It has been a very quiet week for ransomware news, with only a few reports released and not much info about cyberattacks.
However, an item of interest was Microsoft linking the recent PaperCut server attacks to the Clop and LockBit ransomware operations.
Clop claims to have started exploiting PaperCut servers on April 13th, the same day Microsoft began seeing active exploitation of the vulnerabilities.
The ransomware operation told BleepingComputer that they utilized these exploits for initial access to corporate networks rather than to steal archived documents on the server.
Other ransomware reports released this week include:
Finally, we learned that Yellow Pages Canada suffered a BlackBasta ransomware attack.
Contributors and those who provided new ransomware information and stories this week include: @serghei, @DanielGallagher, @malwareforme, @malwrhunterteam, @FourOctets, @billtoulas, @struppigel, @LawrenceAbrams, @Ionut_Ilascu, @Seifreed, @demonslay335, @BleepinComputer, @fwosar, @jorntvdw, @PolarToffee, @uptycs, @Trellix, @MsftSecIntel, @AlvieriD, @Jon__DiMaggio, @Fortinet, and @pcrisk.
April 24th 2023
Yellow Pages Canada confirms cyber attack as Black Basta leaks data
Yellow Pages Group, a Canadian directory publisher, has confirmed to BleepingComputer that it has been hit by a cyber attack.
New Dharma ransomware variant
PCrisk found a new Dharma ransomware variant that appends the .rea extension.
New Xorist ransomware variant
PCrisk found a new Xorist ransomware variant that appends the .VoNiX extension and drops a ransom note named HOW TO DECRYPT FILES.txt.
April 25th 2023
Ransomware Diaries: Volume 2 – A Ransomware Hacker Origin Story
The story I will tell you is not mine, but it is the account of a man who was once no different than you or me. Unfortunately, poor decisions and hardships in his life pushed him to a dark place, from which he never returned.
This is Bassterlord’s story.
New STOP ransomware variant
PCrisk found a new STOP ransomware variant that appends the .foza extension.
April 26th 2023
Microsoft: Clop and LockBit ransomware behind PaperCut server hacks
Microsoft has attributed recent attacks on PaperCut servers to the Clop and LockBit ransomware operations, which used the vulnerabilities to steal corporate data.
New MedusaLocker ransomware variant
PCrisk found a new MedusaLocker ransomware variant that appends the .attack7 (number may change) extension and drops a ransom note named how_to_back_files.html.
New STOP ransomware variant
PCrisk found a new STOP ransomware variant that appends the .foty extension.
April 27th 2023
Linux version of RTM Locker ransomware targets VMware ESXi servers
RTM Locker is the latest enterprise-targeting ransomware operation found to be deploying a Linux encryptor that targets virtual machines on VMware ESXi servers.
Ransomware Roundup – UNIZA Ransomware
FortiGuard Labs recently came across a new ransomware variant called UNIZA. Like other ransomware variants, it encrypts files on victims’ machines in an attempt to extort money. It uses the Command Prompt (cmd.exe) window to display its ransom message, and interestingly, it does not append an extension to the names of the files it encrypts, making it more difficult to determine which files have been impacted.
New Chaos ransomware variant
PCrisk found a new Chaos ransomware variant that appends the .devinn extension and drops a ransom note named unlock_here.txt.
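The variant entries above each give a file-name indicator (an appended extension, a ransom-note name, or, for UNIZA, the absence of any change). The following triage helper is an added example, not code from BleepingComputer, PCrisk or FortiGuard Labs; it collects the indicators exactly as this roundup reports them and sorts a list of paths into "encrypted file" and "ransom note" hits per family. The sample paths are constructed for the demonstration, and the MedusaLocker entry uses a regex because the roundup says the number in `.attack7` may change.

```python
"""Triage helper for the ransomware variants reported in this roundup.

Indicators are taken from the roundup text; everything else here is an
added example. Matching on names alone is a quick first pass, not proof of
infection or of a clean host.
"""
import re
from pathlib import PurePosixPath

# Appended extension as a regex (None where the variant leaves names unchanged)
# and ransom-note filename (None where the roundup names none).
VARIANT_INDICATORS = {
    "Dharma":       {"ext": r"\.rea$",         "note": None},
    "Xorist":       {"ext": r"\.VoNiX$",       "note": "HOW TO DECRYPT FILES.txt"},
    "STOP":         {"ext": r"\.(foza|foty)$", "note": None},
    "MedusaLocker": {"ext": r"\.attack\d+$",   "note": "how_to_back_files.html"},
    "Chaos":        {"ext": r"\.devinn$",      "note": "unlock_here.txt"},
    "UNIZA":        {"ext": None,              "note": None},  # shows its note via cmd.exe
}


def classify_path(path: str):
    """Return (family, "note" | "encrypted") for a path matching a reported
    indicator, or None. Note names are compared case-insensitively (Windows
    file systems ignore case); extensions are matched exactly as reported."""
    name = PurePosixPath(path).name
    # Check ransom-note names first so a note is never mistaken for a victim file.
    for family, ind in VARIANT_INDICATORS.items():
        if ind["note"] and name.lower() == ind["note"].lower():
            return family, "note"
    for family, ind in VARIANT_INDICATORS.items():
        if ind["ext"] and re.search(ind["ext"], name):
            return family, "encrypted"
    return None


def triage(paths):
    """Group paths by family and indicator kind; return (hits, unmatched).
    A variant such as UNIZA, which leaves file names untouched, can never
    appear in hits, so an empty result does not mean the host is clean."""
    hits = {f: {"encrypted": [], "note": []} for f in VARIANT_INDICATORS}
    unmatched = []
    for p in paths:
        match = classify_path(p)
        if match is None:
            unmatched.append(p)
        else:
            family, kind = match
            hits[family][kind].append(p)
    return hits, unmatched


def summarize(paths):
    """Per-family counts plus the number of paths that matched nothing."""
    hits, unmatched = triage(paths)
    counts = {
        f: {"encrypted": len(v["encrypted"]), "notes": len(v["note"])}
        for f, v in hits.items()
    }
    return counts, len(unmatched)


# Constructed sample listing (not real victim data).
SAMPLE_PATHS = [
    "/srv/share/finance/q1.xlsx.foza",
    "/srv/share/finance/q2.xlsx.foty",
    "/srv/share/hr/report.docx.attack12",
    "/srv/share/hr/how_to_back_files.html",
    "/home/user/notes.txt.VoNiX",
    "/home/user/HOW TO DECRYPT FILES.txt",
    "/home/user/photo.jpg.devinn",
    "/home/user/unlock_here.txt",
    "/data/backup.zip.rea",
    "/data/plain.pdf",
    "/data/attack7.log",        # "attack7" not at the end: not an indicator
    "/home/user/devinn_paper.pdf",
]

if __name__ == "__main__":
    counts, unmatched = summarize(SAMPLE_PATHS)
    for family, c in counts.items():
        print(f"{family:13s} encrypted={c['encrypted']} notes={c['notes']}")
    print(f"unmatched paths: {unmatched}")
```

Extension matches are kept case-sensitive on purpose: the roundup reports `.VoNiX` with that exact casing, and loosening it would pull in unrelated files. Feed the functions a real directory walk instead of `SAMPLE_PATHS` to use it on a share.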