Ransomware gangs continue to hammer local governments in attacks, destroying computer systems and disrupting the city’s online services.

Earlier this month we saw this with the Royal Ransomware attack on Dallas, and this week the city of Augusta, Georgia also suffered a cyberattack.

While the Augusta mayor’s office released a statement indicating that they suffered a cyberattack, they did not share any details about the breach.

“The City of Augusta, GA began experiencing technical difficulties on Sunday, May 21, 2023, unrelated to last week’s outage, causing some computer systems to be out of service,” reads the statement. City statement.

“We have opened an investigation and determined that we were victims of unauthorized access to our system.”

However, today the BlackByte ransomware operation claimed responsibility for the Augusta attack, leaking data they claim was stolen in the attack.

Other attacks we learned more about this week include a BlackBasta attack on German arms manufacturer Rheinmetall And ABB confirms that data was stolen during a attack earlier this month.

Cuba’s ransomware gang has also claimed responsibility for the attack on The Philadelphia Inquirer. However, after the publisher said the data did not belong to it, Cuba took the Inquirer’s entry to its data leak site.

We’ve also seen some interesting reports from security companies and researchers:

Finally, ransomware affiliate Bassterlord released a “slightly” edited but highly sought-after version of its version 2.0 ransomware handbook that was selling for $10,000 on hacker forums.

While some researchers felt the manual lacked detail, threat actors can still use it to gain more knowledge and learn how to penetrate corporate networks.

While we do not share this playbook, all network advocates and security professionals are advised to read the translated versions circulating on Twitter, or some of the analysis linked below, to learn what tactics were being taught.

Contributors and those who provided new ransomware information and stories this week include: @demonslay335, @malwhunterteam, @BleepinComputer, @serghei, @billtoulas, @fwosar, @Ionut_Ilascu, @struppigel, @LawrenceAbrams, @Seifreed, @security_score, @Unit42_Intel, @_CPResearch_, @pcrisk, @BroadcomSW, @uuallan, @Jon__DiMaggio, @Ashukuhi, @BushidoToken, @BrettCallowAnd @UK_Daniel_Card.

May 22, 2023

Malicious Windows kernel drivers used in BlackCat ransomware attacks

The ALPHV (aka BlackCat) ransomware group has been observed using malicious signed Windows kernel drivers to evade detection by security software during attacks.

New variants of STOP Ransomware

Risk found new STOP Ransomware variants that add the .gapo, .gatqAnd .glance expansions.

New variant MedusaLocker

PCrisk has found a new variant of MedusaLocker that adds the .itlock20 extension (the number may differ) and drops a ransom note named How_to_back_files.html.

May 23, 2023

A Deep Dive into Medusa Ransomware

The Medusa ransomware emerged in June 2021, and it became more active this year by launching the “Medusa Blog” featuring leaked data from victims who failed to pay the ransom. The malware stops a list of decrypted services and processes while running and deletes the Volume Shadow
Copies.

IT employee poses as a ransomware gang to extort his employer

A 28-year-old UK man from Fleetwood, Hertfordshire, has been found guilty of gaining unauthorized access to a computer with criminal intent and blackmailing his employer.

Arms maker Rheinmetall confirms BlackBasta ransomware attack

German auto and arms manufacturer Rheinmetall AG confirms that it suffered a BlackBasta ransomware attack that impacted its civilian business.

Cuba ransomware claims cyber attack on Philadelphia Inquirer

The Cuban ransomware gang claimed responsibility for this month’s cyberattack on The Philadelphia Inquirer, which temporarily halted distribution of the newspaper and disrupted some business operations.

May 24, 2023

Iranian hackers use new Moneybird ransomware to attack Israeli organizations

An alleged Iranian state-backed threat actor known as “Agrius” is currently deploying a new strain of ransomware named “Moneybird” against Israeli organizations.

May 25, 2023

New Buhti Ransomware Gang Uses Leaked Windows and Linux Encryptors

A new ransomware operation codenamed “Buhti” uses leaked code from the LockBit and Babuk ransomware families to target Windows and Linux systems respectively.

New variants of STOP Ransomware

PCrisk has found new STOP Ransomware variants that add the .vape, .vatqAnd .vaze expansions.

New FAST ransomware

PCrisk has found new ransomware that adds the .FAST extension and drops a ransom note named #FILEENCRYPTED.txt.

Really? $10,000 for THIS? An overview of version 2.0 of the Basterlord manual

Basterlord posted the highly sought after 2nd version of his manual on Twitter.

May 26, 2023

BlackByte ransomware claims responsibility for Augusta city cyberattack

The city of Augusta in Georgia, USA has confirmed that the latest computer system outage was caused by unauthorized access to its network.

US government contractor ABB confirms ransomware attack and data theft

Swiss multinational technology company and US government contractor ABB has confirmed that some of its systems have been hit by a ransomware attack, previously described by the company as “a computer security incident”.

New EXISC ransomware

PCrisk has found a new ransomware variant that adds the .EXISC extension and drops a ransom note named Please contact us to restore.txt.

Analysis of “THE MANUAL”

Yesterday, Basterlord (an infamous ransomware operator) released a copy of the “Networking Manual v2.0” (which I will call “the manual”). So of course I thought we should analyze this and see what he was selling for $10,000!

On-Demand Webinar: The Lord Has Fallen

Join Ransomware Diaries: Volume 2 – A Ransomware Hacker Origin Story author Jon DiMaggio for a dive into the ramifications that Bassterlord has faced since his story was published.

It’s all for this week ! I hope everyone is having a good weekend!