The Week in Ransomware – April 9th 2021

Ransomware attacks continued over the past two weeks, along with the massive initial ransom demands we have seen recently.

Over the past two weeks, we have learned of attacks against Asteelflash, the Broward County Public Schools, Applus Technologies, Pierre Fabre, and Harris Federation, with many of the attacks’ initial ransoms ranging between $24 and $40 million.

The Applus Technologies attack was particularly disruptive as it prevented emissions testing in eight US states.

Accellion FTA-related data breaches continue with the Clop ransomware gang leaking the data for Stanford Medicine, University of Maryland Baltimore (UMB), and the University of California.

Contributors and those who provided new ransomware information and stories this week include: @PolarToffee, @fwosar, @Seifreed, @LawrenceAbrams, @Ionut_Ilascu, @VK_Intel, @DanielGallagher, @jorntvdw, @demonslay335, @struppigel, @malwrhunterteam, @BleepinComputer, @malwareforme, @serghei, @FourOctets, @R3MRUM, @kaspersky, @PogoWasRight, @CheckPointSW, @troyhunt, @alexscroxton, @ValeryMarchive, @snlyngaas, @fbgwls245, @Amigo_A_, @campuscodi, @siri_urz, @chum1ng0, and @GrujaRS.

March 27th 2021

FatFace sends controversial data breach email after ransomware attack

British clothing brand FatFace has sent a controversial ‘confidential’ data breach notification to customers after suffering a ransomware attack earlier this year.

March 28th 2021

Ransomware admin is refunding victims their ransom payments

After recently announcing the end of the operation, the administrator of Ziggy ransomware is now stating that they will also give the money back.

CompuCom MSP expects over $20M in losses after ransomware attack

American managed service provider CompuCom is expecting losses of over $20 million following this month’s DarkSide ransomware attack that took down most of its systems.

March 29th 2021

Harris Federation hit by ransomware attack affecting 50 schools

The IT systems and email servers of London-based nonprofit multi-academy trust Harris Federation were taken down by a ransomware attack on Saturday.

March 30th 2021

Microsoft Exchange attacks increase while WannaCry gets a restart

The recently patched vulnerabilities in Microsoft Exchange have sparked new interest among cybercriminals, who increased the volume of attacks focusing on this particular vector.

New STOP Djvu Ransomware variant

Michael Gillespie found a new STOP ransomware variant that appends the .ytbn extension to encrypted files.

April 1st 2021

New Dharma ransomware variants

Jakub Kroustek found new Dharma ransomware variants that append the .4o4 and .ctpl extensions to encrypted files.

April 2nd 2021

Asteelflash electronics maker hit by REvil ransomware attack

Asteelflash, a leading French electronics manufacturing services company, has suffered a cyberattack by the REvil ransomware gang who is demanding a $24 million ransom.

Qualys says Accellion hackers did not breach production systems

Cybersecurity firm Qualys said today that the attackers who breached its Accellion FTA server didn’t infiltrate the company’s production and corporate environments.

Ransomware gang wanted $40 million in Florida schools cyberattack

Fueled by large payments from victims, ransomware gangs have started to demand ridiculous ransoms from organizations that cannot afford to pay them. An example of this is a recently revealed ransomware attack on the Broward County Public Schools district, where threat actors demanded a $40,000,000 payment.

As ransomware stalks the manufacturing sector, victims are still keeping quiet

In addition to Norsk Hydro, CyberScoop requested interviews with a dozen manufacturers in Europe and the U.S. that have reportedly had their production disrupted by ransomware incidents in the last two and a half years. Nearly all either declined to comment, did not respond, or said an executive was unavailable by press time.

New Makop Ransomware variant

dnwls0719 found a new Makop ransomware variant that appends the .dark extension and drops a ransom note named readme-warning.txt.

New WhiteBlackGroup ransomware

S!Ri has discovered a new ransomware called WhiteBlackGroup that appends the .encrpt3d extension to encrypted files.

April 3rd 2021

Malware attack is preventing car inspections in eight US states

A malware cyberattack on emissions testing company Applus Technologies is preventing vehicle inspections in eight states, including Connecticut, Georgia, Idaho, Illinois, Massachusetts, Utah, and Wisconsin.

Ransomware gang leaks data from Stanford, Maryland universities

Personal and financial information stolen from Stanford Medicine, University of Maryland Baltimore (UMB), and the University of California was leaked online by the Clop ransomware group.

Sepa spends nearly £800,000 on cyber attack response

Figures released to BBC Scotland under freedom of information laws show a total of £790,000 has been spent on Sepa’s response and recovery actions so far.

New STOP Djvu Ransomware variant

Michael Gillespie found a new STOP ransomware variant that appends the .fdcz extension to encrypted files.

New Jigsaw Ransomware variant

GrujaRS found a new Jigsaw ransomware variant that appends the .cat extension.

April 4th 2021

Sierra Wireless resumes production after ransomware attack

Canadian IoT solutions provider Sierra Wireless announced that it resumed production at its manufacturing sites halted after a ransomware attack that hit its internal network and corporate website on March 20.

New STOP Djvu Ransomware variant

Michael Gillespie found a new STOP ransomware variant that appends the .urnb extension to encrypted files.

April 5th 2021

New Jormungand Ransomware variant

dnwls0719 found a new Jormungand ransomware variant that appends the .glock extension and drops a ransom note named READ-ME-NOW.txt.

April 6th 2021

Windows XP makes ransomware gangs work harder for their money

A recently created ransomware decryptor illustrates how threat actors still have to support Windows XP, even though Microsoft dropped support for it seven years ago.

Ransomware hits TU Dublin and National College of Ireland

The National College of Ireland (NCI) and the Technological University of Dublin have announced that ransomware attacks hit their IT systems.

April 7th 2021

New Cring ransomware hits unpatched Fortinet VPN devices

A vulnerability impacting Fortinet VPNs is being exploited by a new human-operated ransomware strain known as Cring to breach and encrypt industrial sector companies’ networks.

REvil ransomware now changes password to auto-login in Safe Mode

A recent change to the REvil ransomware allows the threat actors to automate file encryption via Safe Mode after changing Windows passwords.

New Wintenzz Security Tool ransomware

S!Ri has discovered a new ransomware called Wintenzz Security Tool that appends the .wintenzz extension to encrypted files and drops a ransom note named BUY_WINTENZZ.txt.

April 8th 2021

New VHD ransomware variant

dnwls0719 found a new VHD ransomware variant that appends the .beaf extension and drops a ransom note named DecryptGuide.txt.

April 9th 2021

Leading cosmetics group Pierre Fabre hit with $25 million ransomware attack

Leading French pharmaceutical group Pierre Fabre suffered a REvil ransomware attack where the threat actors initially demanded a $25 million ransom, BleepingComputer learned today.

New STOP Djvu Ransomware variant

Michael Gillespie found a new STOP ransomware variant that appends the .lmas extension to encrypted files.

New GEHENNA Locker ransomware

dnwls0719 found a new VHD ransomware variant that appends the .gehenna extension and drops a ransom note named GEHENNA-README-WARNING.html.

Maze/Egregor ransomware cartel estimated to have made $75 million

The group behind the Maze and Egregor ransomware operations is believed to have earned at least $75 million worth of Bitcoin from ransom payments following intrusions at companies all over the world.

New RIP_lmao Ransomware

GrujaRS found a new ransomware called RIP_lmao that appends the .crypted extension and drops a ransom note named ___RECOVER__FILES__.crypted.txt.

That’s it for this week! Hope everyone has a nice weekend!