
Police arrest hacker

The biggest news this week was the coordinated international law enforcement operation between Europol, the FBI, the Netherlands, Germany and Ukraine that targeted the DoppelPaymer ransomware operation.

As part of this operation, the police arrested two main members of the DoppelPaymer gang and raided several locations, where they seized electronic devices.

DoppelPaymer is believed to be one of the ransomware brands operated by the Evil Corp cybercrime operation, which is also known to operate and distribute the malicious Dridex botnet.

After the United States sanctioned Evil Corp in 2019 for causing over $100 million in financial damage, many ransomware recovery and trading companies refused to interact with the ransomware operation, leading to a significant decrease in ransom payments.

These sanctions have led Evil Corp to constantly rebrand its ransomware operations under new names, with DoppelPaymer rebranding as Grief (aka Pay or Grief) in the summer of 2021.

Another big piece of news this week came today, with the SEC announcing a settlement with Blackbaud for failing to disclose the full impact of a 2020 ransomware attack that reached more than 13,000 customers.

New research was also published this week on the Royal ransomware's ESXi encryptor and a new IceFire Linux encryptor.

Finally, we learned more about various ransomware attacks this week, including those on the City of Oakland, Hospital Clínic de Barcelona, Technion, Fonasa, and the Minneapolis Public Schools district.

Contributors and those who provided new ransomware information and stories this week include: @BleepinComputer, @serghei, @Seifreed, @malwhunterteam, @demonslay335, @LawrenceAbrams, @billtoulas, @fwosar, @PolarToffee, @LabsSentinel, @BrettCallow, @security_score, @AhnLab_SecuInfo, @AJVicens, @AlvieriD, @pcrisk, @chum1ng0, and @TrendMicro.

March 4, 2023

Ransomware Gang Leaks Stolen Data From City of Oakland

The Play ransomware gang has begun leaking data from the city of Oakland, California, which was stolen in a recent cyberattack.

March 6, 2023

Top members of DoppelPaymer ransomware gang targeted in Europol operation

Europol announced that law enforcement in Germany and Ukraine had targeted two people suspected of being key members of the DoppelPaymer ransomware group.

March 7, 2023

Hospital Clínic de Barcelona severely hit by a ransomware attack

Hospital Clínic de Barcelona suffered a ransomware attack on Sunday morning, severely disrupting its healthcare services after the facility’s virtual machines were targeted by the attacks.

ESXi Ransomware – A Case Study of Royal Ransomware

“Royal ransomware joins other ransomware groups targeting ESXi servers. Files are encrypted using the AES algorithm, with the key and IV being encrypted using the hardcoded RSA public key in the executable. The process can partially encrypt a file depending on its size and the value of the “-ep” parameter. The extension of encrypted files is changed to “.royal_u”.”

Israel accuses prolific Iran-linked hacking group of hacking university in February

Iran was behind a cyberattack on a major research university in Israel last month, Israel’s National Cybersecurity Directorate announced on Tuesday.

Ransomware targeting the Albanian government – RoadSweep 2.0

Albanian media reported two targeted large-scale cyberattacks of the same type and most likely by the same attackers as another previous ransomware attack on Albania.

New MedusaLocker variant

PCrisk found a new MedusaLocker variant that adds the .accessd extension and drops a ransom note named How_to_back_files.html.

March 8, 2023

Ransomware gang releases video of data stolen from Minneapolis schools

The Medusa ransomware gang is demanding a $1,000,000 ransom from the Minneapolis Public Schools District (MPS) to delete data allegedly stolen in a ransomware attack.

March 9, 2023

IceFire ransomware now encrypts Linux and Windows systems

Threat actors linked to the IceFire ransomware operation are now actively targeting Linux systems around the world with a new dedicated encryptor.

Decryptable iswr Ransomware distributed in Korea

ASEC (AhnLab Security Emergency Response Center) recently discovered the distribution of the iswr ransomware during the team's monitoring.

Examining ransomware payments from a data science lens

In this article, we discuss case studies that demonstrated how data science techniques were applied in our investigation of ransomware groups’ ransom transactions, as detailed in our joint research with Waratah Analytics, “What policy makers need to know about the risk of ransomware”.

New variant of STOP ransomware

PCrisk has found a STOP variant that adds the .coba extension.

March 10, 2023

Blackbaud will pay $3 million for misleading disclosure of ransomware attack

Cloud software provider Blackbaud has agreed to pay $3 million to settle charges brought by the Securities and Exchange Commission (SEC), alleging it failed to disclose the full impact of a 2020 ransomware attack that reached more than 13,000 customers.

BlackCat confirms Fonasa attack

In a Tox chat, BlackCat confirmed to DataBreaches that they are responsible for the attack and they say they will announce it soon on their leaks page. A spokesperson for the group told DataBreaches that they are not giving Fonasa more time to respond because they haven’t heard from them at all.

That’s it for this week! I hope everyone is having a good weekend!


