• Donate
    TheWindowsForum.com needs donations to stay online!
    Love TheWindowsForum.com? Then help keep it alive by sending a donation!

The Week in Ransomware - September 24th 2022 - LockBit leak


Our community has more than 63,000 registered members, and we'd love to have you as a member. Join us and take part in our unbiased discussions among people of all different backgrounds about Windows OS, Software, Hardware and more.

The Week in Ransomware - September 23rd 2022 - LockBit leak​

  • September 24, 2022
  • 05:25 AM ET 2:25 AM PT
  • 0

Man saying oops in a red background

This week we saw some embarrassment for the LockBit ransomware operation when their programmer leaked a ransomware builder for the LockBit 3.0 encryptor.
Running the ransomware builder is simple and quickly creates an encryptor, private/public encryption keys, and a decryptor by just running a batch file.
The LockBit 3.0 ransomware builder makes it easy for any would-be threat actor to roll out their own operation simply by modifying the enclosed configuration file to use custom ransom notes.
Ransomware operations were launched in the past from the leaks of the Babuk ransomware builder and Conti source code.
Other research this week shows how the BlackMatter ransomware gang continues to evolve its operation by upgrading its data exfiltration tool for double-extortion attacks.
This week, we also learned more about ransomware attacks, including those on the New York Racing Association and a New York ambulance service.
Contributors and those who provided new ransomware information and stories this week include: @struppigel, @DanielGallagher, @demonslay335, @malwrhunterteam, @Seifreed, @malwareforme, @fwosar, @BleepinComputer, @FourOctets, @billtoulas, @jorntvdw, @PolarToffee, @Ionut_Ilascu, @VK_Intel, @LawrenceAbrams, @serghei, @S2W_Official, @GeeksCyber, @BroadcomSW, @pcrisk, @3xp0rtblog, @vxunderground, @PogoWasRight, @AhnLab_SecuInfo, and @zscaler.

September 17th 2022​

New York ambulance service discloses data breach after ransomware attack

Empress EMS (Emergency Medical Services), a New York-based emergency response and ambulance service provider, has disclosed a data breach that exposed customer information.

September 19th 2022​

New STOP Ransomware variants

PCrisk found new STOP ransomware variants that append the .aawt, .aabn, .aamv, and .aayu extension.

New Phobos variant

PCrisk found a new Phobos ransomware variant that appends the .duck extension and drops a ransom note named info.txt and info.hta.

New VoidCrypt variant

PCrisk found a new VoidCrypt ransomware variant that appends the .Joker extension and drops a ransom note named Decryption-Guide.txt and Decryption-Guide.HTA.

New VSOP variant

PCrisk found a new VSOP ransomware variant that appends the .minex extension and drops a ransom note named readme.txt.

September 20th 2022​

Hive ransomware claims attack on New York Racing Association

The Hive ransomware operation claimed responsibility for an attack on the New York Racing Association (NYRA), which previously disclosed that a cyber attack on June 30, 2022, impacted IT operations and website availability and compromised member data.

New BlackBit ransomware

PCrisk found a ransomware called BlackBit that appends the .BlackBit extension and drops a ransom notes named Restore-My-Files.txt and info.hta.

September 21st 2022​

LockBit ransomware builder leaked online by “angry developer”

The LockBit ransomware operation has suffered a breach, with an allegedly disgruntled developer leaking the builder for the gang's newest encryptor.

Technical Analysis of Crytox Ransomware

The threat actor using Crytox ransomware has been active since at least 2020, but has received significantly less attention than many other ransomware families. In September 2021, the Netherlands-based company RTL publicly acknowledged that they were compromised by the threat actor. The company paid Crytox 8,500 euros. Compared with current ransom demands, this amount is relatively low. Unlike most ransomware groups, the Crytox threat actor does not perform double extortion attacks where data is both encrypted and held for ransom.

September 22nd 2022​

BlackCat ransomware’s data exfiltration tool gets an upgrade

The BlackCat ransomware (aka ALPHV) isn't showing any signs of slowing down, and the latest example of its evolution is a new version of the gang's data exfiltration tool used for double-extortion attacks.

Quick Overview of Leaked LockBit 3.0 (Black) builder program

Build.bat creates an RSA public/private key pair by executing Keygen.exe, and Builder.exe that generates a LockBit 3.0 ransomware using the generated key pair.

A technical analysis of the leaked LockBit 3.0 builder

This is our analysis of the LockBit 3.0 builder that was leaked online on September 21, 2022.

Ransomware disguised as GTA 6 source code

MalwareHunterTeam found a few ransomware samples pretending to be GTA 6 source code.
Ransomware disguised as GTA 6 source code

New Zeppelin variant

PCrisk found a new Zeppelin ransomware variant that appends the .ORCA extension and drops the HOW_TO_RECOVER_DATA.hta ransom note.

September 23rd 2022​

New STOP Ransomware variants

PCrisk found new STOP ransomware variants that append the .ofoq, .ofww, and .oflg extension.

FARGO Ransomware (Mallox) Being Distributed to Vulnerable MS-SQL Servers

The ASEC analysis team is constantly monitoring malware distributed to vulnerable MS-SQL servers. The analysis team has recently discovered the distribution of FARGO ransomware that is targeting vulnerable MS-SQL servers. Along with GlobeImposter, FARGO is one of the prominent ransomware that targets vulnerable MS-SQL servers. In the past, it was also called the Mallox because it used the file extension .mallox.
The sad part is keep a back up of 1 or 2 generations off line if your data on your computer is so precious. When I was managing a sales/repair division, so many sad faces when their hard drives failed and how they have lost this and that.
Especially in these days, back your stuff up off line. You may never need it for recovery, but if you do it will be many times worth your effort..
Has anyone here tried to recover data lost on a SSD? I remember the old Intel SSD controllers had a nasty habit of 100% failing.