The Week in Ransomware - December 2nd 2022 - Disrupting Health Care

[AFFASocial]

The Week in Ransomware - December 2nd 2022 - Disrupting Health Care​

• December 2, 2022
• 05:51 PM
• 0

This week's big news was the Colombia health system being severely disrupted by a ransomware attack on Keralty, one of the country's largest healthcare providers.
Patients have had to wait upwards of twelve hours to receive care, with reports of people fainting due to the lack of medical attention.
The Keralty attack was conducted by the RansomHouse ransomware operation, which claims to have stolen 3TB of data during the attack.
This week's other news includes an uptick in attacks by the rebranded Trigona Ransomware operation and reports of a new data wiper named CryWiper targeting local government agencies in Russia.
Zscaler also put out an excellent technical analysis of Black Basta, and the FBI disclosed that the Cuba ransomware earned $60 million from over 100 victims.
Contributors and those who provided new ransomware information and stories this week include: @BleepinComputer, @LawrenceAbrams, @FourOctets, @demonslay335, @struppigel, @PolarToffee, @serghei, @fwosar, @DanielGallagher, @jorntvdw, @billtoulas, @Seifreed, @VK_Intel, @malwareforme, @malwrhunterteam, @Ionut_Ilascu, @kaspersky, @xfalexx,@hyperconectado, @kennethdee, @pcrisk, @pushecx, and @BrettCallow.

November 26th 2022​

Ransomware gang targets Belgian municipality, hits police instead​

The Ragnar Locker ransomware gang has published stolen data from what they thought was the municipality of Zwijndrecht, but turned out to be stolen from Zwijndrecht police, a local police unit in Antwerp, Belgium.

November 28th 2022​

New Dharma ransomware variants​

PCrisk found new Dharma ransomware variants that append the .just or .CRASH extension to encrypted files.

New Xorist ransomware variants​

PCrisk found new Xorist ransomware variants that append the .ety or .lUUUUUUUUU extensions to encrypted files.

New Chaos ransomware variant​

PCrisk found a new Chaos ransomware variant that appends the .NULL extension and drops a ransom note named read_it.txt.

November 29th 2022​

Trigona ransomware spotted in increasing attacks worldwide​

A previously unnamed ransomware has rebranded under the name 'Trigona,' launching a new Tor negotiation site where they accept Monero as ransom payments.

November 30th 2022​

Keralty ransomware attack impacts Colombia's health care system​

The Keralty multinational healthcare organization suffered a RansomHouse ransomware attack on Sunday, disrupting the websites and operations of the company and its subsidiaries.

New STOP ransomware variants​

PCrisk found new STOP ransomware variants that append the .uyro and .uyit extensions.

New MedusaLocker ransomware variant​

PCrisk found a new MedusaLocker variant that appends the .cipher extension and drops a ransom note named !-Recovery_Instructions-!.html.

New DATAF Locker ransomware​

PCrisk found a new DATAF Locker ransomware that appends the .dataf extension and drops a ransom note named How To Restore Your Files.txt.

December 1st 2022​

FBI: Cuba ransomware raked in $60 million from over 100 victims​

The FBI and CISA revealed in a new joint security advisory that the Cuba ransomware gang raked in over $60 million in ransoms as of August 2022 after breaching more than 100 victims worldwide.

Back in Black... Basta​

Zscaler ThreatLabz has been tracking prominent ransomware families and their tactics, techniques and procedures (TTPs) including the BlackBasta ransomware family. On November 16, 2022, ThreatLabz identified new samples of the BlackBasta ransomware that had significantly lower antivirus detection rates. The latest BlackBasta code has numerous differences compared to the original BlackBasta ransomware.

December 2nd 2022​

New CryWiper malware wipes data in attack against Russian org​

A previously undocumented data wiper named CryWiper is masquerading as ransomware, extorting victims to pay for a decrypter, but in reality, it just destroys data beyond recovery.

Seattle-area debt collector allegedly compromised data of 3.7 million people​

A Lynnwood, Washington-based debt-collection company has been sued for compromising the names and Social Security information of more than 3.7 million individuals in a data breach in April 2021.