Ransomware gangs continue to prioritize targeting VMware ESXi servers, with almost every active ransomware gang creating custom Linux encryptors for this purpose.
This week, BleepingComputer analyzed the Linux encryptor for Abyss Locker and illustrated how it was specifically designed to encrypt ESXi virtual machines.
Other ransomware operations with ESXi encryptors include Akira, Royal, Black Basta, LockBit, BlackMatter, AvosLocker, REvil, HelloKitty, RansomEXX, and Hive.
Quite a bit of research was released this week as well, with cybersecurity firms and researchers releasing reports on:
- Ransomware's impact on industrial organizations and infrastructure.
- A study examined cyber insurance's role in addressing the threats posed by ransomware.
- Three reports from KELA on Qilin, the new Knight 2.0 RaaS, and Akira.
- A tool to exploit DLL hijacking flaws in ransomware to prevent encryption.
Regarding ransomware or extortion attacks, EY and Serco sent data breach notifications for the Clop MOVEit attacks.
Hospitals run by Prospect Medical Holdings were also impacted this week by a ransomware attack on the parent company. However, it is unclear what gang is behind the attack.
Finally, Argentina's Comprehensive Medical Care Program (PAMI) suffered a ransomware attack that impacted its operations.
Contributors and those who provided new ransomware information and stories this week include: @billtoulas, @Seifreed, @malwrhunterteam, @demonslay335, @serghei, @malwareforme, @LawrenceAbrams, @BleepinComputer, @Ionut_Ilascu, @Fortinet, @malvuln, @Intel_by_KELA, @DragosInc, @MrJamesSullivan, @pcrisk, and @juanbrodersen.
July 29th 2023
Linux version of Abyss Locker ransomware targets VMware ESXi servers
The Abyss Locker operation is the latest to develop a Linux encryptor to target VMware's ESXi virtual machines platform in attacks on the enterprise.
New RansomLord anti-ransomware tool
Security researcher Malvuln has released a tool called RansomLord that exploits DLL hijacking vulnerabilities in ransomware encryptors to terminate the processes before encryption starts. It is not 100% guaranteed to work, so all users should read the projects readme.
July 31st 2023
Dragos Industrial Ransomware Attack Analysis: Q2 2023
The second quarter of 2023 proved to be an exceptionally active period for ransomware groups, posing significant threats to industrial organizations and infrastructure. The rise in ransomware attacks on industrial targets and their consequential impacts highlights the rapid growth of ransomware ecosystems and the adoption of different tactics, techniques, and procedures (TTPs) by these groups to achieve their objectives. In Q2, Dragos observed that out of the 66 groups we monitor, 33 continued to impact industrial organizations. These groups continued to employ previously effective tactics, including exploiting zero-day vulnerabilities, leveraging social engineering, targeting public-facing services, and compromising IT service providers.
Cyber Insurance and the Ransomware Challenge
A study examining the role of cyber insurance in addressing the threats posed by ransomware.
New Dharma variant
PCrisk found a new Dharma ransomware variant that appends the .Z0V extension and drops a ransom note named Z0V.txt.
New STOP ransomware variant
PCrisk found new STOP ransomware variants that append the .pouu or .poaz extensions.
August 1st 2023
Akira Ransomware Gang Evades Decryptor, Exploiting Victims Uninterruptedly
Despite the decryptor for the Akira ransomware that was released at the end of June 2023, the group still seems to successfully extort victims. In July, we observed 15 new victims of the group, either publicly disclosed or detected by KELA in the course of their negotiations.
Cyclops Ransomware Gang Unveils Knight 2.0 RaaS Operation: Partner-Friendly and Expanding Targets
The Cyclops ransomware gang has launched a 2.0 version of its RaaS operation named Knight. On July 26, the gang announced on their blog they were “releasing the new panel and program this week”, likely referring to updates to both their ransomware strain and their affiliates’ panel. Recently, Cyclops announced they “upgraded” the operation and called for new affiliates to join the group. A thread advertising Cyclops’ RaaS has been renamed to “[RaaS]Knight”.
Qilin Ransomware Gang Adopts Uncommon Payment System: All Ransom Payments Funneled through Affiliates
In July, KELA observed that actors behind Qilin (Agenda) RaaS program have announced that ransom payments are paid only to their affiliates’ wallets. Apparently, only then a share of profits is transferred to the Qilin RaaS owners. This approach is less common for RaaS programs: usually victims are paying ransom to wallets controlled by RaaS developers/managers, and only then affiliates receive their share of ransom. The “opposite” approach, now adopted by Qilin, is known to be used by LockBit.
New Xorist ransomware variant
PCrisk found new Xorist ransomware variant that appends the .rtg.
New STOP ransomware variant
PCrisk found new Xorist ransomware variant that appends the .popn and drops a ransom note named _readme.txt.
August 2nd 2023
The PAMI confirmed a ransomware cyberattack: it took down the site, but they assure that "it was mitigated"
The Comprehensive Medical Care Program ( PAMI ) suffered a ransomware cyberattack , a type of virus that encrypts files to demand a ransom in exchange. Official sources confirmed to Clarín that this type of cyberattack was involved and that they are investigating where the intrusion came from. Shifts are maintained and medicines can be bought normally in pharmacies, they assured.
August 3rd 2023
US govt contractor Serco discloses data breach after MoveIT attacks
Serco Inc, the Americas division of multinational outsourcing company Serco Group, has disclosed a data breach after attackers stole the personal information of over 10,000 individuals from a third-party vendor's MoveIT managed file transfer (MFT) server.
Ransomware Roundup - DoDo and Proton
This edition of the Ransomware Roundup covers the DoDo and Proton ransomware.
EY sends MOVEit data breach notification
Based on our investigation, we believe an unauthorized party was able to obtain certain files transferred through the MOVEit tool, including files that contained personal data of 3 Maine residents. EY Law then also undertook an extensive analysis of the affected files to determine which individuals and data may have been affected, and to confirm their identities and contact information.
New Phobos ransomware variant
PCrisk found new Phobos ransomware variant that appends the .G-STARS extension.
New TrashPanda ransomware
PCrisk found the new TrashPanda ransomware that appends the .monochromebear extension and drops a ransom note named [random_string]-readme.html.
New CryBaby ransomware
PCrisk found the new Crybaby python ransomware that appends the .lockedbycrybaby extension.
Comments
Amigo-A - 1 month ago
The 'STOP Ransomware' has DejaVu again:
0756 with .yyza extension - https://tria.ge/230806-nvf58abc8x
0757 with .yytw extension - https://tria.ge/230806-wfdesacg5z
0758 with .yyza extension - https://tria.ge/230806-n3m9hahh87
---
Yes, that's right, DejaVu is DejaVu - the extension was repeated. :)