The Week in Ransomware – September 18th 2020 – Schools Under Attack
With schools worldwide back in session, ransomware operations are barraging them with cyberattacks that disrupt the start of the school year.
Over the past few weeks, we have seen a steady barrage of attacks against K-12 schools, colleges, and universities in which ransomware operators target exposed Remote Desktop servers and vulnerabilities in network devices.
To warn education institutions about these attacks, the U.K. National Cyber Security Centre (NCSC) has offered guidance on the steps organizations should take to harden their defenses.
There have also been disastrous consequences from the attacks on universities, as one attacker thought they had encrypted a university but instead hit an affiliated hospital.
This mistake led to a disruption of emergency care services, which may have caused the death of a patient who had a life-threatening condition.
Thx to this week’s contributors: @LawrenceAbrams, @VK_Intel, @FourOctets, @malwrhunterteam, @jorntvdw, @struppigel, @DanielGallagher, @PolarToffee, @serghei, @fwosar, @malwareforme, @demonslay335, @Seifreed, @Ionut_Ilascu, @NCSC, @SophosLabs, @threatresearch, @AltShiftPrtScn, @Ax_Sharma, @TU_CARE, @Kangxiaopao, @emsisoft, @MarceloRivero, @JakubKroustek, @JAMESWT_MHT, @fbgwls245, and @GrujaRS.
September 12th 2020
Fairfax County Public Schools (FCPS), the 10th largest school division in the US, was recently hit by ransomware according to an official statement published on Friday evening.
September 14th 2020
Xiaopao found a new Xorist Ransomware variant that appends the .BD extension.
Xiaopao found a new Dharma Ransomware variant that appends the .chuk extension.
Emsisoft has released a decryptor for the Crypt32 ransomware.
Marcelo Rivero found a new Dharma Ransomware variant that appends the .AHP extension to encrypted files.
Emsisoft has released a decryptor for the Cyborg ransomware that supports the .petra, .EncryptedFilePayToGetBack, .Cyborg1, and .LockIt extensions.
Michael Gillespie found a new Nefilim variant that appends the .MEFILIN extension and drops a ransom note named MEFILIN-README.txt.
Michael Gillespie found a new STOP variant that appends the .npph extension to encrypted files.
September 15th 2020
Michael Gillespie found a new ransomware called Zeoticus 2.0 that appends the extension “[email protected]” and drops a ransom note named README.html.
JAMESWT found the new Demonware Python-based ransomware.
GrujaRS found a new PewPew Ransomware that appends the .abkir extension and wipes files.
September 16th 2020
University Hospital New Jersey (UHNJ) has suffered a massive data breach of 48,000 documents after a ransomware operation leaked their stolen data.
The LockBit ransomware gang has launched a new data leak site to be used as part of their double extortion strategy to scare victims into paying a ransom.
Jakub Kroustek found a new variant of the Dharma ransomware that appends the .TEREN extension.
Michael Gillespie found a new Xorist Ransomware variant that appends the .YOURPCISHACK16024752552658 extension to encrypted files.
dnwls0719 found a new DesuCrypt variant that calls itself DogeCrypt and appends the .DogeCrypt extension.
September 17th 2020
The Maze ransomware operators have adopted a tactic previously used by the Ragnar Locker gang: encrypting a computer from within a virtual machine.
A person in a life-threatening condition passed away after being forced to go to a more distant hospital due to a ransomware attack.
Xiaopao found a new Xorist variant that appends the .TAKA extension.
Xiaopao found a new BlackHeart variant that appends the .Alix1011RVA extension and drops a ransom note named ReadME-Alix1011RVA.
Xiaopao found a new Dharma ransomware variant that appends the .lina extension to encrypted files.
MalwareHunterTeam found a new ransomware that targets Vietnam.
September 18th 2020
The U.K. National Cyber Security Centre (NCSC) has issued an alert about a surge in ransomware incidents targeting educational institutions, urging them to follow the recently updated recommendations for mitigating malware attacks.
IPG Photonics, a leading U.S. developer of fiber lasers for cutting, welding, medical use, and laser weaponry, has suffered a ransomware attack that is disrupting their operations.