Ransomware gangs continue to pummel the enterprise, with attacks causing disruption in business operations and resulting in data breaches if a ransom is not paid.
This week, we learned of three attacks impacting well-known companies, with BianLian claiming the attack on Air Canada and ALPHV claiming an attack on state courts across Northwest Florida (part of the First Judicial Circuit) last week.
A cyberattack on Simpson Manufacturing caused the company to shut down IT systems, but it has not been confirmed as a ransomware attack.
In other news, a threat actor released the source code for the first version of Hello Kitty ransomware, claiming to be developing a new one that will rival LockBit.
Finally, researchers and government agencies released some interesting news this week:
- A new Q3 2023 Ransomware Trends Summary shows that ransomware continues to explode, with Q3 being the most successful quarter ever recorded.
- The FBI shared technical details, defense tips, and IOCs for the AvosLocker ransomware, which has not been active lately.
- Ransomware attacks have now started to target unpatched WS_FTP servers. However, these attacks focus on encryption rather than data theft.
Contributors and those who provided new ransomware information and stories this week include: @fwosar, @demonslay335, @billtoulas, @Ionut_Ilascu, @serghei, @BleepinComputer, @malwrhunterteam, @Seifreed, @LawrenceAbrams, @SophosXOps, @3xp0rtblog, @AlvieriD, @pcrisk, @cyber_int, and @LikelyMalware.
October 8th 2023
New STOP ransomware variants
PCrisk found new STOP ransomware variants that append the .mlwq and .mlrd extensions to encrypted files.
October 9th 2023
ALPHV ransomware gang claims attack on Florida circuit court
The ALPHV (BlackCat) ransomware gang has claimed an attack that affected state courts across Northwest Florida (part of the First Judicial Circuit) last week.
HelloKitty ransomware source code leaked on hacking forum
A threat actor has leaked the complete source code for the first version of the HelloKitty ransomware on a Russian-speaking hacking forum, claiming to be developing a new, more powerful encryptor.
New STOP ransomware variants
PCrisk found new STOP ransomware variants that append the .mlza and .mlap extensions to encrypted files.
New Hazard ransomware variant
PCrisk found a Hazard ransomware variant that appends the .hazard18 extension (the digits may differ per victim) and drops a ransom note named HOW_TO_BACK_FILES.html.
New MedusaLocker ransomware variant
PCrisk found a MedusaLocker ransomware variant that appends the .locknet extension and drops a ransom note named HOW_TO_BACK_FILES.html.
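The STOP, Hazard and MedusaLocker indicators above can be turned into a quick file-listing triage for responders. The following is an added example, not code from PCrisk or this article; the file paths are constructed sample data, the Hazard digit is matched as any number because the article says it varies per victim, and HOW_TO_BACK_FILES.html is treated as shared between Hazard and MedusaLocker because both entries above name it.

```python
import re

# Constructed sample listing for illustration only, not from a real incident.
SAMPLE_FILES = [
    "C:/Users/alice/Documents/budget.xlsx.mlwq",
    "C:/Users/alice/Documents/notes.docx.mlwq",
    "D:/share/report.pdf.hazard18",
    "D:/share/HOW_TO_BACK_FILES.html",
    "E:/backup/db.bak.locknet",
    "E:/backup/HOW_TO_BACK_FILES.html",
    "E:/backup/unchanged.txt",
]

# Extensions from the variants listed in this roundup. The Hazard digits
# differ per victim, so they are matched with \d+ rather than a fixed value.
FAMILY_EXTENSIONS = {
    "STOP":         re.compile(r"\.(mlwq|mlrd|mlza|mlap)$"),
    "Hazard":       re.compile(r"\.hazard\d+$"),
    "MedusaLocker": re.compile(r"\.locknet$"),
}

# The same note name is used by two families, so it corroborates a hit
# but cannot on its own tell Hazard from MedusaLocker. STOP's note name
# is not given in this roundup, so no note is listed for it.
RANSOM_NOTES = {"HOW_TO_BACK_FILES.html": {"Hazard", "MedusaLocker"}}


def triage(paths):
    """Return {family: {"encrypted": count, "note_seen": bool}} for families with hits."""
    hits = {}
    notes_seen = set()
    for path in paths:
        name = path.rsplit("/", 1)[-1]
        if name in RANSOM_NOTES:
            notes_seen |= RANSOM_NOTES[name]
            continue
        for family, pattern in FAMILY_EXTENSIONS.items():
            if pattern.search(name):
                entry = hits.setdefault(family, {"encrypted": 0, "note_seen": False})
                entry["encrypted"] += 1
    for family, entry in hits.items():
        entry["note_seen"] = family in notes_seen
    return hits


if __name__ == "__main__":
    for family, info in triage(SAMPLE_FILES).items():
        print(f"{family}: {info['encrypted']} encrypted file(s), note present: {info['note_seen']}")
```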
October 10th 2023
Air Europa data breach: Customers warned to cancel credit cards
Spanish airline Air Europa, the country’s third-largest airline and a member of the SkyTeam alliance, warned customers on Monday to cancel their credit cards after attackers accessed their card information in a recent data breach.
October 11th 2023
BianLian extortion group claims recent Air Canada breach
The BianLian extortion group claims to have stolen 210GB of data after breaching the network of Air Canada, the country’s largest airline and a founding member of Star Alliance.
Simpson Manufacturing shuts down IT systems after cyberattack
Simpson Manufacturing disclosed via an SEC 8-K filing a cybersecurity incident that has caused disruptions in its operations, which are expected to continue.
Distribution of Magniber Ransomware Stops (Since August 25th)
Through a continuous monitoring process, AhnLab Security Emergency response Center (ASEC) is swiftly responding to Magniber, the main malware that is actively being distributed using the typosquatting method, which abuses typos in domain addresses. After the blocking rules for the injection technique used by Magniber were distributed, ASEC published a post about the relevant information on August 10th.
Ransomware Trends 2023, Q3 Report
Q3 will be remembered as a new record for the ransomware industry as it was the most successful quarter ever recorded.
October 12th 2023
FBI shares AvosLocker ransomware technical details, defense tips
The U.S. government has updated the list of tools AvosLocker ransomware affiliates use in attacks to include open-source utilities along with custom PowerShell and batch scripts.
Ransomware attacks now target unpatched WS_FTP servers
Internet-exposed WS_FTP servers unpatched against a maximum severity vulnerability are now targeted in ransomware attacks.