This week has been filled with research reports and news of major attacks with a significant impact on many organizations.
Last week, Rackspace suffered a massive outage of its hosted Microsoft Exchange environment, preventing customers from accessing their email. On Tuesday, Rackspace finally confirmed everyone’s fears that a ransomware attack caused the outage.
Rackspace did not provide any details about the attack, including the ransomware operation behind it and whether the threat actors stole any data.
However, today they started notifying customers to be on the lookout for targeted phishing emails and to monitor their credit reports and bank account statements for suspicious activity. This warning may indicate that the ransomware operation stole data during the attack.
Another attack, on New Zealand MSP Mercury IT, has also resulted in a series of outages for its customers, many of which are local governments across the country.
A ransomware attack against CHU André-Mignot, near Paris, has also caused significant disruption, leading to the redirection of some patients to other hospitals.
We also saw some interesting research from cybersecurity companies and the US government this week:
Finally, Brian Krebs had a very interesting report on new tactics used by the Venus and Clop ransomware gangs to breach networks and convince victims to pay.
Contributors and those who provided new ransomware information and stories this week include: @struppigel, @PolarToffee, @Seifreed, @fwosar, @DanielGallagher, @BleepinComputer, @Ionut_Ilascu, @LawrenceAbrams, @jorntvdw, @demonslay335, @billtoulas, @FourBytes, @VK_Intel, @serghei, @malwhunterteam, @malwareforme, @pcrisk, @Unit42_Intel, @Fortinet, @briankrebs, @morphisec, @smgoreli, and @Phylum_IO.
December 5, 2022
The CHU André-Mignot, in the Paris suburbs, had to shut down its telephone and computer systems due to a ransomware attack that occurred on Saturday evening.
In the latest issue of our Ransomware Roundup series, we discussed a publicly available, open-source ransomware toolkit called Cryptonite. As part of this investigation, we also discovered a sample of Cryptonite in the wild that never offers the decryption window, acting more like a wiper. We have recently seen an increase in ransomware intentionally turned into wiper malware, mostly as part of a political campaign. So, in this article, we take a closer look at the Cryptonite wiper sample.
There has been a cybersecurity incident involving a ransomware attack on Mercury IT. Mercury IT provides a wide range of IT services to customers across New Zealand.
PCrisk found a HiddenTear variant called Puspa2 which adds the .puspa2#mejukeni7sala029 extension and drops a ransom note named XXX_HELLO’S_READ_ME._txt.
PCrisk has found new STOP ransomware variants that add the .mppn and .mbtf extensions to encrypted files.
December 6, 2022
Texas-based cloud computing provider Rackspace today confirmed that a ransomware attack is behind an ongoing Hosted Exchange outage described as an “isolated disruption.”
Vice Society is a ransomware gang that has been involved in high-profile activity against schools this year. Unlike many other ransomware groups such as LockBit which follow a typical ransomware-as-a-service (RaaS) model, Vice Society’s operations are different in that they are known to use forks of pre-existing ransomware families in their attack chain that are sold on dark web marketplaces. These include the HelloKitty (aka FiveHands) and Zeppelin ransomware strains, as opposed to developing their own custom payload.
In November, Morphisec identified a brand new variant of Babuk ransomware while investigating a prevention event at a client. Babuk was first discovered in early 2021 when it began targeting companies to steal and encrypt data in double extortion attacks. Later that year, a threat actor leaked Babuk’s full source code to a Russian-speaking hacking forum.
PCrisk has found a new ransomware variant that adds the .OBZ extension and drops a ransom note named ReadMe.txt.
December 8, 2022
CommonSpirit Health has confirmed that threat actors accessed the personal data of 623,774 patients in a ransomware attack in October.
The US Department of Health and Human Services (HHS) today issued a new warning to healthcare organizations nationwide regarding ongoing attacks by a relatively new operation, the Royal ransomware gang.
Ransomware groups are constantly devising new ways to infect victims and convince them to pay, but a few recently tested strategies seem particularly devious. The first consists of targeting healthcare organizations that offer online consultations and sending them booby-trapped medical records for the “patient”. The other involves carefully editing the email inboxes of public company executives to make it appear that some have been involved in insider trading.
December 9, 2022
Cloud computing provider Rackspace on Thursday warned customers of heightened risks of phishing attacks following a ransomware attack affecting its hosted Microsoft Exchange environment.
Overnight, we saw a flurry of activity around the popular requests package typosquat. In the malicious packages themselves, the attacker embedded the following:
To provide context, Phylum found an NPM/PyPI campaign where Python packages were distributing Linux and Windows malware that claimed to be ransomware. After testing the ransomware, BleepingComputer confirmed that it does not encrypt anything and just drops a ransom note and changes the desktop wallpaper.
The actor behind it told BleepingComputer that they were just “playing around” and not adding encryption.
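The campaign above relied on typosquatting a popular package name. The following is an added example, not code from Phylum, BleepingComputer or any package repository, of the kind of check a practitioner can run over a requirements list before installing it: names are normalized the way PyPI normalizes them (PEP 503), then compared against a list of popular package names using an edit distance that counts adjacent-letter swaps as one edit, since swapped letters are the most common typosquat form. The popular-package list and the requirement lines are constructed for the example; a real check would load the list from the index's top-downloads data.

```python
import re

# Constructed stand-in for a list of popular PyPI package names.
# In practice, load this from the index's top-downloads data.
POPULAR = {"requests", "urllib3", "numpy", "cryptography", "setuptools", "certifi"}

# Constructed requirements list; the misspelled names are invented for the example.
SAMPLE_REQUIREMENTS = [
    "requests>=2.28",
    "reqeusts==1.0.0",        # swapped letters in 'requests'
    "requets",                # one letter dropped from 'requests'
    "numpyy  # pinned later", # one letter added to 'numpy'
    "flask",
    "Cryptography==38.0.4",   # case/separator differences are not suspicious
]


def normalize(name):
    """PEP 503 normalization: runs of '-', '_' and '.' become '-', then lowercase."""
    return re.sub(r"[-_.]+", "-", name).lower()


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, or swap
    two adjacent characters, each counted as one edit."""
    m, n = len(a), len(b)
    d = [[0] * (n + 1) for _ in range(m + 1)]
    for i in range(m + 1):
        d[i][0] = i
    for j in range(n + 1):
        d[0][j] = j
    for i in range(1, m + 1):
        for j in range(1, n + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[m][n]


def requirement_name(line):
    """Strip comments and version/extras/marker syntax, leaving the bare project name."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    return re.split(r"[<>=!~\[;\s]", line, 1)[0]


def typosquat_candidates(requirements, popular=POPULAR, max_distance=1):
    """Return (name, lookalike, distance) for every requirement that is not itself
    a popular package but sits within max_distance edits of one."""
    findings = []
    for line in requirements:
        name = requirement_name(line)
        if name is None:
            continue
        norm = normalize(name)
        if norm in popular:
            continue  # exact match after normalization: the real package
        for candidate in sorted(popular):
            dist = osa_distance(norm, candidate)
            if dist <= max_distance:
                findings.append((name, candidate, dist))
    return findings


if __name__ == "__main__":
    for name, lookalike, dist in typosquat_candidates(SAMPLE_REQUIREMENTS):
        print(f"suspicious: {name!r} is {dist} edit(s) from {lookalike!r}")
```

Raising `max_distance` to 2 catches more squats but also flags many legitimate short names, so a distance-2 hit is better treated as a prompt to look at the package's upload date, maintainer and install hooks than as a verdict on its own.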
PCrisk has found a new variant of MedusaLocker that adds the .allock[number] extension and drops a ransom note named how_to_back_files.html.
PCrisk has found a new VoidCrypt variant that adds the .Juli extension and drops a ransom note named unlock-info.txt.
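The variant reports in this roundup (Puspa2, the STOP .mppn/.mbtf variants, the .OBZ variant, MedusaLocker .allock[number] and VoidCrypt .Juli) each give an appended extension and a ransom-note filename. The following is an added example, not code from PCrisk, BleepingComputer or any vendor, that turns those reported indicators into a sweep over a file listing, classifying each path as an encrypted file or a ransom note by family. The `[number]` placeholder in MedusaLocker's extension is handled as a run of digits rather than matched literally. The file listing is constructed for the example; on a real host you would feed it the output of a recursive directory walk.

```python
import ntpath
import re
from collections import defaultdict

# Appended-extension patterns reported this week, anchored at the end of the file name.
# "[number]" in the MedusaLocker report is rendered as one or more digits.
EXTENSION_RULES = [
    ("Puspa2 (HiddenTear)", r"\.puspa2#mejukeni7sala029"),
    ("STOP",                r"\.(?:mppn|mbtf)"),
    ("OBZ",                 r"\.OBZ"),
    ("MedusaLocker",        r"\.allock\d+"),
    ("VoidCrypt",           r"\.Juli"),
]

# Ransom-note file names reported this week, matched exactly against the base name.
# ReadMe.txt is a generic name and will produce false positives on its own.
RANSOM_NOTES = {
    "XXX_HELLO’S_READ_ME._txt": "Puspa2 (HiddenTear)",
    "ReadMe.txt": "OBZ",
    "how_to_back_files.html": "MedusaLocker",
    "unlock-info.txt": "VoidCrypt",
}

# NTFS is case-insensitive, so the extension match ignores case.
_COMPILED = [(family, re.compile(pattern + r"$", re.IGNORECASE))
             for family, pattern in EXTENSION_RULES]

# Constructed directory listing; none of these paths come from a real incident.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.puspa2#mejukeni7sala029",
    r"C:\Users\alice\Documents\XXX_HELLO’S_READ_ME._txt",
    r"C:\Users\bob\Pictures\holiday.jpg.mppn",
    r"C:\Users\bob\Pictures\holiday2.jpg.mbtf",
    r"D:\share\contract.pdf.allock77",
    r"D:\share\how_to_back_files.html",
    r"D:\share\notes.docx.allock",      # no trailing number: not the reported pattern
    r"E:\backup\report.docx.Juli",
    r"C:\Users\alice\Desktop\todo.txt",
]


def classify(path):
    """Return (family, kind) where kind is 'ransom note' or 'encrypted file',
    or None when the path matches no reported indicator."""
    name = ntpath.basename(path)  # handles Windows separators on any host
    if name in RANSOM_NOTES:
        return RANSOM_NOTES[name], "ransom note"
    for family, rx in _COMPILED:
        if rx.search(name):
            return family, "encrypted file"
    return None


def sweep(paths):
    """Group every matching path by family and kind."""
    hits = defaultdict(lambda: {"encrypted file": [], "ransom note": []})
    for path in paths:
        result = classify(path)
        if result is not None:
            family, kind = result
            hits[family][kind].append(path)
    return dict(hits)


if __name__ == "__main__":
    for family, kinds in sorted(sweep(SAMPLE_LISTING).items()):
        print(f"{family}: {len(kinds['encrypted file'])} encrypted file(s), "
              f"{len(kinds['ransom note'])} ransom note(s)")
```

A single ransom-note hit on a generic name such as ReadMe.txt means little by itself; the signal a responder wants is a ransom note sitting in the same tree as files carrying the matching extension, which the grouped output above makes easy to spot.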