The fallout from the Clop ransomware attacks on GoAnywhere platforms has become apparent this week, with the threat actors starting to extort victims on their data leak site and companies confirming breaches.
These attacks were claimed by the Clop threat actors, a ransomware gang that historically encrypted devices and stole data to extort victims into paying a ransom. However, more recently, they have been focusing on data extortion instead of encrypting.
Clop had previously claimed to have breached and stolen data from 130 organizations over ten days using the GoAnywhere vulnerabilities.
This week, BleepingComputer was told that Clop had begun extorting victims, emailing ransom demands, and creating profiles for many victims on their data leak site. At this time, it is not known how much the threat actors are demanding not to publish data.
This has led to numerous data breach disclosures from companies, including Community Health Systems (CHS), Hatch Bank, Rubrik, and Hitachi Energy, with likely many more to come.
In addition to the Clop attacks, we learned more about various ransomware attacks, including those on Essendant and the LA housing authority.
The other significant news this week that will affect ransomware and other cybercrime is the seizure of the ChipMixer platform, used by cybercriminals to launder ransom payments, stolen cryptocurrency, and revenue generated on dark web markets.
Finally, some interesting reports were released on Trigona, LockBit 3.0, CatB, BianLian's shift to pure data extortion, and more!
Contributors and those who provided new ransomware information and stories this week include @LawrenceAbrams, @Seifreed, @Ionut_Ilascu, @Ax_Sharma, @malwrhunterteam, @struppigel, @BleepinComputer, @serghei, @fwosar, @billtoulas, @demonslay335, @kaspersky, @pcrisk, @ReliaQuest, @BrettCallow, and @Unit42_Intel.
March 11th 2023
Clop ransomware gang begins extorting GoAnywhere zero-day victims
The Clop ransomware gang has begun extorting companies whose data was stolen using a zero-day vulnerability in the Fortra GoAnywhere MFT secure file-sharing solution.
New STOP ransomware variants
Quietman7 spotted new STOP ransomware variants appending the .craa, .qazx, and .qapo extensions.
March 12th 2023
Medusa ransomware gang picks up steam as it targets companies worldwide
A ransomware operation known as Medusa has begun to pick up steam in 2023, targeting corporate victims worldwide with million-dollar ransom demands.
Staples-owned Essendant facing multi-day "outage," orders frozen
Essendant, a wholesale distributor of stationery and office supplies, is experiencing a multi-day systems "outage" preventing customers and suppliers from placing and fulfilling online orders.
New STOP ransomware variant
Quietman7 spotted a new STOP ransomware variant that appends the .qarj extension.
March 13th 2023
LA housing authority discloses data breach after ransomware attack
The Housing Authority of the City of Los Angeles (HACLA) is warning of a "data security event" after the LockBit ransomware gang targeted the organization and leaked data stolen in the attack.
New Dharma ransomware variants
PCrisk found new Dharma ransomware variants appending the .like and .j3rd extensions.
New Chaos ransomware variants
PCrisk found new Chaos ransomware variants appending the .nochi and .Cyber extensions.
CatB Ransomware | File Locker Sharpens Its Claws to Steal Data with MSDTC Service DLL Hijacking
The CatB ransomware family, sometimes referred to as CatB99 or Baxtoy, was first observed in late 2022, with campaigns being observed steadily since November. The group’s activities have gained attention due to their ongoing use of DLL hijacking via Microsoft Distributed Transaction Coordinator (MSDTC) to extract and launch ransomware payloads.
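The MSDTC technique described above is a DLL search-order hijack: the service binary tries to load a library that is normally absent, so a copy planted in System32 runs in the service's context. The PowerShell below is an added hunting check, not code from the report or from the article; the DLL names it looks for (oci.dll and the related XA libraries) come from public MSDTC hijacking research, not from this page, and the start-mode baseline is an assumption you should compare against your own build images.

```powershell
# Added example: triage a Windows host for MSDTC DLL hijacking of the kind attributed to CatB.
# Assumption (public MSDTC hijacking research, not this article): msdtc.exe probes System32 for
# oci.dll and related XA libraries that are not shipped with Windows, so their mere presence
# there, especially unsigned and recently created, is suspicious.
$candidates = 'oci.dll', 'SQLLib80.dll', 'xa80.dll'
$system32   = Join-Path $env:SystemRoot 'System32'

$findings = foreach ($name in $candidates) {
    $path = Join-Path $system32 $name
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path
        $sig  = Get-AuthenticodeSignature -LiteralPath $path
        [pscustomobject]@{
            Path      = $path
            SizeBytes = $item.Length
            Created   = $item.CreationTime
            Signature = $sig.Status                      # 'NotSigned' is the usual red flag
            Signer    = $sig.SignerCertificate.Subject   # $null when unsigned
            SHA256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
    }
}

if ($findings) {
    Write-Warning "Unexpected MSDTC-loadable DLL(s) present in System32:"
    $findings | Format-List
} else {
    Write-Output "No candidate hijack DLLs found in $system32."
}

# The DLL only runs when the service starts, so also record how MSDTC is configured.
# Assumption: on a Windows client the default StartMode is 'Manual'; an 'Auto' start mode
# on a host with no legitimate Oracle/XA transaction dependency deserves a second look.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='MSDTC'"
[pscustomobject]@{
    Service   = $svc.Name
    StartMode = $svc.StartMode
    State     = $svc.State
    LogonAs   = $svc.StartName
    PathName  = $svc.PathName
} | Format-List
```

A legitimate Oracle client installs oci.dll under its own directory, not System32, so a hit here is rarely benign; hash the file before deleting it so the sample can be matched against threat intelligence, and treat an Auto start mode plus an unsigned oci.dll as a host that needs full incident response rather than cleanup.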
March 14th 2023
Rubrik confirms data theft in GoAnywhere zero-day attack
Cybersecurity company Rubrik has confirmed that its data was stolen using a zero-day vulnerability in the Fortra GoAnywhere secure file transfer platform.
New Phobos ransomware variant
PCrisk spotted a new Phobos ransomware variant that appends the .BACKJOHN extension.
New VoidCrypt ransomware variant
PCrisk spotted a new VoidCrypt ransomware variant that appends the .youhau extension and drops a ransom note named Dectryption-guide.txt.
Microsoft fixes Windows zero-day exploited in ransomware attacks
Microsoft has patched another zero-day bug used by attackers to circumvent the Windows SmartScreen cloud-based anti-malware service and deploy Magniber ransomware payloads without raising any red flags.
March 15th 2023
ChipMixer platform seized for laundering ransomware payments, drug sales
An international law enforcement operation has seized the cryptocurrency mixing service 'ChipMixer' which is said to be used by hackers, ransomware gangs, and scammers to launder their proceeds.
FBI: Ransomware hit 860 critical infrastructure orgs in 2022
The Federal Bureau of Investigation (FBI) revealed in its 2022 Internet Crime Report that ransomware gangs breached the networks of at least 860 critical infrastructure organizations last year.
LockBit ransomware claims Essendant attack, company says “network outage”
LockBit ransomware has claimed a cyber attack on Essendant, a wholesale distributor of office products, after a "significant" and ongoing outage knocked the company's operations offline.
New Xorist ransomware variant
PCrisk spotted a new Xorist ransomware variant appending the .DrWeb extension and dropping ransom notes named ??? ???????????? ?????.txt.
QBot: Laying the Foundations for Black Basta Ransomware Activity
Toward the latter half of Q4 2022, ReliaQuest discovered a security incident unfolding in a customer’s environment. A threat actor gained initial network access, rapidly escalated their privileges, and moved laterally, quickly establishing a foothold in 77 minutes.
March 16th 2023
Conti-based ransomware ‘MeowCorp’ gets free decryptor
A decryption tool for a modified version of the Conti ransomware could help hundreds of victims recover their files for free.
BianLian ransomware gang shifts focus to pure data extortion
The BianLian ransomware group has shifted its focus from encrypting its victims' files to only exfiltrating data found on compromised networks and using it for extortion.
New STOP ransomware variants
Quietman7 spotted new STOP ransomware variants appending the .darz and .dapo extensions.
New Merlin ransomware
PCrisk found a new ransomware variant that appends the .Merlin extension and drops a ransom note named Merlin_Recover.txt.
New Phobos ransomware variant
PCrisk spotted a new Phobos ransomware variant that appends the .usr extension.
#StopRansomware: LockBit 3.0
The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing & Analysis Center (MS-ISAC) are releasing this joint CSA to disseminate known LockBit 3.0 ransomware IOCs and TTPs identified through FBI investigations as recently as March 2023.
Bee-Ware of Trigona, An Emerging Ransomware Strain
Trigona ransomware is a relatively new strain that security researchers first discovered in late October 2022. By analyzing Trigona ransomware binaries and ransom notes obtained from VirusTotal, as well as information from Unit 42 incident response, we determined that Trigona was very active during December 2022, with at least 15 potential victims being compromised. Affected organizations are in the manufacturing, finance, construction, agriculture, marketing and high technology industries.
March 17th 2023
New STOP ransomware variant
PCrisk spotted a new STOP ransomware variant that appends the .dazx extension.
Hitachi Energy confirms data breach after Clop GoAnywhere attacks
Hitachi Energy confirmed it suffered a data breach after the Clop ransomware gang stole data using a GoAnywhere zero-day vulnerability.
Comments
al1963 - 1 year ago
Avast added a decoding of the new Fonix version, which encrypts files with the .RYK extension. Super Avast!
New variant of the #Fonix ransomware (Feb'23) tries really hard to pretend it's Ryuk - filename, mutex, scheduled task... Nonetheless, it is still decryptable. We've updated our free #Fonix #Decryptor to cover this variant too: https://files.avast.com/files/decryptor/avast_decryptor_fonix.exe #NoMoreRansom #DontPayUp
https://twitter.com/AvastThreatLabs/status/1633794397891440642