The Week in Ransomware – April 19th 2024


While ransomware attacks decreased after the LockBit and BlackCat disruptions, they have once again started to ramp up with other operations filling the void.

A relatively new operation called RansomHub gained media attention this week after a BlackCat affiliate used the newer operation’s data leak site to extort Change Healthcare once again.

Change Healthcare allegedly already paid a ransom, which the BlackCat/ALPHV ransomware operation then kept from its affiliate in an exit scam. However, the affiliate behind the attack claims to have kept the stolen data and is now extorting the company again through RansomHub.

So far, the Change Healthcare attack has cost UnitedHealth Group $872 million, with losses expected to continue.

Another disruptive attack we learned more about this week is the Daixin operation claiming the cyberattack on Omni Hotels. This attack caused the hotel chain to shut down its IT systems, impacting reservations and requiring hotel staff to let guests into their rooms.

Other attacks targeted chipmaker Nexperia, the United Nations Development Programme (UNDP), Octapharma Plasma, and the Atlantic States Marine Fisheries Commission (ASMFC).

There were other cyberattacks this week, such as the one on Frontier Communications, but they have not been confirmed to be ransomware.

In other news, the U.S. Justice Department charged a Moldovan national for running a large-scale botnet that infected thousands of computers and deployed ransomware.

Last but not least, the FBI reported that the Akira ransomware operation had earned $42 million from 250+ victims, and HelloKitty returned, rebranding as HelloGookie.

Contributors and those who provided new ransomware information and stories this week include: @billtoulas, @BleepinComputer, @Ionut_Ilascu, @serghei, @fwosar, @LawrenceAbrams, @malwrhunterteam, @demonslay335, @Seifreed, @pcrisk, @SophosXOps, @jgreigj, @JessicaHrdcstle, @3xp0rtblog, @AShukuhi, and @vxunderground.

April 15th 2024

Daixin ransomware gang claims attack on Omni Hotels

The Daixin Team ransomware gang claimed a recent cyberattack on Omni Hotels & Resorts and is now threatening to publish customers’ sensitive information if a ransom is not paid.

Chipmaker Nexperia confirms breach after ransomware gang leaks data

Dutch chipmaker Nexperia confirmed late last week that hackers breached its network in March 2024 after a ransomware gang leaked samples of allegedly stolen data.

Ransomware gang starts leaking alleged stolen Change Healthcare data

The RansomHub extortion gang has begun leaking what they claim is corporate and patient data stolen from UnitedHealth subsidiary Change Healthcare in what has been a long and convoluted extortion process for the company.

New ransomware variant

PCrisk found a new ransomware variant that adds the .FBIRAS extension and drops a ransom note named Readme.txt.

April 16th 2024

UnitedHealth: Change Healthcare cyberattack caused $872 million loss

UnitedHealth Group reported an $872 million impact on its Q1 earnings due to the ransomware attack disrupting the U.S. healthcare system since February.

Atlantic fisheries body confirms cyber incident after 8Base ransomware gang claims breach

A fisheries management organization for the East Coast is dealing with a cyber incident following claims by a ransomware gang that it stole data.

New Lethal Lock ransomware

PCrisk found a ransomware that appends the .LethalLock extension and drops a ransom note named SOLUTION_NOTE.txt.

New ransomware variant

PCrisk found a ransomware that appends the .Senator extension and drops a ransom note named SENATOR ENCRYPTED.txt.

New Chaos ransomware variant

PCrisk found a new Chaos ransomware variant that appends the .DumbStackz extension and drops a ransom note named read_it.txt.

New MedusaLocker ransomware variant

PCrisk found a new MedusaLocker ransomware variant that appends the .repair extension and drops a ransom note named How_to_back_files.html.

April 17th 2024

Moldovan charged for operating botnet used to push ransomware

The U.S. Justice Department charged Moldovan national Alexander Lefterov, the owner and operator of a large-scale botnet that infected thousands of computers across the United States.

‘Junk gun’ ransomware: Peashooters can still pack a punch

A Sophos X-Ops investigation finds that a wave of crude, cheap ransomware could spell trouble for small businesses and individuals, but could also provide insights into threat actor career development and the wider threat landscape.

April 18th 2024

FBI: Akira ransomware raked in $42 million from 250+ victims

According to a joint advisory from the FBI, CISA, Europol’s European Cybercrime Centre (EC3), and the Netherlands’ National Cyber Security Centre (NCSC-NL), the Akira ransomware operation has breached the networks of over 250 organizations and raked in roughly $42 million in ransom payments.

Ransomware feared as IT ‘issues’ force Octapharma Plasma to close 150+ centers

Octapharma Plasma has blamed IT “network issues” for the ongoing closure of its 150-plus centers across the US. It’s feared a ransomware infection may be the root cause of the medical firm’s ailment.

April 19th 2024

United Nations agency investigates ransomware attack, data theft

The United Nations Development Programme (UNDP) is investigating a cyberattack after threat actors breached its IT systems to steal human resources data.

HelloKitty ransomware rebrands, releases CD Projekt and Cisco data

An operator of the HelloKitty ransomware operation announced they changed the name to ‘HelloGookie,’ releasing passwords for previously leaked CD Projekt source code, Cisco network information, and decryption keys from old attacks.

New MedusaLocker ransomware variant

PCrisk found a new MedusaLocker ransomware variant that appends the .virus3 extension and drops a ransom note named How_to_back_files.html.
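The PCrisk entries in this roundup (April 15th, 16th and 19th) each give an encrypted-file extension and a ransom note name. The following is an added example, not code from the article or from PCrisk, that turns those pairs into a simple file-system sweep: it groups paths by directory and flags a directory only when the extension and its matching note appear together, or when enough renamed files pile up on their own. The scanning logic, the minimum-file threshold, the "high"/"medium" labels and the sample paths are all constructed for this example.

```python
"""Sweep file paths for the encryption indicators listed in this roundup.

INDICATORS holds the (extension, ransom note) pairs from the PCrisk entries.
Everything else (thresholds, confidence labels, sample tree) is constructed
for this example and is not from the source article.
"""
import os
from collections import Counter, defaultdict

# (appended extension, ransom note filename) -> label, from the roundup entries above
INDICATORS = {
    (".FBIRAS", "Readme.txt"): "unnamed variant (.FBIRAS)",
    (".LethalLock", "SOLUTION_NOTE.txt"): "Lethal Lock",
    (".Senator", "SENATOR ENCRYPTED.txt"): "unnamed variant (.Senator)",
    (".DumbStackz", "read_it.txt"): "Chaos variant",
    (".repair", "How_to_back_files.html"): "MedusaLocker variant",
    (".virus3", "How_to_back_files.html"): "MedusaLocker variant",
}
EXTENSIONS = {ext for ext, _ in INDICATORS}
NOTES = {note for _, note in INDICATORS}


def classify_dir(filenames):
    """Return (matched families, count of renamed files, notes seen) for one directory.

    A family only matches when its extension AND its note are both present:
    names like Readme.txt or read_it.txt are far too common on their own.
    """
    ext_counts = Counter()
    notes_seen = set()
    for name in filenames:
        # Encrypted files keep their real name and gain a suffix, e.g. q1.xlsx.repair
        for ext in EXTENSIONS:
            if name.endswith(ext):
                ext_counts[ext] += 1
                break
        if name in NOTES:
            notes_seen.add(name)
    families = {
        family for (ext, note), family in INDICATORS.items()
        if ext_counts[ext] and note in notes_seen
    }
    return families, sum(ext_counts.values()), notes_seen


def scan_paths(paths, min_encrypted=3):
    """Group paths by directory and return {directory: finding}.

    high   = extension and matching note seen together
    medium = at least min_encrypted renamed files but no note yet
             (ransomware often drops the note after finishing a directory)
    """
    by_dir = defaultdict(list)
    for path in paths:
        directory, name = os.path.split(path)
        by_dir[directory].append(name)

    findings = {}
    for directory, names in by_dir.items():
        families, n_enc, notes = classify_dir(names)
        if families:
            findings[directory] = {"confidence": "high", "families": sorted(families),
                                   "encrypted": n_enc, "notes": sorted(notes)}
        elif n_enc >= min_encrypted:
            findings[directory] = {"confidence": "medium", "families": [],
                                   "encrypted": n_enc, "notes": sorted(notes)}
    return findings


def scan_tree(root, min_encrypted=3):
    """Walk a real directory tree and run scan_paths over every file in it."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return scan_paths(paths, min_encrypted)


# Constructed sample paths: one hit directory, one benign readme, one partial hit
SAMPLE_PATHS = [
    "/srv/share/finance/q1.xlsx.repair",
    "/srv/share/finance/budget.docx.repair",
    "/srv/share/finance/How_to_back_files.html",
    "/srv/share/tools/Readme.txt",       # ordinary readme, must not fire on its own
    "/srv/share/tools/setup.exe",
    "/home/alice/photos/a.jpg.Senator",  # renamed files, note not written yet
    "/home/alice/photos/b.jpg.Senator",
    "/home/alice/photos/c.jpg.Senator",
]

if __name__ == "__main__":
    for directory, finding in scan_paths(SAMPLE_PATHS).items():
        print(directory, finding)
```

Point `scan_tree()` at a file share or a user profile to run it against live data. Matching is case-sensitive and exact on the suffix, which is deliberate: the extensions are what the samples actually append, and loosening the match is the fastest way to turn `Readme.txt` into a flood of false positives. Treat a "medium" finding as a prompt to look at modification times and the process that wrote the files, not as confirmation of a specific family.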

That’s it for this week! Hope everyone has a nice weekend!
