It’s been a very quiet week for ransomware news, with only a few published reports and little information about cyberattacks.
However, one item of interest was Microsoft linking the recent PaperCut server attacks to the Clop and LockBit ransomware operations.
Clop claims to have started exploiting PaperCut servers on April 13, the same day that Microsoft began to see active exploitation of the vulnerabilities.
The ransomware operation told BleepingComputer that they were using these exploits for initial access to corporate networks rather than stealing documents stored on the server.
Other ransomware reports released this week include:
Finally, we learned that Yellow Pages Canada suffered a BlackBasta ransomware attack.
Contributors and those who provided new ransomware information and stories this week include: @serghei, @DanielGallagher, @malwareforme, @malwhunterteam, @FourBytes, @billtoulas, @struppigel, @LawrenceAbrams, @Ionut_Ilascu, @Seifreed, @demonslay335, @BleepinComputer, @fwosar, @jorntvdw, @PolarToffee, @uptycs, @Trellix, @MsftSecIntel, @AlvieriD, @Jon__DiMaggio, @Fortinet, and @pcrisk.
April 24, 2023
Yellow Pages Group, a Canadian directory publisher, has confirmed to BleepingComputer that it has been the victim of a cyberattack.
PCrisk has found a new Dharma ransomware variant that adds the .rea extension.
PCrisk has found a new Xorist ransomware variant that adds the .VoNiX extension and drops a ransom note named HOW TO DECRYPTE .txt FILES.
April 25, 2023
The story I am about to tell you is not my own, but it is the story of a man who was once no different from you or me. Unfortunately, bad decisions and difficulties in his life pushed him into a dark place, from which he never returned.
This is the story of Basserlord.
PCrisk has found a new STOP ransomware variant that adds the .foza extension.
April 26, 2023
Microsoft attributed recent attacks on PaperCut servers to the Clop and LockBit ransomware operations, which used the vulnerabilities to steal corporate data.
PCrisk has found a new Xorist ransomware variant that adds the .attack7 (the number may change) extension and drops a ransom note named how_to_back_files.html.
PCrisk has found a new STOP ransomware variant that adds the .foty extension.
April 27, 2023
RTM Locker is the latest enterprise-targeted ransomware operation that deploys a Linux encryptor that targets virtual machines on VMware ESXi servers.
FortiGuard Labs recently discovered a new ransomware variant called UNIZA. Like other ransomware variants, it encrypts files on victim machines in an attempt to extort money. It uses a Command Prompt window (cmd.exe) to display its ransom message and, interestingly, it does not append an extension to the names of the files it encrypts, which makes it more difficult to determine which files were impacted.
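When an encryptor leaves filenames untouched, as UNIZA is reported to do, a responder cannot build the impacted-file list from extensions. The added example below is not FortiGuard's or UNIZA's code; it is a generic triage script that flags files whose content has ciphertext-like entropy, and treats a file as especially suspicious when its extension promises a known container header (PK for docx/zip, %PDF, PNG, JPEG) that is no longer there. The 7.5 bits-per-byte threshold, the 1 KiB minimum size and the sample files are assumptions chosen for the demonstration; the samples are constructed in-memory, not real encrypted files.

```python
"""Entropy-based triage for ransomware that does not rename encrypted files.

Added example, not code from the original article or from FortiGuard.
Heuristic: ciphertext is close to 8 bits of entropy per byte, while most
document formats are not; already-compressed formats are excluded by
checking that their expected header is still present.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter

# Expected leading bytes for formats that are high-entropy when genuine.
MAGIC = {
    ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04", ".pptx": b"PK\x03\x04",
    ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
    ".gz": b"\x1f\x8b", ".pdf": b"%PDF",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def classify_bytes(name: str, data: bytes, threshold: float = 7.5,
                   min_size: int = 1024) -> dict:
    """Decide whether a file body looks encrypted given its claimed extension."""
    ext = os.path.splitext(name)[1].lower()
    entropy = shannon_entropy(data)
    result = {"name": name, "entropy": round(entropy, 3), "suspicious": False, "reason": ""}
    if len(data) < min_size:                      # too little data for a stable estimate
        result["reason"] = "too small to judge"
        return result
    expected = MAGIC.get(ext)
    if expected is not None and data.startswith(expected):
        result["reason"] = "header matches extension"   # high entropy is normal here
        return result
    if entropy >= threshold:
        result["suspicious"] = True
        result["reason"] = (f"high entropy and {ext} header missing" if expected
                            else "high entropy")
    else:
        result["reason"] = "entropy below threshold"
    return result


def scan_tree(root: str, threshold: float = 7.5):
    """Yield (relative path, classification) for every file under root."""
    for dirpath, _dirs, files in os.walk(root):
        for fname in sorted(files):
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                data = fh.read(1024 * 1024)       # first MiB is enough for the estimate
            yield os.path.relpath(path, root), classify_bytes(fname, data, threshold)


def _pseudo_random(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic stand-in for ciphertext: chained SHA-256 output (constructed)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed sample inputs, not real files.
SAMPLE_TEXT = b"The quick brown fox jumps over the lazy dog.\n" * 60
SAMPLE_RANDOM = _pseudo_random(4096)


def demo() -> list:
    """Build a constructed directory and return the names flagged as suspicious."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "notes.txt": SAMPLE_TEXT,                             # plain text, low entropy
            "invoice.docx": SAMPLE_RANDOM,                        # "encrypted": PK header gone
            "archive.zip": b"PK\x03\x04" + SAMPLE_RANDOM,         # genuine archive
            "photo.png": b"\x89PNG\r\n\x1a\n" + SAMPLE_RANDOM,    # genuine image
        }
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return sorted(rel for rel, res in scan_tree(root) if res["suspicious"])


if __name__ == "__main__":
    print("flagged:", demo())
```

Run it against a suspect share with `scan_tree("/mnt/share")` and review anything marked suspicious alongside file modification times from the incident window. Expect false positives from formats not in the MAGIC table (encrypted containers, random test data) and false negatives for tiny files; the script narrows the search, it does not replace a signature match on the ransom note or the encryptor binary.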
PCrisk has found a new Chaos ransomware variant that adds the .devinn extension and drops a ransom note named unlock_here.txt.