The Week in Ransomware – January 21st 2022 – Arrests, Wipers, and More
It has been quite a busy week in ransomware, with law enforcement making arrests, data-wiping attacks, and the return of the Qlocker ransomware.
This week’s biggest news is Russia’s arrest of fourteen suspected members of the REvil ransomware operation. In addition, a senior Biden administration official said that one of the fourteen suspects is responsible for the Colonial Pipeline ransomware attack.
Europol also conducted a law enforcement operation against VPNLab, a platform commonly used by ransomware gangs. Law enforcement operatives seized 15 servers used by the VPNLab.net service and took down its main site, making the platform no longer available.
While it was a good week for law enforcement, sadly, new attacks were discovered.
Microsoft disclosed attacks on Ukrainian organizations using data-wiping malware disguised as ransomware. This malware is named “WhisperGate,” and Ukrainian officials have attributed the attacks to the Russian government, or to actors working at its behest.
For consumers and small businesses, we saw the unfortunate return of Qlocker, notorious ransomware that encrypted thousands of QNAP NAS devices last year.
Finally, research released by security companies linked White Rabbit ransomware to FIN8 hackers and offered new analysis of the BlackCat/ALPHV and Avaddon ransomware operations, and the FBI linked Diavol to the TrickBot Group.
Contributors and those who provided new ransomware information and stories this week include: @serghei, @VK_Intel, @billtoulas, @struppigel, @Ionut_Ilascu, @malwareforme, @jorntvdw, @Seifreed, @FourOctets, @PolarToffee, @DanielGallagher, @malwrhunterteam, @fwosar, @LawrenceAbrams, @BleepinComputer, @demonslay335, @fbgwls245, @Amigo_A_, @JakubKroustek, @pcrisk, @TrendMicro, @LabsSentinel, @MsftSecIntel, @Mandiant, and @GrujaRS.
January 15th 2022
Threat actors behind the Qlocker ransomware are once again targeting Internet-exposed QNAP Network Attached Storage (NAS) devices worldwide.
Eight members of the REvil ransomware operation who have been detained by Russian officers are currently facing criminal charges for their illegal activity.
January 16th 2022
Microsoft is warning of destructive data-wiping malware disguised as ransomware being used in attacks against multiple organizations in Ukraine.
January 17th 2022
PCrisk found two new STOP ransomware variants that append the .vfgj and .fhkf extensions.
dnwls0719 found a new Chaos ransomware variant that appends the .AZ extension.
January 18th 2022
A new ransomware family called ‘White Rabbit’ appeared in the wild recently, and according to recent research findings, could be a side-operation of the FIN8 hacking group.
Italian luxury fashion giant Moncler confirmed that they suffered a data breach after files were stolen by the AlphV/BlackCat ransomware operation in December and published today on the dark web.
Law enforcement authorities from 10 countries took down VPNLab.net, a VPN service provider used by ransomware operators and malware actors.
BlackCat (aka AlphaVM, AlphaV) is a newly established RaaS (Ransomware as a Service) with payloads written in Rust. While BlackCat is not the first ransomware written in the Rust language, it joins a small (yet growing) sliver of the malware landscape making use of this popular cross-platform language.
dnwls0719 found a new Dharma ransomware variant that appends the .MTX extension.
January 19th 2022
RR Donnelley has confirmed that threat actors stole data in a December cyberattack, confirmed by BleepingComputer to be a Conti ransomware attack.
This blog post explores activity, similarities and overlaps between multiple ransomware families related to AVADDON ransomware, serving as a case study to understand how ransomware operators think and continue to turn a profit in a constantly evolving cybercrime ecosystem.
PCrisk found a new Dharma ransomware variant that appends the .cip extension.
January 20th 2022
The FBI has formally linked the Diavol ransomware operation to the TrickBot Group, the malware developers behind the notorious TrickBot banking trojan.
Jakub Kroustek found a new STOP ransomware variant that appends the .maak extension.
Amigo-A spotted the new Trap ransomware that appends the .trap extension and drops a ransom note named RESTORE.txt.
GrujaRS found a new Makop ransomware variant that appends the .factfull extension.
January 21st 2022
PCrisk found a new Phobos ransomware variant that appends the .ELBOW extension.
That’s it for this week! Hope everyone has a nice weekend!