The Week in Ransomware – December 1st 2023


An international law enforcement operation claims to have dismantled a ransomware affiliate operation in Ukraine, which was responsible for attacks on organizations in 71 countries.

The threat actors are said to be affiliates of numerous ransomware operations, including LockerGoga, MegaCortex, HIVE, and Dharma. This cybercriminal operation is said to have led to the loss of hundreds of millions of euros.

The law enforcement operation occurred on November 21st, with coordinated raids in 30 locations in Kyiv, Cherkasy, Rivne, and Vinnytsia. As a result of the operation, police arrested the group’s alleged ringleader and four of his accomplices.

Of particular interest is that Norway was involved in the operation, making cybersecurity researchers believe that this affiliate group may have been behind the Norsk Hydro attack, which involved the LockerGoga ransomware.

However, a threat actor disputed those rumors on the Russian-speaking XSS hacking forum, claiming that the affiliate group had nothing to do with the attack. The threat actor further claims to be the one who gave a police drone the finger in a video of the law enforcement operation.

In other news, ransomware attacks have been surging, with further information about attacks being disclosed this week.

This includes attacks on the Ethyrial: Echoes of Yore game developer, Ardent Health Services, Slovenia’s largest power provider HSE, and a re-encryption of healthcare giant Henry Schein as punishment for allegedly not paying the ransom.

We also learned that the attack on DP World did not involve encryption. However, it could have been a ransomware attack that was stopped before encryptors were deployed.

Finally, researchers released some interesting information about ransomware, including Cactus ransomware exploiting Qlik Sense flaws to breach networks, and Black Basta ransomware believed to have made over $100 million.

Contributors and those who provided new ransomware information and stories this week include: @malwrhunterteam, @Ionut_Ilascu, @LawrenceAbrams, @billtoulas, @serghei, @Seifreed, @BleepinComputer, @demonslay335, @fwosar, @pcrisk, @CorvusInsurance, @elliptic, @AWNetworks, @ShadowStackRE, @ddd1ms, @3xp0rtblog, and @BrettCallow.

November 27th 2023

Healthcare giant Henry Schein hit twice by BlackCat ransomware

American healthcare company Henry Schein has reported a second cyberattack this month by the BlackCat/ALPHV ransomware gang, who also breached their network in October.

Ransomware attack on indie game maker wiped all player accounts

A ransomware attack on the “Ethyrial: Echoes of Yore” MMORPG last Friday destroyed 17,000 player accounts, deleting their in-game items and progress in the game.

Ardent hospital ERs disrupted in 6 states after ransomware attack

Ardent Health Services, a healthcare provider operating 30 hospitals across six U.S. states, disclosed today that its systems were hit by a ransomware attack on Thursday.

Slovenia’s largest power provider HSE hit by ransomware attack

Slovenian power company Holding Slovenske Elektrarne (HSE) has suffered a ransomware attack that compromised its systems and encrypted files, yet the company says the incident did not disrupt electric power production.

LostTrust Ransomware analysis

The LostTrust ransomware family has a fairly small victim pool, with its known victims compromised earlier this year. The encryptor shares characteristics with the MetaEncryptor ransomware family, including code flow and strings, which indicates that it is a variant built from the original MetaEncryptor source.

New “MuskOff” Chaos variant

PCrisk found a new Chaos variant that appends the .MuskOff extension and drops a ransom note named read_it.txt.

November 28th 2023

Police dismantle ransomware group behind attacks in 71 countries

In cooperation with Europol and Eurojust, law enforcement agencies from seven nations have arrested in Ukraine the core members of a ransomware group linked to attacks against organizations in 71 countries.

Qilin ransomware claims attack on automotive giant Yanfeng

The Qilin ransomware group has claimed responsibility for a cyber attack on Yanfeng Automotive Interiors (Yanfeng), one of the world’s largest automotive parts suppliers.

DP World confirms data stolen in cyberattack, no ransomware used

International logistics giant DP World has confirmed that data was stolen during a cyber attack that disrupted its operations in Australia earlier this month. However, the company says no ransomware payloads or encryption were used in the attack.

November 29th 2023

Black Basta ransomware made over $100 million from extortion

Russia-linked ransomware gang Black Basta has raked in at least $100 million in ransom payments from more than 90 victims since it first surfaced in April 2022, according to joint research from Corvus Insurance and Elliptic.

New STOP ransomware variants

PCrisk found new STOP ransomware variants that append the .jawr and .jazi extensions.

New Phobos ransomware variant

PCrisk found a new Phobos variant that appends the .LEAKDB extension and drops ransom notes named info.txt and info.hta.

November 30th 2023

Cactus ransomware exploiting Qlik Sense flaws to breach networks

Cactus ransomware has been exploiting critical vulnerabilities in the Qlik Sense data analytics solution to get initial access on corporate networks.

December 1st 2023

New “DoctorHelp” MedusaLocker variant

PCrisk found a new MedusaLocker variant that appends the .doctorhelp extension and drops a ransom note named How_to_back_files.html.

New Dharma ransomware variant

PCrisk found a new Dharma variant that appends the .intel extension.
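The week's variant entries (MuskOff/Chaos, the STOP .jawr and .jazi variants, Phobos .LEAKDB, MedusaLocker .doctorhelp and Dharma .intel) boil down to two indicators each: an appended extension and, for some, a ransom-note filename. The script below is an added example, not code from BleepingComputer or PCrisk; it walks a file listing, matches those indicators, and attributes a family with a confidence tier. The extension and note names come from the entries above; the sample listing is constructed, and the confidence rules and the treatment of info.txt as a generic note name (many families reuse it, so a note alone is weak evidence) are my assumptions.

```python
"""Triage a file listing for the ransomware indicators named in this week's
PCrisk variant entries. Added example; the sample listing is constructed."""
import os
from typing import Dict, List

# Family -> indicators, taken from the variant entries on this page. Extensions
# are matched case-insensitively against the file's final suffix, notes
# against the exact basename.
INDICATORS = {
    "Chaos (MuskOff)":           {"ext": {".muskoff"},       "notes": {"read_it.txt"}},
    "STOP":                      {"ext": {".jawr", ".jazi"}, "notes": set()},
    "Phobos (LEAKDB)":           {"ext": {".leakdb"},        "notes": {"info.txt", "info.hta"}},
    "MedusaLocker (DoctorHelp)": {"ext": {".doctorhelp"},    "notes": {"how_to_back_files.html"}},
    "Dharma (.intel)":           {"ext": {".intel"},         "notes": set()},
}

# Assumption: note names reused across many families count as weak evidence.
GENERIC_NOTES = {"info.txt"}


def _basename(path: str) -> str:
    # Normalise Windows separators so this also works when run on POSIX.
    return os.path.basename(path.replace("\\", "/")).lower()


def parse_listing(text: str) -> List[str]:
    """One path per line, blank lines ignored (e.g. output of `dir /s /b`)."""
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def triage(paths: List[str]) -> Dict[str, dict]:
    """Return {family: {"encrypted": n, "notes": [paths], "confidence": tier}}
    for every family with at least one indicator hit.

    Confidence (assumed rules): high = encrypted files plus a family-specific
    note; medium = encrypted files only (or only a generic note alongside);
    low = note(s) only, no renamed files."""
    hits = {fam: {"encrypted": 0, "notes": []} for fam in INDICATORS}
    for p in paths:
        name = _basename(p)
        ext = os.path.splitext(name)[1]
        for fam, ind in INDICATORS.items():
            if ext in ind["ext"]:
                hits[fam]["encrypted"] += 1
            if name in ind["notes"]:
                hits[fam]["notes"].append(p)

    report = {}
    for fam, h in hits.items():
        if h["encrypted"] == 0 and not h["notes"]:
            continue
        specific = [n for n in h["notes"] if _basename(n) not in GENERIC_NOTES]
        if h["encrypted"] and specific:
            conf = "high"
        elif h["encrypted"]:
            conf = "medium"
        else:
            conf = "low"
        report[fam] = {"encrypted": h["encrypted"],
                       "notes": sorted(h["notes"]),
                       "confidence": conf}
    return report


# Constructed listing: a MuskOff-hit user profile, a Phobos-hit share, and a
# lone .intel file with no accompanying note.
SAMPLE_LISTING = """
C:\\Users\\alice\\Documents\\budget.xlsx.MuskOff
C:\\Users\\alice\\Documents\\read_it.txt
C:\\Users\\alice\\Pictures\\holiday.jpg.MuskOff
D:\\shares\\finance\\q3.docx.LEAKDB
D:\\shares\\finance\\info.hta
D:\\shares\\finance\\info.txt
D:\\shares\\hr\\notes.txt
E:\\backup\\vm.vmdk.intel
"""

if __name__ == "__main__":
    for fam, r in triage(parse_listing(SAMPLE_LISTING)).items():
        print(f"{fam}: {r['encrypted']} encrypted file(s), "
              f"{len(r['notes'])} note(s), confidence={r['confidence']}")
```

Feed it a real listing (for example the output of `dir /s /b` from an affected host) in place of the constructed one; a hit on only a generic note such as info.txt comes back as low confidence precisely so that it is not mistaken for attribution.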

That’s it for this week! Hope everyone has a nice weekend!