
The Week in Ransomware – March 17th 2023 – Shifting to data extortion

The fallout from the Clop ransomware attacks on GoAnywhere platforms has become apparent this week, with the threat actors starting to extort victims on their data leak site and companies confirming breaches.

These attacks were claimed by the Clop threat actors, a ransomware gang that historically encrypted devices and stole data to extort victims into paying a ransom. However, more recently, they have been focusing on data extortion instead of encrypting.

Clop had previously claimed to have breached and stolen data from 130 organizations over ten days using the GoAnywhere vulnerabilities.

This week, BleepingComputer was told that , emailing ransom demands, and creating profiles for many victims on their data leak site. At this time, it is not known how much the threat actors are demanding not to publish data.

This has led to numerous data breach disclosures from companies, including , , , and , with likely many more to come.

In addition to the Clop attacks, we learned more about various ransomware attacks, including those on and the

The other significant news this week that will affect ransomware and other cybercrime is the , used by cybercriminals to launder ransom payments, stolen cryptocurrency, and revenue generated on dark web markets.

Finally, some interesting reports were released on , , , BianLian’s shift to , and more!

Contributors and those who provided new ransomware information and stories this week include , , , , , , , , , , , , , , , and .

March 11th 2023

The Clop ransomware gang has begun extorting companies whose data was stolen using a zero-day vulnerability in the Fortra GoAnywhere MFT secure file-sharing solution.

Quietman7 spotted new STOP ransomware variants appending the .craa, .qazx, and .qapo extensions.

March 12th 2023

A ransomware operation known as Medusa has begun to pick up steam in 2023, targeting corporate victims worldwide with million-dollar ransom demands.

Essendant, a wholesale distributor of stationery and office supplies, is experiencing a multi-day systems “outage” preventing customers and suppliers from placing and fulfilling online orders.

Quietman7 spotted a new STOP ransomware variant that appends the .qarj extension.

March 13th 2023

The Housing Authority of the City of Los Angeles (HACLA) is warning of a “data security event” after the LockBit ransomware gang targeted the organization and leaked data stolen in the attack.

found new Dharma ransomware variants appending the .like and .j3rd extensions.

PCrisk found new Chaos ransomware variants appending the .nochi and .Cyber extensions.

The CatB ransomware family, sometimes referred to as CatB99 or Baxtoy, was first observed in late 2022, with campaigns being observed steadily since November. The group’s activities have gained attention due to their ongoing use of DLL hijacking via Microsoft Distributed Transaction Coordinator (MSDTC) to extract and launch ransomware payloads.
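The MSDTC DLL-hijacking technique described above is worth a quick host check, since a hijacked MSDTC loads an attacker-supplied DLL into a trusted Windows service process. The following PowerShell function is an added example, not code from the article or from the researchers who reported CatB: it lists every module currently loaded into msdtc.exe and flags any that is not Microsoft-signed or that lives outside the Windows system directories. It assumes an elevated session on the host being checked (msdtc.exe runs as NETWORK SERVICE, so module enumeration fails without admin rights); the trusted-root list is an assumption you may need to widen for your builds.

```powershell
# Added example (not from the original article): flag DLLs loaded into msdtc.exe
# that are not Microsoft-signed or that live outside the Windows system directories.
# Assumption: run from an elevated PowerShell session on the host being checked.

function Get-SuspiciousMsdtcModules {
    [CmdletBinding()]
    param(
        # Directory trees where a legitimate MSDTC dependency is expected to live (assumption).
        [string[]]$TrustedRoots = @("$env:SystemRoot\System32", "$env:SystemRoot\WinSxS")
    )

    $procs = Get-Process -Name msdtc -ErrorAction SilentlyContinue
    if (-not $procs) {
        Write-Verbose "msdtc.exe is not running on this host."
        return @()
    }

    $findings = foreach ($proc in $procs) {
        foreach ($module in $proc.Modules) {
            $path = $module.FileName

            # Is the DLL inside one of the trusted directory trees?
            $inTrustedRoot = $false
            foreach ($root in $TrustedRoots) {
                if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                    $inTrustedRoot = $true
                    break
                }
            }

            # Authenticode check; Windows system files are normally catalog-signed by Microsoft.
            $sig = Get-AuthenticodeSignature -FilePath $path
            $microsoftSigned = ($sig.Status -eq 'Valid') -and
                               ($sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*')

            if ((-not $inTrustedRoot) -or (-not $microsoftSigned)) {
                [pscustomobject]@{
                    ProcessId      = $proc.Id
                    Module         = $module.ModuleName
                    Path           = $path
                    InTrustedRoot  = $inTrustedRoot
                    SignatureState = $sig.Status
                    Signer         = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                }
            }
        }
    }
    return @($findings)
}

# Usage: an empty table is the expected result on a clean host.
Get-SuspiciousMsdtcModules -Verbose | Format-Table -AutoSize
```

Treat a hit as a lead rather than a verdict: a module that fails the signature check may simply be a file whose catalog is missing, but an unsigned DLL loaded from a user-writable directory into msdtc.exe is exactly the condition the hijack relies on and deserves a hash lookup and a look at who wrote the file and when.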

March 14th 2023

Cybersecurity company Rubrik has confirmed that its data was stolen using a zero-day vulnerability in the Fortra GoAnywhere secure file transfer platform.

PCrisk spotted a new Phobos ransomware variant that appends the .BACKJOHN extension.

PCrisk spotted a new VoidCrypt ransomware variant that appends the .youhau extension and drops a ransom note named Dectryption-guide.txt.

Microsoft has patched another zero-day bug used by attackers to circumvent the Windows SmartScreen cloud-based anti-malware service and deploy Magniber ransomware payloads without raising any red flags.

March 15th 2023

An international law enforcement operation has seized the cryptocurrency mixing service ‘ChipMixer’ which is said to be used by hackers, ransomware gangs, and scammers to launder their proceeds.

The Federal Bureau of Investigation (FBI) revealed in its 2022 Internet Crime Report that ransomware gangs breached the networks of at least 860 critical infrastructure organizations last year.

LockBit ransomware has claimed a cyber attack on Essendant, a wholesale distributor of office products, after a “significant” and ongoing outage knocked the company’s operations offline.

PCrisk spotted a new Xorist ransomware variant appending the .DrWeb extension and dropping ransom notes named ??? ???????????? ?????.txt.

Toward the latter half of Q4 2022, ReliaQuest discovered a security incident unfolding in a customer’s environment. A threat actor gained initial network access, rapidly escalated their privileges, and moved laterally, quickly establishing a foothold in 77 minutes.

March 16th 2023

A decryption tool for a modified version of the Conti ransomware could help hundreds of victims recover their files for free.

The BianLian ransomware group has shifted its focus from encrypting its victims’ files to only exfiltrating data found on compromised networks and using it for extortion.

Quietman7 spotted new STOP ransomware variants appending the .darz and .dapo extensions.

PCrisk found a new ransomware variant that appends the .Merlin extension and drops a ransom note named Merlin_Recover.txt.

PCrisk spotted a new Phobos ransomware variant that appends the .usr extension.

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing & Analysis Center (MS-ISAC) are releasing this joint CSA to disseminate known LockBit 3.0 ransomware IOCs and TTPs identified through FBI investigations as recently as March 2023.

Trigona ransomware is a relatively new strain that security researchers first discovered in late October 2022. By analyzing Trigona ransomware binaries and ransom notes obtained from VirusTotal, as well as information from Unit 42 incident response, we determined that Trigona was very active during December 2022, with at least 15 potential victims being compromised. Affected organizations are in the manufacturing, finance, construction, agriculture, marketing and high technology industries.

March 17th 2023

PCrisk spotted a new STOP ransomware variant that appends the .dazx extension.
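The extensions and ransom-note names reported through the week (STOP, Dharma, Chaos, Phobos, VoidCrypt, Xorist and the .Merlin variant above) are most useful as a sweep list for file servers and backup targets. The function below is an added example, not code from the article or from any of the researchers credited here: it walks a directory tree, matches files against that week's extension and note-name list, and returns one record per hit so the results can be grouped by directory. The extension and note-name defaults are copied from the entries in this post; the share path in the usage line is an assumption.

```powershell
# Added example (not from the original article): sweep a file tree for the encrypted-file
# extensions and ransom-note names reported this week. Defaults come from the week's entries;
# the path passed at the end is an assumption.

function Find-RansomwareArtifacts {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Extensions = @(
            '.craa', '.qazx', '.qapo', '.qarj', '.darz', '.dapo', '.dazx',   # STOP
            '.like', '.j3rd',                                                # Dharma
            '.nochi', '.Cyber',                                              # Chaos
            '.BACKJOHN', '.usr',                                             # Phobos
            '.youhau',                                                       # VoidCrypt
            '.DrWeb',                                                        # Xorist
            '.Merlin'                                                        # Merlin
        ),
        [string[]]$NoteNames = @('Dectryption-guide.txt', 'Merlin_Recover.txt')
    )

    # Case-insensitive lookup sets so '.cyber' and '.Cyber' both match.
    $extSet  = [System.Collections.Generic.HashSet[string]]::new([string[]]$Extensions, [System.StringComparer]::OrdinalIgnoreCase)
    $noteSet = [System.Collections.Generic.HashSet[string]]::new([string[]]$NoteNames,  [System.StringComparer]::OrdinalIgnoreCase)

    Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Phobos/Dharma names look like name.ext.id[...].[mail].usr; .Extension still yields the last suffix.
            $kind = $null
            if ($extSet.Contains($_.Extension)) { $kind = 'EncryptedFile' }
            elseif ($noteSet.Contains($_.Name)) { $kind = 'RansomNote' }

            if ($kind) {
                [pscustomobject]@{
                    Kind      = $kind
                    Extension = $_.Extension
                    Path      = $_.FullName
                    Modified  = $_.LastWriteTimeUtc
                }
            }
        }
}

# Usage (share path is an assumption): list the directories with the most hits first.
$hits = Find-RansomwareArtifacts -Path 'D:\Shares'
$hits |
    Group-Object { Split-Path -Path $_.Path -Parent } |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 20
```

Two caveats when reading the output: a handful of these suffixes (.usr, .like, .Cyber) also occur on legitimate files, so a single hit is noise while a directory full of freshly modified matches alongside a note file is not; and a sweep like this finds damage after the fact, so the LastWriteTimeUtc column is mainly there to bound when encryption started for the incident timeline.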

Hitachi Energy confirmed it suffered a data breach after the Clop ransomware gang stole data using a GoAnywhere zero-day vulnerability.

That’s it for this week! Hope everyone has a nice weekend!