The Week in Ransomware – June 17th 2022 – Have I Been Ransomed?
Ransomware operations are constantly evolving their tactics to pressure victims to pay. For example, this week, we saw a new extortion tactic come into play with the creation of dedicated websites to extort victims with searchable data.
The new extortion tactic was introduced by the ALPHV gang, aka BlackCat, who created a searchable, clearweb site that contained the stolen data for employees and hotel guests for a particular victim.
Using this website, employees of the company could search for their names to see if their data was stolen, including Social Security Numbers, phone numbers, etc.
Other interesting news this week was learning that AvosLocker and Cerber2021 are using recent Atlassian Confluence exploits to gain initial access to corporate networks. We also learned that Hello XD ransomware is dropping a ‘MicroBackdoor’ on devices while encrypting.
Sadly, we also learned of some attacks this week, with RansomHouse extorting Africa’s largest supermarket chain, Shoprite, and a California school district paying a 400k ransom to Quantum.
Contributors and those who provided new ransomware information and stories this week include: @serghei, @jorntvdw, @malwareforme, @VK_Intel, @struppigel, @DanielGallagher, @PolarToffee, @LawrenceAbrams, @Ionut_Ilascu, @fwosar, @billtoulas, @BleepinComputer, @Seifreed, @malwrhunterteam, @FourOctets, @demonslay335, @pcrisk, @proofpoint, @PogoWasRight, @BrettCallow, @Unit42_Intel, and @Amigo_A_.
June 11th 2022
Confluence servers hacked to deploy AvosLocker, Cerber2021 ransomware
Ransomware gangs are now targeting a recently patched and actively exploited remote code execution (RCE) vulnerability affecting Atlassian Confluence Server and Data Center instances for initial access to corporate networks.
New STOP ransomware variant
PCrisk found a new STOP ransomware variant that appends the .bbii extension.
June 12th 2022
Hello XD ransomware now drops a backdoor while encrypting
Cybersecurity researchers report increased activity of the Hello XD ransomware, whose operators are now deploying an upgraded sample featuring stronger encryption.
June 13th 2022
New Chaos ransomware variant
PCrisk found a new Chaos ransomware variant that calls itself Ritzer Ransomware. The ransomware appends the .ritzer extension and drops a ransom note named read_it.txt.
New Venus ransomware variant
Amigo-A found a new Venus ransomware variant that appends the .anigma extension and drops a ransom note named README.txt.
June 14th 2022
New Phobos ransomware variant
PCrisk found a new Phobos ransomware variant that appends the .LIZARD extension and drops ransom notes named info.txt and info.hta.
Ransomware gang creates site for employees to search for their stolen data
The ALPHV ransomware gang, aka BlackCat, has brought extortion to a new level by creating a dedicated website that allows the customers and employees of their victim to check if their data was stolen in an attack.
New Sheeva ransomware
PCrisk found a ransomware that appends the .sheeva extension and drops a ransom note named sheeva.txt.
June 15th 2022
Extortion gang ransoms Shoprite, largest supermarket chain in Africa
Shoprite Holdings, Africa’s largest supermarket chain that operates almost three thousand stores across twelve countries in the continent, has been hit by a ransomware attack.
Glenn County Office of Education paid $400k ransom after ransomware attack
That situation apparently changed at some point thereafter because on June 7, GlennCOE paid a $400,000 ransom to Quantum threat actors to get a decryption key and certain assurances.
June 16th 2022
Microsoft Office 365 feature can help cloud ransomware attacks
Security researchers are warning that threat actors could hijack Office 365 accounts to encrypt for a ransom the files stored in SharePoint and OneDrive services that companies use for cloud-based collaboration, document management and storage.
June 17th 2022
QNAP ‘thoroughly investigating’ new DeadBolt ransomware attacks
Network-attached storage (NAS) vendor QNAP once again warned customers on Friday to secure their devices against a new campaign of attacks pushing DeadBolt ransomware.
New Phobos ransomware variant
PCrisk found a new Phobos ransomware variant that appends the .grt extension and drops ransom notes named info.txt and info.hta.