The Week in Ransomware - June 18th 2021 - Law enforcement strikes back


Compared to the last few weeks, it has been a relatively quiet week with no ransomware attacks causing widespread disruption.

It was a good week for law enforcement, with Ukrainian police arresting members of the Clop ransomware gang and the South Korean police arresting computer repairmen who were installing ransomware on customers' computers.

We also saw some interesting research released on LockBit and the Hades ransomware, as well as an updated Avaddon Ransomware decryptor that can decrypt more victims' files.

Finally, President Biden met with Russian President Putin to discuss the recent cyberattacks. Whether something changes from that meeting is too soon to tell.

Contributors and those who provided new ransomware information and stories this week include: @DanielGallagher, @malwareforme, @PolarToffee, @fwosar, @BleepinComputer, @LawrenceAbrams, @serghei, @VK_Intel, @struppigel, @demonslay335, @malwrhunterteam, @FourOctets, @Ionut_Ilascu, @jorntvdw, @Seifreed, @TrendMicroRSRCH, @IntelAdvanced, @y_advintel, @ZeroLogon, @campuscodi, @GrujaRS, @emsisoft, @LittleRedBean2, @PogoWasRight, @chum1ng0, @PRODAFT, @Secureworks, and @ValeryMarchive.

June 14th 2021

REvil ransomware hits US nuclear weapons contractor

US nuclear weapons contractor Sol Oriens has suffered a cyberattack allegedly at the hands of the REvil ransomware gang, which claims to be auctioning data stolen during the attack.

G7 leaders ask Russia to hunt down ransomware gangs within its borders

G7 (Group of 7) leaders have asked Russia to urgently disrupt ransomware gangs believed to be operating within its borders, following a stream of attacks targeting organizations from critical sectors worldwide.

Fujifilm resumes normal operations after ransomware attack

Japanese multinational conglomerate Fujifilm says that it has resumed normal business and customer operations following a ransomware attack that forced it to shut the entire network on June 4.

Theoretically untouchable, but still struck down with Avaddon

The reasons for Avaddon's disappearance are not known at this point. Perhaps the international pressure had become too strong for the operators, or perhaps some mistakes had started to show a little too much.

June 15th 2021

Avaddon ransomware's exit sheds light on victim landscape

A new report analyzes the recently released Avaddon ransomware decryption keys to shed light on the types of victims targeted by the threat actors and potential revenue they generated throughout their operation.

Paradise Ransomware source code released on a hacking forum

The complete source code for the Paradise Ransomware has been released on a hacking forum allowing any would-be cyber criminal to develop their own customized ransomware operation.

Updated Avaddon decryptor released

Emsisoft released an updated Avaddon decryptor to support more victims.

Hades Ransomware Operators Use Distinctive Tactics and Infrastructure

Hades ransomware has been on the scene since December 2020, but there has been limited public reporting on the threat group that operates it. Secureworks® incident response (IR) engagements in the first quarter of 2021 provided Secureworks Counter Threat Unit™ (CTU) researchers with unique insight into the group’s use of distinctive tactics, techniques, and procedures (TTPs).

June 16th 2021

Ukraine arrests Clop ransomware gang members, seizes servers

Ukrainian law enforcement arrested cybercriminals associated with the Clop ransomware gang and shut down infrastructure used in attacks targeting victims worldwide since at least 2019.

South Korean police arrest computer repairmen who made and distributed ransomware

South Korean authorities have filed charges today against nine employees of a local computer repair company for creating and installing ransomware on their customers’ computers.

MA: UMass Lowell closed due to cybersecurity incident

The University of Massachusetts Lowell (UMass Lowell) has suffered a cybersecurity breach that has caused school closures for the past two days. The incident was first announced on June 15 as an “IT outage:”

SCOOP: UnitingCare paid hundreds of thousands of dollars to REvil for decryption key and deletion of files

On April 25, UnitingCare Queensland (UCQ) was the victim of a ransomware attack that impacted multiple Queensland hospitals and aged care centres. The next day, they posted a notice on their web site informing people as to what was happening and its impact. And on May 5, they posted a second update where they revealed that it was REvil (Sodinokibi) threat actors who had attacked them. That update described steps they had taken since the incident to safely recover and restore services.

June 17th 2021

Carnival Cruise hit by data breach, warns of data misuse risk

In December 2020, Carnival was hit by a second (previously undisclosed) ransomware attack with "investigation and remediation phases" still ongoing, according to a 10-Q form filed with the SEC in April 2021.

June 18th 2021

Fake DarkSide gang targets energy, food industry in extortion emails

Threat actors impersonate the now-defunct DarkSide Ransomware operation in fake extortion emails sent to companies in the energy and food sectors.

LockBit RaaS In-Depth Analysis

The PRODAFT Threat Intelligence (PTI) Team has published this report to provide in-depth knowledge about the threat actors who operate LockBit ransomware. The PTI Team has managed to extract decryption tools for most of the victims who were affected by LockBit. All affiliates of the ransomware group, including the developer, were also identified during the PTI Team's investigation. This report answers questions such as: How do they select their targets? How many targets did they breach? How does the network operate? Who are the affiliates?

New STOP Ransomware variant

GrujaRS found a new STOP ransomware variant that appends the .iqll extension to encrypted files.

New STOP Ransomware variant

LittleRedBean found a new STOP ransomware variant that appends the .sspq extension to encrypted files.

That's it for this week! Hope everyone has a nice weekend!