
Ransomware Week – December 16th, 2022 – Losing Trust

Malware developers and threat actors are increasingly using compromised code-signing certificates to evade detection by security software.

This trend was illustrated this week when Microsoft disclosed that accounts in its Windows Hardware Developer Program had been compromised and used to get malicious kernel-mode drivers signed.

Because the drivers carried a valid Microsoft signature, Windows allowed them to load, just as it would any properly signed kernel driver.

The drivers were part of a toolkit consisting of the STONESTOP loader and the POORTRY kernel-mode driver, which were used to stop Windows services and kill the protected processes of security software.

Coordinated reports from security researchers showed the toolkit being used by multiple threat actors in their attacks, including the Hive ransomware operation and the Cuba ransomware gang.

Microsoft also fixed a Windows SmartScreen bypass that threat actors had been using in their malware distribution campaigns.

Other research and news from this week is covered in the daily entries below.

There were also quite a few cyberattacks reported this week, but only a handful of them were confirmed as ransomware.

The confirmed ones include the Play ransomware operation's attack on Antwerp, Belgium, LockBit's attack on California's Department of Finance, and the BlackCat/ALPHV attack on Empresas Publicas de Medellin (one of the biggest energy suppliers in Colombia).

Contributors and those who provided new ransomware information and stories this week include @struppigel and @VK_Intel.

December 11, 2022

Researchers have observed a rise in devices infected with TrueBot, a malware downloader attributed to a Russian-speaking hacking group known as Silence.

December 12, 2022

The Play ransomware operation claimed responsibility for an attack on the city of Antwerp, Belgium.

Azov differs from other ransomware in that it modifies certain 64-bit executables so that they run its code. That is how malware propagated before the internet, and it is still the textbook definition of a "computer virus", but it is seldom seen in modern malware.
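Two of the items above, the Microsoft-signed POORTRY drivers and Azov's patching of 64-bit executables, come down to the same triage question for a file on disk: is the image signed at all, and does its entry point sit where a compiler would have put it? The following Python is an added example written for this page, not code from Microsoft, Check Point or any of the researchers cited. It builds two constructed PE32+ images in memory (one laid out conventionally with a placeholder signature blob attached, and one whose entry point has been moved into an appended writable section) and runs a few static checks over them. The finding tags such as entry-in-last-section are this example's own labels, not any vendor's.

```python
import struct

# IMAGE_SECTION_HEADER.Characteristics bits (winnt.h)
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # Authenticode WIN_CERTIFICATE table
PE32PLUS_MAGIC = 0x20B
OPT_HDR_SIZE = 240                   # PE32+ optional header incl. 16 data directories
FILE_ALIGN = 0x200


def build_pe32plus(sections, entry_rva, signed):
    """Constructed sample only: emit a minimal 64-bit PE image (no real code inside).

    sections: list of (name, rva, size, characteristics). When signed is True a
    zero-filled placeholder blob is appended and referenced from the security
    directory, mimicking the on-disk layout of an Authenticode-signed file.
    """
    n = len(sections)
    headers_len = 0x40 + 4 + 20 + OPT_HDR_SIZE + 40 * n
    headers_len = -(-headers_len // FILE_ALIGN) * FILE_ALIGN        # round up
    sec_hdrs, body, raw_ptr = b"", b"", headers_len
    for name, rva, size, chars in sections:
        raw_size = -(-size // FILE_ALIGN) * FILE_ALIGN
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name, size, rva, raw_size,
                                raw_ptr, 0, 0, 0, 0, chars)
        body += b"\xcc" * raw_size           # int3 filler stands in for code/data
        raw_ptr += raw_size
    cert_blob = b"\0" * 0x200 if signed else b""
    security_dir = (raw_ptr, len(cert_blob)) if signed else (0, 0)

    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew -> "PE\0\0"
    coff = struct.pack("<HHIIIHH", 0x8664, n, 0, 0, 0, OPT_HDR_SIZE, 0x0022)
    opt = bytearray(OPT_HDR_SIZE)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 16, entry_rva)              # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, 0x140000000)            # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, FILE_ALIGN)    # Section/FileAlignment
    struct.pack_into("<I", opt, 60, headers_len)            # SizeOfHeaders
    struct.pack_into("<I", opt, 108, 16)                    # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, *security_dir)
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec_hdrs
    return hdr.ljust(headers_len, b"\0") + body + cert_blob


def parse_pe(data):
    """Return machine, entry RVA, security directory and section table of a PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != PE32PLUS_MAGIC:
        raise ValueError("only PE32+ (64-bit) images are handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    ndirs = struct.unpack_from("<I", data, opt + 108)[0]
    security = (0, 0)
    if ndirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        # Unlike the other directories this entry holds a file offset, not an RVA.
        security = struct.unpack_from("<II", data, opt + 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sections = []
    for i in range(nsec):
        name, vsize, rva, raw_size, _, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0"), "rva": rva,
                         "size": max(vsize, raw_size), "chars": chars})
    return {"machine": machine, "entry_rva": entry_rva,
            "security_dir": security, "sections": sections}


def triage(data):
    """Cheap static checks on a 64-bit PE; returns a list of finding tags."""
    pe = parse_pe(data)
    findings = []
    # A present blob only means "something is attached": the chain still has to be
    # verified and the signing certificate checked against revocations.
    findings.append("authenticode-present" if pe["security_dir"][1] else "unsigned")
    ep, secs = pe["entry_rva"], pe["sections"]
    hit = next((i for i, s in enumerate(secs) if s["rva"] <= ep < s["rva"] + s["size"]), None)
    if hit is None:
        findings.append("entry-outside-sections")
        return findings
    s = secs[hit]
    if not s["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append("entry-section-not-executable")
    if s["chars"] & IMAGE_SCN_MEM_WRITE:
        findings.append("entry-section-writable")
    if len(secs) > 1 and hit == len(secs) - 1 and s["name"] != b".text":
        # Entry point redirected into the last (appended) section: classic file-infector footprint.
        findings.append("entry-in-last-section")
    return findings


# Constructed sample images (not real binaries).
CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = 0x40 | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE      # INITIALIZED_DATA | R | W
CLEAN_IMAGE = build_pe32plus(
    [(b".text", 0x1000, 0x400, CODE), (b".data", 0x2000, 0x100, DATA)],
    entry_rva=0x1010, signed=True)
PATCHED_IMAGE = build_pe32plus(
    [(b".text", 0x1000, 0x400, CODE), (b".data", 0x2000, 0x100, DATA),
     (b".patch", 0x3000, 0x300, CODE | IMAGE_SCN_MEM_WRITE)],
    entry_rva=0x3000, signed=False)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_IMAGE), ("patched", PATCHED_IMAGE)):
        print(label, triage(img))
```

Note what the signature check does and does not tell you. The security directory only says that a WIN_CERTIFICATE blob is attached; the POORTRY drivers above would pass that check and a full chain validation as well, because they were signed through a legitimate program. Catching them means checking the signing certificate against Microsoft's revocations and looking at what the driver does, which is why the entry-point and section heuristics carry more weight in triage than the signed/unsigned bit.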

New STOP ransomware variants were discovered that append the .manw and .maos extensions.

December 13, 2022

California's Department of Finance was hit by a cyberattack that has now been claimed by the LockBit ransomware operation.

Microsoft has suspended several Microsoft Hardware Developer Program accounts after drivers signed through them were used in ransomware and other cyberattacks.

BianLian is a Golang-based ransomware that targeted multiple industries in 2022. It uses anti-analysis techniques, including specific API calls that are likely to crash some automated analysis systems and sandboxes. Once encryption has completed, the malware deletes itself from the target machine.

PCrisk discovered a new STOP ransomware variant that appends the .matu extension.

PCrisk discovered a new Dharma ransomware variant that appends the .hebem extension and drops a ransom note named info.txt.

PCrisk discovered the Lucknite ransomware, which appends the .lucknite extension to encrypted files and drops a ransom note named README.txt.

PCrisk discovered a new Chaos ransomware variant that appends the .xllm extension and drops a ransom note named read_it.txt.

December 14, 2022

Microsoft fixed a security flaw that threat actors were using to bypass Windows SmartScreen and deliver Magniber ransomware and Qbot malware payloads.

The Royal ransomware group was formed in early 2022 and has continued to grow since. Its ransomware, delivered through a variety of TTPs, has affected multiple organisations around the world. Based on the similarities researchers found between Royal and other ransomware operations, the group may be made up of former members of other ransomware groups.

Many ransomware cases were reported by Korean businesses in the second quarter of 2022. This attack is unusual in that the attacker broke into a poorly secured database (DB) server and distributed the ransomware from there. The ransomware encrypts files and appends a ".masscan" string to their extension.

PCrisk discovered a new Blocky ransomware variant that appends an extension to encrypted files and drops a ransom note named READ_IT.txt.

PCrisk discovered a new ransomware that appends an extension to encrypted files and drops a ransom note named UNLOCKFILES.txt.

December 16, 2022

Empresas Publicas de Medellin, a Colombian energy company, was hit by BlackCat/ALPHV ransomware on Monday. The attack disrupted the company's operations and forced it to shut down its online services.

This year, ransomware-as-a-service (RaaS) groups such as BlackCat, Hive, and RansomExx have developed versions of their ransomware in Rust, a cross-platform language that makes it easier to tailor malware to different operating systems such as Windows and Linux. This research discusses Agenda, also known as Qilin, another ransomware group that has adopted the language.

PCrisk discovered new STOP ransomware variants that append the .btnw, .btos, and .bttu extensions.


This concludes this week. We wish everyone a happy weekend.