SS7
The Week in Ransomware – May 12th 2023 – New Gangs Emerge
May
This week we have multiple reports of new ransomware families targeting the enterprise, named Cactus and Akira, both increasingly active as they target the enterprise.
The and has been found to exploit VPN vulnerabilities to gain access to corporate networks.
The encryptor requires an encryption key to be passed on the command line to decrypt the configuration file used by the malware. If the proper configuration key is not passed, the encryptor will terminate, and nothing will be encrypted.
This method is to evade detection by security researchers and antivirus software.
BleepingComputer also , a new operation launched in March that quickly amassed sixteen victims on its data leak site.
The Akira operation uses a retro-looking data leak site that requires you to enter commands as if you’re using a Linux shell.
Source: BleepingComputer
We also learned about new attacks and significant developers in previous ones.
On May 7th, multinational automation firm , disrupting their network and factories.
ABB is the developer of numerous SCADA and industrial control systems (ICS) for energy suppliers and manufacturing, raising concerns about whether data was stolen and what it contained.
News also came out last week that the Money Message ransomware operation published source code belonging to MSI, which .
Binarly could be used to digitally sign UEFI malware that can bypass Intel Boot Guard on MSI devices.
Finally, researchers and law enforcement released new reports:
Contributors and those who provided new ransomware information and stories this week include: , , , , , , , , , , , , , , , , , , , , , , , and .
May 7th 2023
The new Akira ransomware operation has slowly been building a list of victims as they breach corporate networks worldwide, encrypt files, and then demand million-dollar ransoms.
A new ransomware operation called Cactus has been exploiting vulnerabilities in VPN appliances for initial access to networks of “large commercial entities.”
found a new STOP ransomware variant that appends the .qore extension.
May 8th 2023
Intel is investigating the leak of alleged private keys used by the Intel Boot Guard security feature, potentially impacting its ability to block the installation of malicious UEFI firmware on MSI devices.
May 9th 2023
PCrisk found a new GlobeImposter ransomware variant that appends the .Suffering extension and drops a ransom note named how_to_back_files.html.
PCrisk found a new ransomware variant that appends the .Solix extension.
PCrisk found a new ransomware variant that appends the .newlocker extension and drops a ransom note named HOW_TO_RECOVER_DATA.html.
PCrisk found a new ransomware variant that appends the .BrightNight extension and drops a ransom note named README.txt.
PCrisk found a new STOP ransomware variant that appends the .gash extension.
May 10th 2023
A new ‘White Phoenix’ ransomware decryptor allows victims to partially recover files encrypted by ransomware strains that use intermittent encryption.
PCrisk found a new Xorist ransomware variant that appends the .SIGSCH extension and drops a ransom note named README_SIGSCH.txt.
PCrisk found a new Xorist ransomware variant that appends the .zipp3rs extension.
May 11th 2023
An increasing number of ransomware operations are adopting the leaked Babuk ransomware source code to create Linux encryptors targeting VMware ESXi servers.
Swiss multinational company ABB, a leading electrification and automation technology provider, has suffered a Black Basta ransomware attack, reportedly impacting business operations.
PCrisk found a new STOP ransomware variant that appends the .gatz extension.
May 12th 2023
The FBI and CISA issued a joint advisory to warn that the Bl00dy Ransomware gang is now also actively exploiting a PaperCut remote-code execution vulnerability to gain initial access to networks.