The Week in Ransomware – June 10th 2022 – Targeting Linux
It has been relatively quiet this week with many companies and researchers at the RSA conference. However, we still had some interesting ransomware reports released this week.
Advanced Intel released a deep dive on BlackCat/ALPHV, revealing some of the technical details of the ransomware operation.
We learned that Black Basta is using QBot to spread laterally in breached networks, and a new Linux encryptor was found for the ransomware operation as well.
The Cuba ransomware operation also came back to life, with numerous attacks in March and April.
For the most bizarre news of the week, a ransomware dev is selling their decryptor on the Roblox gaming platform.
Finally, Vice Society claimed the attack on the City of Palermo, Italy, whose online operations are still impacted.
Contributors and those who provided new ransomware information and stories this week include: @billtoulas, @VK_Intel, @demonslay335, @DanielGallagher, @Ionut_Ilascu, @LawrenceAbrams, @fwosar, @malwrhunterteam, @jorntvdw, @malwareforme, @FourOctets, @serghei, @PolarToffee, @Seifreed, @struppigel, @BleepinComputer, @TrendMicro, @uptycs, @NCCGroupInfosec, @Intel_by_KELA, @y_advintel, @Avast, @BrettCallow, @ValeryMarchive, and @pcrisk.
June 6th 2022
QBot now pushes Black Basta ransomware in bot-powered attacks
The Black Basta ransomware gang has partnered with the QBot malware operation to spread laterally through hacked corporate environments.
Italian city of Palermo shuts down all systems to fend off cyberattack
The municipality of Palermo in Southern Italy suffered a cyberattack on Friday, which appears to have had a massive impact on a broad range of operations and services to both citizens and visiting tourists.
Ransomware gangs now give victims time to save their reputation
Threat analysts have observed an unusual trend in ransomware group tactics, reporting that the initial phases of victim extortion are becoming less public, with the actors posting hidden or anonymized entries rather than naming the victim outright.
Decrypted: TaRRaK Ransomware
TaRRaK ransomware appeared in June of 2021. This ransomware contains many coding errors, so we decided to publish a small blog about them. Samples of this ransomware were spotted in our user base, so we also created a decryptor for this ransomware.
New VoidCrypt variant
PCrisk found a new VoidCrypt variant that appends the .linda extension.
New STOP ransomware variant
PCrisk found new STOP ransomware variants that append the .bnrs and .eegf extensions.
June 7th 2022
Linux version of Black Basta ransomware targets VMware ESXi servers
Black Basta is the latest ransomware gang to add support for encrypting VMware ESXi virtual machines (VMs) running on enterprise Linux servers.
BlackCat — In a Shifting Threat Landscape, It Helps to Land on Your Feet: Tech Dive
This report is part one of AdvIntel’s new series on the ALPHV (aka BlackCat) ransomware group. In the upcoming part two, AdvIntel will hold an analytical lens on BlackCat’s organizational, recruitment, and operations process. This part introduces the context and offers a deep dive into the group’s technical capabilities which could herald a new breed of threat actors entering the cybercriminal ecosystem.
June 8th 2022
Cuba ransomware returns to extorting victims with updated encryptor
The Cuba ransomware operation has returned to regular operations, with a new version of its encryptor seen in recent attacks.
June 9th 2022
Vice Society ransomware claims attack on Italian city of Palermo
The Vice Society ransomware group has claimed responsibility for the recent cyber attack on the city of Palermo in Italy, which has caused a large-scale service outage.
Bizarre ransomware sells decryptor on Roblox Game Pass store
A new ransomware is taking the unusual approach of selling its decryptor on the Roblox gaming platform using the service’s in-game Robux currency.
June 10th 2022
New STOP ransomware variant
PCrisk found new STOP ransomware variants that append the .bbyy and .bbzz extensions.
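The STOP items from June 6th and June 10th and the VoidCrypt item from June 6th each report only an appended extension, which is still the fastest triage indicator on a suspected host. The sweep below is an added example written for this roundup, not code from BleepingComputer, PCrisk or any of the ransomware families: it tallies files under a tree whose extension matches one reported this week, flags the "many files, one new appended extension" pattern that a STOP/Djvu-style run leaves even when the extension is not yet on a list, and looks for the family's `_readme.txt` note (a well-known STOP/Djvu artifact, not something this page states). The sample file list is constructed for the example, and the mass-rename threshold and the set of "document" extensions it watches are assumptions, not published figures.

```python
"""Ransomware extension triage sweep.

Added example, not code from BleepingComputer, PCrisk or any ransomware
family. Extension-to-family mapping comes from this week's PCrisk items;
everything else is an assumption made for the example.
"""
from collections import Counter
from pathlib import PurePosixPath

# Extension -> family, as reported on this page (PCrisk, June 6th and 10th).
KNOWN_EXTENSIONS = {
    ".bnrs": "STOP/Djvu",
    ".eegf": "STOP/Djvu",
    ".bbyy": "STOP/Djvu",
    ".bbzz": "STOP/Djvu",
    ".linda": "VoidCrypt",
}

# Well-known STOP/Djvu ransom note name (not stated on this page).
RANSOM_NOTES = {"_readme.txt": "STOP/Djvu"}

# Assumed: common user-document extensions that ransomware targets.
# An appended extension is only counted when one of these sits underneath.
DOC_EXTENSIONS = {".docx", ".doc", ".xlsx", ".xls", ".pptx", ".pdf",
                  ".jpg", ".png", ".txt", ".mp4"}

# Assumed: one unknown extension appended to at least this many documents
# is treated as a mass-rename event (a possible new variant).
MASS_RENAME_THRESHOLD = 5


def classify(path):
    """Return (family, original_name) if the file carries a known
    ransomware extension, else None. STOP appends its extension to the
    complete original name (report.docx -> report.docx.bbyy), so the
    original name is the file name with only the last suffix removed."""
    p = PurePosixPath(path)
    family = KNOWN_EXTENSIONS.get(p.suffix.lower())
    if family is None:
        return None
    return family, p.name[: -len(p.suffix)]


def sweep(paths):
    """Tally hits per known family, collect ransom notes, and detect a
    mass-rename pattern for extensions not yet in KNOWN_EXTENSIONS."""
    hits = Counter()
    notes = []
    unknown_appended = Counter()
    for path in paths:
        found = classify(path)
        if found:
            hits[found[0]] += 1
            continue
        p = PurePosixPath(path)
        if p.name.lower() in RANSOM_NOTES:
            notes.append(path)
            continue
        # "report.pdf.xxxx": a document extension followed by a short
        # alphabetic one, the shape STOP/Djvu and similar families leave.
        suffixes = p.suffixes
        if (len(suffixes) >= 2
                and suffixes[-2].lower() in DOC_EXTENSIONS
                and suffixes[-1][1:].isalpha()
                and len(suffixes[-1]) <= 6):
            unknown_appended[suffixes[-1].lower()] += 1
    suspects = {ext: n for ext, n in unknown_appended.items()
                if n >= MASS_RENAME_THRESHOLD}
    return {
        "known": dict(hits),
        "ransom_notes": notes,
        "suspect_new_extensions": suspects,
    }


# Constructed sample tree: three STOP hits, one VoidCrypt hit, one note,
# a legitimate .tar.gz, a clean PDF, and five files with an unlisted
# appended extension that should trip the mass-rename heuristic.
SAMPLE_PATHS = [
    "/home/u/docs/report.docx.bbyy",
    "/home/u/docs/budget.xlsx.bbyy",
    "/home/u/photos/IMG_001.jpg.bbyy",
    "/home/u/docs/notes.txt.linda",
    "/home/u/docs/_readme.txt",
    "/home/u/backup/site.tar.gz",
    "/home/u/docs/clean.pdf",
] + [f"/home/u/share/file{i}.pdf.qqqq" for i in range(5)]

if __name__ == "__main__":
    for key, value in sweep(SAMPLE_PATHS).items():
        print(f"{key}: {value}")
```

In production the path list would come from `os.walk` over the datastore or home directories; the in-memory list keeps the example offline. The heuristic is deliberately narrow (document extension underneath, short alphabetic extension on top) so that archives such as `.tar.gz` do not count as renames.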