The Week in Ransomware – March 24th 2023


This week’s news has been dominated by the Clop ransomware gang extorting companies whose GoAnywhere services were breached using a zero-day vulnerability.

Over the past month, one hundred new companies have been added to Clop’s data leak site, with the extortion gang threatening to leak data if a ransom is not paid.

While it is not confirmed if all of these companies were breached using the GoAnywhere zero-day, BleepingComputer has confirmed this week that Saks Fifth Avenue, the City of Toronto, Procter & Gamble, Virgin Red, and the UK Pension Protection Fund are related to the vulnerability.

In strange news this week, the City of Oakland is suddenly being extorted on the LockBit data leak site, even though a few weeks ago it was claimed as a victim of a Play ransomware attack. It is unclear if LockBit is helping Play extort the City.

There also appears to be a spat brewing between the Monti ransomware gang and Donut Leaks.

Finally, two ransomware reports were released this week: one on the ALC scareware that pretends to be ransomware, and a write-up on the DarkPower gang.

Contributors and those who provided new ransomware information and stories this week include: @BleepinComputer, @Seifreed, @fwosar, @malwrhunterteam, @LawrenceAbrams, @serghei, @demonslay335, @billtoulas, @PogoWasRight, @cyfirma, @pcrisk, @Trellix, and @jgreigj.

March 19th 2023

MONTI ransomware gang leaks Donut Leaks

In one of the more intriguing listings of this week, the MONTI ransomware group has added another group, Donut Leaks, to their leak site.

March 20th 2023

ALC Scareware Pretends to be a Ransomware

The research team at CYFIRMA recently discovered a malicious sample in the wild which pretends to be a ransomware named ALC Ransomware. Our research team analysed it and found it to actually be scareware, as it does not encrypt files on the victim machine.

New STOP Ransomware variant

PCrisk found a new STOP ransomware variant that appends the .darj extension to encrypted files.

March 21st 2023

LockBit ransomware gang now also claims City of Oakland breach

Another ransomware operation, the LockBit gang, now threatens to leak what it describes as files stolen from the City of Oakland’s systems.

Clop ransomware claims Saks Fifth Avenue, retailer says mock data stolen

The Clop ransomware gang claims to have attacked Saks Fifth Avenue on its dark web leak site.

March 22nd 2023

Dole discloses employee data breach after ransomware attack

Fresh produce giant Dole Food Company has confirmed threat actors behind a February ransomware attack have accessed the information of an undisclosed number of employees.

New STOP Ransomware variant

PCrisk found a new STOP ransomware variant that appends the .tywd extension to encrypted files.

New Xorist ransomware variant

PCrisk found a new Xorist ransomware variant that appends the .Rans-A extension and drops ransom notes named HOW TO DECRYPT FILES.txt.

March 23rd 2023

City of Toronto confirms data theft, Clop claims responsibility

City of Toronto is among Clop ransomware gang’s latest victims hit in the ongoing GoAnywhere hacking spree.

Tennessee city hit with ransomware attack

Oak Ridge, Tennessee said city officials are working with law enforcement and cybersecurity experts to deal with a ransomware attack affecting its technology systems.

New STOP Ransomware variant

PCrisk found a new STOP ransomware variant that appends the .tyos extension to encrypted files.

March 24th 2023

Procter & Gamble confirms data theft via GoAnywhere zero-day

Consumer goods giant Procter & Gamble has confirmed a data breach affecting an undisclosed number of employees after its GoAnywhere MFT secure file-sharing platform was compromised in early February.

That’s it for this week! Hope everyone has a nice weekend!