheat DeadBolt ransomware with 155 decryption keys
The Dutch National Police, in collaboration with the cybersecurity firm Responders.NU, obtained 155 decryption keys from the DeadBolt ransomware gang by forging ransom payments.
Ransom Cartel Ransomware: A possible connection to REvil
In this report, we will provide our analysis of the Ransom Cartel ransomware as well as our assessment of possible connections between REvil and the Ransom Cartel ransomware.
Why call the police after a cyber attack? Because they are waiting for you
For example, after the RCMP seized cryptocurrency held by Canadian Sebastien Vachon-Desjardins, an affiliate of the Netwalker ransomware gang, it attempted to return funds to Canadian victims. Some organizations refused to acknowledge that they had been beaten, he said.