Puzzle hacker

It has been a fairly quiet week regarding ransomware, with only a few reports released and no new significant attacks. However, we may have a rebrand in the making, and a ransomware operation is likely behind a new zero-day data-theft campaign, so we have some news to talk about.

Numerous companies had data stolen after threat actors utilized a zero-day vulnerability in the MOVEit Transfer program to breach servers.

While extortion demands have not been sent to victims yet, and no one has claimed responsibility, this attack is similar to previous Clop ransomware attacks using GoAnywhere MFT and Accellion FTA zero-days to steal files.

Therefore, it would not be surprising to learn that Clop is behind the recent MOVEit attacks.

There have also been rumors for weeks that Royal ransomware was rebranding to a new ransomware operation called BlackSuit. This week, Trend Micro analyzed encryptors from both operations and said that they share very strong similarities with each other.

While this is not a strong enough link, the attack on Dallas may have put the Royal ransomware operation in the crosshairs, scaring them into a rebrand.

Finally, IBM released a report about BlackCat/ALPHV's new 'Sphynx' encryptor and other tools used by the operation that is a worthwhile read.

We also learned about some previous ransomware attacks, including @Seifreed, @billtoulas, @Ionut_Ilascu, @struppigel, @BleepinComputer, @serghei, @LawrenceAbrams, @malwrhunterteam, @demonslay335, @fwosar, @rapid7, @HuntressLabs, @GossiTheDog, @IBMSecurity, @TrendMicro, @Avast, @jgreigj, and @pcrisk.

May 29th 2023

MCNA Dental data breach impacts 8.9 million people after ransomware attack

Managed Care of North America (MCNA) Dental has published a data breach notification on its website, informing almost 9 million patients that their personal data were compromised.

May 30th 2023

BlackCat (ALPHV) Ransomware Levels Up for Stealth, Speed and Exfiltration

BlackCat ransomware, which was among the top ransomware families observed by IBM Security X-Force in 2022, according to the 2023 X-Force Threat Intelligence Index, continues to wreak havoc across organizations globally this year. BlackCat (a.k.a. ALPHV) ransomware affiliates’ more recent attacks include targeting organizations in the healthcare, government, education, manufacturing and hospitality sectors. Reportedly, several of these incidents resulted in the group’s publishing of sensitive data to their leak site including financial and medical information stolen from the victim organizations.

New STOP ransomware variants

PCrisk found new STOP ransomware variants that append the .weon or .werz extension.

New Dharma Variant

PCrisk found a new Dharma ransomware variant that appends the .xCor extension.

May 31st 2023

Investigating BlackSuit Ransomware’s Similarities to Royal

Royal ransomware, which is already one of the most notable ransomware families of 2022, has gained additional notoriety in early May 2023 after it was used to attack IT systems in Dallas, Texas. Around the same period, several researchers on Twitter came across a new ransomware family called BlackSuit that targeted both Windows and Linux users. Additional Twitter posts mentioned connections between BlackSuit and Royal, which piqued our interest. We managed to retrieve and analyze a Windows 32-bit sample of the ransomware from Twitter.

New STOP Variant

PCrisk found a new STOP ransomware variant that appends the .weqp extension.

June 1st 2023

New MOVEit Transfer zero-day mass-exploited in data theft attacks

Hackers are actively exploiting a zero-day vulnerability in the MOVEit Transfer file transfer software to steal data from organizations.

Harvard Pilgrim Health Care ransomware attack hits 2.5 million people

Harvard Pilgrim Health Care (HPHC) has disclosed that a ransomware attack it suffered in April 2023 impacted 2,550,922 people, with the threat actors also stealing their sensitive data from compromised systems.

June 2nd 2023

The rise and fall of ransomware: Insights from Avast's Q1/2023 Threat Report

Ransomware has been a prominent threat in cybersecurity for more than a decade, but the rates of incidents are showing slight decline. The Avast Q1/2023 Threat Report examines why.

Legal services platform used by SEC, Pentagon investigating ransomware attack claims

A legal document platform used by several arms of the U.S. government is investigating claims by a ransomware group that it has been attacked.

That's it for this week! Hope everyone has a nice weekend.

Related Articles:

University System of Georgia: 800K exposed in 2023 MOVEit attack

BlackSuit ransomware gang claims attack on KADOKAWA corporation

CDK Global outage caused by BlackSuit ransomware attack

Change Healthcare lists the medical data stolen in ransomware attack

The Week in Ransomware - May 17th 2024 - Mailbombing is back