From ongoing attacks targeting ESXi servers to sanctions against Conti/TrickBot members, it’s been a pretty busy week when it comes to ransomware.

The global ESXiArgs ransomware attacks continued to plague VMware ESXi servers over the weekend and into the week. To help administrators recover their servers, CISA released a script that rebuilds virtual machines from the flat files left intact on encrypted servers.

However, a day later, a new version of the ESXiArgs ransomware was released that encrypts more data, defeating the previously known recovery methods.

With ESXi such a juicy target for ransomware gangs, the Royal Ransomware operation has also developed its own Linux encryptor to encrypt virtual machines.

The US and UK governments also sanctioned seven members of the TrickBot/Conti cybercrime organization, and CISA released an advisory detailing how North Korean ransomware attacks are used to fund DPRK operations.

After a long period of little activity on their data leak site, the Clop ransomware gang (TA505) is back, claiming to be behind attacks that exploit a zero-day vulnerability in GoAnywhere MFT.

The gang says it exploited the vulnerability to steal data from 130 companies. We were unable to independently verify this, but a Huntress Labs report also indicates that Clop was likely involved in these attacks.

We also learned about several other (probable) ransomware attacks this week: LockBit finally claimed the Royal Mail attack, Canada's Indigo bookstores were hit by a cyberattack, and A10 Networks confirmed a data breach after a Play ransomware attack.

Contributors and those who provided new ransomware information and stories this week include @LawrenceAbrams, @malwhunterteam, @billtoulas, @demonslay335, @struppigel, @PolarToffee, @fwosar, @BleepinComputer, @Ionut_Ilascu, @serghei, @Seifreed, @jfslowik, @CISAgov, @LabsSentinel, @BushidoToken, @ASEC_Analysis, @pcrisk, @ValeryMarchive, and @BrettCallow.

February 5, 2023

Linux Version of Royal Ransomware Targets VMware ESXi Servers

Royal Ransomware is the latest ransomware operation to add Linux device encryption support to its most recent malware variants, specifically targeting VMware ESXi virtual machines.

February 6, 2023

VMware Warns Administrators to Patch ESXi Servers and Disable the OpenSLP Service

VMware today warned customers to install the latest security updates and disable the OpenSLP service targeted in a large-scale campaign of ransomware attacks against vulnerable, Internet-facing ESXi servers.
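The advisory above tells administrators what to do but not how to confirm it was done. The following is an added example, not VMware's code or the article's, that parses the output of two ESXi shell commands (captured here as constructed sample text) and reports whether OpenSLP is still reachable. It assumes the column layout of `esxcli network firewall ruleset list` and `chkconfig --list` shown in the samples, and the remediation commands are the ones VMware's KB for disabling SLP documents, reproduced here from memory and to be verified against the current KB before use.

```python
"""Check whether OpenSLP is still enabled on an ESXi host from captured command output.

Added example (not from VMware or the article). Both sample outputs below are
constructed to match the column layout the real commands print; verify against
your own host before relying on the parsers.
"""

# Constructed sample of: esxcli network firewall ruleset list
RULESET_OUTPUT = """\
Name                 Enabled
-------------------  -------
sshServer            true
CIMSLP               true
ntpClient            true
"""

# Constructed sample of: chkconfig --list
CHKCONFIG_OUTPUT = """\
ntpd            on
slpd            on
sfcbd-watchdog  on
"""

# Commands VMware documents for disabling SLP (from memory; verify against the KB).
REMEDIATION = [
    "/etc/init.d/slpd stop",
    "esxcli network firewall ruleset set -r CIMSLP -e 0",
    "chkconfig slpd off",
]


def parse_rulesets(text):
    """Map ruleset name -> enabled flag; header and separator lines are skipped
    because their second column is not a true/false token."""
    rows = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].lower() in ("true", "false"):
            rows[parts[0]] = parts[1].lower() == "true"
    return rows


def parse_chkconfig(text):
    """Map service name -> enabled flag from chkconfig --list output."""
    rows = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].lower() in ("on", "off"):
            rows[parts[0]] = parts[1].lower() == "on"
    return rows


def slp_exposure(ruleset_text, chkconfig_text):
    """Combine both views: SLP is only considered hardened when the firewall
    ruleset is disabled AND the slpd service is switched off, since either one
    alone leaves a path for the service to come back on reboot or be reached."""
    rulesets = parse_rulesets(ruleset_text)
    services = parse_chkconfig(chkconfig_text)
    firewall_open = rulesets.get("CIMSLP", False)
    service_enabled = services.get("slpd", False)
    hardened = not firewall_open and not service_enabled
    return {
        "firewall_open": firewall_open,
        "service_enabled": service_enabled,
        "hardened": hardened,
        "remediation": [] if hardened else REMEDIATION,
    }


if __name__ == "__main__":
    result = slp_exposure(RULESET_OUTPUT, CHKCONFIG_OUTPUT)
    print("SLP hardened:", result["hardened"])
    for cmd in result["remediation"]:
        print("  run:", cmd)
```

On a live host, feed the function the real command output (for example via SSH) rather than the constructed samples; patching ESXi is still required and is not something this check can confirm.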

DarkSide ransomware with self-spreading functionality in AD environments

To evade sandbox scanning and detection, this DarkSide sample runs only when both the loader and its data file are present. The loader, named "msupdate64.exe", reads the data file "config.ini" from the same directory, which contains the encoded ransomware, and executes the decoded payload in the memory of a legitimate process. The ransomware only runs when a specific command-line argument matches. It then registers itself in the Task Scheduler so that it runs periodically.
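The loader behaviour described above is a correlation problem for defenders: no single event is suspicious, but the combination is. The following is an added example, not from the ASEC report or this article, that correlates constructed Sysmon-style events for the three observable pieces: a process named msupdate64.exe started with an argument, a config.ini created in the same directory, and a scheduled task registered shortly afterwards that points back at the loader. The filenames come from the text; the event schema, field names, sample events and the ten-minute correlation window are assumptions for the example.

```python
"""Correlate process-create, file-create and scheduled-task events for the
DarkSide loader pattern. Added example; events and field names are constructed."""
from datetime import datetime, timedelta
import ntpath  # Windows path handling regardless of the analysis host

# Constructed Sysmon-like events: event_id 1 = ProcessCreate, 11 = FileCreate.
SAMPLE_EVENTS = [
    {"ts": "2023-02-06T10:00:00", "event_id": 11, "host": "WS01",
     "image": r"C:\Windows\explorer.exe", "target": r"C:\Users\Public\config.ini"},
    {"ts": "2023-02-06T10:00:05", "event_id": 1, "host": "WS01",
     "image": r"C:\Users\Public\msupdate64.exe",
     "command_line": r'"C:\Users\Public\msupdate64.exe" 8a3c'},
    {"ts": "2023-02-06T10:00:20", "event_id": 1, "host": "WS01",
     "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": 'schtasks.exe /create /sc minute /mo 5 /tn "WindowsUpdate" '
                     '/tr "C:\\Users\\Public\\msupdate64.exe 8a3c" /f'},
    # Benign noise on another host: same loader name, no argument, no data file, no task.
    {"ts": "2023-02-06T11:00:00", "event_id": 1, "host": "WS02",
     "image": r"C:\Temp\msupdate64.exe", "command_line": r'"C:\Temp\msupdate64.exe"'},
]

LOADER_NAME = "msupdate64.exe"      # from the report
DATA_FILE_NAME = "config.ini"       # from the report
TASK_WINDOW = timedelta(minutes=10)  # assumed: how soon after the loader the task must appear


def _args_after_image(cmdline):
    """Return the arguments following the (possibly quoted) image path."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[end + 1:].strip() if end != -1 else ""
    parts = s.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def detect_darkside_loader(events):
    """Return one alert per loader start that matches at least two of the three
    indicators (argument present, config.ini beside it, schtasks /create pointing
    at the loader within TASK_WINDOW). Requiring two keeps a lone renamed binary
    from firing while still catching the full chain."""
    events = sorted(events, key=lambda e: e["ts"])
    data_files = set()  # (host, directory) where a config.ini was created
    alerts = []
    for i, ev in enumerate(events):
        if ev["event_id"] == 11 and ntpath.basename(ev["target"]).lower() == DATA_FILE_NAME:
            data_files.add((ev["host"], ntpath.dirname(ev["target"]).lower()))
            continue
        if ev["event_id"] != 1 or ntpath.basename(ev["image"]).lower() != LOADER_NAME:
            continue
        directory = ntpath.dirname(ev["image"]).lower()
        args = _args_after_image(ev["command_line"])
        has_data_file = (ev["host"], directory) in data_files
        started = datetime.fromisoformat(ev["ts"])
        task_registered = any(
            later["event_id"] == 1
            and later["host"] == ev["host"]
            and ntpath.basename(later["image"]).lower() == "schtasks.exe"
            and "/create" in later["command_line"].lower()
            and LOADER_NAME in later["command_line"].lower()
            and timedelta(0) <= datetime.fromisoformat(later["ts"]) - started <= TASK_WINDOW
            for later in events[i + 1:]
        )
        score = sum([bool(args), has_data_file, task_registered])
        if score >= 2:
            alerts.append({
                "host": ev["host"], "image": ev["image"], "argument": args,
                "data_file": has_data_file, "scheduled_task": task_registered,
                "score": score,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_darkside_loader(SAMPLE_EVENTS):
        print(alert)
```

The file names are the weakest part of the signal, since an attacker can rename both; the argument-gated start and the schtasks registration pointing at a freshly dropped executable are what a production rule should keep.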

February 7, 2023

LockBit ransomware gang claims Royal Mail cyberattack

The LockBit ransomware operation claimed responsibility for the cyberattack on the UK's leading mail delivery service, Royal Mail, which forced the company to halt its international shipping services due to a "severe service disruption".

Clop ransomware flaw allowed Linux victims to recover files for months

The Clop ransomware gang now also uses a malware variant that explicitly targets Linux servers, but a flaw in its encryption scheme has allowed victims to quietly recover their files for free for months.

Russian pleads guilty to laundering Ryuk ransomware money

Russian citizen Denis Mihaqlovic Dubnikov pleaded guilty on Tuesday to laundering money for the notorious Ryuk ransomware group for more than three years.

CISA releases recovery script for victims of ESXiArgs ransomware

The US Cybersecurity and Infrastructure Security Agency (CISA) has released a script to recover VMware ESXi servers encrypted by recent widespread ESXiArgs ransomware attacks.

New Variant of Chaos Ransomware

PCrisk found a new Chaos ransomware variant that appends what appear to be random extensions (.1iyT6bav7VyWM5) and drops a ransom note named adrianov.txt.

February 8, 2023

New version of ESXiArgs ransomware prevents VMware ESXi recovery

The new ESXiArgs ransomware attacks now encrypt larger amounts of data, making it significantly more difficult, if not impossible, to recover encrypted VMware ESXi virtual machines.

Investigating intrusions from intriguing exploits

By investigating the event in question and pursuing root cause analysis (RCA), Huntress was able to link this intrusion to a recently announced vulnerability as well as a long-standing post-exploitation framework linked to significant ransomware groups.

February 9, 2023

Canada’s largest bookstore Indigo shuts down after cyberattack

Indigo Books & Music, Canada’s largest bookstore chain, was hit by a cyberattack yesterday, forcing the company to make the website unavailable to customers and only accept cash payments.

US and UK sanction members of TrickBot and Conti ransomware operations

The US and UK have sanctioned seven Russians for their involvement in the TrickBot cybercrime group, whose malware was used to support attacks by the Conti and Ryuk ransomware operations.

New variant of STOP ransomware

PCrisk has found a new STOP ransomware variant that adds the .vvmm extension.

February 10, 2023

A10 Networks Confirms Data Breach After Play Ransomware Attack

California-based networking hardware manufacturer “A10 Networks” confirmed to BleepingComputer that the Play ransomware gang briefly gained access to its IT infrastructure and compromised data.

Clop ransomware claims to be behind GoAnywhere zero-day attacks

The Clop ransomware gang claims to be behind the recent attacks that exploited a zero-day vulnerability in the GoAnywhere MFT secure file transfer tool, and says it stole data from more than 130 organizations.

North Korean ransomware attacks on healthcare fund government operations

A new cybersecurity advisory from the US Cybersecurity & Infrastructure Security Agency (CISA) outlines tactics, techniques, and procedures (TTPs) recently observed in North Korean ransomware operations against public health and other critical infrastructure sectors.

New variant of STOP ransomware

PCrisk has found a new STOP ransomware variant that adds the .vvoo extension.

That's it for this week! I hope everyone is having a good weekend!
