The Week In Ransomware – July 24th 2020 – Navigation Failure
This week has been quite busy with a new enterprise targeting ransomware called Exorcist and attacks against large companies.
The biggest news this week is the attack on Garmin who suffered a worldwide outage since July 23rd. Today, BleepingComputer has been able to confirm that Garmin suffered a WastedLocker Ransomware attack.
There was also interesting analysis released this week on the Lazarus APT group, Maze, and WastedLocker from various security firms.
Contributors and those who provided new ransomware information and stories this week include: @jorntvdw, @BleepinComputer, @FourOctets, @malwareforme, @demonslay335, @struppigel, @serghei, @malwrhunterteam, @DanielGallagher, @LawrenceAbrams, @fwosar, @PolarToffee, @VK_Intel, @Seifreed, @Ionut_Ilascu, @LabsSentinel, @campuscodi, @Arete_Advisors, @3xp0rtblog, @JAMESWT_MHT, @Amigo_A_, @MarceloRivero, @kaspersky, and @leotpsc.
July 18th 2020
Since January 2020, the Arete IR practice has responded to forty-one (41) Sodinokibi engagements. The industry has seen two big changes with Sodinokibi/REvil from their shift to exfiltrating data as of January 2020, and more, recently with their move to only accepting payments in Monero cryptocurrency (XMR).
July 20th 2020
Lorien Health Services in Maryland announced that it was the victim of a ransomware incident in early June. Data was stolen and then encrypted during the incident.
A ransomware gang has infected the internal network of Telecom Argentina, one of the country’s largest internet service providers, and is now asking for a $7.5 million ransom demand to unlock encrypted files.
Michael Gillespie found a new ransomware/wiper that appends the .mechu4Po and .Ieph0uxo extensions or drops a ransom note named !!!ПРОЧИТАТЬ!!!.txt / README.txt.
Michael Gillespie announced that ID Ransomware can now detect 900 ransomware families.
Michael Gillespie found a new Matrix ransomware variant that appends the .RE78P and drops the RE78P_README.rtf ransom note.
July 21st 2020
MalwareHunterTeam found a new ransomware called Exorcist that is targeting enterprise networks and is promoted on hacker forums.
Vitali Kremez posted a brief analysis of the Exorcist ransomware and how it avoids CIS countries.
July 22nd 2020
A recently discovered malware framework known as MATA and linked to the North Korean-backed hacking group known as Lazarus was used in attacks targeting corporate entities from multiple countries since April 2018 for ransomware deployment and data theft.
Affiliate involved in Maze ransomware operations profiled from the actor perspective while also detailing their involvement in other groups.
New in-dev Davinci ransomware
July 23rd 2020
Wearable device maker Garmin shut down some of its connected services and call centers on Thursday following what the company called a worldwide outage, now confirmed to be caused by a WastedLocker ransomware attack.
The UK National Cyber Security Centre (NCSC) today highlighted the increasing risks posed by ransomware attacks, phishing campaigns, and Business Email Compromise (BEC) fraud schemes targeting sports organizations and teams, including Premier League football clubs.
JAMESWT found a new bootlocker that shows a link to a RickRoll YouTube Video.
July 24th 2020
Arete Threat Intelligence continues to work with law enforcement contacts to conduct analysis into WastedLocker. The cyber criminals behind this variant have been quick to identify and infect victims’ systems with ransomware resulting in a devastating blow to the victims IT infrastructure and interrupting profitable business operations
Michael Gillespie found a new STOP Ransomware variant that appends the .erif extension to encrypted files.
Karsten Hahn found a new ransomware that threatens “fry” files and append the .silvertor extension to encrypted files.
Karsten Hahn found a new CryptoWire variant called FlyingShip.
That’s it for this week! Hope everyone has a nice weekend!
Also read: 9 Policies For Security Procedures Examples