With ransom payments declining, ransomware gangs are evolving their extortion tactics, finding new ways to pressure victims into paying.
This week that was seen from both the Clop and BlackCat/ALPHV ransomware gangs, each of which added a new tactic to its extortion scheme.
Clop has begun to create clearweb sites to leak data stolen during the MOVEit Transfer attacks, similar to a tactic introduced by ALPHV in 2022.
Using clearweb sites makes it easier to access the stolen data and could allow search engines to index the data and make it more readily available, further applying pressure on victims to have it removed.
At this time, Clop has only created sites for the larger MOVEit victims, likely to avoid the overhead of maintaining so many individual sites.
We also saw a new extortion strategy from BlackCat, who introduced a data leak API that makes it easy to pull the latest list of victims posted on their data leak site.
The aim is to spread awareness of the gang's new victims more quickly, in the hope that the added exposure pressures them into paying a ransom.
Sophos also released new research containing further details on the new Nitrogen initial access malware used by BlackCat.
Finally, we learned more about some recent attacks:
Contributors and those who provided new ransomware information and stories this week include: @billtoulas, @Seifreed, @malwareforme, @BleepinComputer, @LawrenceAbrams, @demonslay335, @struppigel, @DanielGallagher, @malwrhunterteam, @VK_Intel, @serghei, @fwosar, @Ionut_Ilascu, @FourOctets, @jorntvdw, @PolarToffee, @jgreigj, @BrettCallow, @SophosXOps, @eSentire, @vxunderground, @AlvieriD, and @pcrisk.
July 23rd 2023
The Clop ransomware gang is copying an ALPHV ransomware gang extortion tactic by creating Internet-accessible websites dedicated to specific victims, making it easier to leak stolen data and further pressuring victims into paying a ransom.
July 24th 2023
Yamaha’s Canadian music division confirmed that it recently dealt with a cyberattack after two different ransomware groups claimed to have attacked the company.
Akira ransomware is a new and sophisticated threat that has been targeting organizations in recent months. The ransomware encrypts files on the victim's system and then demands a ransom payment to decrypt them.
PCrisk found a new STOP ransomware variant that appends the .kitu extension.
PCrisk found a new Architects ransomware, which appends the .architects extension and drops a ransom note named readme.txt.
July 26th 2023
A new ‘Nitrogen’ initial access malware campaign uses Google and Bing search ads to promote fake software sites that infect unsuspecting users with Cobalt Strike and ransomware payloads.
The ALPHV ransomware gang, also referred to as BlackCat, is trying to put more pressure on their victims to pay a ransom by providing an API for their leak site to increase visibility for their attacks.
PCrisk found new STOP ransomware variants that append the .wsuu and .wsaz extensions.
July 27th 2023
U.S. government services contractor Maximus has disclosed a data breach warning that hackers stole the personal data of 8 to 11 million people during the recent MOVEit Transfer data-theft attacks.
PCrisk found a new STOP ransomware variant that appends the .wspn extension.
July 28th 2023
The Hawaiʻi Community College has admitted that it paid a ransom to ransomware actors to prevent the leaking of stolen data of approximately 28,000 people.
PCrisk found the Black Berserk ransomware, which appends the .Black extension and drops a ransom note named Black_Recover.txt.
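The extensions and ransom-note names reported by PCrisk this week (.kitu, .wsuu, .wsaz, .wspn for STOP; .architects with readme.txt; .Black with Black_Recover.txt) are usable as file-system indicators. The sweep below is an added example written for this article, not code from PCrisk or from any of the researchers credited above. The directory tree it scans is constructed inline for the demonstration, the family names are taken from the entries above, and two choices are assumptions of this example rather than facts from the page: extension matching is deliberately case-sensitive (so `.black` is not treated as Black Berserk's `.Black`), and because `readme.txt` is a generic filename it is only counted as a confirmed Architects note when `.architects` files sit in the same directory.

```python
import os
import shutil
import tempfile
from collections import defaultdict

# Extension -> (family, ransom note filename) from this week's PCrisk reports.
# A note of None means no note name was reported for that extension here.
IOCS = {
    ".kitu": ("STOP/Djvu", None),
    ".wsuu": ("STOP/Djvu", None),
    ".wsaz": ("STOP/Djvu", None),
    ".wspn": ("STOP/Djvu", None),
    ".architects": ("Architects", "readme.txt"),
    ".Black": ("Black Berserk", "Black_Recover.txt"),
}
NOTES = {family: note for _ext, (family, note) in IOCS.items() if note}


def sweep(root):
    """Walk `root` and return {family: {"files", "notes", "unconfirmed_notes"}}.

    "files" are paths carrying a reported encrypted-file extension.
    "notes" are ransom notes found in a directory that also holds encrypted
    files of the same family; "unconfirmed_notes" are notes found alone, which
    matters for generic names such as readme.txt (assumption of this example).
    """
    hits = defaultdict(lambda: {"files": [], "notes": [], "unconfirmed_notes": []})
    for dirpath, _dirs, files in os.walk(root):
        present = set()  # families whose encrypted files appear in this directory
        for name in files:
            for ext, (family, _note) in IOCS.items():
                # Case-sensitive on purpose; ".Black" and ".black" are not the same indicator.
                if name.endswith(ext) and name != ext:
                    hits[family]["files"].append(os.path.join(dirpath, name))
                    present.add(family)
        for name in files:
            for family, note in NOTES.items():
                if name == note:
                    key = "notes" if family in present else "unconfirmed_notes"
                    hits[family][key].append(os.path.join(dirpath, name))
    return dict(hits)


def build_sample_tree():
    """Constructed sample tree for the demonstration; not data from any real victim."""
    root = tempfile.mkdtemp(prefix="ioc-sweep-")
    layout = [
        "finance/q2.xlsx.wsuu",            # STOP variant from the July 26th entry
        "finance/budget.docx.wsuu",
        "design/plans.dwg.architects",     # Architects, with its note alongside
        "design/readme.txt",               # confirmed: same directory as .architects files
        "docs/readme.txt",                 # ordinary README, no encrypted files -> unconfirmed
        "hr/payroll.csv.Black",            # Black Berserk
        "hr/Black_Recover.txt",            # its ransom note
        "hr/notes.black",                  # lowercase: not the reported .Black extension
    ]
    for rel in layout:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"")
    return root


def summarize(result):
    """Flatten the sweep result into (family, file_count, confirmed_note_count) tuples."""
    return sorted(
        (family, len(h["files"]), len(h["notes"])) for family, h in result.items()
    )


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        for family, n_files, n_notes in summarize(sweep(root)):
            print(f"{family}: {n_files} encrypted file(s), {n_notes} confirmed note(s)")
    finally:
        shutil.rmtree(root)
```

Run it against a real share by replacing the constructed tree with the mount point; the point of the confirmed/unconfirmed split is that a lone readme.txt should raise a look, not an incident.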