The Week in Ransomware – January 27th 2023 – ‘We hacked the hackers’

For the most part, this week has been relatively quiet regarding ransomware attacks and researcher — that is, until the FBI announced the disruption of the Hive ransomware operation.

Hive ransomware launched in June 2021 and quickly became one of the most active and prominent ransomware operations.

Launched as a Ransomware-as-a-Service, the Hive operators were responsible for developing the ransom and maintaining data leak/negotiation sites. At the same time, affiliates were recruited to conduct attacks and deploy the encryptors.

As part of this arrangement, the operators kept 20% of all ransom payments, and the affiliates earned the rest.

Yesterday, an international law enforcement operation and disclosed that they had secretly hacked the organization’s servers in July 2022.

For the past six months, the police have monitored their communications, intercepted decryption keys, and helped victims with free decryptors.

While no arrests were made, this was a massive blow to a prominent player in this cybercrime space while preventing $100 million in ransom payments.

BleepingComputer also reported this week on for initial access to corporate networks.

This same access broker previously for attacks.

Be careful out there, and always click on legitimate links in search results for software developers rather than using Google ads.

Contributors and those who provided new ransomware information and stories this week include: , , , , , , , , , , , , , , , and .

January 23rd 2023

found new Dharma ransomware variants that append the .nlb and .r0n extensions to encrypted files.

PCrisk found a new STOP ransomware variant that appends the .mztu extension.

PCrisk found a new VoidCrypt ransomware variant that appends the .MrWhite extension and drops a ransom note named Dectryption-guide.txt.

January 24th 2023

A threat actor tracked as DEV-0569 uses Google Ads in widespread, ongoing advertising campaigns to distribute malware, steal victims’ passwords, and ultimately breach networks for ransomware attacks.

Most reports have the threat actor focusing its efforts on the and the industries. However, through Trend Micro’s telemetry data, we have evidence that the group is also targeting the manufacturing sector, which means that they have capability and desire to penetrate different industries — most likely accomplished via the purchasing of compromised credentials from underground channels.

PCrisk found a new MedusaLocker ransomware variant that appends the .filesencrypted extension.

January 26th 2023

The Hive ransomware operation’s Tor payment and data leak sites were seized as part of an international law enforcement operation after the FBI infiltrated the gang’s infrastructure last July.

Security researchers discovered a new ransomware strain they named Mimic that leverages the APIs of the ‘Everything’ file search tool for Windows to look for files targeted for encryption.

The U.S. Department of State today offered up to $10 million for information that could help link the Hive ransomware group (or other threat actors) with foreign governments.

PCrisk found a new Phobos variant that appends the .unknown extension.

January 27th 2023

PCrisk found a new ransomware variant that appends the .sickfile extension and drops a ransom note named how_to_back_files.html.

PCrisk found a new Mallox variant that appends the .bitenc extension.

That’s it for this week! Hope everyone has a nice weekend!