The Week in Ransomware - December 9th 2022: Wide Impact

This week was filled with news about significant attacks that have had a large impact on many organisations.

Rackspace experienced a major outage in its Hosted Exchange environment last week, leaving customers unable to access their email. Rackspace later confirmed that the outage was caused by a ransomware attack.

Rackspace did not provide any details about the attack, including which ransomware operation was behind it or whether data was stolen by the threat actors.

Today, however, the company warned customers about targeted phishing emails and asked them to keep an eye out for any suspicious activity in their bank accounts and credit reports. This suggests that data may have been stolen during the ransomware attack.

A second ransomware attack resulted in a number of outages affecting the victim's customers, many of which are government agencies.

The ransomware attack on Paris' Andre-Mignot Teaching Hospital caused significant disruption, and some patients were rerouted to other hospitals.

This week we also saw some fascinating research from cybersecurity companies and the U.S. government.

Brian Krebs also published a very informative report on new techniques used by the Venus and Clop ransomware groups to breach networks and persuade victims to pay.

Contributors to this week's ransomware stories include @struppigel and @PolarToffee.

December 5, 2022

A ransomware attack on Saturday night forced the Andre-Mignot hospital in the Paris suburbs to shut down its computer and phone systems.

We discussed Cryptonite, a freely available, open-source ransomware toolkit, in the last issue of the Ransomware Roundup. We have also found a Cryptonite sample in the wild that never displays the decryption window and instead acts as a wiper. Recent reports have shown an increase in ransomware that has been converted into data-wiping malware, mostly as part of political campaigns. Here we take a closer look at the Cryptonite wiper sample.

Mercury IT, which offers a range of IT services to customers in New Zealand, was the victim of a ransomware attack.

A HiddenTear variant called Puspa2 was found that appends the .puspa2#mejukeni7sala029 extension and drops a ransom note named XXX_HELLO’S_READ_ME._txt.

PCrisk discovered new STOP ransomware variants that append the .mppn and .mbtf extensions to encrypted files.

December 6, 2022

Rackspace, a Texas-based provider of cloud computing services, today confirmed that a ransomware attack is behind the ongoing Hosted Exchange outage. The company is describing it as an “isolated disruption”.

Vice Society is a ransomware group that targeted schools in high-profile attacks this year. Unlike many other ransomware groups, such as LockBit, that follow a typical ransomware-as-a-service (RaaS) model, Vice Society's operations are different in that the group is known to use forks of pre-existing ransomware families, sold on dark web marketplaces, in its attack chain. Vice Society has not developed its own payload, but has used the HelloKitty (aka FiveHands) and Zeppelin ransomware strains.

Morphisec discovered a new variant of the Babuk ransomware in November while investigating a prevention event. Babuk first appeared in 2021, when it began targeting businesses with double extortion, stealing data as well as encrypting it. Later that year a threat actor released the full Babuk source code on a Russian-speaking hacking forum.

PCrisk discovered a new ransomware variant that appends the .OBZ extension and drops a ransom note named ReadMe.txt.

December 8, 2022

CommonSpirit Health confirmed that the ransomware attackers accessed the personal information of 623,774 patients during the October ransomware attack.

Today the U.S. Department of Health and Human Services (HHS) issued an updated warning to healthcare providers about ongoing attacks by a relatively new operation known as the Royal ransomware gang.

Ransomware groups are always inventing new ways to infect victims and convince them to pay, but a few strategies seen recently appear particularly devious. The first targets healthcare providers that offer consultations over the Internet. The second involves sending booby-trapped records to the patient. The third involves carefully editing the emails of executives at public companies to create the appearance that they were involved in insider trading.

December 9, 2022

Rackspace, a cloud computing company, warned its customers on Thursday about an increased risk of phishing attacks following the ransomware attack on its hosted Microsoft Exchange environment.

We saw an explosion of activity over the weekend around typosquats of the popular requests package. The following information was embedded in the malicious packages:

Phylum discovered an NPM/PyPI campaign in which Python packages were distributing Linux and Windows malware. BleepingComputer confirmed that the ransomware does not encrypt any files, but simply drops a ransom note and changes the desktop wallpaper.

The threat actor responsible told BleepingComputer that they were just playing around with encryption and would not be adding it.

PCrisk found a new MedusaLocker variant that appends the .allock[number] extension and drops a ransom note named how_to_back_files.html.

PCrisk discovered a new VoidCrypt variant that appends the .Juli extension and drops a ransom note named lock-info.txt.

That concludes this week's roundup. We wish everyone a happy weekend.