It’s been a fairly quiet week on the ransomware front, with the biggest news being US sanctions against Iranians linked to ransomware attacks.

On Wednesday, the US Treasury Department announced sanctions against Iranians affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC) for breaching US networks and encrypting devices with DiskCryptor and BitLocker.

Researchers also published some interesting reports this week:

In Ransomware Attack News, Yanluowang Ransomware Gang started disclosing data stolen during a cyberattack on Cisco and Hive ransomware claimed an attack against Bell Technical Solutions (BTS).

Contributors and those who provided new ransomware information and stories this week include: @jorntvdw, @demonslay335, @serghei, @malwareforme, @malwhunterteam, @BleepinComputer, @LawrenceAbrams, @Seifreed, @DanielGallagher, @VK_Intel, @FourBytes, @billtoulas, @struppigel, @PolarToffee, @fwosar, @Ionut_Ilascu, @Bitdefender, @AlvieriD, @AWNetworks, @LabsSentinel, @pcrisk, @CISAgov and @security_score, @censysio and @juanbrodersen.

September 10, 2022

Ransomware Gangs Switch to New Intermittent Encryption Tactic

A growing number of ransomware groups are adopting a new tactic that helps them encrypt their victims’ systems faster while reducing the risk of detection and arrest.
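Why this tactic matters for defenders: a detector that checks whole-file entropy sees a partially encrypted file as mostly plaintext, while a per-chunk check still exposes the encrypted regions. The script below is an added example, not code from the article or from any of the groups it mentions; the 4 KiB chunk size, the 7.5 bits/byte threshold and the sample files are constructed assumptions for illustration.

```python
import math
import os

CHUNK = 4096  # assumed analysis window; not a value from the article


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, close to 8.0 for random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def chunk_entropies(data: bytes, chunk: int = CHUNK) -> list:
    """Entropy of each fixed-size window of the file."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def whole_file_flagged(data: bytes, high: float = 7.5) -> bool:
    """Naive check: flag only if the file as a whole looks random."""
    return shannon_entropy(data) >= high


def classify(data: bytes, chunk: int = CHUNK, high: float = 7.5) -> str:
    """Per-chunk check: 'clean', 'full' or 'intermittent' encryption."""
    ents = chunk_entropies(data, chunk)
    hi = sum(e >= high for e in ents)
    if hi == 0:
        return "clean"
    if hi == len(ents):
        return "full"
    return "intermittent"


def make_samples(n_chunks: int = 8, chunk: int = CHUNK):
    """Constructed inputs (not real ransomware output): plaintext, the same size
    of random bytes standing in for a fully encrypted file, and a copy where
    every other window is replaced by random bytes to mimic partial encryption."""
    plain = (b"The quick brown fox jumps over the lazy dog. " * 1000)[: n_chunks * chunk]
    full = os.urandom(len(plain))
    mixed = bytearray(plain)
    for i in range(0, len(mixed), 2 * chunk):
        mixed[i:i + chunk] = os.urandom(chunk)
    return plain, full, bytes(mixed)
```

On the mixed sample the whole-file entropy stays well under the threshold (half the bytes are still text), so only the per-chunk classifier reports it as encrypted.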

The Neverending Deadbolt Story

Recently, Censys has observed a massive increase in QNAP devices infected with Deadbolt. The Deadbolt team is stepping up its operations, and the number of victims is increasing every day.

September 12, 2022

Cisco Confirms Yanluowang Ransomware Leaked Stolen Corporate Data

Cisco has confirmed that data leaked yesterday by the Yanluowang ransomware gang was stolen from the company’s network in a cyberattack in May.

Lorenz ransomware breaches corporate network via phone systems

The Lorenz ransomware gang is now exploiting a critical vulnerability in Mitel MiVoice VoIP appliances to breach businesses, using their phone systems as the initial access point into their corporate networks.

New variants of STOP Ransomware

PCrisk found new STOP ransomware variants that add the .eemv and .eewt extensions to encrypted files.

New Scam Ransomware Variant

PCrisk has found a new ransomware named Scam, which adds the .scam extension to encrypted files and drops a ransom note named read_it.txt.

New variant of Babuk ransomware

PCrisk has found the new Babuk ransomware variant that adds the .Devil extension to encrypted files and drops a ransom note named How to recover your .txt files.

September 14, 2022

US government sanctions ten Iranians linked to ransomware attacks

The Treasury Department’s Office of Foreign Assets Control (OFAC) today announced sanctions against ten individuals and two entities affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC) for their involvement in ransomware attacks.

Buenos Aires Legislative Assembly recovers after cyberattack

The Buenos Aires City Legislative Assembly is slowly recovering from the cyberattack it suffered last Sunday: after changing passwords and disconnecting infected computers, it turned WiFi back on, restored one computer per area, and resumed parliamentary work. However, it has not disclosed what information was compromised or what type of attack it was.

CISA: cyber actors affiliated with Iran’s Islamic Revolutionary Guard Corps

This advisory updates the earlier CSA on Iranian government-sponsored APT cyber actors exploiting Microsoft Exchange and Fortinet vulnerabilities in pursuit of malicious activity. That advisory described how these Iranian government-sponsored APT actors exploit known Fortinet and Microsoft Exchange vulnerabilities to gain initial access to a wide range of targeted entities for malicious activity, including ransomware operations. The authoring agencies now deem these actors to be an APT group affiliated with the IRGC.

New variant of Dharma ransomware

PCrisk has found a new variant of Dharma ransomware that adds the .gnik extension to encrypted files.

New variant of STOP ransomware

PCrisk has found a new STOP ransomware variant that adds the .eeyu extension to encrypted files.

New variant of Snatch ransomware

PCrisk has found a new Snatch ransomware variant that adds the .winxvykljw extension to encrypted files.

September 15, 2022

Hive ransomware claims cyber attack on Bell Canada subsidiary

The Hive ransomware gang has claimed responsibility for an attack that affected the systems of Bell Technical Solutions (BTS), a subsidiary of Bell Canada.

A detailed analysis of the Quantum Ransomware

Quantum ransomware, a rebranding of MountLocker ransomware, was discovered in August 2021. The malware stops a list of processes and services, and can encrypt machines found in the Windows domain or local network, as well as network shares. It records all its activities in a file called ".log" and calculates a client ID by XOR-encrypting the computer name.

New variant of STOP ransomware

PCrisk has found a new STOP ransomware variant that adds the .eebn extension to encrypted files.

New BISAMWARE ransomware

PCrisk found the BISAMWARE ransomware, which adds the .BISAMWARE extension to encrypted files and drops a ransom note named SYSTEM=RANSOMWARE=INFECTED.TXT.

September 16, 2022

Bitdefender releases free decryptor for LockerGoga ransomware

Romanian cybersecurity company Bitdefender has released a free decryptor to help victims of LockerGoga ransomware recover their files without paying a ransom.

That's all for this week! I hope everyone is having a good weekend!
