The past two weeks have been busy with ransomware news, ranging from gang shutdowns and the release of a master decryption key to threat actors turning to Microsoft Exchange exploits to breach networks.
The biggest news is the shutdown of the Ragnarok ransomware operation and the release of a master decryptor on their site. Using the published keys, Emsisoft was able to create its own decryptor.
We have also seen ransomware gangs, such as LockFile and Conti, start using the recently revealed Microsoft Exchange ProxyShell vulnerabilities.
The FBI and CISA have also been busy, issuing advisories about ransomware attacks over holiday weekends, gangs targeting food and agriculture organizations, information on the OnePercent Group, and IOCs for Hive ransomware.
A threat actor has published the full source code of the Babuk ransomware, allowing any aspiring criminal to start their own ransomware operation. Unfortunately, this leak will likely lead threat actors around the world to launch their own ransomware-as-a-service operations.
Finally, the leaked Conti training material and a Pysa data exfiltration script gave us insight into how ransomware gangs conduct their attacks and what data they target.
Contributors and those who provided new ransomware information and stories this week include: @VK_Intel, @fwosar, @struppigel, @malwrhunterteam, @PolarToffee, @Ionut_Ilascu, @BleepinComputer, @demonslay335, @LawrenceAbrams, @jontvdw, @OvenObytes, @DanielGallagher, @Seifree, @serghei, @malwareforme, @vxunderground, @AltShiftPrtScn, @thepacketrat, @TalosSecurity, @GossiTheDog, @pcrisk, @fbgwls245, @ddd1ms, and @darktracer_int.
August 21, 2021
Microsoft Exchange Servers Hacked By New LockFile Ransomware
A new ransomware gang known as LockFile is encrypting Windows domains after hacking Microsoft Exchange servers using recently revealed ProxyShell vulnerabilities.
August 23, 2021
FBI: OnePercent Group Ransomware Targets U.S. Organizations Since November 2020
The Federal Bureau of Investigation (FBI) has shared information about a threat actor known as OnePercent Group that has been actively targeting U.S. organizations in ransomware attacks since at least November 2020.
Nokia Affiliate Reveals Data Breach After Conti Ransomware Attack
SAC Wireless, a US-based subsidiary of Nokia, has disclosed a data breach following a ransomware attack in which Conti operators breached its network, stole data, and encrypted systems.
PCRisk found a new variant of the STOP ransomware that adds the .orkf extension.
PCRisk has found a new variant of the Dharma ransomware that adds the .dts extension.
August 24, 2021
Ransomware gang script shows exactly what files they are looking for
A PowerShell script used by the Pysa ransomware operation gives us insight into the types of data they are trying to steal during a cyberattack.
dnwls0719 found a BlackKingdom variant that adds the .svyx extension.
August 26, 2021
Ragnarok ransomware releases master decryptor after shutdown
The Ragnarok ransomware gang appears to have called it quits and released the master key that can decrypt files locked with their malware.
The Federal Bureau of Investigation (FBI) has released some technical details and indicators of compromise associated with Hive ransomware attacks.
PCRisk has found new variants of the Dharma ransomware that add the .6ix9 and .TCYO extensions.
PCRisk has found a new variant of the Phobos ransomware that adds the .PERDAK extension.
August 27, 2021
Boston Public Library reveals cyberattack and system-wide technical failure
The Boston Public Library (BPL) today revealed that its network was hit by a cyberattack on Wednesday, resulting in a system-wide technical outage.
PCRisk has found a new variant of the Dharma ransomware that adds the .RZA extension.
dnwls0719 found a new ransomware called HQ_52_42 that adds the .HQ_52_42 extension.
August 28, 2021
dnwls0719 found a new ransomware called SanwaiWare 2021 which adds the .sanwai extension.
August 30, 2021
PCRisk has found a new variant of STOP ransomware that adds the .lqqw extension.
dnwls0719 found a new ransomware called Loki Locker which adds the .Loki extension.
August 31, 2021
FBI, CISA: Ransomware attack risk increases on holidays and weekends
The FBI and CISA urged organizations not to lower their defenses against ransomware attacks on weekends or holidays in a joint cybersecurity advisory released earlier today.
September 1, 2021
LockBit gang leaks Bangkok Airways data, hits Accenture customers
Bangkok Airways, a major Thai airline, confirmed it was the victim of a cyberattack earlier this month that compromised passenger personal data.
In this article, we mentioned that BlackMatter and Babuk use the same web server to share the leaked files.
September 2, 2021
Conti ransomware translated playbook provides insight into attacks
Almost a month after a disgruntled Conti affiliate leaked the gang’s attack manual, security researchers shared a translated variant that clarifies any misinterpretation caused by the machine translation.
FBI Warns of Ransomware Gangs Targeting Food and Farm Organizations
The FBI says ransomware gangs are actively targeting and disrupting the operations of food and agriculture organizations, causing financial loss and directly affecting the food supply chain.
September 3, 2021
Conti ransomware now hijacks Exchange servers with ProxyShell exploits
The Conti ransomware gang is hacking Microsoft Exchange servers and breaching corporate networks using recently disclosed ProxyShell vulnerability exploits.
Babuk ransomware full source code leaked on hacker forum
A malicious actor has disclosed the full source code of the Babuk ransomware on a Russian-speaking hacking forum.
DarkTracer found that Babuk, BlackMatter, and Groove all use the same Tor data breach site. They are not believed to be affiliated beyond possibly being part of the same cartel.
DarkTracer discovered that Astro Team, Mount Locker, and XING Locker share the same Tor network infrastructure. Astro Team and MountLocker are believed to be affiliated with each other.
Dmitry Smilyanets noted that threat actors worldwide will likely launch their own ransomware operations based on the leaked Babuk ransomware source code.
PCRisk has found a new variant of STOP ransomware that adds the .efdc extension.