Ransomware gangs continue to hammer local governments, destroying computer systems and disrupting cities’ online services.
Earlier this month we saw this with the Royal Ransomware attack on Dallas, and this week the city of Augusta, Georgia also suffered a cyberattack.
While the Augusta mayor’s office released a statement indicating that they suffered a cyberattack, they did not share any details about the breach.
“The City of Augusta, GA began experiencing technical difficulties on Sunday, May 21, 2023, unrelated to last week’s outage, causing some computer systems to be out of service,” reads the statement.
“We have opened an investigation and determined that we were victims of unauthorized access to our system.”
However, today the BlackByte ransomware operation claimed responsibility for the Augusta attack, leaking data they claim was stolen in the attack.
Other attacks we learned more about this week include a BlackBasta attack on German arms manufacturer Rheinmetall, and ABB confirmed that data was stolen during an attack earlier this month.
The Cuba ransomware gang has also claimed responsibility for the attack on The Philadelphia Inquirer. However, after the publisher said the data did not belong to it, Cuba removed the Inquirer’s entry from its data leak site.
We’ve also seen some interesting reports from security companies and researchers:
Finally, ransomware affiliate Bassterlord released a “slightly” edited but highly sought-after version of his version 2.0 ransomware handbook, which had been selling for $10,000 on hacker forums.
While some researchers felt the manual lacked detail, threat actors can still use it to gain more knowledge and learn how to penetrate corporate networks.
While we do not share this playbook, network defenders and security professionals are advised to read the translated versions circulating on Twitter, or some of the analysis linked below, to learn what tactics were being taught.
Contributors and those who provided new ransomware information and stories this week include: @demonslay335, @malwhunterteam, @BleepinComputer, @serghei, @billtoulas, @fwosar, @Ionut_Ilascu, @struppigel, @LawrenceAbrams, @Seifreed, @security_score, @Unit42_Intel, @_CPResearch_, @pcrisk, @BroadcomSW, @uuallan, @Jon__DiMaggio, @Ashukuhi, @BushidoToken, @BrettCallow, and @UK_Daniel_Card.
May 22, 2023
The ALPHV (aka BlackCat) ransomware group has been observed using malicious signed Windows kernel drivers to evade detection by security software during attacks.
PCrisk found new STOP ransomware variants that add the .gapo, .gatq, and .glance extensions.
PCrisk has found a new variant of MedusaLocker that adds the .itlock20 extension (the number may differ) and drops a ransom note named How_to_back_files.html.
May 23, 2023
The Medusa ransomware emerged in June 2021, and it became more active this year by launching the “Medusa Blog” featuring leaked data from victims who failed to pay the ransom. The malware stops a list of decrypted services and processes while running and deletes the Volume Shadow
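The two behaviours described above, stopping services and deleting Volume Shadow Copies before encryption, are common to most ransomware families and are among the cheapest things a defender can detect. The following is an added example, not code from the original article or from any of the researchers it cites: a small Python detector that reads constructed process-creation events (the log format, host names and command lines are assumptions made for the example) and raises a high-severity alert when one parent process both deletes shadow copies and stops services inside a short window. It generalizes beyond Medusa, since the same pre-encryption steps appear across families.

```python
"""Flag process-creation events that resemble ransomware pre-encryption
steps: shadow-copy deletion and bulk service stopping."""
import re
from collections import defaultdict
from datetime import datetime

# Detection rules: category -> regex over the command line. These are the
# built-in Windows tools commonly abused for each step; the rule set is an
# assumption made for this example and would be tuned to local telemetry.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"(?:vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete)",
        re.I),
    "service_stop": re.compile(
        r"(?:\bnet1?(?:\.exe)?\s+stop\s+\S|\bsc(?:\.exe)?\s+stop\s+\S)", re.I),
}

# Constructed sample events (not real telemetry): timestamp|host|parent image|command line.
# The last line is benign enumeration and must not match.
SAMPLE_EVENTS = r"""
2023-05-23T10:01:02|WS01|C:\Windows\explorer.exe|"C:\Program Files\App\app.exe" --update
2023-05-23T10:02:15|WS01|C:\Users\u\Downloads\update.exe|vssadmin.exe delete shadows /all /quiet
2023-05-23T10:02:16|WS01|C:\Users\u\Downloads\update.exe|wmic shadowcopy delete
2023-05-23T10:02:17|WS01|C:\Users\u\Downloads\update.exe|net stop "SQLWriter" /y
2023-05-23T10:02:18|WS01|C:\Users\u\Downloads\update.exe|sc stop MSSQLSERVER
2023-05-23T10:05:00|WS02|C:\Windows\System32\svchost.exe|vssadmin.exe list shadows
""".strip()


def parse_events(text):
    """Parse pipe-separated event lines into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, host, parent, cmd = line.split("|", 3)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "parent": parent, "cmd": cmd})
    return events


def match_rules(event):
    """Return the rule categories whose regex matches the event's command line."""
    return [name for name, rx in RULES.items() if rx.search(event["cmd"])]


def correlate(events, window_seconds=300):
    """Group rule hits by (host, parent image). A parent that triggers every
    category within the window is reported as high severity; any other parent
    with at least one hit is reported as medium severity."""
    groups = defaultdict(list)
    for ev in events:
        for cat in match_rules(ev):
            groups[(ev["host"], ev["parent"])].append((ev["ts"], cat, ev["cmd"]))
    alerts = []
    for (host, parent), hits in groups.items():
        hits.sort()
        cats = {c for _, c, _ in hits}
        span = (hits[-1][0] - hits[0][0]).total_seconds()
        severity = "high" if len(cats) == len(RULES) and span <= window_seconds else "medium"
        alerts.append({"host": host, "parent": parent, "categories": sorted(cats),
                       "hits": len(hits), "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Correlating on the parent image rather than alerting on each command separately is what keeps the rule usable: administrators do run `vssadmin` and `net stop` on their own, but a single unsigned binary in a user profile doing both within seconds is the pattern worth paging on.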
A 28-year-old UK man from Fleetwood, Hertfordshire, has been found guilty of gaining unauthorized access to a computer with criminal intent and blackmailing his employer.
German auto and arms manufacturer Rheinmetall AG confirms that it suffered a BlackBasta ransomware attack that impacted its civilian business.
The Cuba ransomware gang claimed responsibility for this month’s cyberattack on The Philadelphia Inquirer, which temporarily halted distribution of the newspaper and disrupted some business operations.
May 24, 2023
An alleged Iranian state-backed threat actor known as “Agrius” is currently deploying a new strain of ransomware named “Moneybird” against Israeli organizations.
May 25, 2023
A new ransomware operation codenamed “Buhti” uses leaked code from the LockBit and Babuk ransomware families to target Windows and Linux systems respectively.
PCrisk has found new STOP ransomware variants that add the .vape, .vatq, and .vaze extensions.
PCrisk has found new ransomware that adds the .FAST extension and drops a ransom note named #FILEENCRYPTED.txt.
Bassterlord posted the highly sought-after second version of his manual on Twitter.
May 26, 2023
The city of Augusta in Georgia, USA has confirmed that the latest computer system outage was caused by unauthorized access to its network.
Swiss multinational technology company and US government contractor ABB has confirmed that some of its systems have been hit by a ransomware attack, previously described by the company as “a computer security incident”.
PCrisk has found a new ransomware variant that adds the .EXISC extension and drops a ransom note named Please contact us to restore.txt.
Yesterday, Bassterlord (an infamous ransomware operator) released a copy of the “Networking Manual v2.0” (which I will call “the manual”). So of course I thought we should analyze this and see what he was selling for $10,000!
Join Jon DiMaggio, author of Ransomware Diaries: Volume 2 – A Ransomware Hacker Origin Story, for a dive into the ramifications that Bassterlord has faced since his story was published.