Today’s column brings you two weeks of information on the latest ransomware attacks and research after we skipped last week’s article.
The big news over the past two weeks is the continued drama plaguing BlackCat/ALPHV after their infrastructure suddenly stopped working for almost five days. Multiple sources told BleepingComputer that this outage was related to a law enforcement operation, but BlackCat claims the outages were caused by a hardware/hosting issue.
However, BleepingComputer has learned that some of the BlackCat/ALPHV affiliates are not buying the explanation and have started to contact victims directly via email to perform negotiations outside of the ransomware operation’s Tor negotiation sites.
It is unclear if that is because they are working on their final victims under this operation before they switch to another gang or if they feel the ALPHV operation has been compromised in some manner.
Whatever the reasons, the LockBit operation is taking advantage of the drama. The cybercrime gang has told BleepingComputer that they see this as a Christmas gift and have started recruiting ALPHV’s affiliates.
In other news, we learned about numerous ransomware attacks over the past two weeks, including:
Finally, law enforcement has had some confirmed actions this week, including arresting a money launderer linked to Hive ransomware and a Russian pleading guilty to running a crypto exchange used by ransomware gangs.
Contributors and those who provided new ransomware information and stories this week include: @malwrhunterteam, @demonslay335, @billtoulas, @fwosar, @Seifreed, @serghei, @BleepinComputer, @LawrenceAbrams, @Ionut_Ilascu, @ValeryMarchive, @BushidoToken, @azalsecurity, @SentinelOne, @g0njxa, @AlvieriD, @ShadowStackRE, @AShukuhi, @BrettCallow, @GossiTheDog, @vmiss33, @pcrisk, and @RESecurity.
December 3rd 2023
Linux version of Qilin ransomware focuses on VMware ESXi
A sample of the Qilin ransomware gang’s VMware ESXi encryptor has been found and it could be one of the most advanced and customizable Linux encryptors seen to date.
December 4th 2023
Tipalti investigates claims of data stolen in ransomware attack
Tipalti says they are investigating claims that the ALPHV ransomware gang breached its network and stole 256 GB of data, including data for Roblox and Twitch.
New Phobos ransomware variant
PCrisk found a new Phobos ransomware variant that appends the .elpy extension and drops ransom notes named info.txt and info.hta.
RA World encryptor
PCrisk found the encryptor for the new RA World operation, which appends the .RAWLD extension and drops a ransom note named Data breach warning.txt.
New Xorist variant
PCrisk found a new Xorist variant that appends the .xro extension and drops a ransom note named HOW TO DECRYPT FILES.txt.
December 5th 2023
HTC Global Services confirms cyberattack after data leaked online
IT services and business consulting company HTC Global Services has confirmed that they suffered a cyberattack after the ALPHV ransomware gang began leaking screenshots of stolen data.
December 6th 2023
Qilin ESXi encryptor analysis
Qilin ransomware has built a highly configurable malware family that makes use of the local ESXi tooling to increase the success rate of encrypting and ransoming their victim.
Navy contractor Austal USA confirms cyberattack after data leak
Austal USA, a shipbuilding company and a contractor for the U.S. Department of Defense (DoD) and the Department of Homeland Security (DHS), confirmed that it suffered a cyberattack and is currently investigating the impact of the incident.
New STOP ransomware variants
PCrisk found new STOP ransomware variants that append the .nbwr and .nbzi extensions.
New Phobos ransomware variant
PCrisk found a new Phobos ransomware variant that appends the .GrafGrafel extension and drops ransom notes named info.txt and info.hta.
December 7th 2023
Russian pleads guilty to running crypto-exchange used by ransomware gangs
Russian national Anatoly Legkodymov pleaded guilty to operating the Bitzlato cryptocurrency exchange that helped ransomware gangs and other cybercriminals launder over $700 million.
December 8th 2023
ALPHV ransomware site outage rumored to be caused by law enforcement
A law enforcement operation is rumored to be behind an outage affecting ALPHV ransomware gang’s websites over the last 30 hours.
Norton Healthcare discloses data breach after May ransomware attack
Kentucky health system Norton Healthcare has confirmed that a ransomware attack in May exposed personal information belonging to patients, employees, and dependents.
New HiddenTear variant
PCrisk found a new HiddenTear ransomware variant that appends the .funny extension and drops a ransom note named readme.txt.
December 11th 2023
Toyota warns customers of data breach exposing personal, financial info
Toyota Financial Services (TFS) is warning customers it suffered a data breach, stating that sensitive personal and financial data was exposed in the attack.
Cold storage giant Americold discloses data breach after April malware attack
Cold storage and logistics giant Americold has confirmed that over 129,000 employees and their dependents had their personal information stolen in an April attack, later claimed by Cactus ransomware.
New STOP ransomware variants
PCrisk found new STOP ransomware variants that append the .hhuy and .hhaz extensions.
December 12th 2023
Spider-Man 2 developer Insomniac Games hit by Rhysida ransomware attack
Ransomware operator Rhysida has posted limited data that appears to back up its claim that it has successfully hacked video game developer Insomniac Games.
December 13th 2023
LockBit ransomware now poaching BlackCat, NoEscape affiliates
The LockBit ransomware operation is now recruiting affiliates and developers from the BlackCat/ALPHV and NoEscape operations after recent disruptions and exit scams.
French police arrest Russian suspect linked to Hive ransomware
French authorities arrested a Russian national in Paris for allegedly helping the Hive ransomware gang with laundering their victims’ ransom payments.
Technical analysis of Rhysida
ShadowStackRE has published a technical analysis of the Rhysida ransomware encryptor.
Mallox Resurrected | Ransomware Attacks Exploiting MS-SQL Continue to Burden Enterprises
In this post, we highlight recent Mallox activity, explain the group’s initial access methods and provide a high-level analysis of recent Mallox payloads to help defenders better understand and defend against this persistent threat.
December 14th 2023
Kraft Heinz investigates hack claims, says systems ‘operating normally’
Kraft Heinz has confirmed that their systems are operating normally and that there is no evidence they were breached after an extortion group listed them on a data leak site.
December 15th 2023
Exposing The Cyber-Extortion Trinity – BianLian, White Rabbit, And Mario Ransomware Gangs Spotted In A Joint Campaign
Based on a recent Digital Forensics & Incident Response (DFIR) engagement with a law enforcement agency (LEA) and one of the leading investment organizations in Singapore, Resecurity, Inc. (USA) has uncovered a meaningful link between three major ransomware groups. Resecurity’s HUNTER (HUMINT) unit spotted the BianLian, White Rabbit, and Mario ransomware gangs collaborating in a joint extortion campaign targeting publicly-traded financial services firms.
New STOP ransomware variants
PCrisk found new STOP ransomware variants that append the .ljuy and .ljaz extensions.