
While the week started slowly, it turned into a big mess of ransomware, with attacks dealing a heavy blow to businesses running VMware ESXi servers.

The attacks began Friday morning, with threat actors targeting unpatched VMware ESXi servers with a new ransomware variant called ESXiArgs.

The attacks were rapid and widespread, with administrators around the world soon reporting that they had been encrypted in this new campaign.

What makes this attack so devastating is that many companies run much of their server infrastructure on VMware ESXi, so encrypting a single device encrypts multiple servers simultaneously.

The good news is that some admins have been able to recover their servers by rebuilding disks from flat files, but some reported not being able to do so because these files were also encrypted.

We also saw new research published this week, with Microsoft warning that over a hundred malicious actors are deploying ransomware and LockBit deciding to create a new encryptor based on Conti.

Also, Resecurity published a report on the new Nevada ransomware-as-a-service operation, which is recruiting affiliates and preparing for future attacks.

Finally, we learned more about ransomware attacks conducted this week and in the past, including:

Contributors and those who provided new ransomware information and stories this week include @PolarToffee, @serghei, @fwosar, @BleepinComputer, @LawrenceAbrams, @Seifreed, @Ionut_Ilascu, @malwhunterteam, @struppigel, @demonslay335, @billtoulas, @vxunderground, @GeeksCyber, @PRODAFT, @brkalbyrk7, @RESecurity, @MsftSecIntel, @1ZRR4H, @pcrisk, @BrettCallow, @ahnlab, @jgreigj and @k7computing.

January 30, 2023

New Makop variant

PCrisk found a new Makop variant that adds the .ZFX extension and drops a ransom note named +README-WARNING+.txt.

January 31, 2023

Microsoft: More than 100 malicious actors deploy ransomware in attacks

Microsoft revealed today that its security teams were tracking more than 100 ransomware gangs and more than 50 unique ransomware families that were in active use through the end of last year.

New Masons ransomware

PCrisk has found new ransomware that adds the .masons extension and drops a ransom note named six62ix.txt.

New Variant of Chaos Ransomware

PCrisk has found a new Chaos ransomware variant that adds the .Script extension and drops a ransom note named read_it.txt.

February 1, 2023

LockBit ransomware goes ‘green’ and uses new Conti-based encryptor

The LockBit ransomware gang has again started using encryptors based on other operations, this time switching to an encryptor based on the leaked Conti ransomware source code.

New Nevada Ransomware Targets Windows and VMware ESXi Systems

A relatively new ransomware operation known as Nevada appears to be growing its capabilities rapidly as security researchers have noticed improved functionality for the locker targeting Windows and VMware ESXi systems.

Arnold Clark’s customer data was stolen in an attack claimed by Play ransomware

Arnold Clark, which describes itself as Europe’s largest independent car retailer, is telling some customers that their personal information was stolen in a December 23 cyberattack claimed by the Play ransomware group.

TZW Ransomware is distributed in Korea

Through internal monitoring, ASEC’s analysis team recently discovered the distribution of TZW ransomware, which encrypts files before appending the “TZW” file extension to the original extension.

K-12 schools in Tucson, Nantucket respond to cyberattacks

Schools in Tucson, Arizona and Nantucket, Massachusetts are facing cyberattacks as American schools continue to face a barrage of threats in the first weeks of 2023.

New variant of Honkai ransomware

PCrisk has found a new ransomware variant that adds the .honkai extension and drops a ransom note named #DECRYPT MY FILES#.html.

New Variant of VoidCrypt Ransomware

PCrisk has found a new ransomware variant that adds the .sunjn extension and drops a ransom note named Decryption-guide.txt.

February 2, 2023

Ransomware Attack Against ION Group Impacts Derivatives Trading Market

The LockBit ransomware gang claimed responsibility for the cyberattack against ION Group, a UK-based software company whose products are used by financial institutions, banks and corporations for trading, investment management and market analysis.

Acquired by Warlock Dark Army “OFFICIALS”

Recently we came across a tweet shared by petikvx. The tweet was about a ransomware family whose group name was similar to WARLOCK DARK ARMY. The similarities to Chaos ransomware seem to end with the name of the group of attackers. After analyzing the ransomware from the tweet, we suspect that the two are very different groups based solely on their malware attributes.

February 3, 2023

Florida hospital takes computer systems offline after cyberattack

Tallahassee Memorial HealthCare (TMH) took its computer systems offline and suspended elective procedures following a cyberattack on Thursday evening.

Massive ESXiArgs Ransomware Attack Targets VMware ESXi Servers Worldwide

Administrators, hosting providers and the French computer emergency response team (CERT-FR) warn that attackers are actively exploiting a two-year-old remote code execution vulnerability in unpatched VMware ESXi servers to deploy ransomware.

New DoDo ransomware

PCrisk has found a new DoDo ransomware variant that adds the .dodov2 extension and drops a ransom note named dodov2_readit.txt.
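Several entries this week follow the same pattern: a new variant is identified by the extension it appends and the ransom note it drops. Those two indicators are also what a defender can sweep a file share or backup listing for. The script below is an added example, not code from BleepingComputer, PCrisk or any of the researchers credited above; the extension/note pairs are taken from the entries in this roundup, the directory listing is constructed for the demonstration, and the idea of requiring a ransom note or a minimum number of renamed files before alerting (to avoid firing on one oddly named file) is an assumption of this example.

```python
from pathlib import PurePath

# Indicator pairs as stated in this week's entries (extension -> ransom note name).
# TZW's note name is not given on the page, so only its extension is used.
RANSOMWARE_INDICATORS = {
    "Makop":     {"extension": ".ZFX",    "note": "+README-WARNING+.txt"},
    "Masons":    {"extension": ".masons", "note": "six62ix.txt"},
    "Chaos":     {"extension": ".Script", "note": "read_it.txt"},
    "TZW":       {"extension": ".TZW",    "note": None},
    "Honkai":    {"extension": ".honkai", "note": "#DECRYPT MY FILES#.html"},
    "VoidCrypt": {"extension": ".sunjn",  "note": "Decryption-guide.txt"},
    "DoDo":      {"extension": ".dodov2", "note": "dodov2_readit.txt"},
}

# Constructed sample listing: one share hit by the Makop variant, plus a single
# unrelated file whose extension happens to collide with the Chaos indicator.
SAMPLE_LISTING = [
    "/srv/share/finance/Q4-report.xlsx",
    "/srv/share/finance/Q4-report.xlsx.[ABCD1234].[mail@example.invalid].ZFX",
    "/srv/share/finance/+README-WARNING+.txt",
    "/srv/share/hr/contract.docx.ZFX",
    "/srv/share/hr/photo.jpg",
    "/srv/share/hr/photo.jpg.ZFX",
    "/srv/share/dev/build.Script",
]


def classify_path(path):
    """Return (family, reason) if the file name matches an indicator, else None.

    Ransom note names are compared exactly (case-insensitive); extensions are
    matched as a suffix because several families append their extension after
    the original one (e.g. report.xlsx.ZFX).
    """
    name = PurePath(path).name.lower()
    for family, ioc in RANSOMWARE_INDICATORS.items():
        if ioc["note"] is not None and name == ioc["note"].lower():
            return family, "ransom note"
        if name.endswith(ioc["extension"].lower()):
            return family, "encrypted file extension"
    return None


def scan_listing(paths, min_encrypted=3):
    """Aggregate indicator hits per family and return only the families worth alerting on.

    A family is alerted when its ransom note is present, or when at least
    `min_encrypted` files carry its extension. A lone matching extension is
    reported in the raw hits but suppressed from alerts (assumed threshold).
    """
    hits = {}
    for path in paths:
        result = classify_path(path)
        if result is None:
            continue
        family, reason = result
        entry = hits.setdefault(family, {"notes": [], "encrypted": 0})
        if reason == "ransom note":
            entry["notes"].append(path)
        else:
            entry["encrypted"] += 1
    return {
        family: entry
        for family, entry in hits.items()
        if entry["notes"] or entry["encrypted"] >= min_encrypted
    }


if __name__ == "__main__":
    for family, entry in scan_listing(SAMPLE_LISTING).items():
        print(f"{family}: {entry['encrypted']} encrypted file(s), "
              f"ransom note(s): {entry['notes']}")
```

On the constructed listing only Makop is alerted (three renamed files plus its ransom note); the single `.Script` file stays below the threshold, which is the kind of suppression you want before paging anyone on a shared extension. Feed the function the output of a recursive listing from the share or the backup catalogue, and lower `min_encrypted` when sweeping a host you already believe is affected.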

That’s all for this week! I hope everyone is having a good weekend!
