This was a bad week for ransomware, with the Trigona ransomware suffering a data breach and law enforcement disrupting the RagnarLocker ransomware operation.
Last week, Ukrainian hacktivists known as the Ukrainian Cyber Alliance hacked the Trigona gang's servers by exploiting a vulnerability in their Confluence server.
This ultimately allowed the activists to breach other sites run by Trigona to steal data, copies of internal chats, and the website source code. They then wiped Trigona's Tor negotiation and data leak sites, defacing them with the message below.
Trigona later admitted they were breached and said they plan on launching new sites on October 22nd.
On Thursday, the RagnarLocker data leak site and negotiation site also began to show a new message, this time a seizure banner by law enforcement from France, the Czech Republic, Germany, Italy, Latvia, the Netherlands, Spain, Sweden, Japan, Canada, and the USA.
As part of this international law enforcement operation, police arrested a malware developer linked with the RagnarLocker ransomware gang and seized the group's dark websites.
This is a significant action, as RagnarLocker is one of the oldest still-active ransomware operations, having conducted attacks against 168 international companies globally since 2020.
In other news, we learned more about cyberattacks against various companies, with a BlackBasta attack against TV advertising firm Ampersand and Kwik Trip finally confirming they suffered a cyberattack, though it was not confirmed to be ransomware.
Finally, cybersecurity researchers released interesting reports on ransomware, including:
Contributors and those who provided new ransomware information and stories this week include: @LawrenceAbrams, @serghei, @fwosar, @Ionut_Ilascu, @billtoulas, @Seifreed, @demonslay335, @malwrhunterteam, @BleepinComputer, @vx_herm1t, @AlvieriD, @AShukuhi, @pcrisk, @rivitna2, @BushidoToken, @ResilienceSays, @SophosXOps, @Unit42_Intel, @jgreigj, @azalsecurity, @AShukuhi, @Cynet360, @FalconFeedsio, and @cyber_int.
October 15th 2023
Colonial Pipeline attributes ransomware claims to 'unrelated' third-party data breach
Colonial Pipeline said there was no disruption to pipeline operations or their systems after a ransomware gang made numerous threats on Friday afternoon.
October 16th 2023
New STOP ransomware variants
PCrisk found new STOP ransomware variants that append the .ptqw and .pthh extensions.
New MedusaLocker variant
PCrisk found a new MedusaLocker variant that appends the .crypto1317 extension and drops a ransom note named How_to_back_files.html.
New Chaos variant
PCrisk found a new Chaos variant that appends the .MesaCorp extension and drops a ransom note named read_it.txt.
October 17th 2023
Kwik Trip all but says IT outage was caused by a cyberattack
Kwik Trip has released another statement on an ongoing outage, all but confirming it suffered a cyberattack that has led to IT system disruptions.
TV advertising sales giant affected by ransomware attack
A television advertising sales and technology company jointly owned by the three largest U.S. cable operators was hit with a ransomware attack in recent weeks that affected operations.
New Dharma variant
PCrisk found a new Dharma ransomware variant that appends the .2023 extension.
New STOP variant
PCrisk found a new STOP ransomware variant that appends the .ptrz extension.
New EarthGrass ransomware
PCrisk found a new ransomware named EarthGrass that appends the .34r7hGr455 extension and drops a ransom note named Read ME (Decryptor).txt.
New KeyLock ransomware
PCRisk found the new KeyLocker ransomware that appends the .keylock extension and drops a ransom note named README-id-[username].txt.
October 18th 2023
Ukrainian activists hack Trigona ransomware gang, wipe servers
A group of cyber activists under the Ukrainian Cyber Alliance (UCA) banner has hacked the servers of the Trigona ransomware gang and wiped them clean after copying all the information available.
Resilience 2023 Claims Report
The first half of 2023 has once again seen an upheaval in the cybercrime industry. From Russian firms potentially licensing out advanced malware to affiliate partners in the US and UK, to attacks against relatively unknown third-party SaaS providers scaling to thousands of victim organizations at once, cybercrime actors are once again adeptly reacting to a shift in their market. As companies become more resistant to paying extortions, Resilience is seeing a move towards going after bigger fish and swimming upstream to hit vendors and bypass security controls. This has significant implications for those defending their organizations and trying to limit financial losses from these actors.
GhostLocker: The New Ransomware On The Block
Over the past week, a new ransomware franchise has emerged named GhostLocker. GhostLocker is a new Ransomware-as-a-Service (RaaS) established by several hacktivist groups led by GhostSec.
Pro-Palestinian hacktivists claim to use Crucio ransomware
A new pro-Palestinian hacktivist group called Soldiers of Solomon claims to be deploying a new Crucio ransomware.
October 19th 2023
Ragnar Locker ransomware's dark web extortion sites seized by police
The Ragnar Locker ransomware operation's Tor negotiation and data leak sites were seized Thursday morning as part of an international law enforcement operation.
BlackCat ransomware uses new 'Munchkin' Linux VM in stealthy attacks
The BlackCat/ALPHV ransomware operation has begun to use a new tool named 'Munchkin' that uses virtual machines to deploy encryptors on network devices stealthily.
Ransomware actor exploits unsupported ColdFusion servers—but comes away empty-handed
In September and early October, we observed several efforts by a previously unknown actor to leverage vulnerabilities in outdated, unsupported versions of Adobe's ColdFusion Server software to gain access to the Windows servers they ran on and pivot to deploying ransomware. None of these attacks were successful, but they provided telemetry that allowed us to associate them with a single actor or group of actors, and to retrieve the payloads they attempted to deploy.
Megazord ransomware analysis
A new version of the Akira ransomware called "Megazord" emerged around August 2023. It changes the names of your files by adding ".Powerrangers" at the end. Several static and code similarities suggest that Megazord may be an attempt to give Akira a new look. Such an alteration might be an attempt to rebrand the Akira ransomware, as it has become widely recognized throughout the cybersecurity community.
Trigona responds to their takedown by UCA
As seen by AzAl Security, the Trigona ransomware operation has responded to UCA's takedown of their sites, claiming to return on the 22nd.
October 20th 2023
Kwik Trip finally confirms cyberattack was behind ongoing outage
Two weeks into an ongoing IT outage, Kwik Trip finally confirmed that it is investigating a cyberattack impacting the convenience store chain's internal network since October 9.
Ragnar Locker ransomware developer arrested in France
Law enforcement agencies arrested a malware developer linked with the Ragnar Locker ransomware gang and seized the group's dark web sites in a joint international operation.
New STOP ransomware variants
PCrisk found new STOP ransomware variants that append the .ithh, .itqw, and .itrz extensions.
New Hunters International uses Hive encryptor
rivitna discovered the new Hunters International ransomware, which appears to be using an encryptor from the Hive operation.
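The new-variant entries in this roundup (from PCrisk and the Megazord write-up) each give two defender-usable indicators: the extension the encryptor appends and the ransom note filename it drops. The triage script below is an added example, not code from this article or from any of the vendors mentioned; it collects those indicators into a lookup, walks a directory tree, tallies encrypted files and ransom notes per suspected family, and only flags a family when a note is present or several encrypted files are found, because a single extension match (for example a legitimate file ending in .2023) is weak evidence on its own. The sample tree it builds is constructed for the demo and contains no real malware artifacts.

```python
import os
import re
import tempfile
from collections import Counter

# Appended extensions listed in this week's entries, mapped to the family they indicate.
EXTENSION_FAMILY = {
    ".ptqw": "STOP", ".pthh": "STOP", ".ptrz": "STOP",
    ".ithh": "STOP", ".itqw": "STOP", ".itrz": "STOP",
    ".crypto1317": "MedusaLocker",
    ".MesaCorp": "Chaos",
    ".2023": "Dharma",
    ".34r7hGr455": "EarthGrass",
    ".keylock": "KeyLock",
    ".Powerrangers": "Megazord (Akira)",
}

# Ransom note filenames listed in this week's entries.
RANSOM_NOTE_FAMILY = {
    "How_to_back_files.html": "MedusaLocker",
    "read_it.txt": "Chaos",
    "Read ME (Decryptor).txt": "EarthGrass",
}

# KeyLock's note name embeds the local username: README-id-[username].txt
KEYLOCK_NOTE_RE = re.compile(r"^README-id-.+\.txt$")


def classify_path(path):
    """Return (family, kind) when the filename matches an indicator, else None."""
    name = os.path.basename(path)
    if name in RANSOM_NOTE_FAMILY:
        return RANSOM_NOTE_FAMILY[name], "note"
    if KEYLOCK_NOTE_RE.match(name):
        return "KeyLock", "note"
    # Encrypted files keep their original name and gain one trailing extension,
    # so only the final suffix is compared (case-sensitively, e.g. .MesaCorp).
    _, ext = os.path.splitext(name)
    if ext in EXTENSION_FAMILY:
        return EXTENSION_FAMILY[ext], "encrypted"
    return None


def triage_tree(root):
    """Walk root and count encrypted files and ransom notes per suspected family."""
    encrypted, notes = Counter(), Counter()
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            hit = classify_path(os.path.join(dirpath, fn))
            if hit is None:
                continue
            family, kind = hit
            (notes if kind == "note" else encrypted)[family] += 1
    return {"encrypted": dict(encrypted), "notes": dict(notes)}


def suspected_families(summary, min_files=3):
    """Flag a family only on a dropped note or at least min_files encrypted files;
    a lone extension hit is too weak (benign files can end in .2023 or similar)."""
    flagged = set(summary["notes"])
    flagged.update(f for f, n in summary["encrypted"].items() if n >= min_files)
    return sorted(flagged)


def build_sample_tree(root):
    """Constructed sample layout: a MedusaLocker hit across two folders, one stray
    STOP-style file, and a benign file whose extension collides with Dharma's."""
    sample_files = [
        "finance/q3.xlsx.crypto1317",
        "finance/notes.docx.crypto1317",
        "finance/How_to_back_files.html",
        "hr/policy.pdf.crypto1317",
        "hr/How_to_back_files.html",
        "shared/photo.jpg.ptqw",
        "shared/budget.2023",
    ]
    for rel in sample_files:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("sample content\n")


def demo():
    """Build the sample tree in a temp dir, triage it, and return the results."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        summary = triage_tree(root)
        return summary, suspected_families(summary)


if __name__ == "__main__":
    summary, flagged = demo()
    print(summary)
    print("suspected:", flagged)
```

Running it flags only MedusaLocker: three encrypted files plus two notes, while the single .ptqw file and the benign budget.2023 stay below the threshold. The indicator tables are the part to keep current; the walk-and-threshold logic is family-agnostic.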
That's it for this week! Hope everyone has a nice weekend!