The Week in Ransomware – August 19th 2022 – Evolving Extortion Tactics
This week saw the return of the BlackByte ransomware operation, which launched a new data leak site using extortion tactics similar to LockBit 3.0.
This week’s attacks hit Argentina’s Judiciary of Córdoba and a UK water supplier (though Clop attributed the attack to the wrong company), and LockBit claimed to be behind the attack on Entrust.
Finally, researchers found a new variant of the SOVA Android malware that includes a ransomware feature to encrypt mobile devices.
While Entrust has not responded to our queries about the attack, sources have told us that LockBit conducted the attack.
Contributors and those who provided new ransomware information and stories this week include: @billtoulas, @LawrenceAbrams, @PolarToffee, @BleepinComputer, @Seifreed, @jorntvdw, @fwosar, @serghei, @struppigel, @FourOctets, @demonslay335, @malwrhunterteam, @Ionut_Ilascu, @malwareforme, @VK_Intel, @DanielGallagher, @juanbrodersen, @AlvieriD, @Cyberknow20, @Intel_by_KELA, @MauroEldritch, @luisezegarra, @Cleafy, and @pcrisk.
August 13th 2022
SOVA malware adds ransomware feature to encrypt Android devices
The SOVA Android banking trojan continues to evolve with new features, code improvements, and the addition of a new ransomware feature that encrypts files on mobile devices.
August 15th 2022
Argentina’s Judiciary of Córdoba hit by PLAY ransomware attack
Argentina’s Judiciary of Córdoba has shut down its IT systems after suffering a ransomware attack, reportedly at the hands of the new ‘Play’ ransomware operation.
August 16th 2022
Hackers attack UK water supplier but extort wrong company
South Staffordshire Water, a company supplying 330 million liters of drinking water to 1.6m consumers daily, has issued a statement confirming IT disruption from a cyberattack.
IceFire Ransomware launches data leak site
New STOP ransomware variants
PCrisk found a bunch of new STOP ransomware variants that append the .qqlc, .qqlo, and .qqmt extensions.
New VoidCrypt variants
PCrisk found new VoidCrypt variants that append the .dark and .Angry extensions and drop a ransom note named unlock-info.txt.
New Chaos ransomware variant
PCrisk found a new Chaos ransomware variant that appends the .sex extension and drops a ransom note named read_it.txt.
August 17th 2022
BlackByte ransomware gang is back with new extortion tactics
The BlackByte ransomware is back with version 2.0 of their operation, including a new data leak site utilizing new extortion techniques borrowed from LockBit.
Videos from SANS Ransomware Summit
SANS has published the videos from their ransomware summit.
Alleged Russian Money Launderer Extradited from the Netherlands to U.S.
According to court documents, Dubnikov and his co-conspirators laundered the proceeds of ransomware attacks on individuals and organizations throughout the United States and abroad. Specifically, Dubnikov and his accomplices laundered ransom payments extracted from victims of Ryuk ransomware attacks.
August 18th 2022
LockBit claims ransomware attack on security giant Entrust
The LockBit ransomware gang has claimed responsibility for the June cyberattack on digital security giant Entrust.
August 19th 2022
Córdoba: chaos in the Justice after the ransomware attack
The ransomware attack suffered by the Judiciary of Córdoba last Friday left the Justice of that province in limbo. Since then, the systems team has been working amid the chaos to recover the sequestered information: password changes, USB port blockages, suspension of Exchange email and interruption of communications between users to prevent the spread of the virus.
New STOP ransomware variant
PCrisk found a new STOP ransomware variant that appends the .qqri extension.