The Week in Ransomware – July 8th 2022 – One Down, Many to Go
While we continue to see new ransomware operations launch, we also received some good news this week, with another ransomware operation shutting down.
Earlier this week, the AstraLocker ransomware operation shut down and released its decryptors after drawing attention from researchers. Those decryptors allowed Emsisoft to release its own decryptor today.
Unfortunately, this week we also reported on two new enterprise-targeting ransomware operations, RedAlert and 0mega, both of which perform double-extortion attacks.
We also learned of the new Checkmate ransomware, which targets QNAP devices but does not steal any data.
Information about attacks also became public this week, including IT services giant SHI, Quantum ransomware hitting PFC, and a US government warning that Maui ransomware is targeting healthcare.
Contributors and those who provided new ransomware information and stories this week include: @BleepinComputer, @LawrenceAbrams, @fwosar, @VK_Intel, @demonslay335, @Seifreed, @struppigel, @FourOctets, @malwareforme, @DanielGallagher, @PolarToffee, @serghei, @jorntvdw, @Ionut_Ilascu, @malwrhunterteam, @billtoulas, @PogoWasRight, @ValeryMarchive, @vxunderground, @emsisoft, @Unit42_Intel, @AdvIntel, @CISecurity, @pcrisk, and @Amigo_A_.
July 3rd 2022
LockBit 3.0 borrows code from BlackMatter
Took a quick look at LockBit3. Guess the reason they named it "LockBit Black" at first is obvious now: Large portions of the code are ripped straight from BlackMatter/Darkside. Guess it is clear that LockBit got their dirty hands on another group's code.
— Fabian Wosar (@fwosar) July 3, 2022
July 4th 2022
AstraLocker ransomware shuts down and releases decryptors
The threat actor behind the lesser-known AstraLocker ransomware told BleepingComputer they’re shutting down the operation and plan to switch to cryptojacking.
New Sojusz variant
PCrisk found a new Sojusz ransomware variant that appends the .ner extension and drops a ransom note named !!!HOW_TO_DECRYPT!!!.txt.
New STOP ransomware variant
PCrisk found a new STOP ransomware variant that appends the .ghsd extension.
July 5th 2022
New RedAlert ransomware targets Windows and Linux VMware ESXi servers
A new ransomware operation called RedAlert, or N13V, encrypts both Windows and Linux VMware ESXi servers in attacks on corporate networks.
New Xorist ransomware variant
PCrisk found a new Xorist ransomware variant that appends the .LoMiAt extension and drops a ransom note named HOW TO DECRYPT FILES.txt.
July 6th 2022
US govt warns of Maui ransomware attacks against healthcare orgs
The FBI, CISA, and the U.S. Treasury Department today issued a joint advisory warning that North Korean state-sponsored threat actors are using Maui ransomware in attacks against Healthcare and Public Health (HPH) sector organizations.
Marriott confirms another data breach after hotel got hacked
Hotel giant Marriott International confirmed it was hit by another data breach after an unknown threat actor breached one of its properties and stole 20GB of files.
Ransomware, hacking groups move from Cobalt Strike to Brute Ratel
Hacking groups and ransomware operations are moving away from Cobalt Strike to the newer Brute Ratel post-exploitation toolkit to evade detection by EDR and antivirus solutions.
IT services giant SHI hit by “professional malware attack”
SHI International, a New Jersey-based provider of Information Technology (IT) products and services, has confirmed that a malware attack hit its network over the weekend.
July 7th 2022
QNAP warns of new Checkmate ransomware targeting NAS devices
Network-attached storage (NAS) vendor QNAP warned customers to secure their devices against attacks using Checkmate ransomware to encrypt data.
Quantum ransomware attack affects 657 healthcare orgs
Professional Finance Company Inc. (PFC), a full-service accounts receivables management company, says that a ransomware attack in late February led to a data breach affecting over 600 healthcare organizations.
Breaking Down the BlackCat Ransomware Operation
The BlackCat ransomware group is making quite a name for itself. In a FLASH alert published in April 2022, the FBI revealed that the operation had infected more than 60 victims since first surfacing in mid-November 2021.
LockBit ransomware: a version 3.0 born of a cross with BlackMatter
Examination of the first available samples of version 3.0 of the LockBit ransomware reveals surprising ties to BlackMatter and its predecessor, Darkside. But the union may not have been consensual.
New STOP ransomware variants
PCrisk found new STOP ransomware variants that append the .jjww and .jjyy extensions.
New Babuk ransomware variants
PCrisk found new Babuk ransomware variants that append the .again or .FIXED extensions and drop a ransom note named How To Restore Your Files.txt.
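The Sojusz, STOP, Xorist and Babuk entries above each give the one thing a responder can check immediately on a suspect file share: the appended extension and the ransom-note file name. As an added example (this is not code from the roundup, from PCrisk, or from any other contributor named on this page), the script below collects exactly those indicators into a table and sweeps a directory tree for them, tallying encrypted files and notes per family and per directory so you can see which family hit which share. The directory layout it builds is constructed for the demo, the family labels are the ones the reports use, and the indicator table contains only what this page lists, so it is a triage aid rather than a complete IOC set for any of these families.

```python
import os
import tempfile
from collections import Counter, defaultdict

# Indicators copied from the variant reports on this page. Constructed table:
# it is deliberately limited to what the page states and matches case-sensitively,
# because PCrisk reports the exact extension string the ransomware appends.
EXTENSION_IOCS = {
    ".ner": "Sojusz",
    ".ghsd": "STOP",
    ".jjww": "STOP",
    ".jjyy": "STOP",
    ".LoMiAt": "Xorist",
    ".again": "Babuk",
    ".FIXED": "Babuk",
}

NOTE_IOCS = {
    "!!!HOW_TO_DECRYPT!!!.txt": "Sojusz",
    "HOW TO DECRYPT FILES.txt": "Xorist",
    "How To Restore Your Files.txt": "Babuk",
}


def classify(name):
    """Return (family, kind) for a file name, or None if nothing matches.

    Notes are checked first, because a note named '... Files.txt' would otherwise
    fall through to the extension check as an ordinary .txt file.
    """
    if name in NOTE_IOCS:
        return NOTE_IOCS[name], "note"
    # These families append their extension after the original one
    # (report.docx.ghsd), so only the last suffix is significant.
    _, ext = os.path.splitext(name)
    if ext in EXTENSION_IOCS:
        return EXTENSION_IOCS[ext], "encrypted"
    return None


def sweep(root):
    """Walk root and tally indicator hits per family and per directory."""
    per_family = defaultdict(Counter)
    per_dir = defaultdict(Counter)
    for dirpath, _, files in os.walk(root):
        for name in files:
            hit = classify(name)
            if hit is None:
                continue
            family, kind = hit
            per_family[family][kind] += 1
            per_dir[dirpath][family] += 1
    return per_family, per_dir


def build_sample_tree(root):
    """Create a constructed file tree for the demo (hypothetical victim data)."""
    layout = {
        "finance": ["q2.xlsx.ghsd", "budget.docx.ghsd", "readme.txt"],
        os.path.join("shares", "hr"): ["HOW TO DECRYPT FILES.txt", "payroll.csv.LoMiAt"],
        "web": ["index.html", "logo.png"],
    }
    for sub, names in layout.items():
        directory = os.path.join(root, sub)
        os.makedirs(directory, exist_ok=True)
        for name in names:
            with open(os.path.join(directory, name), "w") as fh:
                fh.write("x")


def demo():
    """Build the constructed tree in a temp dir, sweep it, return plain dicts."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        per_family, per_dir = sweep(root)
        families = {f: dict(c) for f, c in per_family.items()}
        dirs = {os.path.relpath(d, root): dict(c) for d, c in per_dir.items()}
    return families, dirs


if __name__ == "__main__":
    families, dirs = demo()
    for family, counts in sorted(families.items()):
        print(f"{family}: {counts}")
    for directory, counts in sorted(dirs.items()):
        print(f"  {directory}: {counts}")
```

Point `sweep()` at a mounted, read-only copy of the affected share rather than the live host; on the constructed tree it reports two STOP-encrypted files in `finance` and one Xorist note plus one Xorist-encrypted file in `shares/hr`, while `web` produces no hits. A real sweep should extend both tables from an up-to-date IOC source before it is relied on.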
July 8th 2022
Free decryptor released for AstraLocker, Yashma ransomware victims
New Zealand-based cybersecurity firm Emsisoft has released a free decryption tool to help AstraLocker and Yashma ransomware victims recover their files without paying a ransom.
New 0mega ransomware targets businesses in double-extortion attacks
A new ransomware operation named ‘0mega’ targets organizations worldwide in double-extortion attacks and demands millions of dollars in ransoms.