Hidden threat actor

Ransomware gangs continue to target organizations large and small, including a brazen attack on the Washington DC police department.

This week, we learned of attacks affecting the Metropolitan Police Department, Merseyrail UK rail operator, the Whistler Resort Municipality, and an attack on Brazil’s court systems in Rio Grande do Sul.

We also reported that the Qlocker ransomware targeting QNAP devices had made $260,000 by Sunday, which is likely much higher now.

Finally, after threatening to release data for the Metropolitan Police Department, Babuk Locker has suddenly decided to no longer encrypt systems and focus entirely on the ransoming of stolen data.

Contributors and those who provided new ransomware information and stories this week include: @fwosar, @PolarToffee, @Seifreed, @struppigel, @jorntvdw, @BleepinComputer, @Ionut_Ilascu, @LawrenceAbrams, @malwareforme, @demonslay335, @serghei, @malwrhunterteam, @FourOctets, @DanielGallagher, @VK_Intel, @ValeryMarchive, @emsisoft, @fbgwls245, @Amigo_A_, @chum1ng0, @pcrisk@GrujaRS, @BruteBee, @FireEye, @ddd1ms, @coveware, @campuscodi, and @JakubKroustek.

April 24th 2021

A ransomware gang made $260,000 in 5 days using the 7zip utility

A ransomware gang has made $260,000 in just five days simply by remotely encrypting files on QNAP devices using the 7zip archive program.

New Dharma ransomware variant

Jakub Kroustek found a new Dharma ransomware variant that appends the .bdev extension to encrypted files.

April 25th 2021

New NoCry ransomware

GrujaRS found a variant of the Stupid Ransomware calling itself NoCry that appends the .Cry extension.

NoCry

New Conti ransomware variant

GrujaRS found a new variant of the Conti Ransomware that appends the .GFYPK extension.

April 26th 2021

DC Police confirms cyberattack after ransomware gang leaks data

The Metropolitan Police Department has confirmed that they suffered a cyberattack after the Babuk ransomware gang leaked screenshots of stolen data.

Ransomware gang now warns they will leak new Apple logos, iPad plans

The REvil ransomware gang has mysteriously removed Apple’s schematics from their data leak site after privately warning Quanta that they would leak drawings for the new iPad and new Apple logos.

Accellion data breaches drive up average ransom price

The data breaches caused by the Clop ransomware gang exploiting a zero-day vulnerability have led to a sharp increase in the average ransom payment calculated for the first three months of the year.

New Conti ransomware variant

dnwls0719  found a new Dharma ransomware variant that appends the .ALNBR extension to encrypted files.

Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound

The Coveware Quarterly Ransomware Report describes ransomware incident response trends during Q1 of 2021. Data exfiltration extortion continues to be prevalent and we have reached an inflection point where the vast majority of ransomware attacks now include the theft of corporate data. Q1 saw a reversal of average and median ransom amounts. The averages in Q1 were pulled up by a raft of data exfiltration attacks by one specific threat actor group that opportunistically leveraged a unique vulnerability (more on this below).

New Phobos Ransomware variant

PCrisk found a new Phobos ransomware variant that appends the .lookfornewitguy extension.

April 27th 2021

Ransomware : Revil enchaîne les victimes… qui ne paient pas

Oui, le groupe Revil, qui pilote le rançongiciel Sodinokibi, est très actif ces temps-ci. Et il semble décidé à enchaîner les coups d’éclat. Mais ses activités semblent de moins en moins couronnées de succès. Et de plus en plus, ce qu’il exhibe comme un tableau de chasse prend des airs de triste galerie de ses échecs.

The cost of ransomware in 2021: A country-by-country analysis

The statistics below show the devastating economic toll ransomware has taken in a number of key markets. The data includes ransom demands, the cost of downtime, and the overall global cost of ransomware, as well as separate statistics focused on the public and private sectors.

Ransomware gang targets Microsoft SharePoint servers for the first time

Microsoft SharePoint servers have now joined the list of network devices being abused as an entry vector into corporate networks by ransomware gangs.

April 28th 2021

UK rail network Merseyrail likely hit by Lockbit ransomware

UK rail network Merseyrail has confirmed a cyberattack after a ransomware gang used their email system to email employees and journalists about the attack.

New Dharma ransomware variant

dnwls0719  found a new Dharma ransomware variant that appends the .cum extension to encrypted files.

April 29th 2021

Security expert coalition shares actions to disrupt ransomware

The Ransomware Task Force, a public-party coalition of more than 50 experts, has shared a framework of actions to disrupt the ransomware business model.

Whistler resort municipality hit by new ransomware operation

The Whistler municipality in British Columbia, Canada, has suffered a cyberattack at the hands of a new ransomware operation.

Brazil’s Rio Grande do Sul court system hit by REvil ransomware

Brazil’s Tribunal de Justiça do Estado do Rio Grande do Sul was hit with an REvil ransomware attack yesterday that encrypted employee’s files and forced the courts to shut down their network.

New ransomware group uses SonicWall zero-day to breach networks

A financially motivated threat actor exploited a zero-day bug in Sonicwall SMA 100 Series VPN appliances to deploy new ransomware known as FiveHands on the networks of North American and European targets.

QNAP warns of AgeLocker ransomware attacks on NAS devices

QNAP customers are once again urged to secure their Network Attached Storage (NAS) devices to defend against Agelocker ransomware attacks targeting their data.

Babuk ransomware readies ‘shut down’ post, plans to open source malware

After just a few months of activity, the operators of Babuk ransomware briefly posted a short message about their intention to quit the extortion business after having achieved their goal.

New CryBaby ransomware

MalwareHunterTeam found a new ‘CryBaby’ ransomware.

CryBaby

April 30th 2021

Babuk quits ransomware encryption, focuses on data-theft extortion

A new message today from the operators of Babuk ransomware clarifies that the gang has decided to close the affiliate program and move to an extortion model that does not rely on encrypting victim computers.

That’s it for this week! Hope everyone has a nice weekend!