The Week in Ransomware – January 12th 2024


Mortgage lenders and related companies are becoming popular targets of ransomware gangs, with four companies in this sector recently attacked.

This week, we learned that mortgage lender loanDepot suffered a cyberattack, which the company later confirmed was ransomware.

This comes on the heels of similar attacks against Mortgage giant Mr. Cooper, which led to the exposure of data for 14 million people, and attacks on title insurance companies, including First American Financial and Fidelity National Financial.

As these companies obtain a large amount of sensitive information from their customers, they become attractive targets for ransomware gangs to conduct double-extortion attacks.

Other attacks we learned about this week include the Toronto Zoo, a Black Hunt ransomware attack on Tigo Business, and LockBit claiming to be behind the attack on the Capital Health hospital network.

Finland is also warning of Akira ransomware increasingly targeting companies in the country and wiping backups.

Cybersecurity researchers are back from the holidays, sharing new research on a BlackBasta affiliate’s use of PikaBot, Microsoft SQL servers being targeted by the Mimic ransomware, and threat actors impersonating security researchers to offer victims a chance to hack back at ransomware gangs.

For some good news, a Dutch police operation with Cisco Talos led to the arrest of a ransomware operator and the retrieval of decryption keys. This key was added to Avast’s decryptor, allowing victims of the Tortilla ransomware (based on Babuk) to recover their files for free.

Contributors and those who provided new ransomware information and stories this week include: @LawrenceAbrams, @malwrhunterteam, @fwosar, @BleepinComputer, @serghei, @demonslay335, @Ionut_Ilascu, @Seifreed, @billtoulas, @AWNetworks, @Securonix, @TalosSecurity, @criptoboi, @pcrisk, @TrendMicro, and @Unit42_Intel.

January 7th 2024

Mortgage firm loanDepot cyberattack impacts IT systems, payment portal

U.S. mortgage lender loanDepot has suffered a cyberattack that caused the company to take IT systems offline, preventing online payments against loans.

January 8th 2024

Capital Health attack claimed by LockBit ransomware, risk of data leak

The LockBit ransomware operation has claimed responsibility for a November 2023 cyberattack on the Capital Health hospital network and threatens to leak stolen data and negotiation chats by tomorrow.

Toronto Zoo: Ransomware attack had no impact on animal wellbeing

Toronto Zoo, the largest zoo in Canada, says that a ransomware attack that hit its systems on early Friday had no impact on the animals, its website, or its day-to-day operations.

US mortgage lender loanDepot confirms ransomware attack

?Leading U.S. mortgage lender loanDepot confirmed today that a cyber incident disclosed over the weekend was a ransomware attack that led to data encryption.

New Phobos ransomware variant

PCrisk found a new Phobos variant that appends the .jopanaxye extension and drops ransom notes named info.txt and info.hta.

New STOP Ransomware variants

PCrisk found new STOP ransomware variants that append the .cdwe and .cdaz extensions.

New Makops variant

PCrisk found a new Makops variant that appends the .SOG extension and drops a ransom note named +README-WARNING+.txt.

New Abyss ransomware

PCrisk found a new ransomware that appends the .abyss extension and drops a ransom note named WhatHappened.txt.

January 9th 2024

Paraguay warns of Black Hunt ransomware attacks after Tigo Business breach

The Paraguay military is warning of Black Hunt ransomware attacks after Tigo Business suffered a cyberattack last week impacting cloud and hosting services in the company’s business division.

Decryptor for Babuk ransomware variant released after hacker arrested

Researchers from Cisco Talos working with the Dutch police obtained a decryption tool for the Tortilla variant of Babuk ransomware and shared intelligence that led to the arrest of the ransomware’s operator.

Hackers target Microsoft SQL servers in Mimic ransomware attacks

A group of financially motivated Turkish hackers targets Microsoft SQL (MSSQL) servers worldwide to encrypt the victims’ files with Mimic (N3ww4v3) ransomware.

Ransomware victims targeted by fake hack-back offers

Some organizations victimized by the Royal and Akira ransomware gangs have been targeted by a threat actor posing as a security researcher who promised to hack back the original attacker and delete stolen victim data.

Black Basta-Affiliated Water Curupira’s Pikabot Spam Campaign

A threat actor we track under the Intrusion set Water Curupira (known to employ the Black Basta ransomware) has been actively using Pikabot. a loader malware with similarities to Qakbot, in spam campaigns throughout 2023.

New Phobos variant

PCrisk found a new Phobos variant that appends the .2700 extension and drops a ransom note named +README-WARNING+.txt.

New Abyss ransomware

PCrisk found a new ransomware that appends the .abyss extension and drops a ransom note named WhatHappened.txt.

January 10th 2024

Fidelity National Financial: Hackers stole data of 1.3 million people

Fidelity National Financial (FNF) has confirmed that a November cyberattack (claimed by the BlackCat ransomware gang) has exposed the data of 1.3 million customers.

January 11th 2024

Finland warns of Akira ransomware wiping NAS and tape backup devices

The Finish National Cybersecurity Center (NCSC-FI) is informing of increased Akira ransomware activity in December, targeting companies in the country and wiping backups.

Medusa Ransomware Turning Your Files into Stone

Unit 42 Threat Intelligence analysts have noticed an escalation in Medusa ransomware activities and a shift in tactics toward extortion, characterized by the introduction in early 2023 of their dedicated leak site called the Medusa Blog. Medusa threat actors use this site to disclose sensitive data from victims unwilling to comply with their ransom demands.

New Phobos variant

PCrisk found a new Phobos variant that appends the .mango extension and drops a ransom note named +README-WARNING+.txt.

New STOP Ransomware variants

PCrisk found new STOP ransomware variants that append the .cdtt and .cdpo extensions.

New Ping ransomware

PCrisk found a new ransomware that appends the .pings extension and drops a ransom note named FILE RECOVERY.txt.

January 12th 2024

New Dharma variant

PCrisk found a new Dharma ransomware variant that appends the .AeR extension and drops ransom notes named info.txt and info.hta.

New Xorist variant

PCrisk found a new Xorist variant that appends the .CoV extension and drops a ransom note named HOW TO DECRYPT FILES.txt.

That’s it for this week! Hope everyone has a nice weekend!





Source link