The Week in Ransomware – March 18th 2022 – Targeting the Auto Industry
This week, the automotive industry has been under attack, with numerous companies exhibiting signs of breaches or ransomware activity.
It started with a ransomware attack on Denso, the world’s largest automotive components manufacturer, which was hit by the new Pandora ransomware operation. Pandora is believed to be a rebrand of the Root ransomware operation.
Dragos Inc. later reported increased Emotet activity targeting the automotive industry, which usually leads to Conti ransomware attacks.
BleepingComputer has also been tracking a ransomware attack this week against Snap-on, a manufacturer of tools for the transportation industry.
We first learned of the attack after one of their subsidiaries, Mitchell 1, suffered an outage of their automotive repair software that a source told us was caused by a ransomware attack.
Yesterday, Conti claimed responsibility for the attack on Snap-on.
Good news this week is the release of a decryptor for the Diavol ransomware, an operation run by the TrickBot Group.
Contributors and those who provided new ransomware information and stories this week include: @LawrenceAbrams, @Ionut_Ilascu, @DanielGallagher, @BleepinComputer, @Seifreed, @VK_Intel, @serghei, @demonslay335, @malwrhunterteam, @fwosar, @jorntvdw, @malwareforme, @FourOctets, @struppigel, @PolarToffee, @billtoulas, @S0ufi4n3, @Intel471Inc, @3xp0rtblog, @pancak3lullz, @Arkbird_SOLG, @LabsSentinel, @radvadva, @ESETresearch, @BrettCallow, @benoitsevens, @vladhiewsha, @pcrisk, @Arete_Advisors, @vxunderground, @f0wlsec, @herrcore, @DragosInc, @petrovic082, @sysopfb, and @emsisoft.
March 14th 2022
Automotive parts manufacturer DENSO has confirmed that it suffered a cyberattack on March 10th after a new Pandora ransomware operation began leaking data allegedly stolen during the attack.
Newly discovered data-destroying malware was observed earlier today in attacks targeting Ukrainian organizations and deleting data across systems on compromised networks.
MalwareHunterTeam found a new ransomware named IceFire that appends the .iFire extension and drops a ransom note named iFire-readme.txt.
PCrisk found new STOP ransomware variants that append the .kqgs, .uigd, .xcbg, or .bpqd extensions.
Petrovic found the new Acepy ransomware that appends the .acepy extension to encrypted files.
March 15th 2022
The ransomware space was very active in the last quarter of 2021, with threat analysts observing 722 distinct attacks deploying 34 different variants.
March 16th 2022
PCRisk found a new Babuk ransomware variant that appends the .chernobyl extension.
PCrisk found a new STOP ransomware variant that appends the .vlff extension.
The BlackCat ransomware gang (aka ALPHV) has updated their ransomware executable to require the passcode used during encryption in order to extract its config.
Some lowlife conducted a cyberattack on a children’s hospital. While it has not been confirmed if this is a ransomware attack, it would not be surprising if it was.
There is a new BlackCat ransomware sample out, and its config is now protected using a command-line-supplied ACCESS_TOKEN. The token is used to generate an AES key, which is then used to decrypt the encrypted config.
Today we are going to be looking at “Pandora Ransomware”, a novel Ransomware strain that has been monitored for a couple of days, e.g. by MalwareHunterTeam, but at first no sample was available.
March 17th 2022
Google’s Threat Analysis Group has exposed the operations of a threat actor group dubbed “EXOTIC LILY,” an initial access broker linked to the Conti and Diavol ransomware operations.
As discovered by 3xp0rt, someone leaked more information about the Conti ransomware gang on the XSS forum. This leak contained URLs to the ransomware gang’s Rocket.Chat servers and information about members.
PCrisk found a new STOP ransomware variant that appends the .eyrv extension.
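The appended extensions and ransom-note name reported in the IceFire, STOP, Acepy and Babuk items above are the kind of indicator a responder first sees in a file share listing. The following is an added example, not code from the article or from any of the researchers it cites: a small triage helper that groups file names by the family their extension or note name points to. The directory listing it runs on is constructed for the example. Because STOP rotates its extension with nearly every build, a table like this only flags what has already been published; treat a hit as a reason to pull the sample and note, not as a detection rule on its own.

```python
"""
Added example (not part of the original roundup): name-based triage of a
directory listing against the ransomware indicators published this week.
"""
from collections import defaultdict

# Appended extensions exactly as reported in the roundup, keyed lowercase.
KNOWN_EXTENSIONS = {
    ".ifire": "IceFire",
    ".kqgs": "STOP", ".uigd": "STOP", ".xcbg": "STOP", ".bpqd": "STOP",
    ".vlff": "STOP", ".eyrv": "STOP",
    ".acepy": "Acepy",
    ".chernobyl": "Babuk",
}

# Ransom-note file names reported in the roundup, keyed lowercase.
RANSOM_NOTES = {"ifire-readme.txt": "IceFire"}

# Constructed sample listing; the paths and file names are invented.
SAMPLE_LISTING = [
    r"\\fileserver\finance\Q4-budget.xlsx.iFire",
    r"\\fileserver\finance\iFire-readme.txt",
    "/srv/share/hr/contracts.zip.iFire",
    "/srv/share/hr/policy.pdf",
    "/home/dev/report.docx.kqgs",
    "/home/dev/notes.txt",
]


def basename(path):
    """Last path component, accepting both Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def classify(path):
    """Return the family a single file name points to, or None."""
    name = basename(path).lower()
    if name in RANSOM_NOTES:
        return RANSOM_NOTES[name]
    # Only the final extension matters: victims' files keep their original
    # name and get the ransomware extension appended (report.docx.kqgs).
    dot = name.rfind(".")
    if dot == -1:
        return None
    return KNOWN_EXTENSIONS.get(name[dot:])


def triage(paths):
    """Group suspicious paths by indicated family; clean paths are dropped."""
    hits = defaultdict(list)
    for path in paths:
        family = classify(path)
        if family is not None:
            hits[family].append(path)
    return dict(hits)


def summarize(paths):
    """Per-family hit counts, most affected family first."""
    counts = {family: len(found) for family, found in triage(paths).items()}
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for family, count in summarize(SAMPLE_LISTING):
        print(f"{family}: {count} file(s)")
    for family, found in triage(SAMPLE_LISTING).items():
        for path in found:
            print(f"  [{family}] {path}")
```

The note-name check runs before the extension check so that `iFire-readme.txt` is attributed to IceFire rather than ignored as an ordinary `.txt` file; matching is case-insensitive because the reported `.iFire` extension is mixed case and Windows shares do not distinguish.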
March 18th 2022
Cybersecurity firm Emsisoft has released a free decryption tool to help Diavol ransomware victims recover their files without paying a ransom.
In February 2022, Arete investigated a Surtr ransomware incident where the ransomware author(s) paid tribute to the now defunct REvil (aka Sodinokibi) group by making a registry key change to the infected host.
Snap-on hit by Conti ransomware
The Snap-on company suffered a Conti ransomware attack that caused business disruption, including a more than 4-day outage of the Mitchell1 automotive repair software, which is commonly used in repair shops.