
This was a bad week for ransomware, with the Trigona ransomware suffering a data breach and law enforcement disrupting the RagnarLocker ransomware operation.
Last week, Ukrainian hacktivists known as the Ukrainian Cyber Alliance hacked the Trigona gang's servers by exploiting a vulnerability in their Confluence server.
This ultimately allowed the activists to breach other sites run by Trigona to steal data, copies of internal chats, and the site source code. They then wiped Trigona's Tor negotiation and data leak sites, defacing them with the message below.

Source: BleepingComputer
Trigona later admitted they had been breached and said they plan on launching new sites on October 22nd.
On Thursday, the RagnarLocker data leak site and negotiation site also began to show a new message, this time a seizure banner by law enforcement from France, the Czech Republic, Germany, Italy, Latvia, the Netherlands, Spain, Sweden, Japan, Canada, and the US.
As part of this international law enforcement operation, police arrested a malware developer linked with the RagnarLocker ransomware gang and seized the group's dark websites.

Source: BleepingComputer
This is a significant action, as RagnarLocker is one of the oldest still-active ransomware operations, having conducted attacks against 168 international companies globally since 2020.
In other news, we learned more about cyberattacks against various companies, with a BlackBasta attack against TV advertising firm Ampersand and Kwik Trip finally confirming they suffered a cyberattack, though it was not confirmed to be ransomware.
Finally, cybersecurity researchers released interesting reports on ransomware, including:
Contributors and those who provided new ransomware information and stories this week include: @LawrenceAbrams, @serghei, @fwosar, @Ionut_Ilascu, @billtoulas, @Seifreed, @demonslay335, @malwrhunterteam, @BleepinComputer, @vx_herm1t, @AlvieriD, @AShukuhi, @pcrisk, @rivitna2, @BushidoToken, @ResilienceSays, @SophosXOps, @Unit42_Intel, @jgreigj, @azalsecurity, @AShukuhi, @Cynet360, @FalconFeedsio, and @cyber_int.
October 15th 2023
Colonial Pipeline attributes ransomware claims to 'unrelated' third-party data breach
Colonial Pipeline said there was no disruption to pipeline operations or their systems after a ransomware gang made multiple threats on Friday afternoon.
October 16th 2023
New STOP ransomware variants
PCrisk found new STOP ransomware variants that append the .ptqw and .pthh extensions.
New MedusaLocker variant
PCrisk found a new MedusaLocker variant that appends the .crypto1317 extension and drops a ransom note named How_to_back_files.html.
New Chaos variant
PCrisk found a new Chaos variant that appends the .MesaCorp extension and drops a ransom note named read_it.txt.
October 17th 2023
Kwik Trip all but says IT outage was caused by a cyberattack
Kwik Trip has released another statement on an ongoing outage, all but confirming it suffered a cyberattack that has led to IT system disruptions.
TV advertising sales giant affected by ransomware attack
A television advertising sales and technology company jointly owned by the three largest U.S. cable operators was hit with a ransomware attack in recent weeks that affected operations.
New Dharma variant
PCrisk found a new Dharma ransomware variant that appends the .2023 extension.
New STOP variant
PCrisk found a new Dharma ransomware variant that appends the .ptrz extension.
New EarthGrass ransomware
PCrisk found a new ransomware named EarthGrass that appends the .34r7hGr455 extension and drops a ransom note named Read ME (Decryptor).txt.
New KeyLock ransomware
PCRisk found the new KeyLocker ransomware that appends the .keylock extension and drops a ransom note named README-id-[username].txt.
October 18th 2023
Ukrainian activists hack Trigona ransomware gang, wipe servers
A group of cyber activists under the Ukrainian Cyber Alliance (UCA) banner has hacked the servers of the Trigona ransomware gang and wiped them clean after copying all the information available.
Resilience 2023 Claims Report
The first half of 2023 has once again seen an upheaval in the cybercrime industry. From Russian companies potentially licensing out advanced malware to affiliate partners in the US and UK, to attacks against relatively unknown third-party SaaS providers scaling to thousands of victim organizations at once, cybercrime actors are once again adeptly reacting to a shift in their market. As companies become more resistant to paying extortions, Resilience is seeing a move towards going after bigger fish and swimming upstream to hit vendors and bypass security controls. This has significant implications for those defending their organizations and trying to limit financial losses from these actors.
GhostLocker: The New Ransomware On The Block
Over the past week, a new ransomware franchise has emerged named GhostLocker. GhostLocker is a new Ransomware-as-a-Service (RaaS) established by several hacktivist groups led by GhostSec.
Pro-Palestinian hacktivists claim to use Crucio ransomware
A new pro-Palestinian hacktivist group called Soldiers Of Solomon claims to be deploying a new Crucio ransomware.
October 19th 2023
Ragnar Locker ransomware's dark web extortion sites seized by police
The Ragnar Locker ransomware operation's Tor negotiation and data leak sites were seized Thursday morning as part of an international law enforcement operation.
BlackCat ransomware uses new 'Munchkin' Linux VM in stealthy attacks
The BlackCat/ALPHV ransomware operation has begun to use a new tool named 'Munchkin' that uses virtual machines to deploy encryptors on network devices stealthily.
Ransomware actor exploits unsupported ColdFusion servers, but comes away empty-handed
In September and early October, we observed several attempts by a previously unknown actor to leverage vulnerabilities in outdated, unsupported versions of Adobe's ColdFusion Server software to gain access to the Windows servers they ran on and pivot to deploying ransomware. None of these attacks were successful, but they provided telemetry that allowed us to associate them with a single actor or group of actors, and to retrieve the payloads they attempted to deploy.
Megazord ransomware analysis
A new version of the Akira ransomware called "Megazord" emerged around August 2023. It changes the names of your files by adding ".Powerrangers" at the end. Several static and code similarities suggest that Megazord could be an attempt to give Akira a new look. Such an alteration could be an attempt to rebrand the Akira ransomware, as it has become widely recognized throughout the cybersecurity community.
Trigona responds to their takedown by UCA
As seen by AzAl Security, the Trigona ransomware operation has responded to UCA's takedown of their sites, claiming to return on the 22nd.

October 20th 2023
Kwik Trip finally confirms cyberattack was behind ongoing outage
Two weeks into an ongoing IT outage, Kwik Trip finally confirmed that it is investigating a cyberattack impacting the convenience store chain's internal network since October 9.
Ragnar Locker ransomware developer arrested in France
Law enforcement agencies arrested a malware developer linked with the Ragnar Locker ransomware gang and seized the group's dark web sites in a joint international operation.
New STOP ransomware variants
PCrisk found new STOP ransomware variants that append the .ithh, .itqw, and .itrz extensions.
New Hunters International uses Hive encryptor
rivitna discovered the new Hunters International ransomware, which appears to be using an encryptor from the Hive operation.
That's it for this week! Hope everyone has a nice weekend!