The Week in Ransomware – July 8th 2022 – One Down, Many to Go
While we continue to see new ransomware operations launch, we also received some good news this week, with another ransomware shutting down.
Earlier this week, the AstraLocker ransomware decided to shut down and release its decryptors after receiving attention from researchers. These decryptors allowed Emsisoft to release their own decryptor today.
We also learned of the new Checkmate ransomware, which targets QNAP devices but does not steal any data.
This week, information about attacks also became public, including IT services giant SHI, Quantum ransomware hitting PFC, and the US government warning that the Maui ransomware is targeting healthcare.
Contributors and those who provided new ransomware information and stories this week include: @BleepinComputer, @LawrenceAbrams, @fwosar, @VK_Intel, @demonslay335, @Seifreed, @struppigel, @FourOctets, @malwareforme, @DanielGallagher, @PolarToffee, @serghei, @jorntvdw, @Ionut_Ilascu, @malwrhunterteam, @billtoulas, @PogoWasRight, @ValeryMarchive, @vxunderground, @emsisoft, @Unit42_Intel, @AdvIntel, @CISecurity, @pcrisk, and @Amigo_A_.
July 3rd 2022
LockBit 3.0 borrows code from BlackMatter
July 4th 2022
The threat actor behind the lesser-known AstraLocker ransomware told BleepingComputer they’re shutting down the operation and plan to switch to cryptojacking.
PCrisk found a new Sojusz ransomware variant that appends the .ner extension and drops a ransom note named !!!HOW_TO_DECRYPT!!!.txt.
PCrisk found a new STOP ransomware variant that appends the .ghsd extension.
July 5th 2022
A new ransomware operation called RedAlert, or N13V, encrypts both Windows and Linux VMware ESXi servers in attacks on corporate networks.
PCrisk found a new Xorist ransomware variant that appends the .LoMiAt extension and drops a ransom note named HOW TO DECRYPT FILES.txt.
July 6th 2022
The FBI, CISA, and the U.S. Treasury Department today issued a joint advisory warning of North-Korean-backed threat actors using Maui ransomware in attacks against Healthcare and Public Health (HPH) organizations.
Hotel giant Marriott International confirmed it was hit by another data breach after an unknown threat actor breached one of its properties and stole 20GB of files.
Hacking groups and ransomware operations are moving away from Cobalt Strike to the newer Brute Ratel post-exploitation toolkit to evade detection by EDR and antivirus solutions.
SHI International, a New Jersey-based provider of Information Technology (IT) products and services, has confirmed that a malware attack hit its network over the weekend.
July 7th 2022
Network-attached storage (NAS) vendor QNAP warned customers to secure their devices against attacks using Checkmate ransomware to encrypt data.
Professional Finance Company Inc. (PFC), a full-service accounts receivables management company, says that a ransomware attack in late February led to a data breach affecting over 600 healthcare organizations.
The BlackCat ransomware group is making quite a name for itself. In a FLASH alert published in April 2022, the FBI revealed that the operation had infected more than 60 victims since first surfacing in mid-November 2021.
Examination of the first available samples of version 3.0 of the LockBit ransomware reveals surprising ties to BlackMatter and its predecessor, Darkside. But the code sharing might not have been consensual.
PCrisk found new STOP ransomware variants that append the .jjww and .jjyy extensions.
PCrisk found new Babuk ransomware variants that append the .again or .FIXED extensions and drop a ransom note named How To Restore Your Files.txt.
July 8th 2022
New Zealand-based cybersecurity firm Emsisoft has released a free decryption tool to help AstraLocker and Yashma ransomware victims recover their files without paying a ransom.
A new ransomware operation named ‘0mega’ targets organizations worldwide in double-extortion attacks and demands millions of dollars in ransoms.