The Week in Ransomware – April 14th 2023 – A Focus on Stolen Data

It has been mostly a quiet week regarding ransomware, with only a few bits of info released on older attacks and some reports released on existing organizations.

This week, theft of customer data remains the focus, with for a ransomware attack in January.

Capita also remains silent on a Black Basta ransomware attack that occurred earlier this month, staying silent as to whether customer data was stolen, even as the .

Other news this week revolves around research released about particular operations, including:

  • DarkAngels ransomware launched a data leak site.
  • Vice Society now uses a custom PowerShell script for data exfiltration.
  • A technical analysis of Trigona, which BleepingComputer on in 2022.
  • Information on the new Kadavro Vector Ransomware.

Finally, we saw LockBit messing around with cybersecurity companies, claiming to have breached DarkTrace. However, the company said this is untrue and that systems were compromised.

Contributors and those who provided new ransomware information and stories this week include , , , , , , , , , , , , , , , and .

April 9th 2023

In terms of Black Basta and Capita, they list Capita as currently being held to extortion – and provide evidence of exfiltrated data. This includes primary and secondary school job applications, a Capita nuclear document, Capita documents marked Confidential, passport scans, security vetting for customers and architecture diagrams.

April 10th 2023

Yum! Brands, the brand owner of the KFC, Pizza Hut, and Taco Bell fast food chains, is now sending data breach notification letters to an undisclosed number of individuals whose personal information was stolen in a January 13 ransomware attack.

Zscaler discovered that DarkAngels ransomware (AKA RansomHouse) launched a data leak site.

April 11th 2023

PCrisk found a new STOP ransomware variant that appends the .kiop extension.

April 14th 2023

Cybersecurity firm Darktrace says it found no evidence that the LockBit ransomware gang breached its network after the group added an entry to their dark web leak platform, implying that they stole data from the company’s systems.

The Vice Society ransomware gang is deploying a new, rather sophisticated PowerShell script to automate data theft from compromised networks.

Zscaler ThreatLabz has been tracking the Trigona ransomware family, which dates back to June 2022. There has been that some of the group’s tactics, techniques, and procedures (TTPs) have overlapped with BlackCat/ALPHV ransomware.

FortiGuard Labs recently came across a ransomware named “Kadavro Vector”, a NoCry ransomware variant that encrypts files on compromised machines and demands a ransom in Monero (XMR) cryptocurrency for file decryption.

That’s it for this week! Hope everyone has a nice weekend!