The Week in Ransomware - December 1st 2023 - Police hits affiliates - Bleeping Computer
2023-12-08 13:29 (EST)
An international law enforcement operation claims to have dismantled a ransomware affiliate operation in Ukraine, which was responsible for attacks on organizations in 71 countries.
The threat actors are said to be affiliates of numerous ransomware operations, including LockerGoga, MegaCortex, HIVE, and Dharma. This cybercriminal operation is said to have led to the loss of hundreds of millions of euros.
The law enforcement operation occurred on November 21st, with coordinated raids in 30 locations in Kyiv, Cherkasy, Rivne, and Vinnytsia. As a result of the operation, police arrested the groups alleged ringleader and four of his accomplices.
Of particular interest is that Norway was involved in the operation, making cybersecurity researchers believe that this affiliate group may have been behind the Norsk Hydro attack, which involved the LockerGoga ransomware.
However, a threat actor disputed those rumors on the Russian-speaking XSS hacking forum, claiming that the affiliate group had nothing to do with the attack. The threat actor further claims to be the one who gave a police drone the finger in the below video of the law enforcement operation.
In other news, ransomware attacks have been surging, with further information about attacks being disclosed this week.
This includes attacks on the Ethyrial: Echoes of Yore game developer, Ardent Health Services, Slovenias largest power provider HSE, and a re-encryption of healthcare giant Henry Schein as punishment for allegedly not paying the ransom.
We also learned that the attack on DP World did not involve encryption. However, it could have been a ransomware attack that was stopped before encryptors were deployed.
Finally, researchers released some interesting information about ransomware, including Cactus ransomware exploiting Qlik Sense flaws to breach networks, and Black Basta ransomware believed to have made over $100 million.
Contributors and those who provided new ransomware information and stories this week include: @malwrhunterteam, @Ionut_Ilascu, @LawrenceAbrams, @billtoulas, @serghei, @Seifreed, @BleepinComputer, @demonslay335, @fwosar, @pcrisk, @CorvusInsurance, @elliptic, @AWNetworks, @ShadowStackRE, @ddd1ms, @3xp0rtblog, @jgreigj, and @BrettCallow.
November 27th 2023
American healthcare company Henry Schein has reported a second cyberattack this month by the BlackCat/ALPHV ransomware gang, who also breached their network in October.
A ransomware attack on the "Ethyrial: Echoes of Yore" MMORPG last Friday destroyed 17,000 player accounts, deleting their in-game items and progress in the game.
Ardent Health Services, a healthcare provider operating 30 hospitals across six U.S. states, disclosed today that its systems were hit by a ransomware attack on Thursday.
Slovenian power company Holding Slovenske Elektrarne (HSE) has suffered a ransomware attack that compromised its systems and encrypted files, yet the company says the incident did not disrupt electric power production.
The LostTrust ransomware family has a fairly small victim pool and has compromised victims earlier this year. The encryptor has similar characteristcs to the MetaEncryptor ransomware family including code flow and strings which indicates that the encryptor is a variant from the original MetaEncryptor source.
PCrisk found a new Chaos variant that appends the .MuskOff extension and drops a ransom note named read_it.txt.
November 28th 2023
In cooperation with Europol and Eurojust, law enforcement agencies from seven nations have arrested in Ukraine the core members of a ransomware group linked to attacks against organizations in 71 countries.
The Qilin ransomware group has claimed responsibility for a cyber attack on Yanfeng Automotive Interiors (Yanfeng), one of the worlds largest automotive parts suppliers.
International logistics giant DP World has confirmed that data was stolen during a cyber attack that disrupted its operations in Australia earlier this month. However, the company says no ransomware payloads or encryption was used in the attack.
November 29th 2023
Russia-linked ransomware gang Black Basta has raked in at least $100 million in ransom payments from more than 90 victims since it first surfaced in April 2022, according to joint research from Corvus Insurance and Elliptic.
PCrisk found new STOP ransomware variants that append the .jawr and .jazi extensions.
PCrisk found a new Phobos variant that appends the .LEAKDB extension and drops a ransom notes named info.txt and info.hta.
November 30th 2023
Cactus ransomware has been exploiting critical vulnerabilities in the Qlik Sense data analytics solution to get initial access on corporate networks.
December 1st 2023
About 60 credit unions are dealing with outages due to a ransomware attack on a widely-used technology provider.
PCrisk found a new MedusaLocker variant that appends the .doctorhelp extension and drops a ransom note named How_to_back_files.html.
PCrisk found a new Darhma variant that appends the .intel extension.
Thats it for this week! Hope everyone has a nice weekend!
