The Week in Ransomware – March 25th 2022 – Critical Infrastructure
With the US providing military aid to Ukraine and its sanctions damaging the Russian economy, the US government disclosed this week that there is intelligence that Russia is preparing for potential cyberattacks against US interests.
As part of this disclosure, the White House released a cybersecurity checklist that all organizations should read and apply to their networks to help defend against attacks.
This warning comes as the FBI discloses that AvosLocker ransomware has been targeting US critical infrastructure, and that ransomware in general hit 649 critical infrastructure organizations in 2021.
Law enforcement has not been standing still: an Estonian ransomware operator was sentenced to 66 months in prison, and two indictments were announced against four Russian government employees over earlier attacks on critical infrastructure.
The Conti Leaks Twitter account continues to leak data from the Conti ransomware operation, this week leaking new source code from January 2021 for the ransomware’s encryptors and decryptors.
This week’s other big cyber news is about the Lapsus$ extortion gang attacks. While they are not ransomware, they are an extortion gang that was widely covered by the media this week, so they deserve some mention in today’s article.
After the gang's most recent disclosure, an attack on Okta, UK police stated that they had arrested seven people suspected of ties to the group.
Contributors and those who provided new ransomware information and stories this week include: @LawrenceAbrams, @serghei, @PolarToffee, @jorntvdw, @Seifreed, @VK_Intel, @fwosar, @DanielGallagher, @malwrhunterteam, @demonslay335, @malwareforme, @FourOctets, @billtoulas, @struppigel, @Ionut_Ilascu, @BleepinComputer, @splunk, @ContiLeaks, @Tesorion_NL, @coveware, @pcrisk, @vxunderground, @cPeterr, @Secureworks, and @_CERT_UA.
March 19th 2022
The Federal Bureau of Investigation (FBI) warns of AvosLocker ransomware being used in attacks targeting multiple US critical infrastructure sectors.
Check out my analysis of LockBit ransomware v2.0 where I analyze all of its functionalities in IDA!
March 20th 2022
A Ukrainian security researcher has leaked newer malware source code from the Conti ransomware operation in revenge for the cybercriminals siding with Russia on the invasion of Ukraine.
March 21st 2022
In early March 2022 we came across a new variant of the Lorenz ransomware. The sample we analyzed dates back to March 2, 2022. Files encrypted by this variant are different from the previous one. This blog contains our findings on the new variant. Furthermore, we explain a serious bug in the ransomware that makes the attacker unable to recover any encrypted files. Finally, we announce that decryption is still possible without paying the ransom, or to be more specific, only possible without paying the ransom.
PCrisk found new STOP ransomware variants that append the .mmuz, .hfgd, and .rguy extensions.
March 22nd 2022
Moscow-based meat producer and distributor Miratorg Agribusiness Holding has suffered a major cyberattack that encrypted its IT systems, according to a report from Rosselkhoznadzor – the Russian federal veterinary and phytosanitary supervision service.
ELTA, the state-owned provider of postal services in Greece, has disclosed a ransomware incident detected on Sunday that is still keeping most of the organization's services offline.
The White House is urging U.S. organizations to shore up their cybersecurity defenses after new intelligence suggests that Russia is preparing to conduct cyberattacks in the near future.
The 2021 Internet Crime Report (pdf) includes information from 847,376 complaints of suspected internet crime, a 7% increase from 2020, and reported losses exceeding $6.9 billion. State-specific statistics have also been released and can be found within the 2021 Internet Crime Report and in the accompanying 2021 State Reports.
On March 17, 2022, Ukraine's government Computer Emergency Response Team (CERT-UA) discovered several ZIP archives, one of which was named “Virus … extremely dangerous !!!. Zip”. Each archive contains an obfuscated .NET program. Analysis classified the identified programs as DoubleZero, a destructive data-wiping program written in C#.
PCrisk found new STOP ransomware variants that append the .kkia and .ssoi extensions.
March 23rd 2022
Researchers have conducted a technical experiment, testing ten ransomware variants to determine how fast they encrypt files and evaluate how feasible it would be to timely respond to their attacks.
The Federal Bureau of Investigation (FBI) says ransomware gangs have breached the networks of at least 649 organizations from multiple US critical infrastructure sectors last year, according to the Internet Crime Complaint Center (IC3) 2021 Internet Crime Report.
PCrisk found a new STOP ransomware variant that appends the .pphg extension.
Since February 27, 2022, the Twitter @ContiLeaks account and other online personas have been leaking communications containing details about threat actors and their operations. The leaks include more than 160,000 messages exchanged among nearly 500 threat actors between January 2020 and March 2022. The messages reveal close relationships among multiple threat groups and details about the GOLD ULRICK and GOLD BLACKBURN threat groups’ operations. Leaked source code and tool repositories offer unprecedented insights into previously unknown threat actors.
March 24th 2022
March 25th 2022
Maksim Berezan, an Estonian man linked to multimillion-dollar ransomware attacks, was sentenced on Friday to 66 months in prison for his involvement in online fraud schemes.
While these risks are very real, the socio-economic shock to the Russian economy as a result of sanctions presents a far larger long-term risk, and has us at Coveware much more worried. The severity of the sanctions that continue to pile up has created an environment that could lead to an explosion in the volume of people who turn to ransomware as a means to support themselves.
PCrisk found a new STOP ransomware variant that appends the .wdlo extension.
The LockBit operator known as ‘LockBitSupp’ has put a $1 million bounty on their own head, payable to anyone who can locate them.