The Week in Ransomware – September 9th 2022 – Schools Under Fire
Ransomware gangs have been busy this week, launching attacks against NAS devices, one of the largest hotel groups, IHG, and LAUSD, the second largest school district in the USA.
On Saturday, the DeadBolt ransomware operation launched a new attack on QNAP devices using a zero-day vulnerability in Photo Station. That same day, QNAP released security updates to fix the vulnerability, urging customers to install the update and not expose their devices on the Internet.
On Monday, both InterContinental Hotels Group (IHG) and Los Angeles Unified (LAUSD) school district were hit by ransomware attacks that disrupted the organizations’ technical operations.
For IHG, the attack disrupted their online reservation systems; for LAUSD, it impacted the school district’s IT systems.
However, even though the cyberattack impacted LAUSD’s technology infrastructure, the schools opened as usual for Los Angeles students.
Yesterday, the Vice Society ransomware gang told BleepingComputer that they were behind the attack on LAUSD and claimed to have stolen 500GB of data.
The identity of the gang came as no surprise, as the FBI, CISA, and MS-ISAC had released an advisory on Monday warning that Vice Society was targeting school districts.
We also saw some new ransomware research released this week:
- Ransomware gangs DDoS Cobalt Strike servers with Anti-Putin/Anti-Russia messages.
- A Play ransomware analysis.
- Analysis of a new version of BlackCat.
- A Google report on how ex-Conti members are targeting Ukraine.
- Info on a new Monti ransomware operation.
Contributors and those who provided new ransomware information and stories this week include: @malwareforme, @LawrenceAbrams, @FourOctets, @Ionut_Ilascu, @serghei, @billtoulas, @fwosar, @VK_Intel, @struppigel, @BleepinComputer, @malwrhunterteam, @Seifreed, @DanielGallagher, @demonslay335, @jorntvdw, @PolarToffee, @MsftSecIntel, @CISAgov, @FBI, @pmbureau, @AdvIntel, @pcrisk, @PogoWasRight, @cPeterr, @security_score, and @Intel471Inc.
September 3rd 2022
PLAY Ransomware analysis
This is my analysis for PLAY Ransomware. I’ll be solely focusing on its anti-analysis and encryption features. There are a few other features such as DLL injection and networking that will not be covered in this analysis.
September 5th 2022
QNAP patches zero-day used in new Deadbolt ransomware attacks
QNAP is warning customers of ongoing DeadBolt ransomware attacks that started on Saturday by exploiting a zero-day vulnerability in Photo Station.
New STOP Ransomware variants
PCrisk discovered new STOP ransomware variants that append the .oopu, .oodt, and .oovb extensions.
September 6th 2022
InterContinental Hotels Group cyberattack disrupts booking systems
Leading hospitality company InterContinental Hotels Group PLC (also known as IHG Hotels & Resorts) says its information technology (IT) systems have been disrupted since yesterday after its network was breached.
Second largest U.S. school district LAUSD hit by ransomware
Los Angeles Unified (LAUSD), the second largest school district in the U.S., disclosed that a ransomware attack hit its Information Technology (IT) systems over the weekend.
FBI warns of Vice Society ransomware attacks on school districts
FBI, CISA, and MS-ISAC warned today of U.S. school districts being increasingly targeted by the Vice Society ransomware group, with more attacks expected after the start of the new school year.
TTPs Associated With a New Version of the BlackCat Ransomware
Our Digital Forensics and Incident Response (DFIR) team was engaged in investigating a ransomware infection. We were able to determine that the ransomware involved is a new version of the BlackCat ransomware, based on the fact that the malware added new command line parameters that were not documented before.
September 7th 2022
Google says former Conti ransomware members now attack Ukraine
Google says some former Conti cybercrime gang members, now part of a threat group tracked as UAC-0098, are targeting Ukrainian organizations and European non-governmental organizations (NGOs).
Ransomware gang’s Cobalt Strike servers DDoSed with anti-Russia messages
Someone is flooding Cobalt Strike servers operated by former members of the Conti ransomware gang with anti-Russian messages to disrupt their activity.
New STOP Ransomware variants
PCrisk discovered new STOP ransomware variants that append the .mmpu, .mmvb, and .mmdt extensions.
Bl00dy ransomware sample found
PCrisk found a sample of the new ‘Bl00dy Ransomware’, based on the Babuk ransomware family, that appends the .bl00dy extension and drops a ransom note named How To Restore Your Files.txt.
Bl00dy ransomware was first reported on by DataBreaches.net after the threat actors targeted New York medical practices.
Conti vs. Monti: A Reinvention or Just a Simple Rebranding?
Though there is no iron-clad evidence of Conti rebranding as Monti, Conti’s source code was leaked publicly in March 2022. Consequently, it is possible that anybody could use the publicly available source code to create their own ransomware based on Conti. This could be the case with Monti from our analysis of the disassembled code. Monti’s entry point is very similar to Conti’s, as seen below. As such, Monti could be a rebrand of Conti or simply a new ransomware variant that has been developed using the leaked source code mentioned above.
September 8th 2022
Microsoft: Iranian hackers encrypt Windows systems using BitLocker
Microsoft says an Iranian state-sponsored threat group it tracks as DEV-0270 (aka Nemesis Kitten) has been abusing the BitLocker Windows feature in attacks to encrypt victims’ systems.
New Ballacks Ransomware
PCrisk found a new VoidCrypt variant calling itself ‘Ballacks Ransomware’ that appends the .ballacks extension and drops a ransom note named ReadthisforDecode.txt.
New DoyUk ransomware
PCrisk found the DoyUk Ransomware that appends the .doyuk extension and drops a ransom note named Restore Your Files.txt.
September 9th 2022
Vice Society claims LAUSD ransomware attack, theft of 500GB of data
The Vice Society gang has claimed the ransomware attack that hit Los Angeles Unified (LAUSD), the second largest school district in the United States, over the weekend.
New MLF ransomware
PCrisk found the new MLF ransomware that appends the .MLF extension.
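The per-family entries above (the STOP extensions, Bl00dy, Ballacks, DoyUk and MLF) are the kind of indicators a responder reaches for when a file share is found encrypted and nobody yet knows which family hit it. The script below is an added example, not code from BleepingComputer or PCrisk: it assembles an indicator table from the extensions and ransom-note names listed in this digest, classifies files by exact note name first and by final extension second, and tallies hits per family over a constructed directory tree. Families whose extension or note name is not stated on this page (DeadBolt, Vice Society, BlackCat, Monti, Play) are deliberately absent, and the STOP entries carry no note name because the digest lists none. The mapping is a triage heuristic, not attribution: a matching extension tells you which decryptor or writeup to look at next, not who is behind the attack.

```python
import os
import tempfile
from pathlib import Path

# Indicator table assembled from this week's entries (extensions and ransom
# note names only). Matching is case-insensitive; extensions are compared
# against the final suffix, so "report.docx.oopu" yields ".oopu".
EXTENSION_FAMILIES = {
    ".oopu": "STOP", ".oodt": "STOP", ".oovb": "STOP",
    ".mmpu": "STOP", ".mmvb": "STOP", ".mmdt": "STOP",
    ".bl00dy": "Bl00dy",
    ".ballacks": "Ballacks",
    ".doyuk": "DoyUk",
    ".mlf": "MLF",
}
NOTE_FAMILIES = {
    "how to restore your files.txt": "Bl00dy",
    "readthisfordecode.txt": "Ballacks",
    "restore your files.txt": "DoyUk",
}


def classify(path):
    """Classify one file name as ("note", family), ("encrypted", family) or None."""
    p = Path(path)
    name = p.name.lower()
    if name in NOTE_FAMILIES:            # an exact note-name match takes priority
        return ("note", NOTE_FAMILIES[name])
    suffix = p.suffix.lower()
    if suffix in EXTENSION_FAMILIES:
        return ("encrypted", EXTENSION_FAMILIES[suffix])
    return None


def scan_tree(root):
    """Walk root and tally hits: {family: {"encrypted": n, "note": n, "examples": [...]}}."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            hit = classify(fname)
            if hit is None:
                continue
            kind, family = hit
            entry = report.setdefault(family, {"encrypted": 0, "note": 0, "examples": []})
            entry[kind] += 1
            if len(entry["examples"]) < 3:   # keep a few paths for the responder to look at
                entry["examples"].append(os.path.join(dirpath, fname))
    return report


def build_sample_tree():
    """Create a constructed directory tree imitating an encrypted share; returns its root."""
    root = Path(tempfile.mkdtemp(prefix="ransomware-triage-"))
    sample_files = [                            # constructed sample, not real victim data
        "docs/report.docx.oopu",                # STOP
        "docs/photo.jpg.mmvb",                  # STOP (a second variant on the same share)
        "docs/plain.txt",                       # benign, must not match
        "share/budget.xlsx.bl00dy",             # Bl00dy
        "share/How To Restore Your Files.txt",  # Bl00dy note
        "hr/cv.pdf.MLF",                        # MLF, upper-case extension
        "finance/ledger.db.doyuk",              # DoyUk
        "finance/Restore Your Files.txt",       # DoyUk note (distinct from the Bl00dy one)
    ]
    for rel in sample_files:
        f = root / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(b"constructed sample content\n")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for family, info in sorted(scan_tree(root).items()):
        print(f"{family}: {info['encrypted']} encrypted file(s), {info['note']} note(s); "
              f"e.g. {info['examples'][0]}")
```

Run against a mounted (read-only) copy of the affected share rather than the live system, and treat a family with encrypted files but no note, or a note with no encrypted files, as a prompt to look harder: the note may have been cleaned up, or a second family may be present, as the two STOP variants in the sample tree illustrate.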