The Week in Ransomware – November 17th 2023


Ransomware gangs target exposed Citrix Netscaler devices using a publicly available exploit to breach large organizations, steal data, and encrypt files.

The threat actors exploit the Citrix Bleed vulnerability (CVE-2023-4966), which was disclosed last month and continues to be abused in attacks.

Security researcher Kevin Beaumont, who has been tracking the attacks, has found that many recent victims also utilized vulnerable Citrix Netscaler devices at the time of the attack, allowing initial access to the corporate network.

Some companies that recently suffered a cyberattack and utilized vulnerable Citrix Netscaler devices include Toyota Financial Services, Industrial and Commercial Bank of China (ICBC), DP World, Allen & Overy, and Boeing.

DP World running Citrix server vulnerable to Citrix Bleed flaw
DP World running Citrix server vulnerable to Citrix Bleed flaw
Source: Kevin Beaumont

While it is known that affiliates for the LockBit and Medusa ransomware gangs are behind some of these attacks, it is likely widely being exploited by other criminal operations.

In other news, the BlackCat ransomware gang took the bold step of filing an SEC complaint on one of its victims for not disclosing they suffered a cyberattack.

The threat actors tried to get the company into trouble for a new SEC rule that requires publicly traded companies to report cyberattacks within four days if they have a material impact. However, this rule does not go into effect until December 15th, 2023.

While many ransomware gangs have threatened to report cyberattacks to the SEC if a ransom was not paid, this could be the first publicly disclosed use of the extortion strategy.

We also learned more about recent attacks and tactics used by ransomware threat actors, which are highlighted below:

Contributors and those who provided new ransomware information and stories this week include: @serghei, @demonslay335, @billtoulas, @fwosar, @Seifreed, @malwrhunterteam, @BleepinComputer, @Ionut_Ilascu, @LawrenceAbrams, @GossiTheDog, @BrettCallow, @PogoWasRight, @pcrisk, @NCCGroupInfosec,

November 13th 2023

FBI: Royal ransomware asked 350 victims to pay $275 million

The FBI and CISA revealed in a joint advisory that the Royal ransomware gang has breached the networks of at least 350 organizations worldwide since September 2022.

Don’t throw a hissy fit; defend against Medusa

Not to be confused with MedusaLocker, Medusa was first observed in 2021, is a Ransomware-as-a-Service (RaaS) often using the double extortion method for monetary gain. In 2023 the groups’ activity increased with the launch of the ‘Medusa Blog’. This platform serves as a tool for leaking data belonging to victims.

Key Ransomware Indicator Up 56% Year-on-Year: October Data

In October attacks fell by 15.12% from the prior month according to the volume of victims posted on ransomware leak sites, but remained high from a year-on-year perspective with a 54.67% increase over October 2022. Last month also marked the tenth consecutive with a YoY increase in ransomware victims posted to leak sites, and the eighth consecutive with a count above 300.

New 1337 Ransomware

PCrisk found a new 1337 Ransomware that appends the .1337 extension and drops a ransom note named yourhope.txt.

November 14th 2023

LockBit ransomware exploits Citrix Bleed in attacks, 10K servers exposed

The Lockbit ransomware attacks use publicly available exploits for the Citrix Bleed vulnerability (CVE-2023-4966) to breach the systems of large organizations, steal data, and encrypt files.

New GlobeImposter variant

PCrisk found a new GlobeImposter variant that appends the .Pig865qq extension.

November 15th 2023

Ransomware gang files SEC complaint over victim’s undisclosed breach

The ALPHV/BlackCat ransomware operation has taken extortion to a new level by filing a U.S. Securities and Exchange Commission complaint against one of their alleged victims for not complying with the four-day rule to disclose a cyberattack.

Toronto Public Library confirms data stolen in ransomware attack

The Toronto Public Library (TPL) confirmed that the personal information of employees, customers, volunteers, and donors was stolen from a compromised file server during an October ransomware attack.

FBI and CISA warn of opportunistic Rhysida ransomware attacks

The FBI and CISA warned today of Rhysida ransomware gang’s opportunistic attacks targeting organizations across multiple industry sectors.

New ransomware variant

PCrisk found a new ransomware variant that appends the .shanova extension and drops a ransom note named read_it.txt.

November 16th 2023

FBI shares tactics of notorious Scattered Spider hacker collective

The Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency released an advisory about the evasive threat actor tracked as Scattered Spider, a loosely knit hacking collective that now collaborates with the ALPHV/BlackCat Russian ransomware operation.

Toyota confirms breach after Medusa ransomware threatens to leak data

Toyota Financial Services (TFS) has confirmed that it detected unauthorized access on some of its systems in Europe and Africa after Medusa ransomware claimed an attack on the company.

New STOP ransomware variants

PCrisk found new STOP ransomware variants that append the .eqza and .eqew extensions.

November 17th 2023

British Library: Ongoing outage caused by ransomware attack

The British Library confirmed that a ransomware attack is behind a major outage that is still affecting services across several locations.

Yamaha Motor confirms ransomware attack on Philippines subsidiary

Yamaha Motor’s Philippines motorcycle manufacturing subsidiary was hit by a ransomware attack last month, resulting in the theft and leak of some employees’ personal information.

That’s it for this week! Hope everyone has a nice weekend!





Source link