For this week’s ‘Week in Ransomware’ article we have included the latest ransomware news over the past two weeks.
The biggest news over the past two weeks is the unsealing of a United States’ Complaint for Forfeiture detailing how the FBI seized 39.89138522 bitcoins from an Exodus wallet belonging to an REvil affiliate. Based on the email listed in the court document, it is believed that the affiliate is one known as ‘Lalartu.’
We also learned that the BlackByte ransomware gang exploits the Microsoft Exchange ProxyShell vulnerabilities to gain initial access to internal networks. Therefore, make sure to update your servers.
The FBI also disclosed that Cuba ransomware has attacked 49 US critical infrastructure orgs and received at least US $43.9 million in ransom payments.
Finally, some of the attacks we learned about over the past two weeks include Planned Parenthood Los Angeles, Swire Pacific Offshore, and Correos Express.
Contributors and those who provided new ransomware information and stories this week include: @fwosar, @DanielGallagher, @BleepinComputer, @PolarToffee, @malwrhunterteam, @Ionut_Ilascu, @jorntvdw, @Seifreed, @FourOctets, @billtoulas, @struppigel, @demonslay335, @serghei, @VK_Intel, @malwareforme, @LawrenceAbrams, @redcanary, @John_Fokker, @Mandiant, @siri_urz, @teachemtechy, @fbgwls245, @pcrisk, @Kangxiaopao, @Amigo_A, and @ValeryMarchive.
November 22nd 2021
Wind turbine giant Vestas’ data compromised in cyberattack
Vestas Wind Systems, a leader in wind turbine manufacturing, has shut down its IT systems after suffering a cyberattack.
US govt warns of increased ransomware risks during holidays
The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI warned critical infrastructure partners and public/private sector organizations not to let down their defenses against ransomware attacks during the holiday season.
New Dharma Ransomware variant
PCrisk found a new Dharma ransomware variant that appends the .NEEH extension.
November 24th 2021
New Thanos variant
dnwls0719 found a new Thanos variant that appends the .xot5ik extension.
November 25th 2021
New STOP Ransomware variant
PCrisk found a new STOP ransomware variant that appends the .robm extension.
New AV Ghost ransomware
xiaopao found a new Av Ghost ransomware that appends the AvGhost extension and drops a ransom note named AvGhost.txt.
November 26th 2021
Marine services provider Swire Pacific Offshore hit by ransomware
Marine services giant Swire Pacific Offshore (SPO) has suffered a Clop ransomware attack that allowed threat actors to steal company data.
New Rook Ransomware
Zack Allen found a new ransomware called ‘Rook’ that is based on Babuk and appends the .rook extension to encrypted files.
New STOP Ransomware variant
PCrisk found a new STOP ransomware variant that appends the .rigj extension.
November 29th 2021
New Phobos Ransomware variant
PCrisk found a new Phobos ransomware variant that appends the .XIII extension.
November 30th 2021
Yanluowang ransomware operation matures with experienced affiliates
An affiliate of the recently discovered Yanluowang ransomware operation is focusing its attacks on U.S. organizations in the financial sector using BazarLoader malware in the reconnaissance stage.
FBI seized $2.3M from affiliate of REvil, Gandcrab ransomware gangs
The FBI seized $2.3 million in August from a well-known REvil and GandCrab ransomware affiliate, according to court documents seen by BleepingComputer.
New Blue Locker Ransomware
Siri found a new Blue Locker that appends the .blue extension to encrypted files.
December 1st 2021
Microsoft Exchange servers hacked to deploy BlackByte ransomware
The BlackByte ransomware gang is now breaching corporate networks by exploiting Microsoft Exchange servers using the ProxyShell vulnerabilities.
Planned Parenthood LA discloses data breach after ransomware attack
Planned Parenthood Los Angeles has disclosed a data breach after suffering a ransomware attack in October that exposed the personal information of approximately 400,000 patients.
Ransomware: the Spanish Correos Express appears to be confronted with Hive
The Spanish specialist in express parcel delivery Correos Express seems to be having difficulties in providing its services. A sample of Hive ransomware suggests a cyberattack that occurred around November 27.
New STOP Ransomware variant
PCrisk found a new STOP ransomware variant that appends the .moia extension.
December 2nd 2021
New Hello Ransomware
Siri found a new ransomware calling itself ‘Hello’ that uses an interesting ransom note and appends the .hello extension.
December 3rd 2021
FBI: Cuba ransomware breached 49 US critical infrastructure orgs
The Federal Bureau of Investigation (FBI) has revealed that the Cuba ransomware gang has compromised the networks of at least 49 organizations from US critical infrastructure sectors.
DailyMail.com tracked suspected Yeveniy Polyanin
DailyMail allegedly tracked down Yeveniy Polyanin, a member of the REvil ransomware group.
New Makop variant
dnwls0719 found a new Makop ransomware variant that appends the .mkp extension.
New STOP Ransomware variant
PCrisk found a new STOP ransomware variant that appends the .yqal extension.
