It has been a pretty quiet week with only a few large attacks disclosed and only a few new ransomware variants released.
The highest-profile attack this week is on the NBA's Houston Rockets, who were transparent about their ransomware attack. Strangely, Babuk Locker, who had begun leaking their data, has suddenly removed the data leak from their site.
Another large attack is against La Martinière group, which is the fourth largest publisher in France.
Finally, we learned from Emsisoft that severe bugs in Babuk Locker's decryptor are causing it to "decrypt" files that were never encrypted, trashing those files in the process.
Contributors and those who provided new ransomware information and stories this week include: @Ionut_Ilascu, @fwosar, @Seifreed, @BleepinComputer, @FourOctets, @struppigel, @DanielGallagher, @LawrenceAbrams, @jorntvdw, @VK_Intel, @serghei, @demonslay335, @PolarToffee, @malwareforme, @malwrhunterteam, @ValeryMarchive, @emsisoft, @Kangxiaopao, @3xp0rtblog, @fbgwls245, @Amigo_A_, @siri_urz, @chum1ng0, and @GrujaRS.
April 10th 2021
dnwls0719 found a Maoloa Ransomware variant that appends the .charlie.j0hnson extension.
April 12th 2021
Dutch supermarkets run out of cheese after ransomware attack
A ransomware attack against conditioned warehousing and transportation provider Bakker Logistiek has caused a cheese shortage in Dutch supermarkets.
xiaopao found new Dharma ransomware variants that append the .error, .gold, .zphs, and .back extensions to encrypted files.
April 13th 2021
Capcom: Ransomware gang used old VPN device to breach the network
Capcom has released a final update about the ransomware attack it suffered last year, detailing how the hackers gained access to the network, compromised devices, and stole personal information belonging to thousands of individuals.
xiaopao found new Dharma ransomware variants that append the .graysuit and .swagkarna extensions.
dnwls0719 found a new Hakbit ransomware variant that appends the .CRYSTAL extension.
April 14th 2021
In this particular case, we found a severe issue within the Babuk ransomware strain that targets Linux and more specifically ESXi servers. ESXi is a popular virtualization platform offered by VMware. Virtualization platforms like ESXi have become a very lucrative target for many ransomware groups, like Defray/RansomExx, Darkside, and since recently also Babuk.
The Houston Rockets of the National Basketball Association are investigating a cyber-attack against their networks from a relatively new ransomware group that claims to have stolen internal business data.
dnwls0719 found a new VoidCrypt Ransomware variant that appends the .hydra extension and drops a ransom note named Decrypt-me.txt.
Michael Gillespie found a new STOP ransomware variant that appends the .wrui extension.
April 15th 2021
The phone rings. The switchboard can take calls. But putting callers directly through to staff is impossible. "No email, no network, no Internet... it's complicated," one is told. And it has been this way since Tuesday 13 April. The company's employees appear to have been informed that a cyberattack has occurred. We have tried to reach the communications department, without success at this stage.
3xp0rt spotted DarkSide promoting some of their new features:
Another DarkSide update. Added automatic test decrypting; all processes are now automated. DDoS (L3, L7) is available and is performed before the target comes online. Also, the DarkSide team is expanding specialties like network supplies and pentesting.
April 16th 2021
Michael Gillespie found a wiper that appends the .combo13 extension to destroyed files and drops a ransom note named FILES ENCRYPTED.TXT.