The Week in Ransomware – December 1st 2023


A global law enforcement operation claims to have dismantled a ransomware affiliate operation in Ukraine, which was responsible for attacks on organizations in 71 countries.

The threat actors are said to be affiliates of numerous ransomware operations, including LockerGoga, MegaCortex, HIVE, and Dharma. This cybercriminal operation is claimed to have caused losses of hundreds of millions of euros.

The law enforcement operation took place on November 21st, with coordinated raids at 30 locations in Kyiv, Cherkasy, Rivne, and Vinnytsia. As a result of the operation, police arrested the group’s alleged ringleader and four of his accomplices.

Of particular interest is that Norway was involved in the operation, leading cybersecurity researchers to believe that this affiliate group may have been behind the Norsk Hydro attack, which involved the LockerGoga ransomware.

However, a threat actor disputed these rumors on the Russian-speaking XSS hacking forum, claiming that the affiliate group had nothing to do with the attack. The threat actor further claims to be the one who gave a police drone the finger in the video below of the law enforcement operation.

In other news, ransomware attacks have been surging, with additional information about attacks being disclosed this week.

This includes attacks on the Ethyrial: Echoes of Yore game developer, Ardent Health Services, Slovenia’s largest power provider HSE, and a re-encryption of healthcare giant Henry Schein as punishment for allegedly not paying the ransom.

We also learned that the attack on DP World did not involve encryption. However, it may have been a ransomware attack that was stopped before encryptors were deployed.

Finally, researchers released some interesting information about ransomware, including Cactus ransomware exploiting Qlik Sense flaws to breach networks, and Black Basta ransomware believed to have made over $100 million.

Contributors and those who provided new ransomware information and stories this week include: @malwrhunterteam, @Ionut_Ilascu, @LawrenceAbrams, @billtoulas, @serghei, @Seifreed, @BleepinComputer, @demonslay335, @fwosar, @pcrisk, @CorvusInsurance, @elliptic, @AWNetworks, @ShadowStackRE, @ddd1ms, @3xp0rtblog, @jgreigj, and @BrettCallow.

November 27th 2023

Healthcare giant Henry Schein hit twice by BlackCat ransomware

American healthcare company Henry Schein has reported a second cyberattack this month by the BlackCat/ALPHV ransomware gang, who also breached its network in October.

Ransomware attack on indie game maker wiped all player accounts

A ransomware attack on the “Ethyrial: Echoes of Yore” MMORPG last Friday destroyed 17,000 player accounts, deleting their in-game items and progress in the game.

Ardent hospital ERs disrupted in 6 states after ransomware attack

Ardent Health Services, a healthcare provider operating 30 hospitals across six U.S. states, disclosed today that its systems were hit by a ransomware attack on Thursday.

Slovenia’s largest power provider HSE hit by ransomware attack

Slovenian power company Holding Slovenske Elektrarne (HSE) has suffered a ransomware attack that compromised its systems and encrypted files, but the company says the incident did not disrupt electricity production.

LostTrust Ransomware analysis

The LostTrust ransomware family has a fairly small victim pool and compromised victims earlier this year. The encryptor shares characteristics with the MetaEncryptor ransomware family, including code flow and strings, which indicates that the encryptor is a variant of the original MetaEncryptor source.

New “MuskOff” Chaos variant

PCrisk found a new Chaos variant that appends the .MuskOff extension and drops a ransom note named read_it.txt.

November 28th 2023

Police dismantle ransomware group behind attacks in 71 countries

In cooperation with Europol and Eurojust, law enforcement agencies from seven nations have arrested in Ukraine the core members of a ransomware group linked to attacks against organizations in 71 countries.

Qilin ransomware claims attack on automotive giant Yanfeng

The Qilin ransomware group has claimed responsibility for a cyberattack on Yanfeng Automotive Interiors (Yanfeng), one of the world’s largest automotive parts suppliers.

DP World confirms data stolen in cyberattack, no ransomware used

International logistics giant DP World has confirmed that data was stolen during a cyberattack that disrupted its operations in Australia earlier this month. However, the company says no ransomware payloads or encryption were used in the attack.

November 29th 2023

Black Basta ransomware made over $100 million from extortion

Russia-linked ransomware gang Black Basta has raked in at least $100 million in ransom payments from more than 90 victims since it first surfaced in April 2022, according to joint research from Corvus Insurance and Elliptic.

New STOP ransomware variants

PCrisk found new STOP ransomware variants that append the .jawr and .jazi extensions.

New Phobos ransomware variant

PCrisk found a new Phobos variant that appends the .LEAKDB extension and drops ransom notes named info.txt and info.hta.

November 30th 2023

Cactus ransomware exploiting Qlik Sense flaws to breach networks

Cactus ransomware has been exploiting critical vulnerabilities in the Qlik Sense data analytics solution to gain initial access to corporate networks.

December 1st 2023

60 credit unions facing outages due to ransomware attack on popular tech provider

About 60 credit unions are dealing with outages due to a ransomware attack on a widely used technology provider.

New “DoctorHelp” MedusaLocker variant

PCrisk found a new MedusaLocker variant that appends the .doctorhelp extension and drops a ransom note named How_to_back_files.html.

New Dharma ransomware variant

PCrisk found a new Dharma variant that appends the .intel extension.

That is it for this week! Hope everyone has a nice weekend!


