The Week in Ransomware – June 10th 2022 – Targeting Linux
It has been relatively quiet this week with many companies and researchers at the RSA conference. However, we still had some interesting ransomware reports released this week.
Advanced Intel released a deep dive on BlackCat/AlphV, revealing some of the technical details of the ransomware operation.
The Cuba ransomware operation also came back to life, with numerous attacks in March and April.
For the most bizarre news of the week, a ransomware dev is selling their decryptor on the Roblox gaming platform.
Finally, Vice Society claimed the attack on the City of Palermo, Italy, whose online operations are still impacted.
Contributors and those who provided new ransomware information and stories this week include: @billtoulas, @VK_Intel, @demonslay335, @DanielGallagher, @Ionut_Ilascu, @LawrenceAbrams, @fwosar, @malwrhunterteam, @jorntvdw, @malwareforme, @FourOctets, @serghei, @PolarToffee, @Seifreed, @struppigel, @BleepinComputer, @TrendMicro, @uptycs, @NCCGroupInfosec, @Intel_by_KELA, @y_advintel, @Avast, @BrettCallow, @ValeryMarchive, and @pcrisk.
June 6th 2022
The Black Basta ransomware gang has partnered with the QBot malware operation to spread laterally through hacked corporate environments.
The municipality of Palermo in Southern Italy suffered a cyberattack on Friday, which appears to have had a massive impact on a broad range of operations and services to both citizens and visiting tourists.
Threat analysts have observed an unusual trend in ransomware group tactics, reporting that initial phases of victim extortion are becoming less open to the public as the actors tend to use hidden or anonymous entries.
TaRRaK ransomware appeared in June of 2021. This ransomware contains many coding errors, so we decided to publish a small blog about them. Samples of this ransomware were spotted in our user base, so we also created a decryptor for this ransomware.
PCrisk found a new VoidCrypt variant that appends the .linda extension.
PCrisk found new STOP ransomware variants that append the .bnrs and .eegf extensions.
June 7th 2022
Black Basta is the latest ransomware gang to add a Linux encryptor that targets VMware ESXi virtual machines (VMs), the hypervisor hosts on which many enterprises consolidate their servers.
This report is part one of AdvIntel’s new series on the ALPHV (aka BlackCat) ransomware group. In the upcoming part two, AdvIntel will hold an analytical lens on BlackCat’s organizational, recruitment, and operations process. This part introduces the context and offers a deep dive into the group’s technical capabilities which could herald a new breed of threat actors entering the cybercriminal ecosystem.
June 8th 2022
The Cuba ransomware operation has returned to regular operations with a new version of its malware found used in recent attacks.
June 9th 2022
The Vice Society ransomware group has claimed responsibility for the recent cyberattack on the city of Palermo in Italy, which has caused a large-scale service outage.
A new ransomware is taking the unusual approach of selling its decryptor on the Roblox gaming platform using the service’s in-game Robux currency.
June 10th 2022
PCrisk found new STOP ransomware variants that append the .bbyy and .bbzz extensions.
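The new extensions listed in this week's entries (.linda for VoidCrypt; .bnrs, .eegf, .bbyy and .bbzz for STOP) are the quickest triage signal an incident responder has for identifying which variant hit a file share. The following script is an added example, not code from the article or from any of the researchers credited above: it walks a directory tree, tallies files whose trailing extension matches one of those variants, and returns a per-family and per-extension summary with a sample path for each. The directory it scans is a constructed sample tree of placeholder files, not real ransomware output, and the scanning logic is an assumption about how such a triage pass would be written.

```python
"""Triage helper: walk a directory tree and tally files whose extension matches
a ransomware variant named in this week's report. Added example, not part of
the original article. The extension-to-family mapping is taken from the text
above; the scanning logic and sample tree are constructed for illustration."""
import os
import tempfile
from collections import Counter

# Extensions appended by variants reported this week (from the article).
KNOWN_EXTENSIONS = {
    ".linda": "VoidCrypt",
    ".bnrs": "STOP",
    ".eegf": "STOP",
    ".bbyy": "STOP",
    ".bbzz": "STOP",
}


def classify(path):
    """Return the family for a path whose final extension is known, else None."""
    ext = os.path.splitext(path)[1].lower()
    return KNOWN_EXTENSIONS.get(ext)


def scan_tree(root):
    """Walk root and return (counts per family, counts per extension,
    one sample path per extension) for files matching KNOWN_EXTENSIONS."""
    families = Counter()
    extensions = Counter()
    samples = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            family = classify(name)
            if family is None:
                continue
            ext = os.path.splitext(name)[1].lower()
            families[family] += 1
            extensions[ext] += 1
            samples.setdefault(ext, os.path.join(dirpath, name))
    return families, extensions, samples


def build_sample_tree():
    """Create a constructed directory of placeholder files named the way an
    encrypted share would look (original name plus appended extension).
    Sample data only, not real ransomware output. Returns the root path."""
    root = tempfile.mkdtemp(prefix="ransom-triage-")
    layout = {
        "docs/report.docx.bbyy": b"x",
        "docs/budget.xlsx.bbyy": b"x",
        "photos/img1.jpg.eegf": b"x",
        "photos/readme.txt": b"clean",
        "share/notes.txt.linda": b"x",
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    fams, exts, samp = scan_tree(build_sample_tree())
    for fam, n in fams.items():
        print(f"{fam}: {n} file(s)")
    for ext, n in exts.items():
        print(f"  {ext}: {n}, e.g. {samp[ext]}")
```

Point `scan_tree` at a mounted share or a forensic image's mount point to get the same summary on real data; extension matching only identifies the family, so confirm the variant from the ransom note before reaching for a decryptor.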