This edition of the Week in Ransomware covers the last two weeks of news, as we were unable to cover it last week, and includes quite a bit of new information, including the return of the Avaddon ransomware gang.
Last month, a new ransomware operation dubbed NoEscape (or No_Escape) was launched and quickly began racking up a flood of new corporate victims.
After analyzing the operation’s encryptor, it quickly became apparent that NoEscape is a rebrand of Avaddon, which shut down in June 2021 after feeling the heat from law enforcement.
However, it seems the gang never really retired; its members were biding their time, presumably working with other operations in the meantime, until they could return under the new NoEscape name.
While the gang claimed to have no affiliation with Avaddon, their encryptor is very similar to ransomware from the old operation, according to ransomware expert Michael Gillespie.
This includes a unique encryption segmentation routine used only by Avaddon, similarities in code, the same configuration file format, and many other shared routines. The only significant change is the switch from AES to Salsa20 for file encryption.
Law enforcement was also busy: a Ukrainian scareware developer was arrested after a ten-year hunt, and an IT worker was sentenced to more than three years in prison for impersonating a ransomware gang in an extortion scheme against his own employer.
Other ransomware reports from BleepingComputer and cybersecurity companies over the past two weeks are summarized below.
Finally, Clop’s data theft attacks exploiting a MOVEit Transfer zero-day continue to be a hot topic in the news, with companies continuing to disclose data breaches as they are added to the gang’s data leak site.
According to a new Coveware report published today, these attacks were very successful, with the ransomware gang expected to make $75-100 million in extortion payments.
Contributors and those who provided new ransomware information and stories this week include: @demonslay335, @Seifreed, @BleepinComputer, @malwhunterteam, @billtoulas, @Ionut_Ilascu, @struppigel, @fwosar, @LawrenceAbrams, @serghei, @chainalysis, @TrendMicro, @Intel_by_KELA, @pcrisk, @SophosXOps, @coveware, @BroadcomSW, and @azalsecurity.
July 8, 2023
New “Big Head” ransomware shows fake Windows update alert
Security researchers have dissected a recently emerged ransomware strain dubbed “Big Head” that may be spread through malicious advertisements promoting fake Windows updates and fake Microsoft Word installers.
New Makop ransomware variant
PCrisk has found a new Makop variant that appends the .rajah extension and drops a ransom note named +README-WARNING+.txt.
New variants of STOP Ransomware
PCrisk has found new STOP variants that append the .gayn and .gazp extensions.
July 12, 2023
Ransomware payments on record trajectory for 2023
Data from the first half of the year indicates that ransomware activity is on track to break previous records, with an increase in the number of payments large and small.
New variants of STOP Ransomware
PCrisk has found new STOP variants that append the .waqq and .gaqq extensions.
New Chaos ransomware variant
PCrisk has found a new Chaos variant that appends the .hackedbySnea575 extension and drops a ransom note named README_txt.txt.
July 14, 2023
Shutterfly says Clop ransomware attack did not impact customer data
Shutterfly, an online retail and photography manufacturing platform, is among the latest victims of Clop ransomware.
July 17, 2023
Meet NoEscape: The Likely Successor to the Avaddon Ransomware Gang
The new NoEscape ransomware operation is believed to be a rebrand of Avaddon, a ransomware gang that shut down and released its decryption keys in 2021.
Police arrest Ukrainian scareware developer after 10-year hunt
Spanish national police have apprehended an internationally wanted Ukrainian national for his involvement in a scareware operation that ran from 2006 to 2011.
IT worker jailed for impersonating ransomware gang to extort employer
Ashley Liles, 28, a former IT worker, was sentenced to more than three years in prison for trying to blackmail his employer during a ransomware attack.
New variants of STOP Ransomware
PCrisk has found new STOP variants that append the .miza, .mitu, and .miqe extensions.
New Xorist ransomware variant
PCrisk has found a new Xorist variant that appends the .Pro extension and drops a ransom note named HOW TO DECRYPTE .txt FILES.
July 18, 2023
Cybersecurity company Sophos impersonated by new SophosEncrypt ransomware
Cybersecurity vendor Sophos is being impersonated by a new ransomware-as-a-service called SophosEncrypt, with the threat actors using the company’s name for their operation.
FIN8 deploys ALPHV ransomware using Sardonic malware variant
A gang of financially motivated cybercriminals has been observed deploying BlackCat/ALPHV ransomware payloads on compromised networks using a revamped version of the Sardonic backdoor.
July 19, 2023
Beauty giant Estée Lauder hit by two ransomware gangs
Two ransomware actors, ALPHV/BlackCat and Clop, have listed beauty company Estée Lauder on their data leak sites as a victim of separate attacks.
July 20, 2023
Kanti: Nim-based ransomware unleashed in the wild
New programming languages often have fewer security measures and less mature detection mechanisms than well-established languages. Threat actors (TAs) often attempt to circumvent traditional security defenses and evade detection by using a lesser-known programming language.
New Khronos ransomware
PCrisk has found a new Khronos ransomware that appends the .khronos extension and drops a ransom note named info.hta.
July 21, 2023
Clop gang to earn over $75 million from MOVEit extortion attacks
The Clop ransomware gang is expected to make between $75 million and $100 million by extorting victims of their massive MOVEit data theft campaign.
Ransom monetization rates drop to an all-time low despite rising average ransom payments
In the second quarter of 2023, the percentage of ransomware attacks that resulted in a victim payment fell to an all-time low of 34%. The trend represents the combined effects we noted earlier of companies continuing to invest in security, continuity assets, and incident response training. Despite these encouraging statistics, ransomware threat actors and the broader cyber extortion economy continue to evolve their attack and extortion tactics.
Return of the Bl00dy ransomware gang
Az Al Security noted that the ransomware gang recruits new affiliates, but demands payment first.
Bl00dy ransomware has now been announced on the RAMP forum and is asking for 10,000 USD to join its affiliate program. That is half the price of LockBit’s fees. Bl00dy seems to have felt the heat and seeks to be more discreet. Notably, the poster appears to be a native English speaker.
New variants of STOP Ransomware
PCrisk has found new STOP variants that append the .kiqu and .kizu extensions.
New Black Hunt 2.0 ransomware
PCrisk has found a new Black Hunt 2.0 ransomware that appends the .Hunt2 extension and drops ransom notes named #BlackHunt_ReadMe.txt and #BlackHunt_ReadMe.hta.
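The variant entries above each boil down to two host-level indicators: an extension appended to encrypted files and a ransom-note file name. The script below is an added triage example (it is not code from BleepingComputer, PCrisk or any of the gangs named here) that matches a file listing against exactly those indicators for the Makop, STOP, Chaos, Xorist, Khronos and Black Hunt 2.0 variants in this roundup. Two points it bakes in are assumptions rather than facts from the page: that an encrypted file keeps its original extension underneath the appended one (budget.xlsx.gayn), and that matching must be case-sensitive so Xorist’s .Pro does not fire on ordinary lower-case .pro files. The sample listing is constructed.

```python
"""Added triage helper: match file names against the appended extensions and
ransom-note names listed in this roundup. Not code from BleepingComputer,
PCrisk or any ransomware operation; the sample listing is constructed."""
import os
from pathlib import PurePath

# Appended extension -> family, copied from the variant entries above.
# Matching is case-sensitive on purpose: Xorist's ".Pro" must not fire on
# lower-case Qt project files such as app.pro.
APPENDED_EXTENSIONS = {
    ".rajah": "Makop",
    ".gayn": "STOP", ".gazp": "STOP", ".waqq": "STOP", ".gaqq": "STOP",
    ".miza": "STOP", ".mitu": "STOP", ".miqe": "STOP",
    ".kiqu": "STOP", ".kizu": "STOP",
    ".hackedbySnea575": "Chaos",
    ".Pro": "Xorist",
    ".khronos": "Khronos",
    ".Hunt2": "Black Hunt 2.0",
}

# Ransom-note file name -> family, copied from the variant entries above.
RANSOM_NOTES = {
    "+README-WARNING+.txt": "Makop",
    "README_txt.txt": "Chaos",
    "HOW TO DECRYPTE .txt FILES": "Xorist",
    "info.hta": "Khronos",
    "#BlackHunt_ReadMe.txt": "Black Hunt 2.0",
    "#BlackHunt_ReadMe.hta": "Black Hunt 2.0",
}


def classify(path):
    """Return (family, "note") or (family, "encrypted") for a suspicious
    path, else None. Accepts Windows or POSIX separators.

    An "encrypted" hit requires the original extension to still sit under
    the appended one (budget.xlsx.gayn). That is an assumption about how
    these families rename files; relax it if you see bare names. A lone
    'x.gayn' is therefore ignored so coincidental extensions do not trip
    the scan.
    """
    base = path.replace("\\", "/").rsplit("/", 1)[-1]
    if base in RANSOM_NOTES:
        return RANSOM_NOTES[base], "note"
    suffixes = PurePath(base).suffixes
    if len(suffixes) >= 2 and suffixes[-1] in APPENDED_EXTENSIONS:
        return APPENDED_EXTENSIONS[suffixes[-1]], "encrypted"
    return None


def scan(paths):
    """Group hits by family: {family: {"note": [...], "encrypted": [...]}}."""
    hits = {}
    for p in paths:
        result = classify(p)
        if result is None:
            continue
        family, kind = result
        hits.setdefault(family, {"note": [], "encrypted": []})[kind].append(p)
    return hits


def scan_tree(root):
    """Walk a directory on disk and run scan() over every file under it."""
    paths = []
    for dirpath, _dirs, files in os.walk(root):
        paths.extend(os.path.join(dirpath, f) for f in files)
    return scan(paths)


# Constructed directory listing for a stand-alone run (not a real incident).
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.gayn",
    r"C:\Users\alice\Pictures\holiday.jpg.waqq",
    r"C:\Users\alice\Desktop\contract.pdf.khronos",
    r"C:\Users\alice\Desktop\info.hta",
    r"D:\share\db.bak.Hunt2",
    r"D:\share\#BlackHunt_ReadMe.txt",
    r"C:\dev\app\app.pro",                      # Qt project file: must not match
    r"C:\dev\app\notes.txt.Pro",
    r"C:\dev\app\HOW TO DECRYPTE .txt FILES",
    r"C:\tmp\README_txt.txt",
    r"C:\tmp\x.gayn",                           # no original extension: ignored
    r"C:\Windows\System32\kernel32.dll",
]

if __name__ == "__main__":
    for family, kinds in sorted(scan(SAMPLE_LISTING).items()):
        print(f"{family}: {len(kinds['encrypted'])} encrypted file(s), "
              f"{len(kinds['note'])} ransom note(s)")
```

On a live host, call scan_tree() against a share or user profile and treat a family that shows notes but no encrypted files (or the reverse) as worth a second look rather than a clean result: the note and the extension are independent indicators, and a partial run or a variant with a new extension can leave only one of them behind.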
That’s it for this week! I hope everyone is having a good weekend!