Extortionists continue their attacks on health authorities and companies around the world, releasing data on victims who do not pay a ransom.
The biggest news this week is that Toll Group has been hit by a ransomware attack for the second time in three months, Snake ransomware has hit healthcare organizations, and REvil has leaked legal documents from a prominent law firm.
We also saw interesting information about the TTPs of the Sodinokibi and Maze ransomware operations.
Contributors and those who provided new ransomware information and stories this week include @BleepinComputer, @FourOctets, @Ionut_Ilascu, @Seifreed, @DanielGallagher, @malwareforme, @demonslay335, @malwrhunterteam, @PolarToffee, @fwosar, @VK_Intel, @Serghei, @struppigel, @LawrenceAbrams, Majorntvdw, Brian Krebs, @bad_packets, @John_Fokker, @ValthekOn, @McAfee_Labs, @coveware, @BitdefenderLabs, @FireEye, @Intel471Inc, @TrendMicroRSRCH, @JakubKroustek, @fbgwls245 and @vigilantbeluga.
May 2nd 2020
Sodinokibi and Ryuk ransoms push the average ransom payment to $111,000
In the first quarter of the year, the average ransom demanded by ransomware operators from victims increased. Compared to the previous quarter, payments rose 33%, driven by the operators of Sodinokibi and Ryuk.
Decryptor released for Shade/Troldesh ransomware
BitDefender released a decryptor for the Shade/Troldesh ransomware after the ransomware's operators released all of the decryption keys.
May 4th 2020
LockBit self-spreads to quickly encrypt 225 systems
The LockBit ransomware's self-spreading feature lets attackers who have breached a corporate network use their ransomware to encrypt hundreds of devices in just a few hours.
New VCrypt ransomware locks files in password-protected 7ZIP archives
A new ransomware called VCrypt is targeting French victims and uses the legitimate 7zip command-line program to create password-protected archives of data files.
Changes in REvil ransomware version 2.2
The REvil ransomware-as-a-service (RaaS) operation continues to impact businesses around the world. The actors responsible for developing and supporting the malware have released an updated ransomware, version 2.2. In this short blog post we will discuss the most important changes compared to the previous version, which we described in detail in our previous post.
May 5th 2020
Toll Group hit by ransomware a second time, deliveries affected
Toll Group has suffered its second ransomware attack in three months, this time at the hands of the operators of the Nefilim ransomware.
New .0day0 Dharma variant
Jakub Kroustek found a new variant of the Dharma ransomware that adds the .0day0 extension to encrypted files.
May 6th 2020
Large-scale Snake ransomware campaign targets healthcare, and more
The operators of the Snake ransomware have launched a global cyber-attack campaign that has infected numerous businesses and at least one healthcare organization over the last few days.
Targeted ransomware attacks against Taiwanese organizations
A new targeted attack infected several Taiwanese organizations with a new ransomware family called ColdLock. The attack is potentially devastating as the ransomware appears to target databases and mail servers.
New Nemty spam campaign targets South Korea
An anti-malware vigilante discovered a new spam campaign targeting people in South Korea that combines Nemty with a Vidhra Passandra.
Navigating the MAZE: Tactics, techniques and procedures associated with MAZE ransomware incidents
Targeted ransomware incidents have brought with them the threat of disruptive and destructive attacks against organizations across sectors and regions. FireEye Mandiant Threat Intelligence has previously documented this threat by investigating trends across ransomware incidents, FIN6 activity, the implications for OT networks and other aspects of post-compromise ransomware deployment. Since November 2019, the MAZE ransomware has been used in attacks that combine targeted ransomware use, public exposure of victim data and an affiliate model.
New .sqpc STOP ransomware variant
Michael Gillespie found a new variant of the STOP ransomware that adds the .sqpc extension to encrypted files.
New .PHP Dharma variant
Jakub Kroustek discovered a new variant of the Dharma ransomware that adds the .PHP extension to encrypted files.
Sodinokibi / REvil ransomware TTPs
We obtained forensic data in the form of hard drive images from the VPS servers used by the cybercriminals behind the Sodinokibi / REvil ransomware (where we also found the Maze ransomware):
May 8th 2020
REvil ransomware threatens to leak A-list celebrities' legal documents
The Sodinokibi ransomware group is threatening to leak hundreds of gigabytes of legal documents from a prominent entertainment law firm that counts dozens of international stars among its clients.
New .net Dharma ransomware variant
dnwls0719 found a new variant of the Dharma ransomware that adds the .net extension to encrypted files.
That's it for this week! I hope everyone has a great weekend!