The Week in Ransomware - September 30th 2022 - Emerging from the Shadows

The Week in Ransomware - September 30th 2022 - Emerging from the Shadows​

• October 1, 2022
• 04:48 AM ET 1:48 AM PT
• 0

This week's news primarily revolves around LockBit, BlackMatter, and the rising enterprise-targeting Royal ransomware operation.
As expected, threat actors now use the leaked LockBit 3.0 ransomware builder for their ransomware operations. For example, the Bl00Dy Ransomware Gang, who previously used Babuk and Conti encryptors, has now switched to a LockBit 3.0 encryptor in an attack on a Ukrainian business.
Researchers also reported that TargetCompany ransomware affiliates are now targeting publicly exposed Microsoft SQL servers.
Another interesting research is the prediction that ransomware gangs may move away from encrypting altogether and switch to pure data exfiltration and file deletion to cut out the ransomware developer. This idea stems from a new file deletion/corruption feature in a data theft tool used by a BlackMatter affiliate.
Finally, this week we learned about Royal Ransomware, which has been quietly working from the shadows since February but has, more recently, ramped up attacks.
Contributors and those who provided new ransomware information and stories this week include: @Seifreed, @serghei, @VK_Intel, @billtoulas, @DanielGallagher, @jorntvdw, @PolarToffee, @BleepinComputer, @fwosar, @struppigel, @demonslay335, @LawrenceAbrams, @Ionut_Ilascu, @FourOctets, @malwrhunterteam, @malwareforme, @swascan, @y_advintel, @AdvIntel, @angel11VR, @InsideStairwell, @aejleslie, @Cyderes, @ahnlab, and @pcrisk.

September 24th 2022​

Microsoft SQL servers hacked in TargetCompany ransomware attacks​

Vulnerable Microsoft SQL servers are being targeted in a new wave of attacks with FARGO ransomware, security researchers are warning.

September 25th 2022​

Ransomware data theft tool may show a shift in extortion tactics​

Data exfiltration malware known as Exmatter and previously linked with the BlackMatter ransomware group is now being upgraded with data corruption functionality that may indicate a new tactic that ransomware affiliates might switch to in the future.

Analyzing Bloody Ransomware​

Today (09/25/22) very limited information was received for analysis from one of the Ukrainian victims of the Bl00dy Ransomware Gang . Unfortunately, from the files provided, it is not possible to establish the vector of interference, the time frame of the attack, and which operations were automated and which were conducted interactively, however, the information turned out to be quite sufficient to reconstruct the attack scheme .

September 26th 2022​

LockBit 3.0: Decryptor Analysis​

In this analysis, conducted by Soc Team Swascan, the decryptors of “LockBit 3.0” (Windows version) and “LockBit” (Linux variant) were analyzed.

New Wanqu ransomware​

PCrisk found a ransomware appending the .Wanqu extension and dropping ransom notes named RESTORE_FILES_INFO.hta and RESTORE_FILES_INFO.txt.

New Chaos ransomware variant​

PCrisk found a new Chaos variant called TeamDarkAnon Ransomware that appends the .anon extension and drops a ransom note named read_it.txt.

September 27th 2022​

New Chaos ransomware variant​

PCrisk found a new Chaos variant called OkHacked Ransomware that appends the .okhacked extension and drops a ransom note named read_it.txt.

New Phobos variant​

PCrisk found a new Phobos variant that appends the .MMXXII extension and drops ransom notes named info.txt and info.hta.

September 28th 2022​

Leaked LockBit 3.0 builder used by ‘Bl00dy’ ransomware gang in attacks​

The relatively new Bl00Dy Ransomware Gang has started to use a recently leaked LockBit ransomware builder in attacks against companies.

New 'Wizard' Ransomware​

PCrisk found a ransomware that appends the .wizard and drops a ransom note named decrypt_instructions.txt.

September 29th 2022​

New Royal Ransomware emerges in multi-million dollar attacks​

A ransomware operation named Royal is quickly ramping up, targeting corporations with ransom demands ranging from $250,000 to over $2 million.

New Dharma ransomware variant​

PCrisk found a new Dharma ransomware variant that appends the .iq20 extension and drops a ransom note named info.txt.

That's it for this week! Hope everyone has a nice weekend!​

 

[DVDR_Dog]

I just got back to work after a week in the mountains. My company has been getting slammed with some pretty sophisticated phishing attacks. No ransomeware attacks yet but they have been hammering away. Fortunately one of our products is disaster prevention/recovery so we have all the proper hardware and procedures in place. It is a pain and expensive to do so though.