The Week in Ransomware – September 8th 2023


It started as a slow ransomware news week but picked up pace when the Department of Justice announced indictments against members of the TrickBot and Conti operations.

On Thursday, the US announced sanctions and three indictments against nine Russian nationals who are alleged members of the TrickBot and Conti ransomware operations for attacks on more than 900 victims worldwide.

“The defendants charged in these three indictments across three different jurisdictions allegedly used their cyber knowledge and capabilities to victimize people and businesses around the world without regard for the damage they caused,” said Acting Assistant Attorney General Nicole M. Argentieri of the Justice Department’s Criminal Division.

The individuals were allegedly involved in a wide variety of roles in the Conti ransomware operation, including overall management of the cybercrime operation, crypting malware so it would evade detection, managing infrastructure, and developing malware, including the TrickBot botnet.

In other news, Cisco confirmed that ransomware gangs are exploiting a zero-day in Cisco VPN appliances, following reporting by BleepingComputer, SentinelOne, and Rapid7 on its abuse by the Akira ransomware operation.

Finally, Ragnar Locker claimed responsibility for an August attack on Israel’s Mayanei Hayeshua hospital, saying it stole 1 TB of data.

Contributors and those who provided new ransomware information and stories this week include: @BleepinComputer, @VK_Intel, @jorntvdw, @LawrenceAbrams, @PolarToffee, @FourOctets, @struppigel, @DanielGallagher, @malwareforme, @Ionut_Ilascu, @demonslay335, @billtoulas, @serghei, @fwosar, @malwrhunterteam, @Seifreed, @cloudsek, @SecurityAura, @SentinelOne, and @pcrisk.

September 4th 2023

New STOP ransomware variants

PCrisk found new STOP ransomware variants that append the .rzkd and .rzml extensions.

New Chaos ransomware variant

PCrisk found a new Chaos ransomware variant that appends the .sub_to_crypto_nwo extension and drops a ransom note named Windows!System32.txt.

New Rival ransomware

PCrisk found a new ransomware named Rival that appends the .rival extension and drops a ransom note named FILES ENCRYPTED.txt.

September 6th 2023

New STOP ransomware variant

PCrisk found a new STOP ransomware variant that appends the .rzew extension.

New Phobos ransomware variant

PCrisk found a new Phobos ransomware variant that appends the .sb4 extension.

September 7th 2023

US and UK sanction 11 TrickBot and Conti cybercrime gang members

The USA and the United Kingdom have sanctioned eleven Russian nationals associated with the TrickBot and Conti ransomware cybercrime operations.

Multiple Foreign Nationals Charged in Connection with Trickbot Malware and Conti Ransomware Conspiracies

Three indictments in three different federal jurisdictions have been unsealed charging multiple Russian cybercrime actors involved in the Trickbot malware and Conti ransomware schemes.

September 8th 2023

Cisco warns of VPN zero-day exploited by ransomware gangs

Cisco is warning of a zero-day vulnerability (CVE-2023-20269) in its Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) software that is actively exploited by ransomware operations to gain initial access to corporate networks.

Ragnar Locker claims attack on Israel’s Mayanei Hayeshua hospital

The Ragnar Locker ransomware gang has claimed responsibility for an attack on Israel’s Mayanei Hayeshua hospital, threatening to leak 1 TB of data allegedly stolen during the cyberattack.

Understanding Knight Ransomware: Advisory, Analysis

Cyclops, now renamed Knight (also known as Cyclops 2.0), debuted in May 2023. The Cyclops group has developed ransomware that can infect Windows, Linux, macOS, ESXi and Android.

New STOP ransomware variants

PCrisk found new STOP ransomware variants that append the .hgml and .hgkd extensions.

That’s it for this week! Hope everyone has a nice weekend!