The Week in Ransomware – April 29th 2022


Hand reaching out of smoke

This week we have discovered numerous new ransomware operations that have begun operating, with one appearing to be a rebrand of previous operations.

The Quantum ransomware gang has seen an uptick in victims, with a report showing that the gang deploys the encryptor in rapid attacks.

We also learned of a new ransomware gang called Black Basta that has quickly accumulated victims while, for the most part, staying under the radar until this week.

Some of Black Basta’s recent victims are the American Dental Association and Deutsche Windtechnik.

This week’s other news is discovering that the Onyx ransomware purposely destroys files larger than 2MB, making it pointless to pay a ransom.

Finally, Austin Peay State University suffered a ransomware attack and used the unusual tactic of blasting the news on Twitter that students and faculty should shut down their computers.

Contributors and those who provided new ransomware information and stories this week include: @fwosar, @LawrenceAbrams, @PolarToffee, @demonslay335, @serghei, @billtoulas, @malwareforme, @DanielGallagher, @FourOctets, @VK_Intel, @BleepinComputer, @Ax_Sharma, @Ionut_Ilascu, @malwrhunterteam, @struppigel, @jorntvdw, @Seifreed, @CheckPointSW, @vinopaljiri, @TheDFIRReport, @LabsSentinel, @pcrisk, and @Amigo_A_.

April 25th 2022

Quantum ransomware seen deployed in rapid network attacks

The Quantum ransomware, a strain first discovered in August 2021, were seen carrying out speedy attacks that escalate quickly, leaving defenders little time to react.

New Parker ransomware

PCrisk found a new ransomware that appends the .parker extension and drops a ransom note named RESTORE_FILES_INFO.txt.

April 26th 2022

American Dental Association hit by new Black Basta ransomware

The American Dental Association (ADA) was hit by a weekend cyberattack, causing them to shut down portions of their network while investigating the attack.

Coca-Cola investigates hackers’ claims of breach and data theft

Coca-Cola, the world’s largest soft drinks maker, has confirmed in a statement to BleepingComputer that it is aware of the reports about a cyberattack on its network and is currently investigating the claims.

New STOP ransomware variants

PCrisk found new STOP ransomware variants that append the .jhgn, .jhbg, and .dewd extensions.

April 27th 2022

Beware: Onyx ransomware destroys files instead of encrypting them

A new Onyx ransomware operation is destroying files larger than 2MB instead of encrypting them, preventing those files from being decrypted even if a ransom is paid.

New Black Basta ransomware springs into action with a dozen breaches

A new ransomware gang known as Black Basta has quickly catapulted into operation this month, breaching at least twelve companies in just a few weeks.

LockBit Ransomware Side-loads Cobalt Strike Beacon with Legitimate VMware Utility

During a recent investigation, our DFIR team discovered an interesting technique used by LockBit Ransomware Group to load a Cobalt Strike Beacon Reflective Loader. In this particular case, LockBit managed to side-load Cobalt Strike Beacon through a signed VMware xfer logs command line utility.

New Axxes ransomware

PCrisk found a new ransomware variant that appends the .axxes extension and drops ransom notes named RESTORE_FILES_INFO.hta and RESTORE_FILES_INFO.txt.

April 28th 2022

Ransom payment is roughly 15% of the total cost of ransomware attacks

Researchers analyzing the collateral consequences of a ransomware attack include costs that are roughly seven times higher than the ransom demanded by the threat actors.

Austin Peay State University resumes after ransomware cyber attack

Austin Peay State University (APSU) confirmed yesterday that it had been a victim of a ransomware attack.

New Pipikaki ransomware

Amigo-A found a new ransomware that appends the .@PIPIKAKI extension and drops a ransom note named WE CAN RECOVER YOUR DATA.txt.

That’s it for this week! Hope everyone has a nice weekend!


Source link