The Week in Ransomware – September 16th 2022 – Iranian Sanctions
It has been a fairly quiet week on the ransomware front, with the biggest news being US sanctions on Iranians linked to ransomware attacks.
On Wednesday, the US Treasury Department announced sanctions against Iranians affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC) for their breaching of US networks and encrypting devices with DiskCryptor and BitLocker.
Researchers also released some interesting reports this week:
- Ransomware gangs are increasingly using intermittent encryption to encrypt systems faster.
- The Lorenz Ransomware group is using vulnerabilities in Mitel phone systems to breach networks.
- Bitdefender released a decryptor for the LockerGoga operation.
Contributors and those who provided new ransomware information and stories this week include: @jorntvdw, @demonslay335, @serghei, @malwareforme, @malwrhunterteam, @BleepinComputer, @LawrenceAbrams, @Seifreed, @DanielGallagher, @VK_Intel, @FourOctets, @billtoulas, @struppigel, @PolarToffee, @fwosar, @Ionut_Ilascu, @Bitdefender, @AlvieriD, @AWNetworks, @LabsSentinel, @pcrisk, @CISAgov, @security_score, @censysio, and @juanbrodersen.
September 10th 2022
A growing number of ransomware groups are adopting a new tactic that helps them encrypt their victims’ systems faster while reducing the chances of being detected and stopped.
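Intermittent encryption undermines the common whole-file entropy heuristic, because the untouched runs drag the average down. The added example below is not from the article or from any of the cited reports; it scores a file chunk by chunk and flags one that mixes near-random blocks with clearly structured ones. The 4 KiB chunk size, the entropy thresholds and the constructed sample document are assumptions to tune per deployment.

```python
import math
import random

CHUNK = 4096  # assumed block size; real intermittent schemes vary


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, close to 8.0 for random bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def chunk_entropies(data: bytes, chunk: int = CHUNK) -> list:
    """Entropy of each fixed-size slice of the file, in order."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def looks_intermittently_encrypted(data: bytes, chunk: int = CHUNK,
                                   high: float = 7.0, low: float = 5.5) -> bool:
    """Flag a file that contains both near-random chunks and structured chunks.

    A fully encrypted file has only high chunks and a clean document only low
    ones; the mix is the signature of partial (intermittent) encryption.
    """
    ents = chunk_entropies(data, chunk)
    return any(e >= high for e in ents) and any(e <= low for e in ents)


def build_sample(text_chunks: int = 3, encrypted_chunks: int = 1, rounds: int = 4) -> bytes:
    """Constructed sample: a text document in which every fourth chunk was
    overwritten with random bytes standing in for ciphertext."""
    rng = random.Random(2022)  # seeded so the sample is reproducible
    line = b"Quarterly report: revenue and expenses by region, see attached tables.\n"
    text = (line * (CHUNK // len(line) + 1))[:CHUNK]
    parts = []
    for _ in range(rounds):
        parts.append(text * text_chunks)
        parts.extend(rng.randbytes(CHUNK) for _ in range(encrypted_chunks))
    return b"".join(parts)


if __name__ == "__main__":
    sample = build_sample()
    print("whole-file entropy:", round(shannon_entropy(sample), 2))
    print("per-chunk:", [round(e, 1) for e in chunk_entropies(sample)])
    print("flagged:", looks_intermittently_encrypted(sample))
```

The whole-file value for the sample stays under a typical 7.0 "encrypted" threshold even though a quarter of the file is random, which is exactly the blind spot the per-chunk check closes.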
Recently, Censys has observed a massive uptick in Deadbolt-infected QNAP devices. The Deadbolt crew is ramping up their operations, and the victim count is growing daily.
September 12th 2022
Cisco has confirmed that the data leaked yesterday by the Yanluowang ransomware gang was stolen from the company network during a cyberattack in May.
The Lorenz ransomware gang now uses a critical vulnerability in Mitel MiVoice VoIP appliances to breach enterprises, using their phone systems for initial access to their corporate networks.
PCrisk found new STOP ransomware variants that append the .eemv and .eewt extensions to encrypted files.
PCrisk found the new Scam Ransomware that appends the .scam extension to encrypted files and drops a ransom note named read_it.txt.
PCrisk found the new Babuk ransomware variant that appends the .demon extension to encrypted files and drops a ransom note named How To Recover Your Files.txt.
September 14th 2022
The Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions today against ten individuals and two entities affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC) for their involvement in ransomware attacks.
The Legislature of the City of Buenos Aires is slowly recovering from the cyberattack it suffered last Sunday: after changing passwords and disconnecting infected computers, they re-enabled WiFi, recovered one computer per area and continued with parliamentary work. However, they have not disclosed what information was compromised or what type of attack it was.
This advisory updates joint CSA Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities, which provides information on these Iranian government-sponsored APT actors exploiting known Fortinet and Microsoft Exchange vulnerabilities to gain initial access to a broad range of targeted entities in furtherance of malicious activities, including ransom operations. The authoring agencies now judge these actors are an APT group affiliated with the IRGC.
PCrisk found a new Dharma ransomware variant that appends the .gnik extension to encrypted files.
PCrisk found a new STOP ransomware variant that appends the .eeyu extension to encrypted files.
PCrisk found a new Snatch ransomware variant that appends the .winxvykljw extension to encrypted files.
September 15th 2022
The Hive ransomware gang claimed responsibility for an attack that hit the systems of Bell Canada subsidiary Bell Technical Solutions (BTS).
Quantum ransomware, a rebrand of the MountLocker ransomware, was discovered in August 2021. The malware stops a list of processes and services, and can encrypt the machines found in the Windows domain or the local network, as well as the network shared resources. It logs all of its activities in a file called “.log” and computes a Client Id that is the XOR-encryption of the computer name.
PCrisk found a new STOP ransomware variant that appends the .eebn extension to encrypted files.
PCrisk found the BISAMWARE Ransomware that appends the .BISAMWARE extension to encrypted files and drops a ransom note named SYSTEM=RANSOMWARE=INFECTED.TXT.
September 16th 2022
Romanian cybersecurity firm Bitdefender has released a free decryptor to help LockerGoga ransomware victims recover their files without paying a ransom.