The Week in Ransomware - December 22nd 2023 - BlackCat hacked


Earlier this month, the BlackCat/ALPHV ransomware operation suffered a five-day disruption to their Tor data leak and negotiation sites, reported to be caused by a law enforcement action.

The FBI revealed this week that they hacked the BlackCat/ALPHV ransomware operation, which raked in $300 million from over 1,000 victims. While quietly surveilling the ransomware gang, law enforcement retrieved decryption and Tor private keys.

Law enforcement says that they were able to help decrypt 400 victims for free using the retrieved decryptors and used the Tor private keys to seize the URLs for the gang's data leak site and negotiation sites.

FBI seizure message on BlackCat's data leak site
Source: BleepingComputer.com

However, as the threat actors and the FBI have the same keys, there has been a constant tug of war as they both "reseize" the URL.

Some have seen this constant change in ownership of the URL as a failed operation by law enforcement. However, retrieving 400 decryption keys and likely more data from the hacked servers has significantly tarnished the ransomware operation's reputation.

BleepingComputer has learned that this has caused some affiliates to contact victims directly via email, as they have lost trust in the ransomware gang's ability to secure the servers. Others are said to have moved to competing ransomware operations, such as LockBit.

Now, LockBitSupp (the operator of LockBit) and the BlackCat operator have discussed creating a "cartel" to join forces against law enforcement.

Post by BlackCat operator about creating a cartel
Source: 3xp0rt

Previous "ransomware cartels" allegedly created by Maze didn't succeed in helping the ransomware operation, as Ukrainian police arrested gang members after they rebranded as Egregor.

We also learned this week about new ransomware attacks or information about old ones, including:

  • Akira claimed the ransomware attack on Nissan Australia.
  • A ransomware attack on ESO Solutions exposed the data of 2.7 million people.
  • University of Buenos Aires (UBA) suffered a ransomware cyberattack.
  • Vans, North Face, Supreme owner VF Corp hit by ransomware attack.

Contributors and those who provided new ransomware information and stories this week include: @malwrhunterteam, @BleepinComputer, @demonslay335, @Seifreed, @billtoulas, @Ionut_Ilascu, @fwosar, @serghei, @LawrenceAbrams, @BrettCallow, @PRODAFT, @AShukuhi, @uuallan, @SophosXOps, @pcrisk, @3xp0rtblog, @oct0xor, @MorganDemboski, and @juanbrodersen.

December 18th 2023

Mortgage giant Mr. Cooper data breach affects 14.7 million people

Mr. Cooper is sending data breach notifications warning that a recent cyberattack has exposed the data of 14.7 million customers who have, or previously had, mortgages with the company.

FBI: Play ransomware breached 300 victims, including critical orgs

The Federal Bureau of Investigation (FBI) says the Play ransomware gang has breached about 300 organizations worldwide between June 2022 and October 2023, some of them critical infrastructure entities.

Vans and North Face owner VF Corp hit by ransomware attack

American global apparel and footwear giant VF Corporation, the owner of brands like Supreme, Vans, Timberland, and The North Face, has disclosed a security incident that caused operational disruptions.

The UBA suffered a ransomware cyber attack: teachers and students cannot access the systems

The University of Buenos Aires (UBA) suffered a ransomware cyberattack, a type of malicious program that encrypts the victim's files, makes them inaccessible and demands a ransom payment in exchange. Since Thursday, servers in part of the educational institution have been compromised, and this prevents teachers and students from managing grades, enrolling in summer courses and more.

December 19th 2023

FBI disrupts BlackCat ransomware operation, creates decryption tool

The Department of Justice announced today that the FBI successfully breached the ALPHV ransomware operation's servers to monitor their activities and obtain decryption keys.

How the FBI seized BlackCat (ALPHV) ransomware's servers

An unsealed FBI search warrant revealed how law enforcement hijacked the ALPHV/BlackCat ransomware operation's websites and seized the associated URLs.

FBI: ALPHV ransomware raked in $300 million from over 1,000 victims

The ALPHV/BlackCat ransomware gang has made over $300 million in ransom payments from more than 1,000 victims worldwide as of September 2023, according to the Federal Bureau of Investigation (FBI).

Smoke and Mirrors: Understanding The Workings of Wazawaka

This research provides a comprehensive analysis of Wazawaka's background, affiliations, and strategies in the threat landscape associated with his activities. It includes information about Wazawaka's team and his close relations with other threat actors.

December 20th 2023

Healthcare software provider data breach impacts 2.7 million

ESO Solutions, a provider of software products for healthcare organizations and fire departments, disclosed that data belonging to 2.7 million patients has been compromised as a result of a ransomware attack.

Fake F5 BIG-IP zero-day warning emails push data wipers

The Israel National Cyber Directorate warns of phishing emails pretending to be F5 BIG-IP zero-day security updates that deploy Windows and Linux data wipers.

New BO Team ransomware

PCrisk found a new ransomware that appends the .bot extension and drops a ransom note named How To Restore Your Files.txt.

December 21st 2023

Akira, again: The ransomware that keeps on taking

Following our initial report on Akira ransomware, Sophos has responded to over a dozen incidents involving Akira impacting various sectors and regions. According to our dataset, Akira has mainly targeted organizations located in Europe, North America, and Australia, and operating in the government, manufacturing, technology, education, consulting, pharmaceuticals, and telecommunication sectors.

Windows CLFS and 5 exploits used by ransomware operators

Seeing a Win32k driver zero-day being used in attacks isn't really surprising these days, as the design issues with that component are well known and have been exploited time and time again. But we had never seen so many CLFS driver exploits being used in active attacks before, and then suddenly there are so many of them captured in just one year.

New Phobos ransomware variant

PCrisk found a new ransomware that appends a unique extension and drops ransom notes named info.txt and info.hta.

New Tprc ransomware

PCrisk found a new ransomware that appends the .tprc extension and drops a ransom note named !RESTORE!.txt.
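The three PCrisk entries above (BO Team, Phobos, Tprc) each describe the same two artifacts an incident responder looks for first on a suspect file share: an extension appended to every encrypted file and a ransom note dropped into each folder. The script below is an added example, not PCrisk's or BleepingComputer's code, that turns those page-quoted indicators into a directory triage check. The indicator table, the list of "common" extensions and the dominance threshold are assumptions made for this example; the sample tree it builds is constructed data, not a real capture.

```python
"""Triage helper: scan a directory tree for the appended-extension and
ransom-note indicators quoted on this page (BO Team, Tprc, Phobos)."""
import tempfile
from collections import Counter
from pathlib import Path

# Indicators as quoted on the page. Phobos appends a per-victim extension, so
# only its note names are listed; the mass-rename heuristic below covers it.
INDICATORS = {
    "BO Team": {"extensions": {".bot"}, "notes": {"how to restore your files.txt"}},
    "Tprc": {"extensions": {".tprc"}, "notes": {"!restore!.txt"}},
    "Phobos": {"extensions": set(), "notes": {"info.txt", "info.hta"}},
}

# Extensions that are normal in bulk on a file share (assumption for this
# example); a tree dominated by any other extension is worth a look.
COMMON_EXTENSIONS = {".txt", ".docx", ".xlsx", ".pdf", ".jpg", ".png", ".csv", ".log"}


def scan_tree(root, dominance=0.5, min_files=5):
    """Return a list of findings for the tree under `root`.

    Each finding is a dict with 'family' ('unknown' for the generic heuristic),
    'reason', and the supporting counts so an analyst can verify it by hand.
    """
    root = Path(root)
    files = [p for p in root.rglob("*") if p.is_file()]
    names = Counter(p.name.lower() for p in files)   # case-insensitive note match
    exts = Counter(p.suffix.lower() for p in files)  # last extension only
    findings = []

    # 1. Known families: ransom-note filename and/or appended extension present.
    for family, ind in INDICATORS.items():
        notes = sorted(n for n in ind["notes"] if n in names)
        ext_hits = sum(exts[e] for e in ind["extensions"])
        if notes or ext_hits:
            findings.append({
                "family": family,
                "reason": "ransom note" if notes else "appended extension",
                "notes": notes,
                "note_count": sum(names[n] for n in notes),
                "encrypted_files": ext_hits,
            })

    # 2. Generic mass-rename heuristic: one unusual extension dominates the
    #    tree, which catches variants (like Phobos) whose extension is unique.
    if len(files) >= min_files:
        ext, count = exts.most_common(1)[0]
        if ext and ext not in COMMON_EXTENSIONS and count / len(files) >= dominance:
            findings.append({
                "family": "unknown",
                "reason": "dominant unusual extension",
                "extension": ext,
                "encrypted_files": count,
                "total_files": len(files),
            })
    return findings


def build_sample_tree():
    """Construct a throwaway directory that mimics a share hit by the Tprc
    sample (constructed data, not a real capture). Returns its Path."""
    root = Path(tempfile.mkdtemp(prefix="rw_demo_"))
    share = root / "share"
    share.mkdir()
    for i in range(8):  # "encrypted" spreadsheets with the appended extension
        (share / f"report{i}.xlsx.tprc").write_bytes(b"\x00" * 16)
    (share / "README.txt").write_text("untouched file")
    (share / "!RESTORE!.txt").write_text("constructed ransom note placeholder")
    (root / "!RESTORE!.txt").write_text("constructed ransom note placeholder")
    (root / "empty").mkdir()  # clean subtree, should yield no findings
    return root


if __name__ == "__main__":
    for finding in scan_tree(build_sample_tree()):
        print(finding)
```

Run it against a real share root instead of `build_sample_tree()`; matching the note name case-insensitively matters because these notes are often written with mixed case, and the dominance heuristic is deliberately reported as family `unknown` so that it prompts a manual look rather than a confident attribution.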

December 22nd 2023

Nissan Australia cyberattack claimed by Akira ransomware gang

Japanese car maker Nissan is investigating a cyberattack that targeted its systems in Australia and New Zealand, which may have let hackers access personal information.

That's it for this week! Hope everyone has a great weekend!