For the most part, this week was relatively quiet for ransomware attacks and researchers, that is, until the FBI announced a halt to the Hive ransomware operation.
Hive ransomware was launched in June 2021 and quickly became one of the most active and prominent ransomware operations.
Launched as a Ransomware-as-a-Service, Hive’s operators were responsible for developing the ransomware and maintaining the data leak and negotiation sites, while affiliates were recruited to carry out attacks and deploy the encryptors.
Under this arrangement, the operators kept 20% of all ransom payments and the affiliates earned the rest.
Yesterday, an international law enforcement operation seized the Tor websites of the Hive ransomware operation and revealed that investigators had secretly gained access to the gang’s servers in July 2022.
Over the past six months, law enforcement monitored the gang’s communications, intercepted decryption keys and supplied them to victims as free decryptors.
Although no arrests were made, the operation dealt a blow to a prominent player in this cybercrime space and prevented $100 million in ransom payments.
BleepingComputer also reported this week on how Google ads are being abused by ransomware access brokers to gain initial access to corporate networks.
This same access broker previously partnered with the Royal ransomware gang for attacks.
Be careful: when searching for software, click the developer’s legitimate link in the search results rather than a Google ad.
Contributors and those who provided new ransomware information and stories this week include: @PolarToffee, @demonslay335, @LawrenceAbrams, @malwhunterteam, @BleepinComputer, @Ionut_Ilascu, @Seifreed, @serghei, @struppigel, @billtoulas, @fwosar, @TrendMicro, @pcrisk, @1ZRR4H, @wdormann and @ffforward.
January 23, 2023
New variants of Dharma ransomware
PCrisk found new variants of Dharma ransomware that add the .nlb and .r0n extensions to encrypted files.
New Stop ransomware variant
PCrisk has found a new STOP ransomware variant that adds the .mztu extension.
New Variant of VoidCrypt Ransomware
PCrisk has found a new VoidCrypt ransomware variant that adds the .MrWhite extension and drops a ransom note named Decryption-guide.txt.
January 24, 2023
Ransomware Access Brokers Use Google Ads to Breach Your Network
A threat actor tracked as DEV-0569 uses Google Ads in ongoing, widespread advertising campaigns to distribute malware, steal victims’ passwords, and ultimately breach networks for ransomware attacks.
Vice Society Ransomware Group targets manufacturing companies
In most reports, the threat actor focuses its efforts on the education and healthcare industries. However, thanks to Trend Micro telemetry data, we have evidence that the group is also targeting the manufacturing sector, meaning they have the ability and desire to break into different industries, most likely through the purchase of compromised credentials from underground channels.
New variant of MedusaLocker ransomware
PCrisk has found a new MedusaLocker ransomware variant that adds the .filesencrypted extension.
January 26, 2023
Hive ransomware disrupted after FBI hacks into gang systems
The Hive ransomware operation’s Tor payment and data leak sites were seized in an international law enforcement operation after the FBI infiltrated the gang’s infrastructure last July.
New Mimic ransomware abuses Windows ‘Everything’ search tool
Security researchers have discovered a new strain of ransomware they have named Mimic that leverages the APIs of the “Everything” file search tool for Windows to search for files targeted for encryption.
US offers $10 million bounty for Hive ransomware links to foreign governments
The US State Department today offered up to $10 million for information that could help link the Hive ransomware group (or other threat actors) to foreign governments.
New variant of Phobos ransomware
PCrisk has found a new Phobos variant that adds the .unknown extension.
January 27, 2023
New SickFile ransomware
PCrisk has found a new ransomware variant that adds the .sickfile extension and drops a ransom note named how_to_back_files.html.
New Variant of Mallox Ransomware
PCrisk has found a new variant of Mallox that adds the .bitenc extension.
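As an added example (not code from the original article or from any of the researchers it cites), a small Python triage helper that sweeps a file listing for the appended extensions and ransom note names mentioned in this week’s variant entries. The family mapping, the three-file alert threshold and the sample listing are constructed assumptions for illustration.

```python
from collections import Counter, defaultdict

# Appended extensions and ransom note names from this week's entries, keyed to the
# family the roundup attributes them to (an analyst lookup aid, not attribution).
EXTENSION_FAMILIES = {
    ".nlb": "Dharma", ".r0n": "Dharma", ".mztu": "STOP", ".mrwhite": "VoidCrypt",
    ".filesencrypted": "MedusaLocker", ".unknown": "Phobos",
    ".sickfile": "SickFile", ".bitenc": "Mallox",
}
RANSOM_NOTES = {"decryption-guide.txt": "VoidCrypt", "how_to_back_files.html": "SickFile"}

def classify_path(path):
    """Return (family, kind) with kind 'note' or 'encrypted', or None if no match."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name in RANSOM_NOTES:
        return RANSOM_NOTES[name], "note"
    # Encrypted files keep their original extension and gain a new final one
    # (e.g. report.docx.mztu), so require at least two dots before matching.
    parts = name.split(".")
    if len(parts) >= 3 and "." + parts[-1] in EXTENSION_FAMILIES:
        return EXTENSION_FAMILIES["." + parts[-1]], "encrypted"
    return None

def triage(paths, min_encrypted=3):
    """Count hits per family; flag a family on any ransom note, or on at least
    min_encrypted renamed files so a single oddly named file is not an alert."""
    encrypted, notes = Counter(), defaultdict(list)
    for path in paths:
        hit = classify_path(path)
        if hit and hit[1] == "encrypted":
            encrypted[hit[0]] += 1
        elif hit:
            notes[hit[0]].append(path)
    flagged = sorted(f for f in set(encrypted) | set(notes)
                     if notes.get(f) or encrypted[f] >= min_encrypted)
    return {"encrypted": dict(encrypted), "notes": dict(notes), "flagged": flagged}

# Constructed sample listing for demonstration only (not real victim data).
SAMPLE_LISTING = [
    "/srv/share/finance/q4-report.xlsx.mztu",
    "/srv/share/finance/budget.docx.mztu",
    "/srv/share/finance/invoices.pdf.mztu",
    "/srv/share/hr/handbook.pdf",
    "/srv/share/hr/Decryption-guide.txt",
    "/srv/share/eng/spec.md.MrWhite",
    "/srv/share/eng/notes.unknown",  # no original extension left: not counted
]

if __name__ == "__main__":
    print(triage(SAMPLE_LISTING))
```

The two-dot requirement avoids flagging ordinary files whose only extension happens to be a common word such as .unknown; feed it a real directory walk (e.g. `os.walk`) instead of the sample list to use it on a share.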