
The week was dominated by fallout from the MOVEit Transfer data theft attacks, with the Clop ransomware gang confirming they were behind them.

On Monday, Microsoft was the first to attribute the attacks to the Clop ransomware operation, followed by the threat actors themselves telling BleepingComputer that they started exploiting servers on May 27.

After analyzing historical telemetry, Kroll security experts also discovered that the Clop gang had likely been testing the MOVEit Transfer zero-day since 2021 in limited attacks.

As expected, we are only just beginning to see the fallout from the attacks, with victims posting announcements and data breach notifications.

Companies that have disclosed MOVEit Transfer breaches so far are listed below:

In other news, the Royal ransomware gang has started testing a new BlackSuit encryptor in limited attacks. Since it is a standalone ransomware operation with its own encryptor, Tor negotiation site and data leak site, it is unclear how they plan to use BlackSuit in the future.

Other research published this week focuses on new ransomware variants called Cyclops and Xollam.

There was an interesting development regarding the Rhysida ransomware attack on the Chilean military, with an Army corporal arrested for alleged involvement.

We also saw an attack on Japanese pharmaceutical company Eisai, and Australia’s largest commercial law firm, HWL Ebsworth, refusing to give in to extortion demands from the ALPHV ransomware gang.

Finally, we would be remiss not to share the excellent map of ransomware operations created by CERT Orange Cyberdefense Threat Intelligence Researcher Marine Pichon.

Contributors and those who provided new ransomware information and stories this week include: @serghei, @LawrenceAbrams, @malwhunterteam, @BleepinComputer, @demonslay335, @DanielGallagher, @fwosar, @billtoulas, @KrollWire, @Mar_Pich, @RedSenseIntel, @CISAgov, @FBI, @MsftSecIntel, @pcrisk, @TrendMicro, @PogoWasRight, @catabatarce, @GossiTheDog, @BrettCallow, and @uptycs.

June 4, 2023

CISA orders government agencies to fix MOVEit bug used for data theft

CISA has added an actively exploited security bug in the managed file transfer (MFT) solution Progress MOVEit Transfer to its list of known exploited vulnerabilities, ordering US federal agencies to patch their systems by June 23.

Rhysida ransomware group claims attack on Martinique

DataBreaches has not reviewed all of the files leaked by the Rhysida ransomware group, but as the screenshot of only a small portion of the list of files suggests, they appear to be government-related files. Unlike other groups that often provide a brief summary of the file types they leak, Rhysida offers no information about the size of the data leak or its contents.

June 5, 2023

Microsoft links Clop ransomware gang to MOVEit data theft attacks

Microsoft has linked the Clop ransomware gang to recent attacks that exploited a zero-day vulnerability in the MOVEit Transfer platform to steal data from organizations.

Clop ransomware claims responsibility for MOVEit extortion attacks

The Clop ransomware gang told BleepingComputer they were behind the MOVEit Transfer data theft attacks, where a zero-day vulnerability was exploited to breach servers belonging to “hundreds of companies” and steal data.

A martial hacker: PDI arrests an army corporal for cyberattack on the internal networks of the military institution

Editor’s note: This is related to the Rhysida ransomware attack on the Chilean military.

According to sources in the case, a series of electronic devices were seized from the soldier, which are currently being examined by detectives. He was prosecuted for the crime of breaching the Computer Crimes Act, and then he was remanded in custody.

Cyclops Ransomware and Stealer Combo: Exploring a Dual Threat

The Cyclops group is particularly proud to have created ransomware capable of infecting all three major platforms: Windows, Linux and macOS. In an unprecedented move, it also shared a separate binary specifically designed to steal sensitive data, such as the infected computer’s name and number of processes. The latter targets specific files on both Windows and Linux.

New variants of Dharma ransomware

PCrisk found new variants of Dharma ransomware that add the .NBR and .THANKS extensions.

New STOP ransomware variants

PCrisk has found new STOP ransomware variants that add the .nerz, .neon, and .neqp extensions.

June 6, 2023

Xollam, the latest face of TargetCompany

After being first detected in June 2021, the TargetCompany ransomware family has undergone several name changes, which have signified major updates in the ransomware family, such as changes to the encryption algorithm and different decryptor features.

June 7, 2023

CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability

According to open source information, starting on May 27, 2023, CL0P Ransomware Gang, also known as TA505, began exploiting a previously unknown SQL injection vulnerability (CVE-2023-34362) in Progress Software’s Managed File Transfer (MFT) solution known as MOVEit Transfer.

June 8, 2023

Royal ransomware gang adds BlackSuit encryptor to its arsenal

The Royal ransomware gang has started testing a new encryptor called BlackSuit, which shares many similarities with the operation’s regular encryptor.

Clop ransomware probably testing MOVEit zero-day since 2021

The Clop ransomware gang has been looking for ways to exploit a now patched zero-day in the managed file transfer (MFT) solution MOVEit Transfer since 2021, according to security experts at Kroll.

An amazing map of the ransomware ecosystem and its evolution

Marine Pichon put together an amazing, and probably thorough, map illustrating ransomware operations and the groups they are affiliated with. It’s worth taking a look.

Japanese pharma giant Eisai reveals ransomware attack

Pharmaceutical company Eisai has revealed that it suffered a ransomware incident that impacted its operations, admitting attackers encrypted some of its servers.

New variant of Dharma

PCrisk has found a new variant of Dharma ransomware that adds the .mono extension.

June 9, 2023

BlackCat ransomware fails to extort Australian commercial law giant

Australian law firm HWL Ebsworth has confirmed to local media that its network was hacked after the ALPHV ransomware gang began leaking data they claim was stolen from the firm.

University of Manchester says hackers ‘likely’ stole data in cyberattack

The University of Manchester is warning staff and students that they have suffered a cyberattack where threat actors have likely stolen data from the University’s network.

That’s all for this week! I hope everyone is having a good weekend!
