The Week in Ransomware – July 1st 2022 – Bug Bounties
It has been relatively busy this week with new ransomware attacks unveiled, a bug bounty program introduced, and new tactics used by the threat actors to distribute their encryptors.
This week’s big news was the release of LockBit 3.0, which includes a new bug bounty reward program in which the threat actors pay between $1,000 and $1 million for submitted bugs and for new ways of enhancing their operation.
We also learned that a LockBit affiliate is distributing the ransomware through fake copyright infringement emails, Word docs are used to install AstraLocker directly, and the Black Basta gang is exploiting the PrintNightmare vulnerabilities.
Finally, we also learned about various attacks this week, including those on Macmillan, Fitzgibbon Hospital, the Medical University of Innsbruck, and TB Kawashima. Threat actors also claimed to have attacked AMD, which is investigating the claims, and Walmart, which says the attack never occurred.
Contributors and those who provided new ransomware information and stories this week include: @PolarToffee, @fwosar, @struppigel, @BleepinComputer, @serghei, @Ionut_Ilascu, @DanielGallagher, @malwrhunterteam, @LawrenceAbrams, @VK_Intel, @billtoulas, @jorntvdw, @malwareforme, @FourOctets, @demonslay335, @Seifreed, @ReversingLabs, @ValeryMarchive, @TrendMicro, @kisa118, @ahnlab, @PogoWasRight, @Amigo_A_, @Kangxiaopao, and @pcrisk.
June 25th 2022
TB Kawashima, part of the Japanese automotive component manufacturer Toyota Boshoku of the Toyota Group of companies, announced that one of its subsidiaries has been hit by a cyberattack.
June 26th 2022
LockBit ransomware affiliates are using an interesting trick to get people into infecting their devices by disguising their malware as copyright claims.
Amigo-A found a new ransomware that appends the .damacrypt extension.
June 27th 2022
The LockBit ransomware operation has released ‘LockBit 3.0,’ introducing the first ransomware bug bounty program along with new extortion tactics and Zcash cryptocurrency payment options.
The Vice Society ransomware gang has claimed responsibility for last week’s cyberattack against the Medical University of Innsbruck, which caused severe IT service disruption and the alleged theft of data.
On Saturday, DataBreaches received information pointing to an attack on Fitzgibbon Hospital in Missouri. The group claiming responsibility calls itself “Daixin Team.” It is not a name previously known to DataBreaches. Their onion site contained files allegedly from Fitzgibbon that they uploaded for the public to grab.
xiaopao found the BlueSky ransomware that appends the .bluesky extension and drops the DECRYPT FILES BLUESKY #.html and # DECRYPT FILES BLUESKY #.txt ransom notes.
PCrisk found new STOP ransomware variants that append the .llee, .lltt, and .lloo extensions.
PCrisk found a new Dharma ransomware variant that appends the .edw extension.
PCrisk found a new Loki Locker ransomware variant that appends the .PayForKey extension.
PCrisk found a new Chaos-based Warlocks Ransomware that appends the .warlocks extension and drops a ransom note named read_it.txt.
June 28th 2022
Semiconductor giant AMD says it is investigating a cyberattack after the RansomHouse gang claimed to have stolen 450 GB of data from the company last year.
The Korea Internet & Security Agency (KISA) is distributing the Hive ransomware integrated recovery tool that can decrypt files encrypted with versions 1 through 4.
Canadian Netwalker ransomware affiliate Sebastien Vachon-Desjardins pleaded guilty to hacking charges brought by the US DOJ.
Amigo-A found the new Babuk-based RedTeam ransomware that appends .REDTM and drops a ransom note named HowToDecryptYourFiles.txt.
June 29th 2022
American retailer Walmart has denied being hit with a ransomware attack by the Yanluowang gang after the hackers claimed to have encrypted thousands of computers.
PCrisk found a new Chaos-based Warlocks Ransomware that appends the .baal extension and drops a ransom note named readme-warning.txt.
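The new variants reported this week are identified mainly by the extension they append and the ransom note they drop. The following script is an added example, not code from the article or from any of the researchers credited above; it turns those reported indicators into a simple triage check over a file listing. The directory listing is constructed for illustration, and family labels are taken from the roundup (the .damacrypt family is unnamed there, so it is labelled as such).

```python
"""Triage a file listing for the ransomware indicators reported in this roundup.

Added example: the indicator tables are transcribed from the roundup entries above;
the sample listing is constructed for illustration and does not come from a real host.
"""
from collections import defaultdict
from pathlib import PurePosixPath

# Extensions appended to encrypted files, lowercased so matching is case-insensitive.
EXTENSION_FAMILIES = {
    ".damacrypt": "unnamed (.damacrypt)",
    ".bluesky": "BlueSky",
    ".llee": "STOP",
    ".lltt": "STOP",
    ".lloo": "STOP",
    ".edw": "Dharma",
    ".payforkey": "Loki Locker",
    ".warlocks": "Warlocks (Chaos-based)",
    ".redtm": "RedTeam (Babuk-based)",
    ".baal": "Warlocks (Chaos-based)",
}

# Ransom note file names as reported, lowercased. Chaos-style notes such as
# read_it.txt are generic names, so a note alone is weaker evidence than
# a note sitting next to files carrying the matching extension.
NOTE_FAMILIES = {
    "decrypt files bluesky #.html": "BlueSky",
    "# decrypt files bluesky #.txt": "BlueSky",
    "read_it.txt": "Warlocks (Chaos-based)",
    "howtodecryptyourfiles.txt": "RedTeam (Babuk-based)",
    "readme-warning.txt": "Warlocks (Chaos-based)",
}


def classify_path(path):
    """Return ("ransom_note" | "encrypted_file", family) for a matching path, else None."""
    name = PurePosixPath(path).name.lower()
    if name in NOTE_FAMILIES:
        return ("ransom_note", NOTE_FAMILIES[name])
    # Only the final suffix matters: "q2-report.xlsx.llee" -> ".llee".
    suffix = PurePosixPath(name).suffix
    if suffix in EXTENSION_FAMILIES:
        return ("encrypted_file", EXTENSION_FAMILIES[suffix])
    return None


def scan(paths):
    """Group matching paths by family and indicator kind.

    Returns {family: {"encrypted_file": [...], "ransom_note": [...]}} with only
    the kinds actually seen for each family.
    """
    hits = defaultdict(lambda: defaultdict(list))
    for path in paths:
        result = classify_path(path)
        if result is not None:
            kind, family = result
            hits[family][kind].append(path)
    return {family: dict(kinds) for family, kinds in hits.items()}


def corroborated_families(hits):
    """Families for which both a ransom note and encrypted files were seen, sorted."""
    return sorted(
        family for family, kinds in hits.items()
        if "ransom_note" in kinds and "encrypted_file" in kinds
    )


# Constructed sample listing (not real data) mixing clean files with indicators.
SAMPLE_LISTING = [
    "/srv/share/finance/q2-report.xlsx.llee",
    "/srv/share/finance/q2-report.xlsx",
    "/srv/share/hr/contract.docx.PayForKey",
    "/srv/share/hr/read_it.txt",
    "/srv/share/backup/db.bak.REDTM",
    "/srv/share/backup/HowToDecryptYourFiles.txt",
    "/srv/share/docs/# DECRYPT FILES BLUESKY #.txt",
    "/srv/share/docs/photo.jpg.bluesky",
    "/srv/share/docs/notes.txt",
]

if __name__ == "__main__":
    results = scan(SAMPLE_LISTING)
    for family in sorted(results):
        for kind, paths in sorted(results[family].items()):
            print(f"{family:24} {kind:15} {len(paths)}")
    print("corroborated:", corroborated_families(results))
```

A listing from a file server or backup catalogue can be fed to `scan()` directly; `corroborated_families()` separates families seen with both a note and encrypted files from single-indicator hits, which is where a generic note name such as read_it.txt would otherwise cause noise.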
June 30th 2022
A lesser-known ransomware strain called AstraLocker has recently released its second major version, and according to threat analysts, its operators engage in rapid attacks that drop its payload directly from email attachments.
Publishing giant Macmillan was forced to shut down its network and offices while recovering from a security incident that appears to be a ransomware attack.
More than 420 victims were claimed on the LockBit 2.0 showcase in the first half of the year. The true total could be significantly higher, and the success rate, meaning attacks that end in a ransom payment, could therefore be a record high.
Black Basta Ransomware Operators Expand Their Attack Arsenal With QakBot Trojan and PrintNightmare Exploit
We look into a recent attack orchestrated by the Black Basta ransomware group that used the banking trojan QakBot as a means of entry and lateral movement and took advantage of the PrintNightmare vulnerability to perform privileged file operations.