The Week in Ransomware - February 2nd 2024 - No honor among thieves
Attacks on hospitals continued this week, with ransomware operations disrupting patient care as they force organizations to respond to cyberattacks.
While many, like LockBit, claim to have policies in place to avoid encrypting hospitals, we continue to see affiliates targeting healthcare with complete disregard for the disruption they are causing patients trying to receive care.
LockBit says that affiliates may only steal data from hospitals and not encrypt them, yet the gang purposely ignores the fact that attacking an organization will cause it to turn off IT systems to prevent the spread of the attack.
For hospitals, this means that they no longer have access to medical charts, can't prescribe electronic prescriptions, respond to patients through online portals, or in some cases, access medical diagnostic reports.
It feels like we hear of a new attack on a hospital every week, learning this week about an attack on Lurie Children's Hospital in Chicago and an attack on Saint Anthony Hospital in December, with the latter claimed by LockBit.
Ransomware gangs are fond of saying, "It’s not personal, it’s business. We just care about your money."
However, having to postpone your child's heart surgery sure feels personal.
Contributors and those who provided new ransomware information and stories this week include: @Seifreed, @malwrhunterteam, @Ionut_Ilascu, @LawrenceAbrams, @BleepinComputer, @billtoulas, @demonslay335, @serghei, @fwosar, @CyberArk, @coveware, @pcrisk, @USGAO, @Jon__DiMaggio, @ThierryBreton, @Truesec, @Analyst1, @AhnLab_SecuInfo, @RakeshKrish12, @Netenrich, @jgreigj, and @AJVicens.
January 27th 2024
Ottawa-based cyberfraudster sentenced to 2 years
An Ottawa man convicted on charges related to a ransomware attack affecting hundreds of victims was sentenced to two years behind bars on Friday.
January 29th 2024
Ransomware payments drop to record low as victims refuse to pay
The number of ransomware victims paying ransom demands has dropped to a record low of 29% in the final quarter of 2023, according to ransomware negotiation firm Coveware.
Energy giant Schneider Electric hit by Cactus ransomware attack
Energy management and automation giant Schneider Electric suffered a Cactus ransomware attack leading to the theft of corporate data, according to people familiar with the matter.
Akira Ransomware and exploitation of Cisco Anyconnect vulnerability CVE-2020-3259
In several recent incident response missions, the Truesec CSIRT team made forensic observations indicating that the old vulnerability CVE-2020-3259 is likely to be actively exploited by the Akira ransomware group.
Unveiling Alpha Ransomware: A Deep Dive into Its Operations
Alpha ransomware, a distinct group not to be confused with ALPHV ransomware, has recently emerged with the launch of its Dedicated/Data Leak Site (DLS) on the Dark Web and an initial listing of six victims’ data. As a developing story, I will continue to provide updates.
New Phobos ransomware variant
PCrisk found a new Phobos ransomware variant that appends the .Ebaka extension.
New Chaos ransomware variant
PCrisk found a new Chaos ransomware variant that appends the .NOOSE extension and drops a ransom note named OPEN_ME.txt.
New Secles ransomware
PCrisk found a new ransomware that appends the .secles extension and drops a ransom note named ReadMe.txt.
January 30th 2024
Online ransomware decryptor helps recover partially encrypted files
CyberArk has created an online version of 'White Phoenix,' an open-source ransomware decryptor targeting operations using intermittent encryption.
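The reason a tool like White Phoenix can work at all is the trade-off intermittent encryption makes: to finish faster, the ransomware encrypts only a slice of each block of a file and leaves the rest in the clear. Office documents are ZIP containers, so any ZIP entry whose local header and compressed body happen to sit entirely in an untouched region can be validated and pulled out even though the archive as a whole no longer opens. The following is an added example, not CyberArk's code: it builds a constructed .docx-like archive, simulates a "first 1 KiB of every 4 KiB" encryption pattern with a hash-derived XOR keystream (a stand-in for the real cipher; the damage pattern is what matters), then carves surviving entries by parsing local file headers and checking each candidate against its stored CRC-32. The block size, encrypted length, entry names and contents are all constructed for the demonstration.

```python
"""Carve intact entries out of an intermittently encrypted Office/ZIP file.

Added example, not CyberArk's White Phoenix code.  Office documents are ZIP
containers; ransomware that encrypts only part of each file usually leaves
whole ZIP entries untouched, and those entries can be recovered from their
local file headers without needing the (possibly destroyed) central directory.
"""
import hashlib
import io
import struct
import zipfile
import zlib

LOCAL_FILE_HEADER = b"PK\x03\x04"
LFH_FMT = "<IHHHHHIIIHH"  # fixed 30-byte local file header (PKZIP APPNOTE 4.3.7)
LFH_LEN = struct.calcsize(LFH_FMT)


def pseudo_random(label: str, n: int) -> bytes:
    """Deterministic, incompressible filler (constructed sample data)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(f"{label}:{counter}".encode()).digest()
        counter += 1
    return out[:n]


def build_sample_archive(n_images: int = 40) -> tuple[bytes, dict[str, bytes]]:
    """Constructed stand-in for a .docx: two XML parts plus many small binary parts."""
    entries = {
        "[Content_Types].xml": b'<Types><Default Extension="xml" ContentType="application/xml"/></Types>',
        "word/document.xml": b"<w:document><w:body><w:p>Q4 figures attached.</w:p></w:body></w:document>",
    }
    for i in range(n_images):
        entries[f"word/media/image{i}.bin"] = pseudo_random(f"img{i}", 400)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue(), entries


def intermittent_encrypt(data: bytes, key: bytes = b"demo-key",
                         chunk: int = 4096, enc_len: int = 1024) -> bytes:
    """Simulate intermittent encryption: only the first enc_len bytes of every
    chunk-sized block are overwritten.  XOR with a SHA-256-derived keystream is
    a stand-in for the real cipher (assumption); only the damage pattern matters."""
    out = bytearray(data)
    for start in range(0, len(out), chunk):
        end = min(start + enc_len, len(out))
        ks = b"".join(
            hashlib.sha256(key + start.to_bytes(8, "little") + j.to_bytes(4, "little")).digest()
            for j in range((end - start + 31) // 32)
        )
        out[start:end] = bytes(a ^ b for a, b in zip(out[start:end], ks))
    return bytes(out)


def carve_zip_entries(data: bytes) -> dict[str, bytes]:
    """Recover every ZIP entry whose local header, name and compressed body survived.
    Each candidate is validated by inflating it and checking the stored CRC-32,
    so a header that merely looks plausible is rejected if its body was hit."""
    recovered: dict[str, bytes] = {}
    pos = data.find(LOCAL_FILE_HEADER)
    while pos >= 0 and pos + LFH_LEN <= len(data):
        (_sig, _ver, flags, method, _time, _date, crc, csize, usize,
         name_len, extra_len) = struct.unpack(LFH_FMT, data[pos:pos + LFH_LEN])
        name_off = pos + LFH_LEN
        body_off = name_off + name_len + extra_len
        name_bytes = data[name_off:name_off + name_len]
        body = data[body_off:body_off + csize]
        pos = data.find(LOCAL_FILE_HEADER, pos + 4)  # advance before any 'continue'
        if flags & 0x0008:  # sizes live in a trailing data descriptor; not handled here
            continue
        try:
            if method == 0:      # stored
                plain = body
            elif method == 8:    # deflate (raw stream, no zlib wrapper)
                plain = zlib.decompress(body, -15)
            else:
                continue
            name = name_bytes.decode("utf-8")
        except (zlib.error, UnicodeDecodeError):
            continue
        if len(plain) != usize or (zlib.crc32(plain) & 0xFFFFFFFF) != crc:
            continue  # body was truncated or partly overwritten by the cipher
        recovered[name] = plain
    return recovered


def demo() -> tuple[dict[str, bytes], dict[str, bytes]]:
    """Build the sample, damage it, carve it; returns (original, recovered)."""
    archive, original = build_sample_archive()
    recovered = carve_zip_entries(intermittent_encrypt(archive))
    return original, recovered


if __name__ == "__main__":
    original, recovered = demo()
    print(f"{len(recovered)} of {len(original)} entries recovered intact")
    for name in sorted(recovered):
        print("  ", name)
```

Two properties of the damage pattern drive the result: the entry at offset 0 ("[Content_Types].xml") always lies in an encrypted region and is lost, while the 3 KiB clear window in every 4 KiB block is wide enough to hold several of the ~450-byte media entries intact, so the carver gets a partial but verified recovery. Real tooling goes further by also handling data-descriptor entries and non-ZIP formats such as PDF, where individual objects and streams are validated the same way.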
Critical Infrastructure Protection: Agencies Need to Enhance Oversight of Ransomware Practices and Assess Federal Support
Most federal agencies that lead and manage risk for four critical sectors (manufacturing, energy, healthcare and public health, and transportation systems) have assessed or plan to assess risks associated with ransomware. But agencies haven't fully gauged the use of leading cybersecurity practices or whether federal support has mitigated risks effectively in the sectors.
Ransomware Diaries Volume 4: Ransomed and Exposed – The Story of RansomedVC
RansomedVC stands out as one of the most unconventional ransomware operations I’ve investigated. Its leadership strategically employs propaganda, influence campaigns, and misinformation tactics to gain fame and notoriety within the criminal community. While I may have my assessment of RansomedVC, I cannot deny the effectiveness of its tactics. It also rubbed many people the wrong way, including other criminals.
Trigona Ransomware Threat Actor Uses Mimic Ransomware
AhnLab Security Intelligence Center (ASEC) has recently identified new activity by the Trigona ransomware threat actor installing Mimic ransomware. Like past cases, the recently detected attack targets MS-SQL servers and is notable for exploiting the Bulk Copy Program (BCP) utility in MS-SQL servers during the malware installation process.
Ransomware’s PLAYing a Broken Game
The Play ransomware group is one of the most successful ransomware syndicates today. All it takes is a quick peek with a disassembler to know why this group has become infamous. This is because reverse engineering the malware would be a Sisyphean task full of anti-analysis techniques. That said, it might come as a surprise that the malware crashes quite frequently when running. In this blog post, we will cover some of the anti-analysis techniques used by Play and look at the process the malware uses to encrypt network drives and how that can cause the malware to crash.
New Silent Anonymous ransomware
PCrisk found a new ransomware called Silent Anonymous that appends the .SILENTATTACK extension and drops a ransom note named Silent_Anon.txt.
New Chaos ransomware variant
PCrisk found a new Chaos ransomware variant that appends the .slime extension.
January 31st 2024
Johnson Controls says ransomware attack cost $27 million, data stolen
Johnson Controls International has confirmed that a September 2023 ransomware attack cost the company $27 million in expenses and led to a data breach after hackers stole corporate data.
EU and United States enhance cooperation on cybersecurity
Together with our American partners, we are acting with speed and ambition to counter the growing threat from malicious cyber actors on all fronts. Firstly, with the Joint Cyber Safe Product Action Plan in place, we will now work concretely together to foster a transatlantic market for trusted digital products and promote our high cybersecurity standards globally. Furthermore, we make a firm commitment that neither the EU institutions, bodies and agencies, nor our Member States' national government authorities, will pay ransom to such cyber criminals.
Pentagon investigating theft of sensitive files by ransomware group
The ransomware group ALPHV is threatening to leak data obtained from a Virginia IT services company that contracts with the U.S. military.
December cyberattack on Chicago community hospital claimed by LockBit gang
A recently announced cyberattack on a large community hospital in Chicago was claimed by the LockBit ransomware gang.
New Phobos ransomware variant
PCrisk found a new Phobos ransomware variant that appends the .dx31 extension.
February 2nd 2024
BTC-e server admin indicted for laundering ransom payments, stolen crypto
Aliaksandr Klimenka, a Belarusian and Cypriot national, has been indicted in the U.S. for his involvement in an international cybercrime money laundering operation.
Interpol operation Synergia takes down 1,300 servers used for cybercrime
An international law enforcement operation code-named 'Synergia' has taken down over 1,300 command and control servers used in ransomware, phishing, and malware campaigns.
New Dharma ransomware variant
PCrisk found a new Dharma ransomware variant that appends the .Mr extension and drops a ransom note named info-MIRROR.txt.