This week’s ransomware news has been dominated by a Royal ransomware attack on the City of Dallas that took down part of the IT infrastructure.
The attack occurred early Monday, affecting the Dallas Police dispatch system and the public library’s computer network. Additional systems, including the City’s website, were shut down as time passed.
On Wednesday, the City’s network printers began printing ransom notes from the attack. BleepingComputer obtained a screenshot of this note, allowing us to identify that the .
While it may seem counterintuitive to target a local government, Bill Siegel of ransomware incident response firm told BleepingComputer that approximately 35% of public sector cases they handled paid a ransom.
This includes local governments, schools, police, or other publicly funded entities.
“Historically, public sector victims pay ransoms in 35% of cases we have handled. That is 10 percentage points less than the broad, all-industry average as of Q1 2023 (45%),” Siegel told BleepingComputer.
“I would add that the actual rate is likely even lower as public sector victims are much less likely to engage external IR help, especially if they are very small, so there are likely a large volume of incidents where the public sector victim just deals with the impact and does not even bother considering engaging the cyber criminal responsible.”
Regarding other ransomware attacks this week, we learned about:
Law enforcement also had a victory this week when the used to launder ransomware payments and stolen cryptocurrency.
Finally, an interesting report was released by WithSecure regarding for initial access to corporate networks.
Contributors and those who provided new ransomware information and stories this week include: , , , , , , , , , , , , , , , and .
April 29th 2023
Veeam backup servers are being targeted by at least one group of threat actors known to work with multiple high-profile ransomware gangs.
May 1st 2023
The ALPHV ransomware operation, aka BlackCat, has published screenshots of internal emails and video conferences stolen from Western Digital, indicating they likely had continued access to the company’s systems even as the company responded to the breach.
May 2nd 2023
The FBI and Ukrainian police have seized nine cryptocurrency exchange websites that facilitated money laundering for scammers and cybercriminals, including ransomware actors.
found new STOP ransomware variants that append the .saba, .sato, and .fofd extensions.
PCrisk found a new Dharma Ransomware variant that appends the .h3r extension.
PCrisk found a new Phobos Ransomware variant that appends the .BOOM extension.
PCrisk found a new Xorist Ransomware variant that appends the .CrypBits256PT2 extension and drops a ransom note named HOW TO DECRYPT FILES.txt.
PCrisk found a new MedusaLocker Ransomware variant that appends the .attacksystem extension.
PCrisk found a new ransomware that appends the .zhong extension and drops a ransom note named Restore.txt.
May 3rd 2023
Pediatric mental health provider Brightline is warning patients that it suffered a data breach impacting 783,606 people after a ransomware gang stole data using a zero-day vulnerability in its Fortra GoAnywhere MFT secure file-sharing platform.
The City of Dallas, Texas, has suffered a Royal ransomware attack, causing it to shut down some of its IT systems to prevent the attack’s spread.
PCrisk found the new Rec_rans Ransomware that appends the .rec_rans extension and drops a ransom note named HOW_TO_RECOVERY_FILES.txt.
, , and found the new BlackSuit ransomware that targets Windows and VMware ESXi. It appends the .blacksuit extension and drops a ransom note named README.BlackSuit.txt.
May 4th 2023
The Avos ransomware gang hijacked Bluefield University’s emergency broadcast system, “RamAlert,” to send students and staff SMS texts and email alerts that their data was stolen and would soon be released.
PCrisk found a new Xorist ransomware variant that appends the .btc-Apt2 extension and drops a ransom note named HOW TO DECRYPT FILES.txt.
May 5th 2023
Canadian diversified software company Constellation Software confirmed on Thursday that some of its systems were breached by threat actors who also stole personal information and business data.
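The variant entries above each give an appended extension and, for some, a ransom note filename. As an added triage aid that is not part of the original article, the Python below maps those indicators to the families named this week and counts encrypted files and notes per family over a file listing; the listing is constructed for the example, and an unmatched path is simply left unclassified.

```python
import os
from collections import Counter

# Indicators as listed in this week's variant entries (extension -> family).
EXTENSION_FAMILY = {
    ".saba": "STOP", ".sato": "STOP", ".fofd": "STOP",
    ".h3r": "Dharma",
    ".boom": "Phobos",
    ".crypbits256pt2": "Xorist", ".btc-apt2": "Xorist",
    ".attacksystem": "MedusaLocker",
    ".zhong": "unnamed (.zhong)",
    ".rec_rans": "Rec_rans",
    ".blacksuit": "BlackSuit",
}
# Ransom note filenames named in the entries (lower-cased for matching).
NOTE_FAMILY = {
    "how to decrypt files.txt": "Xorist",
    "restore.txt": "unnamed (.zhong)",
    "how_to_recovery_files.txt": "Rec_rans",
    "readme.blacksuit.txt": "BlackSuit",
}

def classify_path(path):
    """Return ("note", family) or ("encrypted", family), or None if unknown."""
    lower = os.path.basename(path).lower()
    if lower in NOTE_FAMILY:
        return ("note", NOTE_FAMILY[lower])
    # The ransomware extension is appended after the original one,
    # so only the final suffix identifies the family.
    _, ext = os.path.splitext(lower)
    if ext in EXTENSION_FAMILY:
        return ("encrypted", EXTENSION_FAMILY[ext])
    return None

def triage(paths):
    """Count encrypted files and ransom notes per family across a listing."""
    counts = {}
    for p in paths:
        hit = classify_path(p)
        if hit is not None:
            kind, family = hit
            counts.setdefault(family, Counter())[kind] += 1
    return counts

SAMPLE_LISTING = [  # constructed paths for the example, not from a real incident
    "C:/Users/alice/Documents/budget.xlsx.saba",
    "C:/Users/alice/Pictures/holiday.jpg.fofd",
    "C:/Users/alice/Desktop/HOW TO DECRYPT FILES.txt",
    "C:/Users/alice/Desktop/report.docx.CrypBits256PT2",
    "/vmfs/volumes/ds1/web01/web01.vmdk.blacksuit",
    "/vmfs/volumes/ds1/README.BlackSuit.txt",
    "C:/Users/alice/Documents/notes.txt",
]
```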