The Week in Ransomware – December 9th 2022

This week has been filled with research reports and news of serious attacks having a wide impact on many organizations.

Last week, Rackspace suffered a massive outage on their hosted Microsoft Exchange environment, preventing customers from accessing their email. On Tuesday, Rackspace finally confirmed everyone’s fears that a ransomware attack caused the outage.

Rackspace has not provided any details on the attack, including the ransomware operation behind it and whether the threat actors stole data.

However, today they began warning customers to be on the lookout for targeted phishing emails and to monitor their credit reports and bank account statements for suspicious activity. This warning could indicate that the ransomware operation likely stole data in the attack.

Another attack against New Zealand MSP Mercury IT has also led to a series of outages for its customers, many of which are local governments in the country.

A ransomware attack on the André-Mignot teaching hospital in Paris has also led to significant disruption, causing some patients to be rerouted to other hospitals.

We also saw some interesting research by cybersecurity firms and the U.S. government this week:

Finally, Brian Krebs had a very interesting report on new tactics used by the Venus and Clop ransomware gangs to breach networks and convince victims to pay.

Contributors and those who provided new ransomware information and stories this week include: @struppigel, @PolarToffee, @Seifreed, @fwosar, @DanielGallagher, @BleepinComputer, @Ionut_Ilascu, @LawrenceAbrams, @jorntvdw, @demonslay335, @billtoulas, @FourOctets, @VK_Intel, @serghei, @malwrhunterteam, @malwareforme, @pcrisk, @Unit42_Intel, @Fortinet, @briankrebs, @morphisec, @smgoreli, and @Phylum_IO.

December 5th 2022

Ransomware attack forces French hospital to transfer patients

The André-Mignot teaching hospital in the suburbs of Paris had to shut down its phone and computer systems because of a ransomware attack that occurred on Saturday evening.

The Story of a Ransomware Turning into an Accidental Wiper

In the last issue of our Ransomware Roundup series, we discussed a publicly available open-source ransomware toolkit called Cryptonite. As part of that investigation, we also discovered a Cryptonite sample in the wild that never offers the decryption window, instead acting as a wiper. We recently saw an increase in ransomware intentionally turned into wiper malware, primarily as part of a political campaign. So in this post, we take a closer look at the Cryptonite wiper sample.

Ransomware attack on New Zealand MSP

There has been a cyber security incident involving a ransomware attack on Mercury IT. Mercury IT provides a wide range of IT services to customers across New Zealand.

New Puspa2 ransomware

PCrisk found a HiddenTear variant called Puspa2 that appends the .puspa2#mejukeni7sala029 extension and drops a ransom note named XXX_HELLO’S_READ_ME._txt.

New STOP ransomware variants

PCrisk found new STOP ransomware variants that append the .mppn or .mbtf extensions to encrypted files.

December 6th 2022

Rackspace confirms outage was caused by ransomware attack

Texas-based cloud computing provider Rackspace has confirmed today that a ransomware attack is behind an ongoing Hosted Exchange outage described as an “isolated disruption.”

Vice Society: Profiling a Persistent Threat to the Education Sector

Vice Society is a ransomware gang that has been involved in high-profile activity against schools this year. Unlike many other ransomware groups such as LockBit that follow a typical ransomware-as-a-service (RaaS) model, Vice Society’s operations are different in that they’ve been known for using forks of pre-existing ransomware families in their attack chain that are sold on DarkWeb marketplaces. These include the HelloKitty (aka FiveHands) and Zeppelin strains of ransomware, as opposed to Vice Society creating their own custom payload.

New Babuk Ransomware Found in Major Attack

During November, Morphisec identified a brand-new variant of Babuk ransomware while investigating a customer’s prevention event. Babuk was first discovered at the beginning of 2021, when it began targeting businesses to steal and encrypt data in double-extortion attacks. Later in the year, a threat actor leaked the full source code for Babuk on a Russian-speaking hacking forum.

New Obz ransomware

PCrisk found a new ransomware variant that appends the .OBZ extension and drops a ransom note named ReadMe.txt.

December 8th 2022

CommonSpirit Health ransomware attack exposed data of 623,000 patients

CommonSpirit Health has confirmed that threat actors accessed the personal data of 623,774 patients during an October ransomware attack.

US Health Dept warns of Royal Ransomware targeting healthcare

The U.S. Department of Health and Human Services (HHS) issued a new warning today for the country’s healthcare organizations regarding ongoing attacks from a relatively new operation, the Royal ransomware gang.

New Ransom Payment Schemes Target Executives, Telemedicine

Ransomware groups are constantly devising new methods for infecting victims and convincing them to pay up, but a couple of strategies tested recently seem especially devious. The first centers on targeting healthcare organizations that offer consultations over the Internet and sending them booby-trapped medical records for the “patient.” The other involves carefully editing the email inboxes of public company executives to make it appear that some were involved in insider trading.

December 9th 2022

Rackspace warns of phishing risks following ransomware attack

Cloud computing provider Rackspace warned customers on Thursday of increased risks of phishing attacks following a ransomware attack affecting its hosted Microsoft Exchange environment.

An Ongoing Attack Against Python and Javascript Developers

Overnight we saw a flurry of activity around typosquats of the popular requests package. In the malicious packages themselves the attacker has embedded the following:

To provide some context, Phylum found an NPM/PyPi campaign where Python packages were distributing Linux and Windows malware that pretended to be ransomware. After testing the ransomware, BleepingComputer has confirmed it doesn’t actually encrypt anything and just drops a ransom note and changes the desktop wallpaper.

The actor behind this told BleepingComputer that they’re just “playing” around and will not be adding encryption.

New MedusaLocker variant

PCrisk found a new MedusaLocker variant that appends the .allock[number] extension and drops a ransom note named how_to_back_files.html.

New VoidCrypt variant

PCrisk found a new VoidCrypt variant that appends the .Juli extension and drops a ransom note named unlock-info.txt.
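The variant entries above each give an encrypted-file extension and a ransom note name. The following added example (not code from this roundup or from PCrisk) turns those indicators into a small triage check a responder can run over a file-share listing; the `[number]` part of the MedusaLocker extension is assumed to mean one or more digits, and the sample listing is constructed.

```python
import re

# Indicators as reported in this week's roundup: (family, extension regex, ransom note).
# No note name was reported for the STOP variants, hence None.
# Assumption: "[number]" in the MedusaLocker extension is modelled as one or more digits.
FAMILIES = [
    ("HiddenTear/Puspa2", r"\.puspa2#mejukeni7sala029$", "XXX_HELLO’S_READ_ME._txt"),
    ("STOP", r"\.(mppn|mbtf)$", None),
    ("Obz", r"\.OBZ$", "ReadMe.txt"),
    ("MedusaLocker", r"\.allock\d+$", "how_to_back_files.html"),
    ("VoidCrypt", r"\.Juli$", "unlock-info.txt"),
]

# Constructed file-share listing for the example: a MedusaLocker-style hit,
# a benign ReadMe.txt (common name, no .OBZ files beside it), one lone .mppn file.
SAMPLE_LISTING = [
    "share/finance/q3.xlsx.allock7",
    "share/finance/budget.docx.allock7",
    "share/finance/how_to_back_files.html",
    "share/hr/policy.pdf",
    "share/hr/ReadMe.txt",
    "share/dev/notes.txt.mppn",
]


def scan_listing(paths, min_encrypted=3):
    """Map each family with any hit to {"encrypted": n, "note": bool, "verdict": str}.

    A verdict of "likely" needs the ransom note next to at least one renamed
    file, or min_encrypted renamed files on their own; a lone note name or a
    single odd extension is only a "weak" signal and should be reviewed by hand.
    """
    names = [p.rsplit("/", 1)[-1] for p in paths]
    results = {}
    for family, ext_re, note in FAMILIES:
        pat = re.compile(ext_re)
        encrypted = sum(1 for n in names if pat.search(n))
        note_seen = note is not None and note in names
        if encrypted == 0 and not note_seen:
            continue  # nothing for this family
        if (note_seen and encrypted > 0) or encrypted >= min_encrypted:
            verdict = "likely"
        else:
            verdict = "weak"
        results[family] = {"encrypted": encrypted, "note": note_seen, "verdict": verdict}
    return results


if __name__ == "__main__":
    for family, hit in scan_listing(SAMPLE_LISTING).items():
        print(f"{family}: {hit}")
```

Feed it a real directory walk (e.g. `os.walk` output) instead of the constructed listing; the thresholds are deliberately conservative so that a single ReadMe.txt does not page anyone.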

That is it for this week! Hope everyone has a nice weekend!
