The Week in Ransomware – November 3rd 2023
Over the past couple of months, ransomware attacks have been escalating as new operations launch, old ones return, and existing operations continue to target the enterprise.

This week, the Toronto Public Library was attacked by the Black Basta ransomware gang, taking many of its online services offline.

Other attacks we learned about this week include ACE Hardware, Mr. Cooper, and the British Library. While these are not confirmed to be ransomware attacks, they share many signs usually associated with such attacks.

Due to the increasing number of attacks, an alliance of 40 countries will sign a pledge during the third annual International Counter-Ransomware Initiative summit in Washington, D.C., to stop paying ransoms demanded by cybercriminal groups.

However, this may be an empty pledge, as federal governments typically do not pay ransomware demands anyway, and it does not prevent local governments from giving in to extortion demands.

Microsoft also pledges to bolster security as part of its ‘Secure Future’ initiative by improving the built-in security of its products and platforms to better protect customers against escalating cybersecurity threats.

Finally, new research was released this week about ransomware, including:

Hive’s possible return is particularly interesting, as they were previously disrupted after the FBI hacked Hive’s servers and seized infrastructure.

Contributors and those who provided new ransomware information and stories this week include: @Seifreed, @malwrhunterteam, @demonslay335, @billtoulas, @serghei, @Ionut_Ilascu, @LawrenceAbrams, @fwosar, @BleepinComputer, @SecurityJoes, @rivitna2, @BushidoToken, @AlvieriD, @rapid7, @BradSmi, @uptycs, @pcrisk, @PogoWasRight, and @BrettCallow.

October 28th 2023

Stanford University Investigating “Cybersecurity Incident”

Earlier in the day, the Akira ransomware group had listed Stanford University on its leak site with a note, “Soon the university will be also known for 430Gb of internal data leaked online. Private information, confidential documents etc.”

October 29th 2023

New Hunters International ransomware possible rebrand of Hive

A new ransomware-as-a-service brand named Hunters International has emerged using code from the Hive ransomware operation, leading to the reasonable assumption that the old gang has resumed activity under a different flag.

October 30th 2023

New BiBi-Linux wiper malware targets Israeli orgs in destructive attacks

A new wiper malware known as BiBi-Linux is being used to destroy data in attacks targeting Linux systems belonging to Israeli companies.

Toronto Public Library services down following weekend cyberattack

The Toronto Public Library (TPL) is warning that many of its online services are offline after suffering a cyberattack over the weekend, on Saturday, October 28.

New STOP ransomware variants

PCrisk found new STOP ransomware variants that append the .ppvs, .ppvt, and .ppvw extensions.

New Chaos ransomware variant

PCrisk found a new Chaos ransomware variant that appends the .BlackHatUP extension and drops a ransom note named read_it.txt.

New Ran Ransomware

PCrisk found a new Ran ransomware that appends the .Ran extension and drops a ransom note named Payment.txt.

October 31st 2023

British Library knocked offline by weekend cyberattack

The British Library has been hit by a major IT outage affecting its website and many of its services following a “cyber incident” that impacted its systems on Saturday, October 28.

Dozens of countries will pledge to stop paying ransomware gangs

An alliance of 40 countries will sign a pledge during the third annual International Counter-Ransomware Initiative summit in Washington, D.C., to stop paying ransoms demanded by cybercriminal groups.

Step-by-step through the Money Message ransomware

Money Message is an insidious ransomware family known for resisting detection and remediation in various ways. We walk through a recent case

November 1st 2023

Toronto Public Library outages caused by Black Basta ransomware attack

The Toronto Public Library is experiencing ongoing technical outages due to a Black Basta ransomware attack.

Advarra hacked, threat actors threatening to leak data

On or about October 25, Advarra was hacked and data was exfiltrated. According to one of the people involved in the attack, the executives knew about the breach on October 25 but would not pay or even negotiate with them.

Daixin Team claims responsibility for attacks affecting Canadian hospitals, starts leaking data

Daixin Team is now claiming responsibility for — and leaking data from — an attack that has significantly impacted five Canadian hospitals in Ontario.

HC3: Analyst Note – 8Base Ransomware

A recent attack on a U.S.-based medical facility in October 2023 highlights the potential threat of the ransomware gang, 8Base, to the Healthcare and Public Health (HPH) sector. Active since March 2022, 8Base became highly active in the summer of 2023, focusing their indiscriminate targeting on multiple sectors primarily across the United States.

November 2nd 2023

Microsoft pledges to bolster security as part of ‘Secure Future’ initiative

Microsoft announced today the ‘Secure Future Initiative,’ pledging to improve the built-in security of its products and platforms to better protect customers against escalating cybersecurity threats.

Boeing confirms cyberattack amid LockBit ransomware claims

Aerospace giant Boeing is investigating a cyberattack that impacted its parts and distribution business after the LockBit ransomware gang claimed that they breached the company’s network and stole data.

HelloKitty ransomware now exploiting Apache ActiveMQ flaw in attacks

The HelloKitty ransomware operation is exploiting a recently disclosed Apache ActiveMQ remote code execution (RCE) flaw to breach networks and encrypt devices.

Mortgage giant Mr. Cooper hit by cyberattack impacting IT systems

U.S. mortgage lending giant Mr. Cooper was breached in a cyberattack that caused the company to shut down IT systems, including access to their online payment portal.

BlackCat ransomware claims breach of healthcare giant Henry Schein

The BlackCat (ALPHV) ransomware gang claims it breached the network of healthcare giant Henry Schein and stole dozens of terabytes of data, including payroll data and shareholder information.

November 3rd 2023

GhostSec: From Fighting ISIS to Possibly Targeting Israel with RaaS

The hacker collective called GhostSec has unveiled a new Ransomware-as-a-Service (RaaS) framework called GhostLocker. They offer support to customers interested in acquiring the service through a dedicated Telegram channel. Presently, GhostSec is focusing its attacks on Israel. This move represents a surprising departure from their past activities and stated agenda.

That’s it for this week! Hope everyone has a nice weekend!
