The Week in Ransomware – May 26th 2023


Ransomware gangs continue to hammer local governments in attacks, taking down IT systems and disrupting cities' online services.

Earlier this month, we saw that with the Royal Ransomware attack on Dallas, and this week the City of Augusta, Georgia, is also suffering a cyberattack.

While the Augusta mayor’s office has disclosed a statement stating that they suffered a cyberattack, they did not share any details on the breach.

“The City of Augusta, GA began experiencing technical difficulties this past Sunday, May 21, 2023, unrelated to last week’s outage, resulting in a disruption to certain computer systems,” reads the City’s statement.

“We began an investigation and determined that we were the victim of unauthorized access to our system.”

However, today, the BlackByte ransomware operation claimed responsibility for the attack on Augusta, leaking data that they claim was stolen during the attack.

Other attacks we learned more about this week include a BlackBasta attack on German arms manufacturer Rheinmetall and ABB confirming data was stolen during an attack earlier this month.

The Cuba ransomware gang also claimed the attack on The Philadelphia Inquirer. However, after the publisher stated the data did not belong to them, Cuba took the Inquirer’s entry from their data leak site.

We also saw some interesting reports released by security firms and researchers:

Finally, ransomware affiliate Bassterlord released a “slightly” edited but highly sought-after version of his ransomware manual version 2.0 that was being sold for $10,000 on hacker forums.

While some researchers felt the manual lacked detail, threat actors can still use it to gain more knowledge and learn how to breach corporate networks.

While we are not sharing this manual, it is advised that all network defenders and security professionals read the translated versions floating around on Twitter, or some of the linked analyses below, to learn what tactics were being taught.

Contributors and those who provided new ransomware information and stories this week include: @demonslay335, @malwrhunterteam, @BleepinComputer, @serghei, @billtoulas, @fwosar, @Ionut_Ilascu, @struppigel, @LawrenceAbrams, @Seifreed, @security_score, @Unit42_Intel, @_CPResearch_, @pcrisk, @BroadcomSW, @uuallan, @Jon__DiMaggio, @AShukuhi, @BushidoToken, @BrettCallow, and @UK_Daniel_Card.

May 22nd 2023

Malicious Windows kernel drivers used in BlackCat ransomware attacks

The ALPHV ransomware group (aka BlackCat) was observed employing signed malicious Windows kernel drivers to evade detection by security software during attacks.

New STOP Ransomware variants

PCrisk found new STOP Ransomware variants that append the .gapo, .gatq, and .gaze extensions.

New MedusaLocker variant

PCrisk found a new MedusaLocker variant that appends the .itlock20 extension (the number may differ) and drops a ransom note named How_to_back_files.html.

May 23rd 2023

A Deep Dive into Medusa Ransomware

Medusa ransomware appeared in June 2021, and it became more active this year by launching the “Medusa Blog” containing data leaked from victims that didn’t pay the ransom. The malware stops a list of services and processes decrypted at runtime and deletes the Volume Shadow Copies.

IT employee impersonates ransomware gang to extort employer

A 28-year-old United Kingdom man from Fleetwood, Hertfordshire, has been convicted of unauthorized computer access with criminal intent and blackmailing his employer.

Arms maker Rheinmetall confirms BlackBasta ransomware attack

German automotive and arms manufacturer Rheinmetall AG confirms that it suffered a BlackBasta ransomware attack that impacted its civilian business.

Cuba ransomware claims cyberattack on Philadelphia Inquirer

The Cuba ransomware gang has claimed responsibility for this month’s cyberattack on The Philadelphia Inquirer, which temporarily disrupted the newspaper’s distribution and disrupted some business operations.

May 24th 2023

Iranian hackers use new Moneybird ransomware to attack Israeli orgs

A suspected Iranian state-supported threat actor known as ‘Agrius’ is now deploying a new ransomware strain named ‘Moneybird’ against Israeli organizations.

May 25th 2023

New Buhti ransomware gang uses leaked Windows, Linux encryptors

A new ransomware operation named ‘Buhti’ uses the leaked code of the LockBit and Babuk ransomware families to target Windows and Linux systems, respectively.

New STOP Ransomware variants

PCrisk found new STOP Ransomware variants that append the .vapo, .vatq, and .vaze extensions.

New FAST ransomware

PCrisk found a new ransomware that appends the .FAST extension and drops a ransom note named #FILEENCRYPTED.txt.

Really? $10K For THIS? A Look at Version 2.0 of Basterlord’s Manual

Basterlord released the much sought-after 2nd version of his manual on Twitter.

May 26th 2023

BlackByte ransomware claims City of Augusta cyberattack

The city of Augusta in Georgia, U.S., has confirmed that the most recent IT system outage was caused by unauthorized access to its network.

US govt contractor ABB confirms ransomware attack, data theft

Swiss tech multinational and U.S. government contractor ABB has confirmed that some of its systems were impacted by a ransomware attack, previously described by the company as “an IT security incident.”

New EXISC ransomware

PCrisk found a new ransomware variant that appends the .EXISC extension and drops a ransom note named Please Contact Us To Restore.txt.
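The new variants reported this week are identified only by the extension they append and the ransom note they drop. As an added example (not PCrisk's or BleepingComputer's code), the following triage script takes a file listing from an affected host and maps those indicators back to the families named above, generalizing the MedusaLocker rule to any number after .itlock as the entry notes; the family labels and the sample listing are constructed for this example.

```python
import re
from pathlib import PureWindowsPath

# Indicators from this week's entries; family labels are this example's own.
EXTENSION_RULES = [
    (re.compile(r"\.(gapo|gatq|gaze|vapo|vatq|vaze)$", re.I), "STOP/Djvu"),
    (re.compile(r"\.itlock\d+$", re.I), "MedusaLocker"),  # number may differ
    (re.compile(r"\.FAST$", re.I), "FAST"),
    (re.compile(r"\.EXISC$", re.I), "EXISC"),
]
RANSOM_NOTES = {
    "How_to_back_files.html": "MedusaLocker",
    "#FILEENCRYPTED.txt": "FAST",
    "Please Contact Us To Restore.txt": "EXISC",
}


def classify_path(path):
    """Return (family, kind) for a known indicator, or None if the path is clean."""
    name = PureWindowsPath(path).name
    if name in RANSOM_NOTES:
        return RANSOM_NOTES[name], "ransom_note"
    for pattern, family in EXTENSION_RULES:
        if pattern.search(name):
            return family, "encrypted_file"
    return None


def triage(paths):
    """Count hits per family and record which directories were touched."""
    summary = {}
    for p in paths:
        hit = classify_path(p)
        if hit is None:
            continue
        family, kind = hit
        entry = summary.setdefault(
            family, {"encrypted_file": 0, "ransom_note": 0, "dirs": set()})
        entry[kind] += 1
        entry["dirs"].add(str(PureWindowsPath(p).parent))
    return summary


# Constructed file listing standing in for a directory walk of an infected host.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.gatq",
    r"C:\Users\alice\Documents\photo.jpg.gaze",
    r"C:\Shares\finance\ledger.db.itlock23",
    r"C:\Shares\finance\How_to_back_files.html",
    r"C:\Shares\hr\contract.docx.FAST",
    r"C:\Shares\hr\#FILEENCRYPTED.txt",
    r"C:\Users\bob\notes.txt",
]

if __name__ == "__main__":
    for family, info in triage(SAMPLE_LISTING).items():
        print(family, info)
```

Feeding it the output of a real directory walk (for example `Get-ChildItem -Recurse` exported to a text file) gives a quick per-family picture of scope before restoration work starts.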

Analysis of “THE MANUAL”

Yesterday Basterlord (an infamous ransomware operator) published a copy of “Networking Manual v2.0” (which I’ll refer to as “the manual”). So I of course thought we should analyze this and look to see what he was selling for $10 thousand dollars!

On-Demand Webinar: The Lord Has Fallen

Join the author of Ransomware Diaries: Volume 2- A Ransomware Hacker Origin Story, Jon DiMaggio, for a dive into the ramifications Bassterlord has faced since his story came out.

That’s it for this week! Hope everyone has a nice weekend!