The fallout from the Clop ransomware attacks on GoAnywhere platforms became apparent this week, with threat actors beginning to extort victims on their data leak site and companies confirming the breaches.

These attacks were claimed by Clop, a ransomware gang that has historically encrypted devices and stolen data to extort victims into paying a ransom. More recently, however, the gang has focused on data extortion rather than encryption.

Clop previously claimed to have breached and stolen data from 130 organizations over ten days using the GoAnywhere vulnerabilities.

This week, BleepingComputer learned that Clop had started extorting victims, sending ransom demands via email and creating profiles for numerous victims on their data leak site. At this time, it is unclear how much the threat actors are demanding in exchange for not releasing the stolen data.

This has led to numerous data breach disclosures by companies, including Community Health Systems (CHS), Hatch Bank, Rubrik, and Hitachi Energy, with probably many more to come.

In addition to Clop attacks, we learned about various ransomware attacks, including those on Essendant and the LA Housing Authority.

The other big news this week that will affect ransomware and other cybercrime is the seizure of the ChipMixer platform, which was used by cybercriminals to launder ransom payments, stolen cryptocurrency, and revenue generated from dark web markets.

Finally, interesting reports have been published on Trigona, LockBit 3.0, CatB, the transition of BianLian to pure data extortion, and more!

Contributors and those who provided new ransomware information and stories this week include @LawrenceAbrams, @Seifreed, @Ionut_Ilascu, @Ax_Sharma, @malwhunterteam, @struppigel, @BleepinComputer, @serghei, @fwosar, @billtoulas, @demonslay335, @kaspersky, @pcrisk, @ReliaQuest, @BrettCallow, and @Unit42_Intel.

March 11, 2023

Clop ransomware gang begins extorting zero-day GoAnywhere victims

The Clop ransomware gang has begun extorting companies whose data has been stolen using a zero-day vulnerability in the Fortra GoAnywhere MFT secure file sharing solution.

New STOP ransomware variants

Quietman7 spotted new STOP ransomware variants that add the .craa, .qazx, and .qapo extensions.

March 12, 2023

Medusa ransomware gang grows as it targets businesses worldwide

A ransomware operation known as Medusa began gaining momentum in 2023, targeting corporate victims around the world with million-dollar ransom demands.

Staples-owned Essendant faces multi-day ‘outage’, orders frozen

Essendant, a wholesale distributor of stationery and office supplies, is experiencing a multi-day systems “outage”, preventing customers and suppliers from placing and fulfilling orders online.

New variant of STOP ransomware

Quietman7 has spotted a new STOP ransomware variant that adds the .qarj extension.

March 13, 2023

Los Angeles Housing Authority Reveals Data Breach After Ransomware Attack

The Housing Authority of the City of Los Angeles (HACLA) is warning of a “data security event” after the LockBit ransomware gang targeted the organization and leaked data stolen in the attack.

New variants of Dharma ransomware

PCrisk found new Dharma ransomware variants that add the .as and .j3rd extensions.

New variants of Chaos ransomware

PCrisk found new Chaos ransomware variants that add the .nochi and .cyber extensions.

CatB Ransomware | File Locker sharpens its claws to steal data with MSDTC service DLL hijacking

The CatB ransomware family, sometimes referred to as CatB99 or Baxtoy, was first observed in late 2022, with campaigns seen regularly since November. The group's activities have drawn attention due to their continued use of DLL hijacking through the Microsoft Distributed Transaction Coordinator (MSDTC) service to extract and launch ransomware payloads.

March 14, 2023

Rubrik confirms data theft in GoAnywhere zero-day attack

Cybersecurity firm Rubrik has confirmed that its data was stolen using a zero-day vulnerability in the Fortra GoAnywhere secure file transfer platform.

New variant of Phobos ransomware

PCrisk has spotted a new Phobos ransomware variant that adds the .BACKJOHN extension.

New Variant of VoidCrypt Ransomware

PCrisk has spotted a new VoidCrypt ransomware variant that adds the .youhau extension and drops a ransom note named Decryption-guide.txt.

Microsoft fixes Windows zero-day exploited in ransomware attacks

Microsoft has patched another zero-day bug used by attackers to bypass the Windows SmartScreen cloud-based anti-malware service and deploy Magniber ransomware payloads without raising a red flag.

March 15, 2023

ChipMixer platform seized for laundering ransomware payments and selling drugs

An international law enforcement operation has seized the cryptocurrency mixing service “ChipMixer”, which is believed to be used by hackers, ransomware gangs and scammers to launder their profits.

FBI: Ransomware affected 860 critical infrastructure organizations in 2022

The Federal Bureau of Investigation (FBI) revealed in its 2022 Internet Crime Report that ransomware gangs hacked into the networks of at least 860 critical infrastructure organizations last year.

LockBit ransomware claims Essendant attack, company declares ‘network outage’

LockBit ransomware claimed responsibility for a cyberattack on Essendant, a wholesale distributor of office products, after a "significant" and ongoing outage took the company's operations offline.

New variant of Xorist ransomware

PCrisk has spotted a new Xorist ransomware variant that adds the .DrWeb extension and drops a ransom note named ??? ?????????? ?????.SMS.

QBot: Laying the Groundwork for Black Basta Ransomware Activity

Around the second half of the fourth quarter of 2022, ReliaQuest discovered a security incident taking place in a customer's environment. A malicious actor gained initial access to the network, escalated privileges, and moved laterally, establishing a foothold within 77 minutes.

March 16, 2023

Conti-Based Ransomware ‘MeowCorp’ Gets Free Decryptor

A decryption tool for a modified version of Conti ransomware could help hundreds of victims recover their files for free.

BianLian ransomware gang focuses on pure data extortion

The BianLian ransomware group has shifted its focus from encrypting its victims’ files to exfiltrating data found on compromised networks and using it for extortion purposes.

New STOP ransomware variants

Quietman7 spotted new STOP ransomware variants that add the .darz and .dapo extensions.

New Merlin ransomware

PCrisk has found a new ransomware variant that adds the .Merlin extension and drops a ransom note named Merlin_Recover.txt.

New variant of Phobos ransomware

PCrisk has spotted a new Phobos ransomware variant that adds the .usr extension.

#StopRansomware: LockBit 3.0

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing & Analysis Center (MS-ISAC) released this joint CSA to share known LockBit 3.0 ransomware IOCs and TTPs identified by FBI investigations as recently as March 2023.

Bee-Ware of Trigona, an emerging strain of ransomware

Trigona ransomware is a relatively new strain that security researchers first discovered in late October 2022. By analyzing Trigona ransomware binaries and ransom notes obtained from VirusTotal, along with information from Unit 42 incident response engagements, we determined that Trigona was very active in December 2022, with at least 15 potential victims compromised. The affected organizations are in the manufacturing, finance, construction, agriculture, marketing, and high-tech industries.

March 17, 2023

New variant of STOP ransomware

PCrisk has spotted a new STOP ransomware variant that adds the .dazx extension.
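The variant entries throughout this week's list (STOP, Dharma, Chaos, Phobos, VoidCrypt, Xorist, and Merlin) each boil down to an appended file extension and, in some cases, a ransom-note file name. Those two artifacts are the quickest host-level check an incident responder can run. The script below is an added example, not tooling from BleepingComputer or from the researchers credited above: the extension and note names come from the entries on this page, while the scanning and grouping logic, the sample directory layout, and the per-directory burst threshold are assumptions made here for illustration.

```python
import os
import tempfile
from collections import defaultdict

# Extensions appended by the variants reported this week, by family.
# The names are taken from the entries above; the rest of this file is
# illustrative scanning logic, not the researchers' own tooling.
RANSOMWARE_EXTENSIONS = {
    "STOP": {".craa", ".qazx", ".qapo", ".qarj", ".darz", ".dapo", ".dazx"},
    "Dharma": {".as", ".j3rd"},
    "Chaos": {".nochi", ".cyber"},
    "Phobos": {".BACKJOHN", ".usr"},
    "VoidCrypt": {".youhau"},
    "Xorist": {".DrWeb"},
    "Merlin": {".Merlin"},
}

# Ransom-note file names reported this week, mapped to family.
RANSOM_NOTES = {
    "Decryption-guide.txt": "VoidCrypt",
    "Merlin_Recover.txt": "Merlin",
}


def classify(path):
    """Return (family, kind) for one path, or None if nothing matches.

    kind is "note" for a ransom note and "ext" for an encrypted file.
    Appended extensions follow the original one (report.docx.craa), so
    only the final suffix is compared, exactly as reported. Note names
    are compared case-insensitively (assumption made for this example).
    """
    name = os.path.basename(path)
    for note, family in RANSOM_NOTES.items():
        if name.lower() == note.lower():
            return family, "note"
    ext = os.path.splitext(name)[1]
    for family, exts in RANSOMWARE_EXTENSIONS.items():
        if ext in exts:
            return family, "ext"
    return None


def scan(root, min_files_per_dir=5):
    """Walk root and group matches by family and by directory.

    Returns {"notes": [(path, family)], "encrypted": {family: [paths]},
    "hot_dirs": [(dir, family, count)]}. hot_dirs lists directories in
    which at least min_files_per_dir files carry one family's extension:
    a burst of renamed files is a far stronger signal than one match,
    because short extensions such as .as or .usr also belong to
    legitimate file types.
    """
    report = {"notes": [], "encrypted": defaultdict(list), "hot_dirs": []}
    per_dir = defaultdict(lambda: defaultdict(int))
    for dirpath, _subdirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            hit = classify(full)
            if hit is None:
                continue
            family, kind = hit
            if kind == "note":
                report["notes"].append((full, family))
            else:
                report["encrypted"][family].append(full)
                per_dir[dirpath][family] += 1
    for dirpath, counts in per_dir.items():
        for family, count in counts.items():
            if count >= min_files_per_dir:
                report["hot_dirs"].append((dirpath, family, count))
    report["encrypted"] = dict(report["encrypted"])
    return report


def build_sample_tree():
    """Create a constructed sample tree in a temp dir and return its path.

    It mixes a STOP-style burst, two VoidCrypt files beside their note,
    one Merlin file with its note, clean files, and a legitimate
    ActionScript source (main.as) that collides with Dharma's .as.
    """
    root = tempfile.mkdtemp(prefix="ransomscan_")
    layout = {
        "docs": [f"report{i}.docx.craa" for i in range(6)] + ["budget.xlsx"],
        "home": ["holiday.jpg.youhau", "notes.txt.youhau", "Decryption-guide.txt"],
        "srv": ["backup.zip.Merlin", "Merlin_Recover.txt", "archive.tar.gz"],
        "src": ["main.as"],
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub))
        for name in names:
            with open(os.path.join(root, sub, name), "w") as fh:
                fh.write("sample\n")
    return root


if __name__ == "__main__":
    result = scan(build_sample_tree())
    for path, family in result["notes"]:
        print(f"ransom note ({family}): {path}")
    for dirpath, family, count in result["hot_dirs"]:
        print(f"burst: {count} {family} files in {dirpath}")
    for family, paths in result["encrypted"].items():
        print(f"{family}: {len(paths)} matching file(s)")
```

Point it at a real share by calling scan() with the mount path instead of the constructed tree. The output deliberately separates single extension hits from bursts: main.as is reported under Dharma but never as a hot directory, which is the caveat to keep in mind before acting on any one of the short extensions listed this week. A ransom note sitting next to a cluster of renamed files is the combination worth paging on.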

Hitachi Energy Confirms Data Breach After Clop GoAnywhere Attacks

Hitachi Energy has confirmed that it suffered a data breach after the Clop ransomware gang stole data using a GoAnywhere zero-day vulnerability.

That's it for this week! I hope everyone has a good weekend!
