We saw another ransomware operation shut down this week after first getting breached by law enforcement and then targeting critical infrastructure, putting itself even further in the spotlight of the US government.
What makes this strange is that this appears to be a standard routine for the DarkSide, I mean BlackCat/ALPHV, ransomware operation, which tends to hit critical infrastructure and then realize it was a big mistake.
As it was, they were already being targeted by an international law enforcement operation, which allowed the FBI to hack the gang's servers for months while collecting data and decryptors and, eventually, seizing the domain of the data leak site.
While the Tor onion domain seizure turned into a game of tug of war between the FBI and BlackCat, instead of shutting down, the ransomware gang decided to continue operating and vowed to target US critical infrastructure in revenge.
Roughly two months later, one of their affiliates attacked UnitedHealth Group's Change Healthcare, a technology solutions company used by many pharmacies, doctor's offices, and hospitals for billing claims for healthcare and prescriptions.
This attack led to severe disruption in the US healthcare system, preventing pharmacies from accepting insurance and discount cards and, in some cases, forcing patients to pay full price for medication.
Similar to their attack on Colonial Pipeline as DarkSide, which led them to shut down, their rebrand as BlackCat/ALPHV has now shut down after the Change Healthcare attack.
According to an affiliate, Optum, Change Healthcare's parent company and a subsidiary of UnitedHealth, paid a $22 million ransom to the ransomware operation to prevent the leaking of stolen data and to receive a file decryptor.
However, this affiliate says that BlackCat stole the ransom and did not transfer over a share of the payment, stating it was seized by the "feds."
In reality, BlackCat performed an exit scam: they stole the ransom, blamed law enforcement, and shut down, stating that they do not want to be in court again.
Unfortunately, it is only a matter of time before we see the ransomware operation rebrand under a new name to repeat this cycle.
In other news, the Stormous ransomware gang attacked the Duvel Belgian beer maker, which many consider critical infrastructure.
Finally, the Swiss government also warned that 65,000 of its documents were leaked as part of a Play ransomware attack on Xplain.
Contributors and those who provided new ransomware information and stories this week include @demonslay335, @Seifreed, @fwosar, @malwrhunterteam, @billtoulas, @BleepinComputer, @LawrenceAbrams, @serghei, @Ionut_Ilascu, @ddd1ms, @uuallan, @AShukuhi, @BrettCallow, @BushidoToken, @JBurnsKoven, @Jon__DiMaggio, @ValeryMarchive, @UK_Daniel_Card, @AlexMartin, @TalosSecurity, @CarlyPage_, and @pcrisk.
March 4th 2024
BlackCat ransomware turns off servers amid claim they stole $22 million ransom
The ALPHV/BlackCat ransomware gang has shut down its servers amid claims that they scammed the affiliate responsible for the attack on Optum, the operator of the Change Healthcare platform, out of $22 million.
Should we ban ransom payments?
As cybercriminals continue to reap the financial rewards of their attacks, talk of a federal ban on ransom payments is getting louder.
New STOP ransomware variants
PCrisk found new STOP ransomware variants that append the .wisz and .wiaw extensions.
New SkyNet ransomware variant
PCrisk found a SkyNet variant that appends the .payuranson extension and drops a ransom note named SkynetData.txt.
March 5th 2024
BlackCat ransomware shuts down in exit scam, blames the "feds"
The BlackCat ransomware gang is pulling an exit scam, attempting to shut down and run off with affiliates' money by pretending the FBI seized their site and infrastructure.
GhostSec's joint ransomware operation and evolution of their arsenal
Talos observed the GhostSec and Stormous ransomware groups working together to conduct several double extortion attacks using the GhostLocker and StormousX ransomware programs against victims in Cuba, Argentina, Poland, China, Lebanon, Israel, Uzbekistan, India, South Africa, Brazil, Morocco, Qatar, Turkiye, Egypt, Vietnam, Thailand and Indonesia, according to its analysis of the disclosure messages posted by the group in their Telegram channels and on the Stormous ransomware data leak site.
New Makop ransomware variant
PCrisk found a Makop variant that appends the .reload extension and drops a ransom note named +README-WARNING+.txt.
March 6th 2024
Duvel says it has "more than enough" beer after ransomware attack
Duvel Moortgat Brewery was hit by a ransomware attack late last night, bringing beer production in the company's bottling facilities to a halt.
Capita, company providing UK's nuclear submarine training, confirms 'cyber incident'
Capita, the UK's largest outsourcing company, confirmed Monday that an IT outage which left staff locked out of their accounts on Friday was caused by "a cyber incident."
New MedusaLocker ransomware variants
PCrisk found new MedusaLocker variants that append the .genesis15 and .duralock05 extensions and drop a ransom note named HOW_TO_BACK_FILES.html.
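The PCrisk entries above (STOP, SkyNet, Makop and MedusaLocker) each give an appended extension and, in most cases, a ransom note filename. As an added example that is not part of this roundup or PCrisk's reporting, the script below turns those indicators into a first-pass triage of a file listing from a share or disk image: it counts renamed files and ransom notes per family and only calls a family "confirmed" when both kinds of indicator agree, which keeps a lone odd extension such as .reload (a plausible benign filename) from being over-read. The family names, extensions and note filenames come from the entries above; the sample listing, the thresholds and the function names are constructed for illustration. STOP's note filename is not given on this page, so that family is matched on extensions only.

```python
import os
from typing import Dict, Iterable

# Indicators taken from this week's PCrisk entries: extensions appended to
# encrypted files, and ransom note filenames where the entry names one.
# The STOP entry lists no note name here, so STOP matches on extensions only.
# Note filenames are compared case-insensitively.
FAMILIES = {
    "STOP":         {"exts": {".wisz", ".wiaw"},            "notes": set()},
    "SkyNet":       {"exts": {".payuranson"},               "notes": {"skynetdata.txt"}},
    "Makop":        {"exts": {".reload"},                   "notes": {"+readme-warning+.txt"}},
    "MedusaLocker": {"exts": {".genesis15", ".duralock05"}, "notes": {"how_to_back_files.html"}},
}


def classify_paths(paths: Iterable[str]) -> Dict[str, Dict[str, int]]:
    """Count, per family, renamed files (by final extension) and ransom notes."""
    hits = {fam: {"files": 0, "notes": 0} for fam in FAMILIES}
    for path in paths:
        name = os.path.basename(path).lower()
        ext = os.path.splitext(name)[1]
        for fam, ioc in FAMILIES.items():
            if ext in ioc["exts"]:
                hits[fam]["files"] += 1
            if name in ioc["notes"]:
                hits[fam]["notes"] += 1
    return hits


def attribute(paths: Iterable[str], min_files: int = 3) -> Dict[str, str]:
    """Turn raw counts into a verdict per family.

    'confirmed': at least min_files renamed files plus a ransom note (or just
                 the files, for a family whose note name this page does not list).
    'probable':  only one kind of indicator, e.g. a note with no renamed files
                 (an interrupted run) or a single odd extension that may be benign.
    Families with no hits at all are omitted from the result.
    """
    verdicts: Dict[str, str] = {}
    for fam, counts in classify_paths(paths).items():
        enough_files = counts["files"] >= min_files
        note_known = bool(FAMILIES[fam]["notes"])
        note_seen = counts["notes"] > 0
        if enough_files and (note_seen or not note_known):
            verdicts[fam] = "confirmed"
        elif counts["files"] > 0 or note_seen:
            verdicts[fam] = "probable"
    return verdicts


def scan_tree(root: str, min_files: int = 3) -> Dict[str, str]:
    """Walk a mounted share or image and attribute whatever is found there."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return attribute(paths, min_files)


# Constructed sample listing for illustration; not from a real incident.
SAMPLE_LISTING = [
    "/srv/share/finance/q1.xlsx.duralock05",
    "/srv/share/finance/q2.xlsx.duralock05",
    "/srv/share/finance/budget.docx.genesis15",
    "/srv/share/finance/HOW_TO_BACK_FILES.html",
    "/srv/share/hr/handbook.pdf",
    "/srv/share/hr/SkynetData.txt",      # note dropped, no renamed files seen yet
    "/srv/share/dev/config.reload",      # a single .reload file, may be a benign name
]

if __name__ == "__main__":
    for fam, verdict in sorted(attribute(SAMPLE_LISTING).items()):
        print(f"{fam}: {verdict}")
```

On the sample listing this reports MedusaLocker as confirmed (three renamed files plus its note), SkyNet and Makop as probable, and nothing for STOP. Extension-only hits are deliberately weighted below note-plus-files agreement, because extensions collide with ordinary filenames far more often than ransom note names do; raise min_files on large shares to suppress single stray matches.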
March 7th 2024
FBI: U.S. lost record $12.5 billion to online crime in 2023
FBI's Internet Crime Complaint Center (IC3) has released its 2023 Internet Crime Report, which recorded a 22% increase in reported losses compared to 2022, amounting to a record $12.5 billion.
Switzerland: Play ransomware leaked 65,000 government documents
The National Cyber Security Centre (NCSC) of Switzerland has released a report on its analysis of a data breach following a ransomware attack on Xplain, disclosing that the incident impacted thousands of sensitive Federal government files.
LockBit: How the franchise is trying to stage a comeback
Since the Cronos law enforcement operation, the LockBit 3.0 mafia franchise has tried hard to convince everyone that business continues as if nothing had happened. Examination of its claims reveals a very different reality.
March 8th 2024
UnitedHealth brings some Change Healthcare pharmacy services back online
Optum's Change Healthcare has started to bring systems back online after suffering a crippling BlackCat ransomware attack last month that led to widespread disruption of the US healthcare system.
That's it for this week! Hope everyone has a nice weekend!