The Week in Ransomware – April 29th 2022 – New Operations Emerge
This week we learned of numerous new ransomware operations that have begun attacking victims, one of which appears to be a rebrand of a previous operation.
The Quantum ransomware gang has seen an uptick in victims, with a report showing that the gang deploys the encryptor in rapid attacks.
We also learned of a new ransomware gang called Black Basta that has quickly accumulated victims while, for the most part, staying under the radar until this week.
Some of Black Basta’s recent victims are the American Dental Association and Deutsche Windtechnik.
Other news this week is the discovery that the Onyx ransomware purposely destroys files larger than 2MB, making it pointless to pay a ransom.
Finally, Austin Peay State University suffered a ransomware attack and used the unusual tactic of blasting the news on Twitter that students and faculty should shut down their computers.
Contributors and those who provided new ransomware information and stories this week include: @fwosar, @LawrenceAbrams, @PolarToffee, @demonslay335, @serghei, @billtoulas, @malwareforme, @DanielGallagher, @FourOctets, @VK_Intel, @BleepinComputer, @Ax_Sharma, @Ionut_Ilascu, @malwrhunterteam, @struppigel, @jorntvdw, @Seifreed, @CheckPointSW, @vinopaljiri, @TheDFIRReport, @LabsSentinel, @pcrisk, and @Amigo_A_.
April 25th 2022
The Quantum ransomware, a strain first discovered in August 2021, was seen carrying out speedy attacks that escalate quickly, leaving defenders little time to react.
PCrisk found a new ransomware that appends the .parker extension and drops a ransom note named RESTORE_FILES_INFO.txt.
April 26th 2022
The American Dental Association (ADA) was hit by a weekend cyberattack, causing it to shut down portions of its network while investigating the attack.
Coca-Cola, the world’s largest soft drinks maker, has confirmed in a statement to BleepingComputer that it is aware of the reports about a cyberattack on its network and is currently investigating the claims.
PCrisk found new STOP ransomware variants that append the .jhgn, .jhbg, and .dewd extensions.
April 27th 2022
A new Onyx ransomware operation is destroying files larger than 2MB instead of encrypting them, preventing those files from being decrypted even if a ransom is paid.
A new ransomware gang known as Black Basta has quickly catapulted into operation this month, breaching at least twelve companies in just a few weeks.
During a recent investigation, our DFIR team discovered an interesting technique used by LockBit Ransomware Group to load a Cobalt Strike Beacon Reflective Loader. In this particular case, LockBit managed to side-load Cobalt Strike Beacon through a signed VMware xfer logs command line utility.
PCrisk found a new ransomware variant that appends the .axxes extension and drops ransom notes named RESTORE_FILES_INFO.hta and RESTORE_FILES_INFO.txt.
April 28th 2022
Researchers analyzing the collateral consequences of a ransomware attack found that the total costs are roughly seven times higher than the ransom demanded by the threat actors.
Austin Peay State University (APSU) confirmed yesterday that it had been a victim of a ransomware attack.
Amigo-A found a new ransomware that appends the .@PIPIKAKI extension and drops a ransom note named WE CAN RECOVER YOUR DATA.txt.
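As an added defender-side example that is not part of this digest, the following Python script turns the file extensions and ransom-note names reported in this week's entries (.parker, .jhgn, .jhbg, .dewd, .axxes, .@PIPIKAKI and the RESTORE_FILES_INFO and WE CAN RECOVER YOUR DATA notes) into a quick triage scan over a directory tree. The sample tree it builds is constructed for the demonstration and is not real evidence; the function and variable names are this example's own.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Indicators from this week's entries: file extensions and ransom-note names
# reported by PCrisk and Amigo-A. Extensions are matched case-insensitively.
RANSOM_EXTENSIONS = {".parker", ".jhgn", ".jhbg", ".dewd", ".axxes", ".@pipikaki"}
RANSOM_NOTE_NAMES = {
    "RESTORE_FILES_INFO.txt",
    "RESTORE_FILES_INFO.hta",
    "WE CAN RECOVER YOUR DATA.txt",
}


def classify_name(name):
    """Classify one file name: 'note', 'encrypted' (known extension) or None."""
    if name in RANSOM_NOTE_NAMES:
        return "note"
    # splitext treats a leading dot as part of the name, so ".parker" alone
    # yields no extension and is not flagged.
    ext = os.path.splitext(name)[1].lower()
    if ext in RANSOM_EXTENSIONS:
        return "encrypted"
    return None


def scan_tree(root):
    """Walk a directory tree and collect ransomware indicators.

    Returns a dict with:
      notes     - paths of ransom notes found
      encrypted - Counter of matched extensions (lower-cased)
      hit_dirs  - directories containing at least one indicator
    """
    result = {"notes": [], "encrypted": Counter(), "hit_dirs": set()}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            kind = classify_name(name)
            if kind == "note":
                result["notes"].append(os.path.join(dirpath, name))
            elif kind == "encrypted":
                result["encrypted"][os.path.splitext(name)[1].lower()] += 1
            else:
                continue
            result["hit_dirs"].add(dirpath)
    return result


def build_sample_tree(base):
    """Create a constructed sample tree (not real evidence) under `base`."""
    base = Path(base)
    (base / "finance").mkdir(parents=True, exist_ok=True)
    (base / "hr").mkdir(exist_ok=True)
    samples = [
        "finance/budget.xlsx.parker",
        "finance/q1.docx.parker",
        "finance/RESTORE_FILES_INFO.txt",
        "hr/payroll.csv.@PIPIKAKI",
        "hr/WE CAN RECOVER YOUR DATA.txt",
        "hr/handbook.pdf",
        "README.md",
    ]
    for rel in samples:
        (base / rel).write_text("constructed sample content\n")
    return base


def demo():
    """Build the constructed sample tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        report = scan_tree(root)
        # Relative paths keep the result independent of the temp location.
        report["notes"] = sorted(os.path.relpath(p, root) for p in report["notes"])
        report["hit_dirs"] = sorted(os.path.relpath(d, root) for d in report["hit_dirs"])
        return report


if __name__ == "__main__":
    report = demo()
    print("ransom notes:", report["notes"])
    print("files by extension:", dict(report["encrypted"]))
    print("affected directories:", report["hit_dirs"])
```

Point scan_tree at a mounted image or a file share export rather than a live infected host, and treat the extension counts per directory as a first estimate of blast radius; the note locations show which shares the encryptor reached, which is what an incident responder needs before deciding what to restore.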