The Week in Ransomware – September 9th 2022 – Schools Under Fire
Ransomware gangs have been busy this week, launching attacks against NAS devices, one of the largest hotel groups, IHG, and LAUSD, the second largest school district in the USA.
On Saturday, the DeadBolt ransomware operation launched a new attack on QNAP devices using a zero-day vulnerability in Photo Station. That same day, QNAP released security updates to fix the vulnerability, urging customers to install the update and not expose their devices on the Internet.
For IHG, the attack disrupted their online reservation systems; for LAUSD, it impacted the school district’s IT systems.
However, even though the cyberattack impacted LAUSD’s technology infrastructure, the schools opened as usual for Los Angeles students.
Yesterday, the Vice Society ransomware gang told BleepingComputer that they were behind the attack on LAUSD and claimed to have stolen 500GB of data.
The identity of the responsible ransomware gang came as no surprise, as the FBI, CISA, and MS-ISAC had released an advisory on Monday warning that Vice Society was targeting school districts.
We also saw some new ransomware research released this week:
- Cobalt Strike servers used by ransomware gangs DDoSed with anti-Putin/anti-Russia messages.
- A Play ransomware analysis.
- Analysis of a new version of BlackCat.
- A Google report on how ex-Conti members are targeting Ukraine.
- Info on a new Monti ransomware operation.
Contributors and those who provided new ransomware information and stories this week include: @malwareforme, @LawrenceAbrams, @FourOctets, @Ionut_Ilascu, @serghei, @billtoulas, @fwosar, @VK_Intel, @struppigel, @BleepinComputer, @malwrhunterteam, @Seifreed, @DanielGallagher, @demonslay335, @jorntvdw, @PolarToffee, @MsftSecIntel, @CISAgov, @FBI, @pmbureau, @AdvIntel, @pcrisk, @PogoWasRight, @cPeterr, @security_score, and @Intel471Inc.
September 3rd 2022
This is my analysis for PLAY Ransomware. I’ll be solely focusing on its anti-analysis and encryption features. There are a few other features such as DLL injection and networking that will not be covered in this analysis.
September 5th 2022
QNAP is warning customers of ongoing DeadBolt ransomware attacks that started on Saturday by exploiting a zero-day vulnerability in Photo Station.
PCrisk discovered new STOP ransomware variants that append the .oopu, .oodt, and .oovb extensions.
September 6th 2022
Leading hospitality company InterContinental Hotels Group PLC (also known as IHG Hotels & Resorts) says its information technology (IT) systems have been disrupted since yesterday after its network was breached.
Los Angeles Unified (LAUSD), the second largest school district in the U.S., disclosed that a ransomware attack hit its Information Technology (IT) systems over the weekend.
FBI, CISA, and MS-ISAC warned today of U.S. school districts being increasingly targeted by the Vice Society ransomware group, with more attacks expected after the start of the new school year.
Our Digital Forensics and Incident Response (DFIR) team was engaged in investigating a ransomware infection. We were able to determine that the ransomware involved is a new version of the BlackCat ransomware, based on the fact that the malware added new command line parameters that were not documented before.
September 7th 2022
Google says some former Conti cybercrime gang members, now part of a threat group tracked as UAC-0098, are targeting Ukrainian organizations and European non-governmental organizations (NGOs).
Someone is flooding Cobalt Strike servers operated by former members of the Conti ransomware gang with anti-Russian messages to disrupt their activity.
PCrisk discovered new STOP ransomware variants that append the .mmpu, .mmvb, and .mmdt extensions.
PCrisk found a sample of the new ‘Bl00dy Ransomware’, based on the Babuk ransomware family, that appends the .bl00dy extension and drops the How To Restore Your Files.txt ransom note.
Bl00dy ransomware was first reported on by DataBreaches.net after the threat actors targeted New York medical practices.
Though there is no iron-clad evidence of Conti rebranding as Monti, Conti’s source code was leaked publicly in March 2022. Consequently, it is possible that anybody could use the publicly available source code to create their own ransomware based on Conti. This could be the case with Monti from our analysis of the disassembled code. Monti’s entry point is very similar to Conti’s, as seen below. As such, Monti could be a rebrand of Conti or simply a new ransomware variant that has been developed using the leaked source code mentioned above.
September 8th 2022
Microsoft says an Iranian state-sponsored threat group it tracks as DEV-0270 (aka Nemesis Kitten) has been abusing the BitLocker Windows feature in attacks to encrypt victims’ systems.
PCrisk found a new VoidCrypt variant calling itself ‘Ballacks Ransomware’ that appends the .ballacks extension and drops a ransom note named ReadthisforDecode.txt.
PCrisk found the DoyUk Ransomware that appends the .doyuk extension and drops a ransom note named Restore Your Files.txt.
September 9th 2022
The Vice Society gang has claimed the ransomware attack that hit Los Angeles Unified (LAUSD), the second largest school district in the United States, over the weekend.
PCrisk found the new MLF ransomware that appends the .MLF extension.