The Week in Ransomware - December 15th 2023 - Ransomware Drama


This week's article brings you two weeks of information on the latest ransomware attacks and research after we skipped last week's article.

The big news over the past two weeks is the continued drama plaguing BlackCat/ALPHV after their infrastructure abruptly stopped working for almost five days. Multiple sources told BleepingComputer that this outage was related to a law enforcement operation, but BlackCat claims the outages were caused by a hardware/hosting issue.

However, BleepingComputer has learned that some of the BlackCat/ALPHV affiliates are not buying the explanation and have started to contact victims directly via email to conduct negotiations outside of the ransomware operation's Tor negotiation sites.

It is unclear if that is because they are working on their last victims under this operation before they move to another gang or if they feel the ALPHV operation has been compromised in some manner.

Whatever the reasons, the LockBit operation is taking advantage of the drama. The cybercrime gang has told BleepingComputer that they see this as a Christmas gift and have started recruiting ALPHV's affiliates.

In other news, we learned about many ransomware attacks over the past two weeks, including:

  • Tipalti is investigating claims that BlackCat breached their systems and stole data. So far, there is no indication that this is true.
  • Norton Healthcare disclosed a data breach after a May BlackCat ransomware attack.
  • Toyota Financial Services disclosed a data breach after Medusa leaked data.
  • Kraft Heinz says they are investigating claims that the Snatch Team extortion group breached their systems.
  • HTC Global Services confirmed they suffered a cyberattack after BlackCat leaked data.
  • Navy contractor Austal USA confirms cyberattack after Hunters International leaks data.
  • Sony says they are investigating the claims that Rhysida breached Insomniac Games.

Finally, law enforcement has had some confirmed actions this week, including arresting a money launderer linked to Hive ransomware and a Russian pleading guilty to running a crypto exchange used by ransomware gangs.

Contributors and those who provided new ransomware information and stories this week include: @malwrhunterteam, @demonslay335, @billtoulas, @fwosar, @Seifreed, @serghei, @BleepinComputer, @LawrenceAbrams, @Ionut_Ilascu, @ValeryMarchive, @BushidoToken, @azalsecurity, @SentinelOne, @g0njxa, @AlvieriD, @ShadowStackRE, @AShukuhi, @BrettCallow, @GossiTheDog, @vmiss33, @pcrisk, and @RESecurity.

December 3rd 2023

Linux version of Qilin ransomware focuses on VMware ESXi

A sample of the Qilin ransomware gang's VMware ESXi encryptor has been found, and it could be one of the most advanced and customizable Linux encryptors seen to date.

December 4th 2023

Tipalti investigates claims of data stolen in ransomware attack

Tipalti says they are investigating claims that the ALPHV ransomware gang breached its network and stole 256 GB of data, including data for Roblox and Twitch.

New Phobos ransomware variant

PCrisk found a new Phobos ransomware variant that appends the .elpy extension and drops ransom notes named info.txt and info.hta.

RA World encryptor

PCrisk found the encryptor for the new RA World operation, which appends the .RAWLD extension and drops a ransom note named Data breach warning.txt.

New Xorist variant

PCrisk found a new Xorist variant that appends the .xro extension and drops a ransom note named HOW TO DECRYPT FILES.txt.

December 5th 2023

HTC Global Services confirms cyberattack after data leaked online

IT services and business consulting company HTC Global Services has confirmed that they suffered a cyberattack after the ALPHV ransomware gang began leaking screenshots of stolen data.

December 6th 2023

Qilin ESXi encryptor analysis

Qilin ransomware has built a highly configurable malware family that makes use of the local ESXi tooling to increase the success rate of encrypting and ransoming their victims.

Navy contractor Austal USA confirms cyberattack after data leak

Austal USA, a shipbuilding company and a contractor for the U.S. Department of Defense (DoD) and the Department of Homeland Security (DHS), confirmed that it suffered a cyberattack and is currently investigating the impact of the incident.

New STOP ransomware variants

PCRisk found new STOP ransomware variants that append the .nbwr and .nbzi extensions.

New Phobos ransomware variant

PCrisk found a new Phobos ransomware variant that appends the .GrafGrafel extension and drops ransom notes named info.txt and info.hta.

December 7th 2023

Russian pleads guilty to running crypto exchange used by ransomware gangs

Russian national Anatoly Legkodymov pleaded guilty to operating the Bitzlato cryptocurrency exchange that helped ransomware gangs and other cybercriminals launder over $700 million.

December 8th 2023

ALPHV ransomware site outage rumored to be caused by law enforcement

A law enforcement operation is rumored to be behind an outage affecting the ALPHV ransomware gang's websites over the past 30 hours.

Norton Healthcare discloses data breach after May ransomware attack

Kentucky health system Norton Healthcare has confirmed that a ransomware attack in May exposed personal information belonging to patients, employees, and dependents.

New HiddenTear variant

PCrisk found a new HiddenTear ransomware variant that appends the .funny extension and drops a ransom note named readme.txt.

December 11th 2023

Toyota warns customers of data breach exposing personal, financial info

Toyota Financial Services (TFS) is warning customers it suffered a data breach, stating that sensitive personal and financial data was exposed in the attack.

Cold storage giant Americold discloses data breach after April malware attack

Cold storage and logistics giant Americold has confirmed that over 129,000 employees and their dependents had their personal information stolen in an April attack, later claimed by Cactus ransomware.

New STOP ransomware variants

PCRisk found new STOP ransomware variants that append the .hhuy and .hhaz extensions.

December 12th 2023

Spider-Man 2 developer Insomniac Games hit by Rhysida ransomware attack

Ransomware operator Rhysida has posted limited data that appears to back up its claim that it has successfully hacked video game developer Insomniac Games.

December 13th 2023

LockBit ransomware now poaching BlackCat, NoEscape affiliates

The LockBit ransomware operation is now recruiting affiliates and developers from the BlackCat/ALPHV and NoEscape operations after recent disruptions and exit scams.

French police arrest Russian suspect linked to Hive ransomware

French authorities arrested a Russian national in Paris for allegedly helping the Hive ransomware gang launder their victims' ransom payments.

Technical analysis of Rhysida

ShadowStackRE has published a technical analysis of the Rhysida ransomware encryptor.

Mallox Resurrected | Ransomware Attacks Exploiting MS-SQL Continue to Burden Enterprises

In this post, we highlight recent Mallox activity, explain the group's initial access methods and provide a high-level analysis of recent Mallox payloads to help defenders better understand and defend against this persistent threat.

December 14th 2023

Kraft Heinz investigates hack claims, says systems 'operating normally'

Kraft Heinz has confirmed that their systems are operating normally and that there is no evidence they were breached after an extortion group listed them on a data leak site.

December 15th 2023

Exposing The Cyber-Extortion Trinity - BianLian, White Rabbit, And Mario Ransomware Gangs Spotted In A Joint Campaign

Based on a recent Digital Forensics & Incident Response (DFIR) engagement with a law enforcement agency (LEA) and one of the leading finance organizations in Singapore, Resecurity, Inc. (USA) has uncovered a meaningful connection between three major ransomware groups. Resecurity's HUNTER (HUMINT) unit spotted the BianLian, White Rabbit, and Mario ransomware gangs collaborating in a joint extortion campaign targeting publicly-traded financial services firms.

New STOP ransomware variants

PCRisk found new STOP ransomware variants that append the .ljuy and .ljaz extensions.
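The variant entries in this digest (Phobos, RA World, Xorist, STOP and HiddenTear) give only a file extension and a ransom note name, which is exactly what a responder needs to sweep a file share for signs of one of these encryptors. The following Python script is an added example and is not code from the original article or from PCrisk's research: it walks a directory tree, matches file names against the extensions and note names listed above, and rates each family. The sample tree it builds is constructed for the demo, and the "confirmed / note-only / weak" verdict logic (treating generic names like info.txt and readme.txt as weak evidence on their own) is this example's own assumption.

```python
"""Sweep a directory tree for the file extensions and ransom-note names listed
in this week's variant entries. Added example; not from the original article."""
import os
import tempfile
from collections import defaultdict

# Indicators taken from the variant entries above (extension -> family).
# Matching is case-insensitive, so .RAWLD and .rawld both hit.
EXTENSION_TO_FAMILY = {
    ".elpy": "Phobos",
    ".grafgrafel": "Phobos",
    ".rawld": "RA World",
    ".xro": "Xorist",
    ".nbwr": "STOP", ".nbzi": "STOP",
    ".hhuy": "STOP", ".hhaz": "STOP",
    ".ljuy": "STOP", ".ljaz": "STOP",
    ".funny": "HiddenTear",
}

# Ransom-note file names from the same entries (lower-cased for matching).
NOTE_TO_FAMILY = {
    "info.txt": "Phobos",
    "info.hta": "Phobos",
    "data breach warning.txt": "RA World",
    "how to decrypt files.txt": "Xorist",
    "readme.txt": "HiddenTear",
}

# Note names that are common on clean systems; a hit on these alone is only
# a weak signal (assumption of this example, not a claim from the article).
WEAK_NOTE_NAMES = {"info.txt", "readme.txt"}


def classify(path):
    """Return (family, kind) for one path, or None when nothing matches."""
    name = os.path.basename(path).lower()
    if name in NOTE_TO_FAMILY:
        return NOTE_TO_FAMILY[name], "ransom_note"
    ext = os.path.splitext(name)[1]
    if ext in EXTENSION_TO_FAMILY:
        return EXTENSION_TO_FAMILY[ext], "encrypted_file"
    return None


def sweep(root):
    """Walk root; return {family: {"encrypted_file": [...], "ransom_note": [...]}}.
    Paths are reported relative to root with forward slashes."""
    hits = defaultdict(lambda: {"encrypted_file": [], "ransom_note": []})
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            result = classify(full)
            if result is None:
                continue
            family, kind = result
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            hits[family][kind].append(rel)
    return dict(hits)


def verdicts(hits):
    """Per family: 'confirmed' when encrypted files were seen, 'note-only' when
    only a distinctive note name was seen, 'weak' when only generic note names."""
    out = {}
    for family, found in hits.items():
        if found["encrypted_file"]:
            out[family] = "confirmed"
        elif any(os.path.basename(n).lower() not in WEAK_NOTE_NAMES
                 for n in found["ransom_note"]):
            out[family] = "note-only"
        else:
            out[family] = "weak"
    return out


def build_sample_tree():
    """Constructed sample tree for the demo; not data from a real incident."""
    root = tempfile.mkdtemp(prefix="ransomware-sweep-")
    sample = [
        "finance/q3-forecast.xlsx.elpy",     # Phobos-encrypted file
        "finance/info.txt",                  # Phobos note (generic name)
        "finance/info.hta",                  # Phobos note
        "hr/payroll.docx.nbwr",              # STOP-encrypted file
        "hr/photos.zip.HHAZ",                # STOP, upper-case extension
        "share/readme.txt",                  # generic name, no HiddenTear files
        "share/notes.txt",                   # benign
        "legal/contract.pdf",                # benign
        "legal/Data breach warning.txt",     # RA World note, distinctive name
    ]
    for rel in sample:
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"placeholder")
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    found = sweep(tree)
    for family, verdict in sorted(verdicts(found).items()):
        print(f"{family}: {verdict} "
              f"({len(found[family]['encrypted_file'])} encrypted files, "
              f"{len(found[family]['ransom_note'])} notes)")
```

Point `sweep()` at a mounted share instead of the sample tree to use it for real. The extension table is only as good as this week's list, so extend it as new variants are reported, and treat a "weak" verdict as a prompt to open the note and look at its contents rather than as a finding on its own.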

That's it for this week! Hope everyone has a great weekend!