
Lots of ransomware news broke this week, from the discovery of LockBit testing macOS encryptors to an outage at NCR causing huge headaches for restaurants.

By far the biggest news was the discovery of an Apple Silicon LockBit encryptor by MalwareHunterTeam. Although the sample is quite buggy and would require a lot of development to work properly, LockBit has confirmed to BleepingComputer that it is being actively developed.

Some interesting ransomware research also came out this week, including:

Finally, we became aware of some ransomware attacks, with an NCR outage confirmed to be ransomware and Capita confirming that data was stolen in a cyberattack.

Contributors and those who provided new ransomware information and stories this week include @billtoulas, @fwosar, @BleepinComputer, @LawrenceAbrams, @Ionut_Ilascu, @serghei, @demonslay335, @jorntvdw, @malwrhunterteam, @Seifreed, @Ashukuhi, @patrickwardle, @kostastsale, @Blackberry, @TrendMicro, @WhichbufferArda, @NCCGroupplc, @BroadcomSW, @IBMSecurity, @AhnLab_man, @SophosXOps, @SentinelOne, @pcrisk, @AlvieriD, @BrettCallow and @siri_urz.

April 15, 2023

Hackers are starting to abuse Action1 RMM in ransomware attacks

Security researchers warn that cybercriminals are increasingly using Action1 remote access software to persist on compromised networks and to execute commands, scripts and binaries.

NCR Suffers Aloha POS Outage After BlackCat Ransomware Attack

NCR suffers an outage on its Aloha POS platform after being hit by a ransomware attack claimed by the BlackCat/ALPHV gang.

April 16, 2023

LockBit ransomware encryptors found targeting Mac devices

The LockBit ransomware gang has created encryptors targeting Macs for the first time, likely becoming the first major ransomware operation to specifically target macOS.

LockBit ransomware (sort of) is available for macOS

In this blog post, we’re going to tear up the sample, showing that ultimately, while yes, it can actually work on Apple Silicon, that’s basically the extent of its impact. So macOS users have nothing to worry about… for now!

A technical analysis of the LockBit macOS encryptor

“Brief analysis of #Lockbit 3.0 for macOS ARM M1/M2. It uses a simple XOR routine to decrypt all configuration data. The XOR key is the static value ’57′”
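The quoted note says the macOS sample's configuration is decoded with one static XOR key byte. As an added example that is not part of this roundup or of the linked analysis, the script below shows how an analyst recovers such a key from an encoded config blob without knowing it in advance, then splits out the fields. The NUL-separated config text, the field names and `KEY_BYTE` are constructed assumptions; whether the tweet's '57' means decimal or hex does not matter, because the key is recovered from the data rather than hard-coded into the decoder.

```python
# Added example (not code from the page or from the analyses it links):
# recover and apply a single-byte XOR key of the kind the quoted LockBit
# macOS analysis describes for the sample's configuration data.
from typing import List

# Constructed stand-in for an embedded config; not bytes from the real sample.
# Assumption: fields are NUL-terminated C strings, as in many ransomware configs.
CONFIG_PLAIN = b"note_name=readme.txt\x00ext=.lock\x00skip=/System/\x00mode=fast\x00"
KEY_BYTE = 0x57  # assumption: the tweet's '57' read as hex; recovery below does not rely on it
CONFIG_BLOB = bytes(b ^ KEY_BYTE for b in CONFIG_PLAIN)  # what an analyst would carve from the binary


def xor_single_byte(data: bytes, key: int) -> bytes:
    """Apply (or undo) a single-byte XOR; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def plausibility(data: bytes) -> int:
    """Score a candidate decoding: reward lowercase text and spaces, tolerate
    other printable ASCII and NUL terminators, penalise anything else."""
    score = 0
    for b in data:
        if 0x61 <= b <= 0x7A or b == 0x20:
            score += 2
        elif 0x21 <= b <= 0x7E or b == 0x00:
            score += 1
        else:
            score -= 5
    return score


def recover_key(blob: bytes) -> int:
    """Try all 256 keys and keep the one whose output looks most like text."""
    return max(range(256), key=lambda k: plausibility(xor_single_byte(blob, k)))


def decode_config(blob: bytes) -> List[str]:
    """Recover the key, decode the blob, and split the NUL-terminated fields."""
    key = recover_key(blob)
    plain = xor_single_byte(blob, key)
    return [f.decode("ascii", errors="replace") for f in plain.split(b"\x00") if f]


if __name__ == "__main__":
    print(f"recovered key: 0x{recover_key(CONFIG_BLOB):02x}")
    for field in decode_config(CONFIG_BLOB):
        print(" ", field)
```

The same scoring works on a config dumped from a real sample as long as the plaintext is mostly lowercase ASCII with NUL terminators; a key that is off by even one bit turns every terminator into a non-printable byte and loses.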

April 17, 2023

Former Conti Members and FIN7 Developers Team Up to Push New Domino Malware

Former Conti ransomware members have teamed up with FIN7 threat actors to distribute a new malware family named “Domino” in attacks on corporate networks.

New Phobos Variant

PCrisk found a new Phobos ransomware variant that adds the .sdk extension.

New Variant of VoidCrypt Ransomware

PCrisk has found a new VoidCrypt ransomware variant that adds the .Recov extension and drops a ransom note named Decryption-guide.txt.

New CrossLock ransomware discovered

S!Ri found a new CrossLock ransomware that adds the .crlk extension and drops the —CrossLock_readme_To_Decrypt—.txt ransom note.

New variant of STOP ransomware

PCrisk has found a new STOP ransomware variant that adds the .coty extension.

April 18, 2023

LockBit for Mac | How Real is the Risk of macOS Ransomware?

On April 16, Twitter user @malwrhunterteam tweeted details of a LockBit ransomware sample compiled for Apple’s macOS arm64 architecture. LockBit claims to be “the oldest ransomware affiliate program on the planet”, and the news that one of the leading cybercrime teams in the ransomware landscape was now targeting macOS devices has, predictably, raised concerns about the threat of ransomware on Mac devices.

An analysis of BabLock (aka Rorschach) ransomware

A ransomware called BabLock (aka Rorschach) has been making waves recently due to its sophisticated and fast attack chain that uses subtle yet effective techniques. Although primarily based on LockBit, the ransomware is a hodgepodge of other pieces of ransomware pieced together into what we now call BabLock (detected as Ransom.Win64.LOCKBIT.THGOGBB.enc). Note, however, that we don’t believe this ransomware comes from the threat actors behind LockBit, which is now in its third iteration.

New variants of MedusaLocker ransomware

PCrisk has found new MedusaLocker ransomware variants that add the .skynetlock and .tangem extensions.

April 19, 2023

March 2023 broke ransomware attack records with 459 incidents

March 2023 was the most prolific month recorded by cybersecurity analysts in recent years, measuring 459 attacks, an increase of 91% from the previous month and 62% from March 2022.

Play ransomware gang uses custom Shadow Volume Copy data theft tool

The Play ransomware group has developed two custom tools in .NET, namely Grixba and VSS Copying Tool, which it uses to improve the effectiveness of its cyberattacks.

Microsoft SQL servers hacked to deploy Trigona ransomware

Attackers hack poorly secured Microsoft SQL (MS-SQL) servers exposed to the Internet to deploy Trigona ransomware payloads and encrypt all files.

Fortra shares findings on GoAnywhere MFT zero-day attacks

Fortra has completed its investigation into the exploitation of CVE-2023-0669, a zero-day flaw in the GoAnywhere MFT solution that the Clop ransomware gang exploited to steal the data of over a hundred companies.

Ransomware Gangs Abuse Process Explorer Driver to Kill Security Software

Threat actors use a new hacking tool called AuKill to disable Endpoint Detection & Response (EDR) software on target systems before deploying backdoors and ransomware in BYOVD (Bring Your Own Vulnerable Driver) attacks.

April 20, 2023

Capita confirms hackers stole data in recent cyberattack

London-based business outsourcing giant Capita released an update on the cyber incident that affected it earlier this month, now admitting that hackers exfiltrated data from its systems.

BlackBit Ransomware distributed in Korea

AhnLab Security Emergency Response Center (ASEC) recently discovered BlackBit ransomware distribution disguised as svchost.exe during team monitoring. According to ASEC’s internal infrastructure, BlackBit ransomware has been distributed continuously since September last year.

New variant of MedusaLocker ransomware

PCrisk has found a new MedusaLocker ransomware variant that adds the .attackuk extension.

That’s all for this week! I hope everyone is having a good weekend!
