While the week started slowly, it turned into a big mess of ransomware, with attacks dealing a heavy blow to businesses running VMware ESXi servers.
The attacks began Friday morning, with threat actors targeting unpatched VMware ESXi servers with a new ransomware variant called ESXiArgs.
What makes this attack so devastating is that many companies run much of their server infrastructure on VMware ESXi, allowing single-device encryption to encrypt multiple servers simultaneously.
The good news is that some admins have been able to recover their servers by rebuilding disks from flat files, but some reported not being able to do so because these files were also encrypted.
We also saw new research published this week, with Microsoft warning that over a hundred threat actors are deploying ransomware and LockBit deciding to create a new decryptor based on Conti.
Also, Resecurity published a report on the new Nevada ransomware-as-a-service operation recruiting affiliates and preparing for future attacks.
Finally, we learned more about ransomware attacks conducted this week and in the past, including:
Contributors and those who provided new ransomware information and stories this week include @PolarToffee, @serghei, @fwosar, @BleepinComputer, @LawrenceAbrams, @Seifreed, @Ionut_Ilascu, @malwhunterteam, @struppigel, @demonslay335, @billtoulas, @vxunderground, @GeeksCyber, @PRODAFT, @brkalbyrk7, @RESecurity, @MsftSecIntel, @1ZRR4H, @pcrisk, @BrettCallow, @ahnlab, @jgreig and @k7computing.
January 30, 2023
PCrisk found a new Makop variant that adds the .ZFX extension and drops a ransom note named +README-WARNING+.txt.
January 31, 2023
Microsoft revealed today that its security teams were tracking more than 100 ransomware gangs and more than 50 unique ransomware families that were in active use through the end of last year.
PCrisk has found new ransomware that adds the .masons extension and drops a ransom note named six62ix.txt.
PCrisk has found a new Chaos ransomware variant that adds the .Script extension and drops a ransom note named read_it.txt.
February 1, 2023
The LockBit ransomware gang has again started using encryptors based on other operations, this time switching to an encryptor based on the leaked Conti ransomware source code.
A relatively new ransomware operation known as Nevada appears to be growing its capabilities rapidly as security researchers have noticed improved functionality for the locker targeting Windows and VMware ESXi systems.
Arnold Clark, who describes himself as Europe’s largest independent car retailer, is telling some customers that their personal information was stolen in a December 23 cyberattack claimed by the Play ransomware group.
Through internal monitoring, ASEC’s analysis team recently discovered the distribution of TZW ransomware, which encrypts files before appending the “TZW” file extension to the original extension.
Schools in Tucson, Arizona and Nantucket, Massachusetts are facing cyberattacks as American schools continue to face a barrage of threats in the first weeks of 2023.
PCrisk has found a new ransomware variant that adds the .honkai extension and drops a ransom note named #DECRYPT MY FILES#.html.
PCrisk has found a new ransomware variant that adds the .sunjn extension and drops a ransom note named Decryption-guide.txt.
February 2, 2023
The LockBit ransomware gang claimed responsibility for the cyberattack against ION Group, a UK-based software company whose products are used by financial institutions, banks and corporations for trading, investment management and market analysis.
Recently we came across a tweet shared by petikvx. The tweet was about a ransomware family whose group name was similar to WARLOCK DARK ARMY. The similarities to Chaos ransomware seem to end with the name of the group of attackers. After analyzing the tweet’s ransomware, we suspect that the two are very different groups based solely on their malware attributes.
February 3, 2023
Tallahassee Memorial HealthCare (TMH) took its computer systems offline and suspended elective procedures following a cyberattack on Thursday evening.
Administrators, hosters and the French computer emergency response team (CERT-FR) warn that attackers are actively exploiting a two-year-old remote code execution vulnerability in unpatched VMware ESXi servers to deploy ransomware.
PCrisk has found a new DoDo ransomware variant that adds the .dodov2 extension and drops a ransom note named dodov2_readit.txt.
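The variant entries above (Makop .ZFX, .masons, Chaos .Script, TZW, .honkai, .sunjn and DoDo .dodov2, together with the ransom-note filenames each drops) are the kind of indicators a responder turns into a quick triage sweep of a file share or restored volume. The script below is an added example and is not part of this roundup or any of the cited researchers' tooling; the extension and note-name lists come from the entries above, while the directory layout it scans is a constructed sample built in a temporary folder so the example runs offline.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extensions appended by the variants listed in this week's entries.
# Compared case-insensitively so ".ZFX" and ".Script" match as written.
RANSOM_EXTENSIONS = {".zfx", ".masons", ".script", ".honkai", ".sunjn", ".tzw", ".dodov2"}

# Ransom-note filenames dropped by those variants (exact names from the entries).
RANSOM_NOTES = {
    "+README-WARNING+.txt",
    "six62ix.txt",
    "read_it.txt",
    "#DECRYPT MY FILES#.html",
    "Decryption-guide.txt",
    "dodov2_readit.txt",
}


def scan_tree(root):
    """Walk `root` and return (encrypted_paths, note_paths), both sorted.

    A ransom-note hit is a strong signal on its own; an extension hit is
    weaker (a legitimate file could end in .script) and is best read
    together with the note hits from the same directory.
    """
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name in RANSOM_NOTES:
                notes.append(path)
            elif Path(name).suffix.lower() in RANSOM_EXTENSIONS:
                encrypted.append(path)
    return sorted(encrypted), sorted(notes)


def summarize(root):
    """Return a triage summary: hit counts per appended extension and
    the directories that contain a ransom note."""
    encrypted, notes = scan_tree(root)
    by_extension = Counter(Path(p).suffix.lower() for p in encrypted)
    note_dirs = sorted({os.path.dirname(p) for p in notes})
    return {
        "encrypted_count": len(encrypted),
        "by_extension": dict(by_extension),
        "note_dirs": note_dirs,
    }


def build_sample_tree(root):
    """Constructed sample data: two untouched files plus files mimicking
    the Makop (.ZFX) and DoDo (.dodov2) variants from the entries above."""
    layout = {
        "docs/report.docx": b"clean document",
        "docs/report.docx.ZFX": b"opaque bytes standing in for encrypted content",
        "docs/+README-WARNING+.txt": b"constructed stand-in for the Makop note",
        "vm/server.vmdk.dodov2": b"opaque bytes standing in for encrypted content",
        "vm/dodov2_readit.txt": b"constructed stand-in for the DoDo note",
        "src/main.py": b"print('clean source file')\n",
    }
    for rel, content in layout.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)


def demo():
    """Build the constructed tree in a temp directory and scan it.
    Returns the summary dict so callers can check the result."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return summarize(tmp)


if __name__ == "__main__":
    result = demo()
    print(f"encrypted files: {result['encrypted_count']}")
    for ext, count in sorted(result["by_extension"].items()):
        print(f"  {ext}: {count}")
    print("directories with a ransom note:")
    for d in result["note_dirs"]:
        print(f"  {d}")
```

Run it as-is to see the constructed sample scored; point `summarize()` at a mounted share or a restored disk image to apply the same sweep, and extend `RANSOM_EXTENSIONS` and `RANSOM_NOTES` as new variants are reported.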