This edition of the Week in Ransomware covers the last two weeks of reports, as we couldn't cover it last week, and includes quite a bit of new information, including the return of the Avaddon ransomware gang.
Last month, a new ransomware operation named NoEscape (or No_Escape) was launched that quickly began amassing a stream of new corporate victims.
After the operation's encryptor was analyzed, it quickly became apparent that NoEscape was a rebrand of Avaddon, who shut down their operation in June 2020 after feeling the heat from law enforcement.
However, it looks like the gang never really retired but was simply biding their time until they could return as the new NoEscape operation, possibly working in other operations in the meantime.
While the gang has claimed not to have any affiliation with Avaddon, their encryptor is very similar to the previous operation's ransomware, according to ransomware expert Michael Gillespie.
This includes a unique encryption chunking routine used only by Avaddon, similarities in code, the same configuration file format, and many other routines. The only significant change was the switch from AES encryption to Salsa20.
Law enforcement has been busy, arresting a Ukrainian scareware developer after a 10-year hunt, and an IT employee was sentenced to over three years in prison for impersonating a ransomware gang in an extortion scheme.
In other ransomware reports from BleepingComputer and cybersecurity firms:
Finally, Clop's data theft attacks using the MOVEit Transfer zero-day continue to be a hot topic in the news, with companies continuing to disclose data breaches as they're added to the gang's data leak site.
According to a new Coveware report released today, these attacks have been very profitable, with the ransomware gang expected to earn $75-100 million in extortion payments.
Contributors and those who provided new ransomware information and stories this week include: @demonslay335, @Seifreed, @BleepinComputer, @malwrhunterteam, @billtoulas, @Ionut_Ilascu, @struppigel, @fwosar, @LawrenceAbrams, @serghei, @chainalysis, @TrendMicro, @Intel_by_KELA, @pcrisk, @SophosXOps, @coveware, @BroadcomSW, and @azalsecurity.
July 8th 2023
New 'Big Head' ransomware displays fake Windows update alert
Security researchers have dissected a recently emerged ransomware strain named 'Big Head' that may be spreading through malvertising that promotes fake Windows updates and Microsoft Word installers.
New Makop Ransomware variant
PCrisk found a new Makop ransomware variant that appends the .rajah extension and drops a ransom note named +README-WARNING+.txt.
New STOP Ransomware variants
PCrisk found new STOP variants that append the .gayn and .gazp extensions.
July 12th 2023
Ransomware payments on record-breaking trajectory for 2023
Data from the first half of the year indicates that ransomware activity is on track to break previous records, with a rise in the number of payments, both large and small.
New STOP Ransomware variants
PCrisk found new STOP variants that append the .waqq and .gaqq extensions.
New Chaos ransomware variant
PCrisk found a new Chaos variant that appends the .hackedbySnea575 extension and drops a ransom note named README_txt.txt.
July 14th 2023
Shutterfly says Clop ransomware attack did not impact customer data
Shutterfly, an online retail and photography manufacturing platform, is among the latest victims hit by Clop ransomware.
July 17th 2023
Meet NoEscape: Avaddon ransomware gang's likely successor
The new NoEscape ransomware operation is believed to be a rebrand of Avaddon, a ransomware gang that shut down and released its decryption keys in 2021.
Police arrest Ukrainian scareware developer after 10-year hunt
The Spanish National Police has apprehended a Ukrainian national wanted internationally for his involvement in a scareware operation spanning from 2006 to 2011.
IT employee jailed for impersonating ransomware gang to extort employer
28-year-old Ashley Liles, a former IT employee, has been sentenced to over three years in prison for attempting to blackmail his employer during a ransomware attack.
New STOP Ransomware variants
PCrisk found new STOP variants that append the .miza, .mitu, and .miqe extensions.
New Xorist variant
PCrisk found a new Xorist variant that appends the .PrO extension and drops a ransom note named HOW TO DECRYPT FILES.txt.
July 18th 2023
Cybersecurity firm Sophos impersonated by new SophosEncrypt ransomware
Cybersecurity vendor Sophos is being impersonated by a new ransomware-as-a-service called SophosEncrypt, with the threat actors using the company name for their operation.
FIN8 deploys ALPHV ransomware using Sardonic malware variant
A financially motivated cybercrime gang has been observed deploying BlackCat ransomware payloads on networks backdoored using a revamped version of the Sardonic malware.
July 19th 2023
Estée Lauder beauty giant breached by two ransomware gangs
Two ransomware actors, ALPHV/BlackCat and Clop, have listed beauty company Estée Lauder on their data leak sites as a victim of separate attacks.
July 20th 2023
Kanti: A NIM-Based Ransomware Unleashed in the Wild
New programming languages often have fewer security measures and less mature detection mechanisms than well-established ones. Threat Actors (TAs) often attempt to bypass traditional security defenses and avoid detection by using a less-known programming language.
New Khronos ransomware
PCrisk found a new Khronos ransomware that appends the .khronos extension and drops a ransom note named data.hta.
July 21st, 2023
Clop gang to earn over $75 million from MOVEit extortion attacks
The Clop ransomware gang is expected to earn between $75-100 million from extorting victims of their massive MOVEit data theft campaign.
Ransom Monetization Rates Fall to Record Low Despite Jump in Average Ransom Payments
In the second quarter of 2023, the proportion of ransomware attacks that resulted in the victim paying fell to a record low of 34%. The trend represents the compounding effects that we have noted previously of companies continuing to invest in security, continuity assets, and incident response training. Despite these encouraging statistics, ransomware threat actors and the entire cyber extortion economy continue to evolve their attack and extortion tactics.
Bl00dy ransomware gang returns
AzAl Security noted that the ransomware gang is recruiting new affiliates, but requires a payment first.
Bl00dy ransomware has now advertised on the RAMP forum and is asking 10k USD to join their affiliate program. That is half the price of Lockbit's fee. Bl00dy appears to have felt some heat and is looking to be more covert. Notably, the poster appears to be a native English speaker.
New STOP Ransomware variants
PCrisk found new STOP variants that append the .kiqu and .kizu extensions.
New Black Hunt 2.0 ransomware
PCrisk found a new Black Hunt 2.0 ransomware variant that appends the .Hunt2 extension and drops ransom notes named #BlackHunt_ReadMe.txt and #BlackHunt_ReadMe.hta.
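As an added defender-side example that is not part of the original roundup, the Python helper below matches a file listing against the appended extensions and ransom note names reported in the PCrisk entries above. The family-to-indicator mapping is built from those entries and the sample paths are constructed; a real triage run would feed it a directory walk or an EDR file inventory instead.

```python
# Added example (not from the article): triage a file listing against the
# ransomware extensions and ransom-note names from the PCrisk entries above.
from pathlib import PurePosixPath

INDICATORS = {  # family -> (appended extensions, ransom note file names)
    "Makop": ({".rajah"}, {"+README-WARNING+.txt"}),
    "STOP": ({".gayn", ".gazp", ".waqq", ".gaqq", ".miza", ".mitu",
              ".miqe", ".kiqu", ".kizu"}, set()),
    "Chaos": ({".hackedbySnea575"}, {"README_txt.txt"}),
    "Xorist": ({".PrO"}, {"HOW TO DECRYPT FILES.txt"}),
    "Khronos": ({".khronos"}, {"data.hta"}),
    "Black Hunt 2.0": ({".Hunt2"}, {"#BlackHunt_ReadMe.txt", "#BlackHunt_ReadMe.hta"}),
}


def classify(path):
    """Return (family, 'note' | 'encrypted') for a matching path, else None."""
    name = PurePosixPath(path).name
    for family, (exts, notes) in INDICATORS.items():
        if name in notes:
            return family, "note"
        # The extension is appended after the original one: report.xlsx.gayn
        if any(name.endswith(ext) for ext in exts):
            return family, "encrypted"
    return None


def triage(paths):
    """Per-family hit counts plus the directories the hits were seen in."""
    hits = {}
    for path in paths:
        match = classify(path)
        if match is None:
            continue
        family, kind = match
        entry = hits.setdefault(family, {"encrypted": 0, "notes": 0, "dirs": set()})
        entry["notes" if kind == "note" else "encrypted"] += 1
        entry["dirs"].add(str(PurePosixPath(path).parent))
    return hits


# Constructed sample listing (not from a real incident) for a stand-alone run.
SAMPLE_LISTING = [
    "/srv/share/finance/Q2-report.xlsx.gayn",
    "/srv/share/finance/budget.docx.gayn",
    "/srv/share/hr/contracts.pdf.rajah",
    "/srv/share/hr/+README-WARNING+.txt",
    "/home/dev/project/main.c",
]

if __name__ == "__main__":
    for family, entry in triage(SAMPLE_LISTING).items():
        print(family, entry["encrypted"], "encrypted,", entry["notes"], "notes in", sorted(entry["dirs"]))
```

Note names are matched exactly and extensions case-sensitively, so a hit on a note name alone is a strong signal while an extension-only hit should be confirmed against neighbouring files in the same directory.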
That is it for this week! Hope everyone has a nice weekend!