The Week in Ransomware – October 22nd 2021 – Striking Back
Between law enforcement operations, REvil’s second shut down, and ransomware gangs’ response to the hacking of their servers, it has been quite the week.
This week’s biggest news is the Reuters report that an international law enforcement operation took over REvil’s Tor infrastructure, which ultimately led to the ransomware operation shutting down again last Sunday.
DarkSide also appears to have reacted to the law enforcement operation by attempting to cash out $7 million in Bitcoin sitting in a wallet.
This week we also learned of an attack on the Sinclair Broadcast Group that disrupted the broadcasting of shows and newscasts. The attack was conducted with a new Evil Corp ransomware known as Macaw Ransomware, which has also been seen demanding a $40 million ransom from an unidentified victim.
Interesting research this week shows that the Karma Ransomware is a rebrand of Nemty, and that FIN7 created a fake company to hire legitimate security professionals who then unknowingly conducted ransomware attacks.
Contributors and those who provided new ransomware information and stories this week include: @malwrhunterteam, @malwareforme, @FourOctets, @BleepinComputer, @VK_Intel, @fwosar, @struppigel, @PolarToffee, @LawrenceAbrams, @billtoulas, @Seifreed, @demonslay335, @jorntvdw, @Ionut_Ilascu, @DanielGallagher, @serghei, @Trustwave, @josephmenn, @Bing_Chris, @coveware, @uuallan, @GelosSnake, @elliptic, @SentinelOne, @geminiadvisory, @ddd1ms, @siri_urz, and @fbgwls245.
October 17th 2021
The REvil ransomware operation has likely shut down once again after an unknown person hijacked their Tor payment portal and data leak blog.
dnwls0719 found the J3ster ransomware, which appends the .j3ster extension to encrypted files and drops a ransom note named j3ster readme.txt.
October 18th 2021
TV stations owned by the broadcast television company Sinclair Broadcast Group went down over the weekend across the US, with multiple sources telling BleepingComputer that a ransomware attack caused the downtime.
A joint announcement from the Ministry of Health and the National Cyber Directorate in Israel describes a spike in ransomware attacks over the weekend that targeted the systems of nine health institutes in the country.
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) published today an advisory with details about how the BlackMatter ransomware gang operates.
October 19th 2021
Threat analysts at Sentinel Labs have found evidence of the Karma ransomware being just another evolutionary step in the strain that started as JSWorm, became Nemty, then Nefilim, Fusion, Milihpen, and most recently, Gangbang.
A free decryptor for the BlackByte ransomware has been released, allowing past victims to recover their files for free.
October 20th 2021
S!Ri found the in-development Foxxy Ransomware, which appends the .foxxy extension to encrypted files.
Allan Liska’s book on ransomware is available for pre-order on Amazon!
October 21st 2021
Evil Corp has launched a new ransomware called Macaw Locker to evade US sanctions that prevent victims from making ransom payments.
The FIN7 hacking group is attempting to join the highly profitable ransomware space by creating fake cybersecurity companies that conduct network attacks under the guise of pentesting.
Reuters: Governments turn tables on ransomware gang REvil by pushing it offline
The ransomware group REvil was itself hacked and forced offline this week by a multi-country operation, according to three private sector cyber experts working with the United States and one former official.
As of publication we are well into National Cyber Security Awareness month and this past quarter has seen an unprecedented amount of domestic and international activity from government and law enforcement to counter the operations of ransomware actors. Despite these initiatives, ransomware actors continue peppering enterprises with more attacks than ever. What we are doing is not working, at least not yet. Why?
October 22nd 2021
Almost $7 million worth of Bitcoin in a wallet controlled by DarkSide ransomware operators has been moved in what looks like a money laundering rollercoaster.
The Groove ransomware gang is calling on other extortion groups to attack US interests after law enforcement took down REvil’s infrastructure last week.
The Italian data protection authority Garante per la Protezione dei Dati Personali (GPDP) has announced an investigation into a data breach of the country’s copyright protection agency.
dnwls0719 found a new STOP ransomware variant, which appends the .zaps extension to encrypted files.