The Week in Ransomware – July 21st 2023

This edition of the Week in Ransomware covers the last two weeks of news, as we could not cover it last week, and includes quite a bit of new information, including the return of the Avaddon ransomware gang.

Last month, a new ransomware operation named NoEscape (or No_Escape) was launched that quickly began amassing a stream of new corporate victims.

After the operation’s encryptor was analyzed, it soon became apparent that NoEscape was a rebrand of Avaddon, who shut down their operation in June 2020 after feeling the heat from law enforcement.

However, it looks like the gang never really retired but was simply biding its time until it could return as the new NoEscape operation, most likely working within other ransomware operations in the meantime.

While the gang has claimed not to have any affiliation with Avaddon, their encryptor is very similar to the former operation’s ransomware, according to ransomware expert Michael Gillespie.

This includes a unique encryption chunking routine only used by Avaddon, similarities in code, the same configuration file format, and many other routines. The only significant change was the switch from AES encryption to Salsa20.

Law enforcement has been busy, arresting a Ukrainian scareware developer after a 10-year hunt and an IT employee sentenced to over three years in prison for impersonating a ransomware gang in an extortion scheme.

In other ransomware reports from BleepingComputer and cybersecurity firms:

Finally, Clop’s data theft attacks using the MOVEit Transfer zero-day continue to be a hot topic in the news, with companies continuing to disclose data breaches as they are added to the gang’s data leak site.

According to a new Coveware report released today, these attacks have been very successful, with the ransomware gang expected to earn $75-100 million in extortion payments.

Contributors and those who provided new ransomware information and stories this week include: @demonslay335, @Seifreed, @BleepinComputer, @malwrhunterteam, @billtoulas, @Ionut_Ilascu, @struppigel, @fwosar, @LawrenceAbrams, @serghei, @chainalysis, @TrendMicro, @Intel_by_KELA, @pcrisk, @SophosXOps, @coveware, @BroadcomSW, and @azalsecurity.

July 8th 2023

New ‘Big Head’ ransomware displays fake Windows update alert

Security researchers have dissected a recently emerged ransomware strain named ‘Big Head’ that may be spreading through malvertising that promotes fake Windows updates and Microsoft Word installers.

New Makop Ransomware variant

PCrisk found new Makop ransomware variants that append the .rajah extension and drop a ransom note named +README-WARNING+.txt.

New STOP Ransomware variants

PCrisk found new STOP variants that append the .gayn and .gazp extensions.

July 12th 2023

Ransomware payments on record-breaking trajectory for 2023

Data from the first half of the year indicates that ransomware activity is on track to break previous records, seeing a rise in the number of payments, both big and small.

New STOP Ransomware variants

PCrisk found new STOP variants that append the .waqq and .gaqq extensions.

New Chaos ransomware variant

PCrisk found a new Chaos variant that appends the .hackedbySnea575 extension and drops a ransom note named README_txt.txt.

July 14th 2023

Shutterfly says Clop ransomware attack did not impact customer data

Shutterfly, an online retail and photography manufacturing platform, is among the latest victims hit by Clop ransomware.

July 17th 2023

Meet NoEscape: Avaddon ransomware gang’s likely successor

The new NoEscape ransomware operation is believed to be a rebrand of Avaddon, a ransomware gang that shut down and released its decryption keys in 2021.

Police arrest Ukrainian scareware developer after 10-year hunt

The Spanish National Police has apprehended a Ukrainian national wanted internationally for his involvement in a scareware operation spanning from 2006 to 2011.

IT worker jailed for impersonating ransomware gang to extort employer

28-year-old Ashley Liles, a former IT employee, has been sentenced to over three years in prison for attempting to blackmail his employer during a ransomware attack.

New STOP Ransomware variants

PCrisk found new STOP variants that append the .miza, .mitu, and .miqe extensions.

New Xorist variant

PCrisk found a new Xorist variant that appends the .PrO extension and drops a ransom note named HOW TO DECRYPT FILES.txt.

July 18th 2023

Cybersecurity firm Sophos impersonated by new SophosEncrypt ransomware

Cybersecurity vendor Sophos is being impersonated by a new ransomware-as-a-service called SophosEncrypt, with the threat actors using the company name for their operation.

FIN8 deploys ALPHV ransomware using Sardonic malware variant

A financially motivated cybercrime gang has been observed deploying BlackCat ransomware payloads on networks backdoored using a revamped Sardonic malware version.

July 19th 2023

Estée Lauder beauty giant breached by two ransomware gangs

Two ransomware actors, ALPHV/BlackCat and Clop, have listed beauty company Estée Lauder on their data leak sites as a victim of separate attacks.

July 20th 2023

Kanti: A NIM-Based Ransomware Unleashed in the Wild

New programming languages often have fewer security measures and less mature detection mechanisms than well-established ones. Threat Actors (TAs) often attempt to bypass traditional security defenses and avoid detection by using a less-known programming language.

New Khronos ransomware

PCrisk found a new Khronos ransomware that appends the .khronos extension and drops a ransom note named info.hta.

July 21st, 2023

Clop gang to earn over $75 million from MOVEit extortion attacks

The Clop ransomware gang is expected to earn between $75-100 million from extorting victims of their massive MOVEit data theft campaign.

Ransom Monetization Rates Fall to Record Low Despite Jump In Average Ransom Payments

In the second quarter of 2023, the percentage of ransomware attacks that resulted in the victim paying fell to a record low of 34%. The trend represents the compounding effects that we have noted previously of companies continuing to invest in security, continuity assets, and incident response training. Despite these encouraging statistics, ransomware threat actors and the entire cyber extortion economy continue to evolve their attack and extortion tactics.

Bl00dy ransomware gang returns

AzAl Security noted that the ransomware gang is recruiting new affiliates, but requires a payment first.

Bl00dy ransomware has now advertised in the RAMP forum and is asking 10k USD to join their affiliate program. This is half the price of LockBit's fee. Bl00dy appears to have felt some heat and is looking to be more covert. Notably, the poster appears to be a native English speaker.

New STOP Ransomware variants

PCrisk found new STOP variants that append the .kiqu and .kizu extensions.

New Black Hunt 2.0 ransomware

PCrisk found a new Black Hunt 2.0 ransomware variant that appends the .Hunt2 extension and drops ransom notes named #BlackHunt_ReadMe.txt and #BlackHunt_ReadMe.hta.
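The appended extensions and ransom-note file names reported in the PCrisk entries above (Makop, STOP, Chaos, Xorist, Khronos and Black Hunt 2.0) are the kind of indicator a responder can sweep a file share or backup listing for. The script below is an added example, not code from BleepingComputer or PCrisk: it maps each indicator to its family, groups hits by directory, and flags a directory when a ransom note is present or when several files carry a known extension. The file listing and the three-file threshold are constructed for the example; the indicator values themselves come from the entries on this page.

```python
"""Indicator scan for the ransomware variants listed in this digest.

Indicator table: file extensions and ransom-note names from the PCrisk entries
on this page. The file listing and threshold below are constructed for the example.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# Appended extension -> family (lower-cased; Windows file systems are case-insensitive).
EXTENSIONS = {
    ".rajah": "Makop",
    ".gayn": "STOP", ".gazp": "STOP", ".waqq": "STOP", ".gaqq": "STOP",
    ".miza": "STOP", ".mitu": "STOP", ".miqe": "STOP", ".kiqu": "STOP", ".kizu": "STOP",
    ".hackedbysnea575": "Chaos",
    ".pro": "Xorist",          # .PrO on the page; collides with legitimate .pro files
    ".khronos": "Khronos",
    ".hunt2": "Black Hunt 2.0",
}

# Ransom-note file name -> family.
RANSOM_NOTES = {
    "+readme-warning+.txt": "Makop",
    "readme_txt.txt": "Chaos",
    "how to decrypt files.txt": "Xorist",
    "info.hta": "Khronos",
    "#blackhunt_readme.txt": "Black Hunt 2.0",
    "#blackhunt_readme.hta": "Black Hunt 2.0",
}

# A single renamed file is weak evidence (".pro" is also a normal extension), so a
# directory is flagged on a ransom note or on this many renamed files. The threshold
# is an assumption chosen for the example, not a figure from the page.
MIN_ENCRYPTED_FILES = 3


def classify(path):
    """Return (family, "note") or (family, "encrypted") for one path, else None."""
    p = PureWindowsPath(path)          # accepts both \ and / separators
    name = p.name.lower()
    if name in RANSOM_NOTES:
        return RANSOM_NOTES[name], "note"
    family = EXTENSIONS.get(p.suffix.lower())
    return (family, "encrypted") if family else None


def scan(paths):
    """Group indicator hits by parent directory: {dir: {family: {"encrypted": n, "notes": [...]}}}."""
    hits = defaultdict(lambda: defaultdict(lambda: {"encrypted": 0, "notes": []}))
    for path in paths:
        found = classify(path)
        if not found:
            continue
        family, kind = found
        p = PureWindowsPath(path)
        entry = hits[str(p.parent).lower()][family]
        if kind == "note":
            entry["notes"].append(p.name)
        else:
            entry["encrypted"] += 1
    return hits


def flagged(paths, min_files=MIN_ENCRYPTED_FILES):
    """Return sorted (directory, family, renamed_count, has_note) for directories that trip the rule."""
    out = []
    for directory, families in scan(paths).items():
        for family, entry in families.items():
            has_note = bool(entry["notes"])
            if has_note or entry["encrypted"] >= min_files:
                out.append((directory, family, entry["encrypted"], has_note))
    return sorted(out)


SAMPLE_LISTING = [  # constructed sample, not real hosts or victims
    r"C:\Users\alice\Documents\budget.xlsx.kiqu",
    r"C:\Users\alice\Documents\notes.docx.kiqu",
    r"C:\Users\alice\Documents\photo.jpg.kiqu",
    r"C:\Users\alice\Documents\todo.txt",
    r"D:\Shares\finance\Q2.pdf.rajah",
    r"D:\Shares\finance\+README-WARNING+.txt",
    r"C:\Projects\site\config.pro",      # one legitimate .pro file: stays below threshold
    r"C:\Users\bob\Desktop\thesis.docx",
]

if __name__ == "__main__":
    for directory, family, count, has_note in flagged(SAMPLE_LISTING):
        evidence = "ransom note present" if has_note else f"{count} renamed files"
        print(f"{directory}: {family} ({evidence})")
```

Run against a recursive listing of a share (for example the output of a file inventory or backup catalog) the same functions produce a per-directory view of which family touched what, which is what triage needs before restoring from backup; extension tables like this one go stale quickly, since STOP alone shipped nine new extensions in the two weeks covered here, so treat the table as something to refresh from each digest rather than a fixed signature set.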

That’s it for this week! Hope everyone has a nice weekend!
