The Week in Ransomware – April 28th 2023 – Clop at it again

It has been a very quiet week for ransomware news, with only a few reports released and not much info about cyberattacks.

However, an item of interest was Microsoft linking the recent  operation.

Clop claims to have started exploiting PaperCut servers on April 13th, the same day Microsoft began seeing active exploitation of the vulnerabilities.

The ransomware operation told BleepingComputer that they utilized these exploits for initial access to corporate networks rather than to steal archived documents on the server.

Other ransomware reports released this week include:

Finally, we learned that .


April 24th 2023

Yellow Pages Group, a Canadian directory publisher, has confirmed to BleepingComputer that it has been hit by a cyber attack.

found a new Dharma ransomware variant that appends the .rea extension.

PCrisk found a new Xorist ransomware variant that appends the .VoNiX extension and drops a ransom note named HOW TO DECRYPT FILES.txt.

April 25th 2023

The story I will tell you is not mine, but it is the account of a man who was once no different than you or me. Unfortunately, poor decisions and hardships in his life pushed him to a dark place, from which he never returned.

This is Bassterlord’s story.

PCrisk found a new STOP ransomware variant that appends the .foza extension.

April 26th 2023

Microsoft has attributed recent attacks on PaperCut servers to the Clop and LockBit ransomware operations, which used the vulnerabilities to steal corporate data.

PCrisk found a new Xorist ransomware variant that appends the .attack7 (number may change) extension and drops a ransom note named how_to_back_files.html.

PCrisk found a new STOP ransomware variant that appends the .foty extension.

April 27th 2023

RTM Locker is the latest enterprise-targeting ransomware operation found to be deploying a Linux encryptor that targets virtual machines on VMware ESXi servers.

FortiGuard Labs recently came across a new ransomware variant called UNIZA. Like other ransomware variants, it encrypts files on victims’ machines in an attempt to extort money. It uses the Command Prompt (cmd.exe) window to display its ransom message, and interestingly, it does not append the filename of the files it encrypts, making it more difficult to determine which files have been impacted.

PCrisk found a new Chaos ransomware variant that appends the .devinn extension and drops a ransom note named unlock_here.txt.

That’s it for this week! Hope everyone has a nice weekend!