It has been a fairly quiet week regarding ransomware, with only a few reports released and no new significant attacks. However, we may have a rebrand in the making, and a ransomware operation is likely behind a new zero-day data-theft campaign, so we have some news to talk about.
Numerous companies had data stolen after threat actors utilized a zero-day vulnerability in the MOVEit Transfer program to breach servers.
While extortion demands have not been sent to victims yet, and no one has claimed responsibility, this attack is similar to previous Clop ransomware attacks using GoAnywhere MFT and Accellion FTA zero-days to steal files.
Therefore, it would not be surprising to learn that Clop is behind the recent MOVEit attacks.
There have also been rumors for weeks that Royal ransomware was rebranding to a new ransomware operation called BlackSuit. This week, Trend Micro analyzed encryptors from both operations and said that they share very strong similarities with each other.
While this is not a strong enough link, the attack on Dallas may have put the Royal ransomware operation in the crosshairs, scaring them into a rebrand.
Finally, IBM released a report on BlackCat/ALPHV’s new ‘Sphynx’ encryptor and other tools used by the operation, which is a worthwhile read.
We also learned about some previous ransomware attacks, including @Seifreed, @billtoulas, @Ionut_Ilascu, @struppigel, @BleepinComputer, @serghei, @LawrenceAbrams, @malwrhunterteam, @demonslay335, @fwosar, @rapid7, @HuntressLabs, @GossiTheDog, @IBMSecurity, @TrendMicro, @Avast, @jgreigj, and @pcrisk.
May 29th 2023
MCNA Dental data breach impacts 8.9 million people after ransomware attack
Managed Care of North America (MCNA) Dental has published a data breach notification on its website, informing almost 9 million patients that their personal data were compromised.
May 30th 2023
BlackCat (ALPHV) Ransomware Levels Up for Stealth, Speed and Exfiltration
BlackCat ransomware, which was among the top ransomware families observed by IBM Security X-Force in 2022, according to the 2023 X-Force Threat Intelligence Index, continues to wreak havoc across organizations globally this year. BlackCat (a.k.a. ALPHV) ransomware affiliates’ more recent attacks include targeting organizations in the healthcare, government, education, manufacturing and hospitality sectors. Reportedly, several of these incidents resulted in the group’s publishing of sensitive data to their leak site including financial and medical information stolen from the victim organizations.
New STOP ransomware variants
PCrisk found new STOP ransomware variants that append the .weon or .werz extension.
New Dharma Variant
PCrisk found a new Dharma ransomware variant that appends the .xCor extension.
May 31st 2023
Investigating BlackSuit Ransomware’s Similarities to Royal
Royal ransomware, which is already one of the most notable ransomware families of 2022, has gained additional notoriety in early May 2023 after it was used to attack IT systems in Dallas, Texas. Around the same period, several researchers on Twitter came across a new ransomware family called BlackSuit that targeted both Windows and Linux users. Additional Twitter posts mentioned connections between BlackSuit and Royal, which piqued our interest. We managed to retrieve and analyze a Windows 32-bit sample of the ransomware from Twitter.
New STOP Variant
PCrisk found a new STOP ransomware variant that appends the .weqp extension.
June 1st 2023
New MOVEit Transfer zero-day mass-exploited in data theft attacks
Hackers are actively exploiting a zero-day vulnerability in the MOVEit Transfer file transfer software to steal data from organizations.
Harvard Pilgrim Health Care ransomware attack hits 2.5 million people
Harvard Pilgrim Health Care (HPHC) has disclosed that a ransomware attack it suffered in April 2023 impacted 2,550,922 people, with the threat actors also stealing their sensitive data from compromised systems.
June 2nd 2023
The rise and fall of ransomware: Insights from Avast’s Q1/2023 Threat Report
Ransomware has been a prominent threat in cybersecurity for more than a decade, but the rates of incidents are showing slight decline. The Avast Q1/2023 Threat Report examines why.
Legal services platform used by SEC, Pentagon investigating ransomware attack claims
A legal document platform used by several arms of the U.S. government is investigating claims by a ransomware group that it has been attacked.