The Week in Ransomware – June 17th 2022 – Have I Been Ransomed?
Ransomware operations are constantly evolving their tactics to pressure victims into paying. This week, for example, we saw a new extortion tactic: dedicated websites where the people affected by a breach can search the stolen data, adding pressure on the victim to pay.
The new tactic was introduced by the ALPHV gang, aka BlackCat, which created a searchable clearweb site containing data stolen from a particular victim, covering both its employees and its hotel guests.
Using this website, employees and guests could search for their names to see whether their data, including Social Security numbers and phone numbers, had been stolen.
Other interesting news this week: AvosLocker and Cerber2021 are using the recent Atlassian Confluence exploit to gain initial access to corporate networks, and the Hello XD ransomware drops a ‘MicroBackdoor’ on devices while it encrypts them.
Sadly, we also learned of further attacks this week, with RansomHouse extorting Africa’s largest supermarket chain, Shoprite, and a California school district paying a $400,000 ransom to Quantum.
Contributors and those who provided new ransomware information and stories this week include: @serghei, @jorntvdw, @malwareforme, @VK_Intel, @struppigel, @DanielGallagher, @PolarToffee, @LawrenceAbrams, @Ionut_Ilascu, @fwosar, @billtoulas, @BleepinComputer, @Seifreed, @malwrhunterteam, @FourOctets, @demonslay335, @pcrisk, @proofpoint, @PogoWasRight, @BrettCallow, @Unit42_Intel, and @Amigo_A_.
June 11th 2022
Ransomware gangs are now targeting a recently patched and actively exploited remote code execution (RCE) vulnerability affecting Atlassian Confluence Server and Data Center instances for initial access to corporate networks.
PCrisk found a new STOP ransomware variant that appends the .bbii extension.
June 12th 2022
Cybersecurity researchers report increased activity of the Hello XD ransomware, whose operators are now deploying an upgraded sample featuring stronger encryption.
June 13th 2022
PCrisk found a new Chaos ransomware variant that calls itself Ritzer Ransomware. The ransomware appends the .ritzer extension and drops a ransom note named read_it.txt.
Amigo-A found a new Venus ransomware variant that appends the .anigma extension and drops a ransom note named README.txt.
June 14th 2022
PCrisk found a new Phobos ransomware variant that appends the .LIZARD extension and drops ransom notes named info.txt and info.hta.
The ALPHV ransomware gang, aka BlackCat, has brought extortion to a new level by creating a dedicated website that allows the customers and employees of their victim to check whether their data was stolen in an attack.
PCrisk found a ransomware that appends the .sheeva extension and drops a ransom note named sheeva.txt.
June 15th 2022
Shoprite Holdings, Africa’s largest supermarket chain that operates almost three thousand stores across twelve countries in the continent, has been hit by a ransomware attack.
GlennCOE (the Glenn County Office of Education, California) paid a $400,000 ransom on June 7 to the Quantum threat actors in exchange for a decryption key and certain assurances.
June 16th 2022
Security researchers are warning that threat actors who hijack Office 365 accounts could encrypt, for ransom, the files stored in the SharePoint and OneDrive services that companies use for cloud-based collaboration, document management, and storage.
June 17th 2022
Network-attached storage (NAS) vendor QNAP once again warned customers on Friday to secure their devices against a new campaign of attacks pushing DeadBolt ransomware.
PCrisk found a new Phobos ransomware variant that appends the .grt extension and drops ransom notes named info.txt and info.hta.
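Several of this week's entries are pure file-system indicators: an appended extension and a ransom-note name. The following is an added example, not code from BleepingComputer, PCrisk, or any of the researchers credited above. It is a small Python scanner that walks a directory tree, matches the indicators transcribed from the entries above, and grades the result per family, treating a ransom note on its own as weak evidence because README.txt and info.txt are ordinary filenames. The sample directory tree, its file names, and the example.test contact address in the Phobos-style filename are constructed for the demo and are not from the page.

```python
import os
import tempfile
from collections import defaultdict
from pathlib import Path
from typing import Dict, Optional, Tuple

# Indicators transcribed from this week's entries: family -> (appended extensions, ransom-note names).
INDICATORS: Dict[str, Tuple[set, set]] = {
    "STOP/Djvu": ({".bbii"}, set()),
    "Chaos (Ritzer)": ({".ritzer"}, {"read_it.txt"}),
    "Venus": ({".anigma"}, {"README.txt"}),
    "Phobos": ({".LIZARD", ".grt"}, {"info.txt", "info.hta"}),
    "Sheeva": ({".sheeva"}, {"sheeva.txt"}),
}


def classify(name: str) -> Optional[Tuple[str, str]]:
    """Return (family, kind) for a file name that matches an indicator, else None.
    kind is "note" for an exact ransom-note name and "encrypted" for an appended
    extension. Extensions are matched case-insensitively on the end of the name,
    since Phobos appends its marker after an id and contact address
    (e.g. doc.xlsx.id[...].[addr].LIZARD)."""
    lower = name.lower()
    for family, (exts, notes) in INDICATORS.items():
        if name in notes:
            return family, "note"
        if any(lower.endswith(ext.lower()) for ext in exts):
            return family, "encrypted"
    return None


def scan_tree(root: Path) -> Dict[str, dict]:
    """Walk root and collect per-family evidence: how many encrypted files and
    notes were seen, and which directories hold both kinds for the same family."""
    evidence = {f: {"encrypted": 0, "notes": 0, "dirs_with_both": set()} for f in INDICATORS}
    kinds_per_dir = defaultdict(lambda: defaultdict(set))  # dir -> family -> {kinds}
    for dirpath, _subdirs, files in os.walk(root):
        for fn in files:
            hit = classify(fn)
            if hit is None:
                continue
            family, kind = hit
            evidence[family]["notes" if kind == "note" else "encrypted"] += 1
            kinds_per_dir[dirpath][family].add(kind)
    for dirpath, fams in kinds_per_dir.items():
        for family, kinds in fams.items():
            if kinds == {"encrypted", "note"}:
                evidence[family]["dirs_with_both"].add(dirpath)
    return evidence


def verdicts(evidence: Dict[str, dict]) -> Dict[str, str]:
    """Grade each family that has evidence. A note alone is "low" (README.txt and
    info.txt are ordinary names), encrypted extensions alone are "medium", and a
    note sitting next to encrypted files in the same directory is "high"."""
    out = {}
    for family, ev in evidence.items():
        if ev["dirs_with_both"]:
            out[family] = "high"
        elif ev["encrypted"]:
            out[family] = "medium"
        elif ev["notes"]:
            out[family] = "low"
    return out


def build_sample_tree(root: Path) -> None:
    """Constructed sample data for the demo (names invented, not from the page):
    a Phobos-style directory, a lone legitimate README.txt, one STOP-encrypted
    file, and clean files."""
    (root / "finance").mkdir()
    (root / "finance" / "q2.xlsx.id[1A2B3C4D-3245].[mail@example.test].LIZARD").write_text("x")
    (root / "finance" / "info.txt").write_text("note")
    (root / "finance" / "info.hta").write_text("note")
    (root / "src").mkdir()
    (root / "src" / "README.txt").write_text("a legitimate project readme")
    (root / "src" / "main.py").write_text("print('ok')\n")
    (root / "home").mkdir()
    (root / "home" / "photo.jpg.bbii").write_text("x")


def run_demo() -> Dict[str, str]:
    """Build the sample tree in a temp dir, scan it, print and return the verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        ev = scan_tree(root)
        result = verdicts(ev)
        for family, grade in sorted(result.items()):
            print(f"{family}: {grade} (encrypted={ev[family]['encrypted']}, notes={ev[family]['notes']})")
        return result


if __name__ == "__main__":
    run_demo()
```

Point scan_tree at a mounted share or a forensic image and extend INDICATORS as new variants appear. The grading is deliberately conservative: a lone README.txt in a source tree is reported as "low" rather than as a Venus infection, while a Phobos note beside files carrying the .LIZARD marker in the same directory is reported as "high". Treat any hit as a triage lead, not proof; the extension and note name are the cheapest indicators a ransomware operator can change.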