The Week in Ransomware - October 20th 2023 - Fighting Back - Bleeping Computer

2023-10-21 15:28 (EST)

This was a bad week for ransomware, with the Trigona ransomware suffering a data breach and law enforcement disrupting the RagnarLocker ransomware operation.

Last week, Ukrainian hacktivists known as the Ukrainian Cyber Alliance hacked the Trigona gang's servers by exploiting a vulnerability in their Confluence server.

This ultimately allowed the activists to breach other sites run by Trigona to take data, copies of internal chats, and the website source code. They then wiped Trigona's Tor negotiation and data leak sites, defacing them with the message below.

[Image: Trigona defacement. Source: BleepingComputer]

Trigona later admitted they were breached and said they plan on launching new sites on October 22nd.

On Thursday, the RagnarLocker data leak site and negotiation site also began to show a new message, this time a seizure banner by law enforcement from France, the Czech Republic, Germany, Italy, Latvia, the Netherlands, Spain, Sweden, Japan, Canada, and the United States.

As part of this international law enforcement operation, police arrested a malware developer linked with the RagnarLocker ransomware gang and seized the group's dark websites.

[Image: RagnarLocker seizure banner. Source: BleepingComputer]

This is a significant action, as RagnarLocker is one of the oldest still-active ransomware operations, having conducted attacks against 168 international companies globally since 2020.

In other news, we learned more about cyberattacks against various companies, with a BlackBasta attack against TV advertising firm Ampersand and Kwik Trip finally confirming they suffered a cyberattack, though it was not confirmed to be ransomware.

Finally, cybersecurity researchers released interesting reports on ransomware, including:

Contributors and those who provided new ransomware information and stories this week include: @LawrenceAbrams, @serghei, @fwosar, @Ionut_Ilascu, @billtoulas, @Seifreed, @demonslay335, @malwrhunterteam, @BleepinComputer, @vx_herm1t, @AlvieriD, @AShukuhi, @pcrisk, @rivitna2, @BushidoToken, @ResilienceSays, @SophosXOps, @Unit42_Intel, @jgreigj, @azalsecurity, @Cynet360, @FalconFeedsio, and @cyber_int.

October 15th 2023

Colonial Pipeline said there has been no disruption to pipeline operations or their systems after a ransomware gang made several threats on Friday afternoon.

October 16th 2023

PCrisk found new STOP ransomware variants that append the .ptqw and .pthh extensions.

PCrisk found a new MedusaLocker variant that appends the .crypto1317 extension and drops a ransom note named How_to_back_files.html.

PCrisk found a new Chaos variant that appends the .MesaCorp extension and drops a ransom note named read_it.txt.

October 17th 2023

Kwik Trip has released another statement on an ongoing outage, all but confirming it suffered a cyberattack that has led to IT system disruptions.

A television advertising sales and technology company jointly owned by the three largest U.S. cable operators was hit with a ransomware attack in recent weeks that affected operations.

PCrisk found a new Dharma ransomware variant that appends the .2023 extension.

PCrisk found a new Dharma ransomware variant that appends the .ptrz extension.

PCrisk found a new ransomware named EarthGrass that appends the .34r7hGr455 extension and drops a ransom note named Read ME (Decryptor).txt.

PCrisk found the new KeyLocker ransomware that appends the .keylock extension and drops a ransom note named README-id-[username].txt.

October 18th 2023

A group of cyber activists under the Ukrainian Cyber Alliance (UCA) banner has hacked the servers of the Trigona ransomware gang and wiped them clean after copying all the information available.

The first half of 2023 has once again seen an upheaval in the cybercrime industry. From Russian firms potentially licensing out advanced malware to affiliate partners in the US and UK, to attacks against relatively unknown third-party SaaS suppliers scaling to thousands of victim organizations at once, cybercrime actors are once again adeptly reacting to a shift in their market. As companies become more resistant to paying extortions, Resilience is seeing a move towards going after bigger fish and swimming upstream to hit vendors and bypass security controls. This has significant implications for those defending their organizations and trying to limit financial losses from these actors.

Over the past week, a new ransomware franchise named GhostLocker has emerged. GhostLocker is a new Ransomware-as-a-Service (RaaS) established by several hacktivist groups led by GhostSec.

A new pro-Palestinian hacktivist group called Soldiers Of Solomon claims to be deploying a new Crucio Ransomware.

October 19th 2023

The Ragnar Locker ransomware operation's Tor negotiation and data leak sites were seized Thursday morning as part of an international law enforcement operation.

The BlackCat/ALPHV ransomware operation has begun to use a new tool named Munchkin that utilizes virtual machines to deploy encryptors on network devices stealthily.

In September and early October, we saw several efforts by a previously unknown actor to leverage vulnerabilities in obsolete, unsupported versions of Adobe’s ColdFusion Server software to gain access to the Windows servers they ran on and pivot to deploying ransomware. None of these attacks were successful, but they provided telemetry that allowed us to associate them with a single actor or group of actors, and to retrieve the payloads they attempted to deploy.

A new version of the Akira ransomware called “Megazord” emerged around August 2023. It changes the names of your files by adding “.Powerrangers” at the end. Several static and code similarities suggest that Megazord could be an attempt to give Akira a new look. Such an alteration might be an attempt to rebrand the Akira ransomware, since it has gained widespread recognition throughout the cybersecurity community.

As seen by AzAl Security, the Trigona ransomware operation has responded to UCA's takedown of their sites, claiming to return on the 22nd.

October 20th 2023

Two weeks into an ongoing IT outage, Kwik Trip finally confirmed that it's investigating a cyberattack impacting the convenience store chain's internal network since October 9.

Law enforcement agencies arrested a malware developer linked with the Ragnar Locker ransomware gang and seized the group's dark web sites in a joint international operation.

PCrisk found new STOP ransomware variants that append the .ithh, .itqw, and .itrz extensions.
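The PCrisk and Megazord entries above give file extensions and ransom-note names that a defender can sweep a file share for. The following is an added example, not part of the original roundup: it compiles this week's indicators into a lookup table and walks a directory tree to group hits by family. The `[username]` part of the KeyLocker note name is treated as a wildcard, and the sample tree it scans is constructed inline.

```python
import fnmatch
import os
import tempfile
from collections import defaultdict

# Extensions reported this week (lower-cased for case-insensitive matching).
# Caveat: a bare ".2023" (Dharma) will also match ordinary files such as
# "report.2023", so treat Dharma hits as leads to confirm, not verdicts.
EXTENSION_TO_FAMILY = {
    ".ptqw": "STOP", ".pthh": "STOP", ".ithh": "STOP", ".itqw": "STOP", ".itrz": "STOP",
    ".crypto1317": "MedusaLocker",
    ".mesacorp": "Chaos",
    ".2023": "Dharma", ".ptrz": "Dharma",
    ".34r7hgr455": "EarthGrass",
    ".keylock": "KeyLocker",
    ".powerrangers": "Akira/Megazord",
}
# Ransom-note names reported this week; "[username]" becomes a glob "*".
NOTE_PATTERN_TO_FAMILY = {
    "How_to_back_files.html": "MedusaLocker",
    "read_it.txt": "Chaos",
    "Read ME (Decryptor).txt": "EarthGrass",
    "README-id-*.txt": "KeyLocker",
}

def classify(filename):
    """Return the family a file name points to, or None if nothing matches."""
    for pattern, family in NOTE_PATTERN_TO_FAMILY.items():
        if fnmatch.fnmatchcase(filename, pattern):
            return family
    ext = os.path.splitext(filename)[1].lower()
    return EXTENSION_TO_FAMILY.get(ext)

def scan_tree(root):
    """Walk root and return {family: sorted list of matching file paths}."""
    hits = defaultdict(list)
    for dirpath, _, files in os.walk(root):
        for name in files:
            family = classify(name)
            if family:
                hits[family].append(os.path.join(dirpath, name))
    return {fam: sorted(paths) for fam, paths in hits.items()}

def demo():
    """Scan a constructed sample tree (synthetic file names, not a real incident)."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ["docs/budget.xlsx.ptqw", "docs/read_it.txt",
                    "home/README-id-alice.txt", "home/notes.txt"]:
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return {fam: [os.path.relpath(p, root) for p in paths]
                for fam, paths in scan_tree(root).items()}

if __name__ == "__main__":
    print(demo())
```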

rivitna discovered the new Hunters International ransomware, which appears to be using an encryptor from the Hive operation.

That's it for this week! Hope everyone has a nice weekend!
