The Week in Ransomware – April 21st 2023 – Macs in the Crosshairs

A lot of news broke this week related to ransomware, ranging from the discovery of LockBit testing macOS encryptors to an outage at NCR that caused massive headaches for restaurants.

By far, the biggest news was the discovery of a LockBit macOS encryptor by MalwareHunterTeam. While the sample is quite buggy, LockBit confirmed to BleepingComputer that it is being actively developed.

Some interesting research on ransomware was also released this week.

Finally, we learned about some more ransomware attacks this week.

Thanks to the contributors and those who provided new ransomware information and stories this week.

April 15th 2023

Security researchers are warning that cybercriminals are increasingly using the Action1 remote access software for persistence on compromised networks and to execute commands, scripts, and binaries.

NCR is suffering an outage on its Aloha point of sale platform after being hit by a ransomware attack claimed by the BlackCat/ALPHV gang.

April 16th 2023

The LockBit ransomware gang has created encryptors targeting Macs for the first time, likely becoming the first major ransomware operation to ever specifically target macOS.

In this blog post we’ll tear apart the sample, showing that ultimately, while yes it can indeed run on Apple Silicon, that is basically the extent of its impact. Thus macOS users have nothing to worry about ... for now!

“Brief analysis of LockBit 3.0 for macOS ARM M1/M2. It’s using a simple XOR routine to decrypt all config data. The XOR key is the static value '57'.”
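The XOR-protected configuration described in the tweet above is a common pattern, and an analyst typically wants both to decode the blob and to confirm the key independently of any hint. The Python below is an added example for this write-up, not code from the original post, from the tweet's author, or from any LockBit sample. The config blob and its field names are constructed for the demonstration, and the key value 0x57 is an assumption (the tweet's "57" could be read as decimal or hex), which is why the key is a parameter and `recover_key()` derives it from the data rather than trusting the hint. It goes slightly beyond the tweet by brute-forcing the single-byte key, which is the general method for this kind of protection.

```python
from __future__ import annotations

# Bytes accepted as "text" in a decoded config: printable ASCII plus NUL,
# which many configs use as a string separator. Tab/LF/CR are deliberately
# excluded so that a wrong key cannot pass just by producing whitespace.
TEXT_BYTES = set(range(0x20, 0x7F)) | {0x00}


def xor_decode(blob: bytes, key: int) -> bytes:
    """Undo a single-byte XOR applied to every byte; XOR is its own inverse."""
    if not 0 <= key <= 0xFF:
        raise ValueError("single-byte key must be in 0..255")
    return bytes(b ^ key for b in blob)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that look like config text (1.0 = all of them)."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in TEXT_BYTES) / len(data)


def recover_key(blob: bytes, min_ratio: float = 0.9) -> list[tuple[int, float]]:
    """Rank all 256 single-byte keys by how text-like their output is.

    Returns (key, ratio) pairs with ratio >= min_ratio, best first (ties
    broken by key value). The true key yields entirely printable output;
    near-miss keys that differ in one low bit score lower because every
    NUL separator decodes to a control character under them.
    """
    scored = [(k, printable_ratio(xor_decode(blob, k))) for k in range(256)]
    scored = [s for s in scored if s[1] >= min_ratio]
    scored.sort(key=lambda s: (-s[1], s[0]))
    return scored


def split_config(decoded: bytes) -> list[str]:
    """Split a decoded blob on NUL separators into its individual strings."""
    return [s.decode("ascii", errors="replace") for s in decoded.split(b"\x00") if s]


# Constructed sample: a NUL-separated config encoded with an ASSUMED key of
# 0x57. The field names and values are made up for this example and are not
# taken from any real sample.
ASSUMED_KEY = 0x57
SAMPLE_PLAINTEXT = b"note=README.txt\x00ext=.locked\x00skip=/System,/Library\x00"
SAMPLE_BLOB = xor_decode(SAMPLE_PLAINTEXT, ASSUMED_KEY)

if __name__ == "__main__":
    # Show the top candidates, then decode with the best one.
    for key, ratio in recover_key(SAMPLE_BLOB)[:3]:
        print(f"key=0x{key:02x} printable_ratio={ratio:.3f}")
    best_key = recover_key(SAMPLE_BLOB)[0][0]
    for field in split_config(xor_decode(SAMPLE_BLOB, best_key)):
        print(field)
```

Running the script ranks 0x57 first with a ratio of 1.0, while keys that differ from it by a single low bit land just below 0.95, which is why the scoring treats only NUL and printable ASCII as acceptable output rather than any whitespace: the separator bytes are what separate the real key from its near neighbours.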

April 17th 2023

Ex-Conti ransomware members have teamed up with the FIN7 threat actors to distribute a new malware family named ‘Domino’ in attacks on corporate networks.

A new Phobos ransomware variant was found that appends the .sdk extension.

PCrisk found a new VoidCrypt ransomware variant that appends the .Recov extension and drops a ransom note named Dectryption-guide.txt.

A new CrossLock ransomware was found that appends the .crlk extension and drops the —CrossLock_readme_To_Decrypt—.txt ransom note.

PCrisk found a new STOP ransomware variant that appends the .coty extension.

April 18th 2023

On April 16th, Twitter user @malwrhunterteam tweeted details of a sample of the LockBit ransomware compiled for Apple’s macOS arm64 architecture. LockBit claims to be “the oldest ransomware affiliate program on the planet”, and news that one of the major cybercrime outfits in the ransomware landscape was now targeting macOS devices has predictably raised concerns about the ransomware threat on Mac devices.

A ransomware called BabLock (aka Rorschach) has recently been making waves due to its sophisticated and fast-moving attack chain that uses subtle yet effective techniques. Although primarily based on LockBit, the ransomware is a hodgepodge of other different ransomware parts pieced together into what we now call BabLock (detected as Ransom.Win64.LOCKBIT.THGOGBB.enc). Note, however, that we do not believe that this ransomware originates from the threat actors behind LockBit, which is now in its third iteration.

PCrisk found new MedusaLocker ransomware variants that append the .skynetlock and .tangem extensions.

April 19th 2023

March 2023 was the most prolific month recorded by cybersecurity analysts in recent years, measuring 459 attacks, an increase of 91% from the previous month and 62% compared to March 2022.

The Play ransomware group has developed two custom tools in .NET, namely Grixba and VSS Copying Tool, which it uses to improve the effectiveness of its cyberattacks.

Attackers are hacking into poorly secured and Internet-exposed Microsoft SQL (MS-SQL) servers to deploy Trigona ransomware payloads and encrypt all files.

Fortra has completed its investigation into the exploitation of CVE-2023-0669, a zero-day flaw in the GoAnywhere MFT solution that the Clop ransomware gang exploited to steal data from over a hundred companies.

Threat actors use a new hacking tool dubbed AuKill to disable Endpoint Detection & Response (EDR) software on targets’ systems before deploying backdoors and ransomware in Bring Your Own Vulnerable Driver (BYOVD) attacks.

April 20th 2023

London-based professional outsourcing giant Capita has published an update on the cyber-incident that impacted it at the start of the month, now admitting that hackers exfiltrated data from its systems.

AhnLab Security Emergency response Center (ASEC) has recently discovered the distribution of the BlackBit ransomware disguised as svchost.exe during the team’s monitoring. According to ASEC’s internal infrastructure, the BlackBit ransomware has been continuously distributed since September last year.

PCrisk found a new MedusaLocker ransomware variant that appends the .attackuk extension.

That’s it for this week! Hope everyone has a nice weekend!