The Week in Ransomware – January 20th 2023


There has been quite a bit of ransomware news this week, with crypto exchanges being seized for alleged money laundering and researchers providing fascinating reports on the behavior of ransomware operators.

The most fascinating report this week comes from Jon DiMaggio who spent months going undercover to learn more about the LockBit’s ransomware operation and its public representative known as LockBitSupp.

For those who want to learn more about the rise of the most prominent ransomware operation at this time, you should definitely give DiMaggio’s Unlocking LockBit – a Ransomware Story a read.

The US and France also conducted a law enforcement operation where they seized the domain and arrested the operator of the Bizlato crypto exchange for allegedly money laundering crypto proceeds generated from ransomware and illegal drug transaction.

We also learned more about ransomware attacks conducted this week and in the past, including:

However, it’s not all bad news this week, with Avast releasing a free decryptor for the BianLian ransomware.

Furthermore, reports from both Chainalysis and Coveware illustrate that ransomware payments dropped approximately 40% in 2022 as companies refuse to pay and the enterprise invests in stronger security and better backups.

Contributors and those who provided new ransomware information and stories this week include: @LawrenceAbrams, @demonslay335, @malwrhunterteam, @Seifreed, @billtoulas, @PolarToffee, @struppigel, @serghei, @fwosar, @BleepinComputer, @Ionut_Ilascu, @chainalysis, @coveware, @BrettCallow, @jgreigj, @pcrisk, @Avast, and @Jon__DiMaggio.

January 16th 2023

Unlocking LockBit – A Ransomware Story

The LockBit ransomware gang is one of the most notorious organized cybercrime syndicates that exists today. The gang is behind attacks targeting private-sector corporations and other high-profile industries worldwide. News and media outlets have documented many LockBit attacks, while security vendors offer technical assessments explaining how each occurred. Although these provide insight into the attacks, I wanted to know more about the human side of the operation to learn about the insights, motivations, and behaviors of the individuals on the other side of the keyboard

Avast releases free BianLian ransomware decryptor

Security software company Avast has released a free decryptor for the BianLian ransomware strain to help victims of the malware recover locked files without paying the hackers.

Vice Society ransomware leaks University of Duisburg-Essen’s data

The Vice Society ransomware gang has claimed responsibility for a November 2022 cyberattack on the University of Duisburg-Essen (UDE) that forced the university to reconstruct its IT infrastructure, a process that’s still ongoing.

New STOP Ransomware variants

PCrisk found new STOP ransomware variants that append the .poqw and .pouu extensions.

New VoidCrypt ransomware

PCRisk found a new VoidCrypt variant that appends the .gogo extension and drops a ransom note named unlock-info.txt.

January 17th 2023

Ransomware attack on maritime software impacts 1,000 ships

About 1,000 vessels have been affected by a ransomware attack against a major software supplier for ships.

New Phobos ransomware variant

PCRisk found a Phobos variant that appends the .STEEL extension and drops a ransom note named info.txt.

January 18th 2023

Bitzlato crypto exchange seized for ransomware, drugs money laundering

The U.S. Department of Justice arrested and charged Russian national Anatoly Legkodymov, the founder of the Hong Kong-registered cryptocurrency exchange Bitzlato, with helping cybercriminals allegedly launder illegally obtained money.

Ukraine links data-wiping attack on news agency to Russian hackers

The Computer Emergency Response Team of Ukraine (CERT-UA) has linked a destructive malware attack targeting the country’s national news agency (Ukrinform) to Sandworm Russian military hackers.

New Xorist ransomware variant

PCRisk found a Xorist variant that appends the .BoY extension and drops a ransom note named HOW TO DECRYPT FILES.txt.

January 19th 2023

Ransomware profits drop 40% in 2022 as victims refuse to pay

Ransomware gangs extorted from victims about $456.8 million throughout 2022, a drop of roughly 40% from the record-breaking $765 million recorded in the previous two years.

Ransomware gang steals data from KFC, Taco Bell, and Pizza Hut brand owner

Yum! Brands, the fast food brand operator of KFC, Pizza Hut, Taco Bell, and The Habit Burger Grill fast-food restaurant chains, has been targeted by a ransomware attack that forced the closure of 300 locations in the United Kingdom.

Qulliq Energy Corporation impacted by a cybersecurity incident

Qulliq Energy Corporation (QEC) was targeted in an illegal cyberattack on January 15. QEC’s network was breached, and the corporation took immediate actions to contain the situation.

New STOP Ransomware variants

PCrisk found new STOP ransomware variants that append the .mzqw and .mzop extensions.

January 20th 2023

LAUSD says Vice Society ransomware gang stole contractors’ SSNs

Los Angeles Unified School District (LAUSD), the second-largest school district in the United States, says the Vice Society ransomware gang has stolen files containing contractors’ personal information, including Social Security Numbers (SSNs).

Improved Security and Backups Result in Record Low Number of Ransomware Payments

Over the last 4 years, the propensity for victims of ransomware to pay a ransom has fallen dramatically, from 85% of victims in Q1 of 2019, to 37% of victims in Q4 of 2022. On an annual basis, 41% of victims paid in 2022 vs. 76% in 2019. Despite the best efforts of the cyber criminals rowing in the opposite direction, shaving 48 whole percentage points of this key indicator has been the result of several factors.

Costa Rica’s Ministry of Public Works and Transport crippled by ransomware attack

Costa Rica’s government has suffered another ransomware attack just months after several ministries were crippled in a wide-ranging attack by hackers using the Conti ransomware.

That’s it for this week! Hope everyone has a nice weekend!





Source link