It’s been quite a busy week with ransomware, with law enforcement making arrests, data erasure attacks, and the return of Qlocker ransomware.
The biggest news this week is Russia’s arrest of fourteen suspected members of the REvil ransomware operation. Additionally, a senior Biden administration official said one of the fourteen suspects is responsible for the Colonial Pipeline ransomware attack.
Europol also conducted a law enforcement operation against VPNLab, a platform commonly used by ransomware gangs. Law enforcement seized 15 servers used by the VPNLab.net service and destroyed its main site, rendering the platform unavailable.
While it has been a good week for law enforcement, unfortunately new attacks have been uncovered.
Microsoft has revealed attacks against Ukrainian organizations using data-erasing malware disguised as ransomware. This malware is called “WhisperGate” and has been attributed by Ukrainian officials as being run by or at the behest of the Russian government.
For consumers and small businesses, we have seen the unfortunate return of Qlocker, a notorious ransomware that encrypted thousands of QNAP NAS devices last year.
Finally, in research published by security companies, we have learned that White Rabbit ransomware is linked to the FIN8 hackers, seen new analyses of the BlackCat/AlphV and Avaddon ransomware operations, and watched the FBI link Diavol to the TrickBot group.
Contributors and those who provided new ransomware information and stories this week include: @serghei, @VK_Intel, @billtoulas, @struppigel, @Ionut_Ilascu, @malwareforme, @jorntvdw, @Seifreed, @FourBytes, @PolarToffee, @DanielGallagher, @malwhunterteam, @fwosar, @LawrenceAbrams, @BleepinComputer, @demonslay335, @fbgwls245, @Friend_A_, @JakubKroustek, @pcrisk, @TrendMicro, @LabsSentinel, @MsftSecIntel, @Mandiant, and @GrujaRS.
January 15, 2022
Qlocker Ransomware Returns to Target QNAP NAS Devices Worldwide
The threat actors behind Qlocker ransomware are once again targeting QNAP network-attached storage (NAS) devices exposed to the Internet around the world.
Russia indicts 8 suspected REvil ransomware gang members
Eight members of the REvil ransomware operation who were detained by Russian officers are currently facing criminal charges for their illegal activity.
January 16, 2022
Microsoft: Fake ransomware targets Ukraine in data erasure attacks
Microsoft warns of destructive data-erasing malware disguised as ransomware being used in attacks against several organizations in Ukraine.
January 17, 2022
PCrisk found two new STOP ransomware variants that add the .vfgj and .fhkf extensions.
dnwls0719 found a new Chaos ransomware variant that adds the .THE extension.
January 18, 2022
A new ransomware family called “White Rabbit” has recently appeared in the wild and, according to recent research results, may be a side operation of the FIN8 hacking group.
Fashion giant Moncler confirms data breach after ransomware attack
Italian luxury fashion giant Moncler has confirmed that it suffered a data breach after files were stolen by the AlphV/BlackCat ransomware operation in December and released on the dark web today.
Europol closes VPN service used by ransomware groups
Law enforcement authorities in 10 countries have shut down VPNLab.net, a VPN service provider used by ransomware operators and malware actors.
BlackCat (a.k.a. AlphaVM, AlphaV) is a newly created RaaS (Ransomware as a Service) with payloads written in Rust. While BlackCat isn’t the first ransomware written in the Rust language, it joins a small (but growing) part of the malware landscape using this popular cross-platform language.
dnwls0719 found a new variant of Dharma ransomware that adds the .MTX extension.
January 19, 2022
Marketing giant RRD confirms data theft in Conti ransomware attack
RR Donnelley has confirmed that threat actors stole data in a cyberattack in December, which BleepingComputer has confirmed was a Conti ransomware attack.
This blog post explores the activity, similarities and overlaps between several ransomware families related to the AVADDON ransomware, serving as a case study for understanding how ransomware operators think and continue to profit in a constantly evolving cybercrime ecosystem.
PCrisk has found a new variant of Dharma ransomware that adds the .cip extension.
January 20, 2022
The FBI has officially linked the Diavol ransomware operation to the TrickBot group, the malware developers behind the notorious TrickBot banking trojan.
Jakub Kroustek found a new STOP ransomware variant that adds the .Manufacture extension.
Friend-A spotted the new Trap ransomware that adds the .trap extension and drops a ransom note named RESTORE.txt.
GrujaRS found a new Makop ransomware variant that adds the .factfull extension.
January 21, 2022
PCrisk has found a new Phobos ransomware variant that adds the .ELBOW extension.