The Week in Ransomware - December 15th 2023 - Ransomware Drama - BleepingComputer
2023-12-18 11:49 (EST)
Todays column brings you two weeks of information on the latest ransomware attacks and research after we skipped last weeks article.
The big news over the past two weeks is the continued drama plaguing BlackCat/ALPHV after their infrastructure suddenly stopped working for almost five days. Multiple sources told BleepingComputer that this outage was related to a law enforcement operation, but BlackCat claims the outages were caused by a hardware/hosting issue.
However, BleepingComputer has learned that some of the BlackCat/ALPHV affiliates are not buying the explanation and have started to contact victims directly via email to perform negotiations outside of the ransomware operations Tor negotiation sites.
It is unclear if that is because they are working on their final victims under this operation before they switch to another gang or if they feel the ALPHV operation has been compromised in some manner.
Whatever the reasons, the LockBit operation is taking advantage of the drama. The cybercrime gang has told BleepingComputer that they see this as a Christmas gift and have started recruiting ALPHVs affiliates.
In other news, we learned about numerous ransomware attacks over the past two weeks, including:
Finally, law enforcement has had some confirmed actions this week, including arresting a money launderer linked to Hive ransomware and a Russian pleading guilty to running a crypto exchange used by ransomware gangs.
Contributors and those who provided new ransomware information and stories this week include: @malwrhunterteam, @demonslay335, @billtoulas, @fwosar, @Seifreed, @serghei, @BleepinComputer, @LawrenceAbrams, @Ionut_Ilascu, @ValeryMarchive, @BushidoToken, @azalsecurity, @SentinelOne, @g0njxa, @AlvieriD, @ShadowStackRE, @AShukuhi, @BrettCallow, @GossiTheDog, @vmiss33, @pcrisk, and @RESecurity.
December 3rd 2023
A sample of the Qilin ransomware gangs VMware ESXi encryptor has been found and it could be one of the most advanced and customizable Linux encryptors seen to date.
December 4th 2023
Tipalti says they are investigating claims that the ALPHV ransomware gang breached its network and stole 256 GB of data, including data for Roblox and Twitch.
PCrisk found a new Phobos ransomware variant that appends the .elpy and drops ransom notes named info.txt and info.hta.
PCrisk found the encryptor for the new RA World operation, which appends the .RAWLD extension and drops a ransom note named Data breach warning.txt.
PCrisk found a new Xorist variant that appends the .xro extension and drops a ransom note named HOW TO DECRYPT FILES.txt.
December 5th 2023
IT services and business consulting company HTC Global Services has confirmed that they suffered a cyberattack after the ALPHV ransomware gang began leaking screenshots of stolen data.
December 6th 2023
Qilin ransomware has built a highly configurable malware family that makes use of the local ESXi tooling to increase the success rate of encrypting and ransoming their victim.
Austal USA, a shipbuilding company and a contractor for the U.S. Department of Defense (DoD) and the Department of Homeland Security (DHS) confirmed that it suffered a cyberattack and is currently investigating the impact of the incident.
PCRisk found new STOP ransomware variants that append the .nbwr and .nbzi extensions.
PCrisk found a new Phobos ransomware variant that appends the .GrafGrafel and drops ransom notes named info.txt and info.hta.
December 7th 2023
Russian national Anatoly Legkodymov pleaded guilty to operating the Bitzlato cryptocurrency exchange that helped ransomware gangs and other cybercriminals launder over $700 million.
December 8th 2023
A law enforcement operation is rumored to be behind an outage affecting ALPHV ransomware gangs websites over the last 30 hours.
Kentucky health system Norton Healthcare has confirmed that a ransomware attack in May exposed personal information belonging to patients, employees, and dependents.
PCrisk found a new HiddenTear ransomware variant that appends the .funny extension and drops a ransom note named readme.txt.
December 11th 2023
Toyota Financial Services (TFS) is warning customers it suffered a data breach, stating that sensitive personal and financial data was exposed in the attack.
Cold storage and logistics giant Americold has confirmed that over 129,000 employees and their dependents had their personal information stolen in an April attack, later claimed by Cactus ransomware.
PCRisk found new STOP ransomware variants that append the .hhuy and .hhaz extensions.
December 12th 2023
Ransomware operator Rhysida has posted limited data that appears to back up its claim that it has successfully hacked video game developer Insomniac Games.
December 13th 2023
The LockBit ransomware operation is now recruiting affiliates and developers from the BlackCat/ALPHV and NoEscape after recent disruptions and exit scams.
French authorities arrested a Russian national in Paris for allegedly helping the Hive ransomware gang with laundering their victims ransom payments.
ShadowStackRE has published a technical analysis of the Rhysida ransomware encryptor.
In this post, we highlight recent Mallox activity, explain the group’s initial access methods and provide a high-level analysis of recent Mallox payloads to help defenders better understand and defend against this persistent threat.
December 14th 2023
Kraft Heinz has confirmed that their systems are operating normally and that there is no evidence they were breached after an extortion group listed them on a data leak site.
December 15th 2023
Based on a recent Digital Forensics & Incident Response (DFIR) engagement with a law enforcement agency (LEA) and one of the leading investment organizations in Singapore, Resecurity, Inc. (USA) has uncovered a meaningful link between three major ransomware groups. Resecurity’s HUNTER (HUMINT) unit spotted the BianLian, White Rabbit, and Mario ransomware gangs collaborating in a joint extortion campaign targeting publicly-traded financial services firms.
PCRisk found new STOP ransomware variants that append the .ljuy and .ljaz extensions.
Thats it for this week! Hope everyone has a nice weekend!
