Ransomware gangs continue to prioritize targeting VMware ESXi servers, with almost every active ransomware gang creating custom Linux encryptors for this purpose.
This week, BleepingComputer analyzed the Linux encryptor for Abyss Locker and illustrated how it was specifically designed to encrypt ESXi virtual machines.
Quite a bit of research was released this week as well, with cybersecurity firms and researchers releasing reports on:
Hospitals run by Prospect Medical Holdings were also impacted this week by a ransomware attack on the parent company. However, it is unclear what gang is behind the attack.
Finally, Argentina’s Comprehensive Medical Care Program (PAMI) suffered a ransomware attack that impacted its operations.
Contributors and those who provided new ransomware information and stories this week include: @billtoulas, @Seifreed, @malwrhunterteam, @demonslay335, @serghei, @malwareforme, @LawrenceAbrams, @BleepinComputer, @Ionut_Ilascu, @Fortinet, @malvuln, @Intel_by_KELA, @DragosInc, @MrJamesSullivan, @pcrisk, and @juanbrodersen.
July 29th 2023
The Abyss Locker operation is the latest to develop a Linux encryptor to target VMware’s ESXi virtual machines platform in attacks on the enterprise.
Security researcher Malvuln has released a tool called RansomLord that exploits DLL hijacking vulnerabilities in ransomware encryptors to terminate the processes before encryption starts. It is not 100% guaranteed to work, so all users should read the project's readme.
July 31st 2023
The second quarter of 2023 proved to be an exceptionally active period for ransomware groups, posing significant threats to industrial organizations and infrastructure. The rise in ransomware attacks on industrial targets and their consequential impacts highlights the rapid growth of ransomware ecosystems and the adoption of different tactics, techniques, and procedures (TTPs) by these groups to achieve their objectives. In Q2, Dragos observed that out of the 66 groups we monitor, 33 continued to impact industrial organizations. These groups continued to employ previously effective tactics, including exploiting zero-day vulnerabilities, leveraging social engineering, targeting public-facing services, and compromising IT service providers.
A study examining the role of cyber insurance in addressing the threats posed by ransomware.
PCrisk found a new Dharma ransomware variant that appends the .Z0V extension and drops a ransom note named Z0V.txt.
PCrisk found new STOP ransomware variants that append the .pouu or .poaz extensions.
August 1st 2023
Despite the decryptor for the Akira ransomware that was released at the end of June 2023, the group still seems to successfully extort victims. In July, we observed 15 new victims of the group, either publicly disclosed or detected by KELA in the course of their negotiations.
The Cyclops ransomware gang has launched a 2.0 version of its RaaS operation named Knight. On July 26, the gang announced on their blog they were “releasing the new panel and program this week”, likely referring to updates to both their ransomware strain and their affiliates’ panel. Recently, Cyclops announced they “upgraded” the operation and called for new affiliates to join the group. A thread advertising Cyclops’ RaaS has been renamed to “[RaaS]Knight”.
Qilin Ransomware Gang Adopts Uncommon Payment System: All Ransom Payments Funneled through Affiliates
In July, KELA observed that actors behind Qilin (Agenda) RaaS program have announced that ransom payments are paid only to their affiliates’ wallets. Apparently, only then is a share of profits transferred to the Qilin RaaS owners. This approach is less common for RaaS programs: usually victims are paying ransom to wallets controlled by RaaS developers/managers, and only then affiliates receive their share of ransom. The “opposite” approach, now adopted by Qilin, is known to be used by LockBit.
PCrisk found a new Xorist ransomware variant that appends the .rtg extension.
PCrisk found a new Xorist ransomware variant that appends the .popn extension and drops a ransom note named _readme.txt.
August 2nd 2023
The PAMI confirmed a ransomware cyberattack: it took down the site, but they assure that “it was mitigated”
The Comprehensive Medical Care Program (PAMI) suffered a ransomware cyberattack, a type of virus that encrypts files to demand a ransom in exchange. Official sources confirmed to Clarín that this type of cyberattack was involved and that they are investigating where the intrusion came from. Appointments are being kept and medicines can be bought normally in pharmacies, they assured.
August 3rd 2023
Serco Inc, the Americas division of multinational outsourcing company Serco Group, has disclosed a data breach after attackers stole the personal information of over 10,000 individuals from a third-party vendor’s MOVEit managed file transfer (MFT) server.
This edition of the Ransomware Roundup covers the DoDo and Proton ransomware.
Based on our investigation, we believe an unauthorized party was able to obtain certain files transferred through the MOVEit tool, including files that contained personal data of 3 Maine residents. EY Law then also undertook an extensive analysis of the affected files to determine which individuals and data may have been affected, and to confirm their identities and contact information.
PCrisk found a new Phobos ransomware variant that appends the .G-STARS extension.
PCrisk found the new TrashPanda ransomware that appends the .monochromebear extension and drops a ransom note named [random_string]-readme.html.
PCrisk found the new Crybaby Python ransomware that appends the .lockedbycrybaby extension.
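The PCrisk entries in this roundup each report an appended extension and, in some cases, a ransom-note file name. Those are cheap triage indicators for a file share or backup listing, so here is an added example (not BleepingComputer's or PCrisk's code) that sweeps a list of paths against every indicator named on this page and groups the hits by family. The file listing it runs over is constructed for the example; the family attributions come from the roundup text. Extension matching only tells you encryption has already happened, so treat hits as a starting point for scoping and containment, not as prevention.

```python
"""
Indicator sweep for the ransomware variants listed in this roundup.
Added example, not code from BleepingComputer or PCrisk. File names are
checked against the appended extensions and ransom-note names the roundup
reports. The sample listing at the bottom is constructed.
"""
import re
from collections import Counter
from pathlib import PurePosixPath

# Appended extensions reported in this roundup, mapped to the family
# PCrisk attributed them to. Keys are lowercase; comparison is case-insensitive.
SUSPECT_EXTENSIONS = {
    ".z0v": "Dharma",
    ".pouu": "STOP",
    ".poaz": "STOP",
    ".rtg": "Xorist",
    ".popn": "Xorist",
    ".g-stars": "Phobos",
    ".monochromebear": "TrashPanda",
    ".lockedbycrybaby": "Crybaby",
}

# Ransom-note file names exactly as reported in this roundup.
RANSOM_NOTE_NAMES = {
    "z0v.txt": "Dharma",
    "_readme.txt": "Xorist",  # attributed to the .popn Xorist variant in the roundup
}

# TrashPanda's note is "[random_string]-readme.html", so it needs a pattern.
# This is deliberately loose and will also match a hand-made "x-readme.html";
# a reviewer confirms the hit before acting on it.
RANSOM_NOTE_PATTERNS = [
    (re.compile(r"^[A-Za-z0-9]+-readme\.html$", re.IGNORECASE), "TrashPanda"),
]


def classify(path: str):
    """Return (family, reason) when the file name matches an indicator, else None."""
    name = PurePosixPath(path).name
    lower = name.lower()

    # Notes first: they carry a family name without depending on the extension.
    if lower in RANSOM_NOTE_NAMES:
        return RANSOM_NOTE_NAMES[lower], "ransom note"
    for pattern, family in RANSOM_NOTE_PATTERNS:
        if pattern.match(name):
            return family, "ransom note"

    # Encryptors append their extension after the original one
    # (report.xlsx.pouu), so only the final suffix is examined.
    suffix = PurePosixPath(lower).suffix
    if suffix in SUSPECT_EXTENSIONS:
        return SUSPECT_EXTENSIONS[suffix], f"appended extension {suffix}"
    return None


def sweep(paths):
    """Classify every path; return (list of (path, family, reason), Counter by family)."""
    hits = []
    for p in paths:
        result = classify(p)
        if result is not None:
            family, reason = result
            hits.append((p, family, reason))
    return hits, Counter(family for _, family, _ in hits)


# Constructed sample listing, as a defender might export from a file server.
SAMPLE_LISTING = [
    "/srv/share/finance/q2-report.xlsx.pouu",
    "/srv/share/finance/budget.docx.poaz",
    "/srv/share/hr/contracts.zip.Z0V",
    "/srv/share/hr/Z0V.txt",
    "/srv/share/eng/design.pdf.G-STARS",
    "/srv/share/eng/kq8x2pz-readme.html",
    "/srv/share/eng/diagram.png",
    "/home/dev/notes.txt",
    "/srv/share/legal/brief.docx.lockedbycrybaby",
]

if __name__ == "__main__":
    found, by_family = sweep(SAMPLE_LISTING)
    for path, family, reason in found:
        print(f"{family:<11} {reason:<28} {path}")
    print("families:", dict(by_family))
```

Run it against a real export by replacing `SAMPLE_LISTING` with the lines of a `find` or share listing; the per-family counts give a quick read on how many distinct operations touched a share, which matters because several families (STOP with two extensions, Xorist with two) appear in this week's list.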
That’s it for this week! Hope everyone has a nice weekend!