Governments struck back this week against members of ransomware operations, imposing sanctions on one threat actor and sentencing another to prison.
On Tuesday, the Australian, US, and UK governments announced sanctions against Aleksandr Gennadievich Ermakov, a Russian national believed to be responsible for the 2022 Medibank hack and a member of the REvil ransomware group.
In a report by Intel471, we learn that Ermakov had extensive involvement in cybercrime, including as a ransomware operator and affiliate. The threat actor is also believed to be involved in both legitimate and criminal software development.
On Thursday, a US federal court also sentenced Russian national Vladimir Dunaev to five years and four months in prison for helping to create and distribute the TrickBot malware and for working with ransomware operations.
“Dunaev was a malware developer for the Trickbot Group, overseeing the creation of internet browser injection, machine identification, and data harvesting codes used by the Trickbot malware,” reads the complaint against Dunaev and his co-conspirators.
The DOJ press release also states that Dunaev developed ransomware and helped deploy it in attacks on hospitals, schools, and businesses in the US.
Unfortunately, we also learned about numerous large-scale attacks this week, including an Akira attack on Tietoevry, an attack on water services giant Veolia North America, and an attack on fintech firm EquiLend, which LockBit claimed.
loanDepot also shared more information about the impact of its January 6th ransomware attack, stating that it exposed the data of 16.6 million people.
Contributors and those who provided new ransomware information and stories this week include: @billtoulas, @LawrenceAbrams, @serghei, @BleepinComputer, @Seifreed, @Ionut_Ilascu, @demonslay335, @fwosar, @malwrhunterteam, @NCSC, @TrendMicro, @Intrinsec, @Fortinet, @pcrisk, and @rivitna2.
January 20th 2024
Researchers link 3AM ransomware to Conti, Royal cybercrime gangs
Security researchers analyzing the activity of the recently emerged 3AM ransomware operation uncovered close connections with infamous groups, such as the Conti syndicate and the Royal ransomware gang.
January 21st 2024
Tietoevry ransomware attack causes outages for Swedish firms, cities
Finnish IT services and enterprise cloud hosting provider Tietoevry has suffered an Akira ransomware attack impacting cloud hosting customers in one of its data centers in Sweden.
January 22nd 2024
loanDepot cyberattack causes data breach for 16.6 million people
Mortgage lender loanDepot says that approximately 16.6 million people had their personal information stolen in a ransomware attack disclosed earlier this month.
Cactus Ransomware technical analysis
On January 20th the Cactus ransomware group attacked a number of victims across varying industries. The attacks were disclosed on their leak site with the accompanying victim data. The ransomware group has routinely put pressure on victims by releasing personal information about employees of the victim organization; this has included driver's licenses, passports, pictures and other personal identification.
New Phobos ransomware variant
PCrisk found a new Phobos ransomware variant that appends the .gotmydatafast extension.
New Frivinho Ransomware
PCrisk found a new ransomware that appends the .Frivinho0 extension and drops a ransom note named PLS_READ_ME.txt.
New Chaos Ransomware variant
PCrisk found a new ransomware that appends the .backoff extension and drops a ransom note named read_it.txt.
January 23rd 2024
Water services giant Veolia North America hit by ransomware attack
Veolia North America, a subsidiary of transnational conglomerate Veolia, disclosed a ransomware attack that impacted systems part of its Municipal Water division and disrupted its bill payment systems.
Kasseika ransomware uses antivirus driver to kill other antiviruses
A recently uncovered ransomware operation named ‘Kasseika’ has joined the club of threat actors that employ Bring Your Own Vulnerable Driver (BYOVD) tactics to disable antivirus software before encrypting files.
US, UK, Australia sanction REvil hacker behind Medibank data breach
The Australian, US, and UK governments have announced sanctions for Aleksandr Gennadievich Ermakov, a Russian national considered responsible for the 2022 Medibank hack and a member of the REvil ransomware group.
Threat Assessment: BianLian
Unit 42 researchers have been tracking the BianLian ransomware group, which has been in the top 10 of the most active groups based on leak site data we’ve gathered. From that leak site data, we’ve primarily observed activity affecting the healthcare and manufacturing sectors and industries, and impacting organizations mainly in the United States (US) and Europe (EU).
January 24th 2024
UK says AI will empower ransomware over the next two years
The United Kingdom’s National Cyber Security Centre (NCSC) warns that artificial intelligence (AI) tools will have an adverse near-term impact on cybersecurity, helping escalate the threat of ransomware.
Global fintech firm EquiLend offline after recent cyberattack
New York-based global financial technology firm EquiLend says its operations have been disrupted after some systems were taken offline in a Monday cyberattack.
Medibank’s Attacker: IT Businessman, Claimed Psychologist and Alleged Cybercriminal
Ermakov’s identity was uncovered by the Australian Signals Directorate (ASD) and the Australian Federal Police (AFP). According to a Jan. 23, 2024, exclusive interview with Australia’s Channel 9, ASD Acting Director-General Abi Bradshaw said the investigation met dead ends at times. But the ASD drew on help from other Five Eyes intelligence partners (the NSA, FBI and GCHQ in the U.K.) as well as data from private industry including Microsoft, which wrote about its role here. Bradshaw says Microsoft’s data reinforced the government’s confidence in Ermakov’s real-world identification.
New Phobos ransomware variant
PCrisk found a new Phobos ransomware variant that appends the .rdptest extension.
New LockXX ransomware
rivitna found the new LockXX ransomware that appends the .lockxx extension and drops a ransom note named lockxx.recovery_data.hta.
January 25th 2024
Russian TrickBot malware dev sentenced to 64 months in prison
Russian national Vladimir Dunaev has been sentenced to five years and four months in prison for his role in creating and distributing the Trickbot malware used in attacks against hospitals, companies, and individuals worldwide.
Another Phobos Ransomware Variant Launches Attack – FAUST
Recently, FortiGuard Labs uncovered an Office document containing a VBA script aimed at propagating the FAUST ransomware, another variant of Phobos. The attackers utilized the Gitea service to store several files encoded in Base64, each carrying a malicious binary. When these files are injected into a system’s memory, they initiate a file encryption attack. Figure 1 shows the attack chain.
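The FAUST chain described above stages Windows executables as Base64 text on a code-hosting service and decodes them in memory. A cheap triage check for that pattern is to pull Base64 runs out of a suspect file (a macro dump, a fetched repository file, a proxy-captured response), decode them, and test whether the result carries a PE header (an `MZ` DOS header whose `e_lfanew` field points at a `PE\0\0` signature). The following is an added example written for this roundup, not FortiGuard's code or anything from the FAUST sample; the macro text and the minimal PE stub it contains are constructed for the demonstration and are not malware.

```python
import base64
import binascii
import hashlib
import re
import struct

# Contiguous Base64 runs of at least 40 characters, optionally padded.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Constructed stand-in for a PE image: "MZ" DOS header with e_lfanew = 0x80 at
# offset 0x3C, zero padding up to 0x80, then the "PE\0\0" NT signature and a
# zeroed file header. It is not executable; it only carries the header layout.
PE_STUB = (
    b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80)
    + b"\x00" * (0x80 - 64)
    + b"PE\x00\x00" + b"\x00" * 20
)

# Constructed macro text: one Base64 string decodes to the PE stub above, the
# other to harmless ASCII. Real macros often split strings across "& _" line
# continuations; a production scanner would join those before matching.
SAMPLE_TEXT = (
    "Sub AutoOpen()\n"
    '  payload = "' + base64.b64encode(PE_STUB).decode() + '"\n'
    '  note = "' + base64.b64encode(
        b"hello from a harmless string that is long enough to match"
    ).decode() + '"\n'
    "End Sub\n"
)


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at PE\\0\\0."""
    if len(data) < 64 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return len(data) >= e_lfanew + 4 and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_embedded_pe(text: str) -> list:
    """Decode every Base64 run in text and report the ones that decode to a PE image."""
    hits = []
    for match in B64_RE.finditer(text):
        try:
            decoded = base64.b64decode(match.group(0), validate=True)
        except (binascii.Error, ValueError):
            # Not valid Base64 (bad length or alphabet); skip it.
            continue
        if looks_like_pe(decoded):
            hits.append({
                "offset": match.start(),            # where the blob sits in the text
                "length": len(decoded),             # decoded size in bytes
                "sha256": hashlib.sha256(decoded).hexdigest(),
            })
    return hits


if __name__ == "__main__":
    for hit in find_embedded_pe(SAMPLE_TEXT):
        print(f"embedded PE at text offset {hit['offset']}: "
              f"{hit['length']} bytes, sha256={hit['sha256']}")
```

The hash of each decoded blob is what you would pivot on: submit it to your sandbox or threat-intel platform rather than the Base64 text, since the same binary can be re-encoded into many distinct strings. The check deliberately requires both the `MZ` prefix and a valid `e_lfanew` so that random Base64 that happens to start with `MZ` is not flagged.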
January 26th 2024
Ransomware Roundup – Albabat
This edition of the Ransomware Roundup covers the Albabat ransomware.
New STOP ransomware variants
PCrisk found new STOP ransomware variants that append the .cdcc and .cdxx extensions.