The Week in Ransomware – July 1st 2022 – Bug Bounties
It has been relatively busy this week with new ransomware attacks unveiled, a bug bounty program introduced, and new tactics used by the threat actors to distribute their encryptors.
This week’s big news was the release of LockBit 3.0, which includes a new bug bounty program where the threat actors pay between $1,000 and $1 million for submitted bugs and new ways of enhancing their operation.
We also learned that a LockBit affiliate is distributing the ransomware through fake copyright infringement emails, Word docs are used to install AstraLocker directly, and the Black Basta gang is exploiting the PrintNightmare vulnerabilities.
Finally, we also learned about various attacks this week, including those on Macmillan, Fitzgibbon Hospital, Med. University of Innsbruck, and TB Kawashima. Threat actors also claimed to have attacked AMD, who are investigating the claims, and Walmart, who says the attack never occurred.
Contributors and those who provided new ransomware information and stories this week include: @PolarToffee, @fwosar, @struppigel, @BleepinComputer, @serghei, @Ionut_Ilascu, @DanielGallagher, @malwrhunterteam, @LawrenceAbrams, @VK_Intel, @billtoulas, @jorntvdw, @malwareforme, @FourOctets, @demonslay335, @Seifreed, @ReversingLabs, @ValeryMarchive, @TrendMicro, @kisa118, @ahnlab, @PogoWasRight, @Amigo_A_, @Kangxiaopao, and @pcrisk.
June 25th 2022
Automotive fabric supplier TB Kawashima announces cyberattack
TB Kawashima, part of the Japanese automotive component manufacturer Toyota Boshoku of the Toyota Group of companies, announced that one of its subsidiaries has been hit by a cyberattack.
June 26th 2022
Fake copyright infringement emails install LockBit ransomware
LockBit ransomware affiliates are using an interesting trick to lure people into infecting their own devices by disguising their malware as copyright claims.
New Damacrypt ransomware
Amigo-A found a new ransomware that appends the .damacrypt extension.
June 27th 2022
LockBit 3.0 introduces the first ransomware bug bounty program
The LockBit ransomware operation has released ‘LockBit 3.0,’ introducing the first ransomware bug bounty program along with new extortion tactics and Zcash cryptocurrency payment options.
Vice Society claims ransomware attack on Med. University of Innsbruck
The Vice Society ransomware gang has claimed responsibility for last week’s cyberattack against the Medical University of Innsbruck, which caused severe IT service disruption and the alleged theft of data.
MO: Fitzgibbon Hospital hit by ransomware, sensitive data leaked
On Saturday, DataBreaches received information pointing to an attack on Fitzgibbon Hospital in Missouri. The group claiming responsibility calls itself “Daixin Team,” a name not previously known to DataBreaches. Its onion site contained files allegedly from Fitzgibbon that the group uploaded for the public to grab.
New BlueSky ransomware
xiaopao found the BlueSky ransomware that appends the .bluesky extension and drops the DECRYPT FILES BLUESKY #.html and # DECRYPT FILES BLUESKY #.txt ransom notes.
New STOP ransomware variants
PCrisk found new STOP ransomware variants that append the .llee, .lltt, and .lloo extensions.
New Dharma ransomware variant
PCrisk found a new Dharma ransomware variant that appends the .edw extension.
New Loki Locker ransomware variant
PCrisk found a new Loki Locker ransomware variant that appends the .PayForKey extension.
New Warlocks Ransomware
PCrisk found a new Chaos-based Warlocks Ransomware that appends the .warlocks extension and drops a ransom note named read_it.txt.
June 28th 2022
AMD investigates RansomHouse hack claims, theft of 450GB data
Semiconductor giant AMD says they are investigating a cyberattack after the RansomHouse gang claimed to have stolen 450 GB of data from the company last year.
Hive Ransomware Decryptor released (Version 1~Version 4)
The Korea Internet & Security Agency (KISA) is distributing the Hive ransomware integrated recovery tool that can decrypt files encrypted with versions 1 through 4.
Netwalker affiliate pleads guilty
Canadian Netwalker ransomware affiliate Sebastien Vachon-Desjardins pleaded guilty to hacking charges brought by the US DOJ.
New RedTeam ransomware
Amigo-A found the new Babuk-based RedTeam ransomware that appends .REDTM and drops a ransom note named HowToDecryptYourFiles.txt.
June 29th 2022
Walmart denies being hit by Yanluowang ransomware attack
American retailer Walmart has denied being hit with a ransomware attack by the Yanluowang gang after the hackers claimed to have encrypted thousands of computers.
New Baal Ransomware
PCrisk found a new Chaos-based Baal Ransomware that appends the .baal extension and drops a ransom note named readme-warning.txt.
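The new variants reported this week (Damacrypt, BlueSky, STOP, Dharma, Loki Locker, Warlocks, RedTeam and Baal) are identified by the extension they append and the ransom note they drop. The following is an added triage script, not code from BleepingComputer or any of the researchers credited above; it walks a directory tree, matches filenames against exactly the indicators listed in this roundup, and tallies hits per family so a responder can quickly see which strain is present. The sample paths are constructed, and the indicator mapping is illustrative, not an exhaustive IoC list.

```python
import os
from collections import Counter

# Extensions and ransom-note filenames as named in this week's roundup.
# Constructed mapping for illustration; matching is case-insensitive.
EXTENSIONS = {
    ".damacrypt": "Damacrypt",
    ".bluesky": "BlueSky",
    ".llee": "STOP", ".lltt": "STOP", ".lloo": "STOP",
    ".edw": "Dharma",
    ".payforkey": "Loki Locker",
    ".warlocks": "Warlocks",
    ".redtm": "RedTeam",
    ".baal": "Baal",
}
RANSOM_NOTES = {
    "read_it.txt": "Warlocks",
    "howtodecryptyourfiles.txt": "RedTeam",
    "readme-warning.txt": "Baal",
    "decrypt files bluesky #.html": "BlueSky",
    "# decrypt files bluesky #.txt": "BlueSky",
}

# Constructed sample of paths as they might appear on an affected host.
SAMPLE_PATHS = [
    "C:/Users/alice/Documents/q3-forecast.xlsx.bluesky",
    "C:/Users/alice/Documents/DECRYPT FILES BLUESKY #.html",
    "C:/Users/alice/Pictures/holiday.jpg",
    "C:/shared/finance/budget.docx.llee",
    "C:/shared/finance/read_it.txt",
]

def classify_path(path):
    """Return (family, reason) for a matching filename, or None if it is clean."""
    name = os.path.basename(path).lower()
    if name in RANSOM_NOTES:              # note names are checked first, before the extension
        return RANSOM_NOTES[name], "ransom note"
    ext = os.path.splitext(name)[1]       # last extension, e.g. 'file.docx.llee' -> '.llee'
    if ext in EXTENSIONS:
        return EXTENSIONS[ext], "encrypted-file extension"
    return None

def triage(paths):
    """Count hits per family and keep the matched paths as evidence for review."""
    hits, evidence = Counter(), {}
    for p in paths:
        match = classify_path(p)
        if match:
            hits[match[0]] += 1
            evidence.setdefault(match[0], []).append((p, match[1]))
    return hits, evidence

def scan_tree(root):
    """Triage every file under a directory, e.g. a mounted image of a suspect host."""
    return triage(os.path.join(d, f) for d, _, files in os.walk(root) for f in files)
```

Run `scan_tree("/mnt/evidence")` against a mounted image; the returned counter shows which family dominates and the evidence list gives the first files to pull for analysis.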
June 30th 2022
AstraLocker 2.0 infects users directly from Word attachments
A lesser-known ransomware strain called AstraLocker has recently released its second major version, and according to threat analysts, its operators engage in rapid attacks that drop its payload directly from email attachments.
Macmillan shuts down systems after likely ransomware attack
Publishing giant Macmillan was forced to shut down their network and offices while recovering from a security incident that appears to be a ransomware attack.
Ransomware LockBit: a hundred victims per month in the first half
More than 420 victims were listed on the LockBit 2.0 leak site in the first half of the year. The true total could be significantly higher, and the success rate, meaning attacks that ended in a ransom payment, could be a record high.
Black Basta Ransomware Operators Expand Their Attack Arsenal With QakBot Trojan and PrintNightmare Exploit
We look into a recent attack orchestrated by the Black Basta ransomware group that used the banking trojan QakBot as a means of entry and movement and took advantage of the PrintNightmare vulnerability to perform privileged file operations.