What's new
  • Donate
    TheWindowsForum.com needs donations to stay online!
    Love TheWindowsForum.com? Then help keep it alive by sending a donation!

The Week in Ransomware - September 30th 2022 - Emerging from the Shadows


Our community has more than 50.000 registered members, and we'd love to have you as a member. Join us and take part in our unbiased discussions among people of all different backgrounds about Windows OS, Software, Hardware and more.

The Week in Ransomware - September 30th 2022 - Emerging from the Shadows​

  • October 1, 2022
  • 04:48 AM ET 1:48 AM PT
  • 0
Hand reaching out from smoke

This week's news primarily revolves around LockBit, BlackMatter, and the rising enterprise-targeting Royal ransomware operation.
As expected, threat actors now use the leaked LockBit 3.0 ransomware builder for their ransomware operations. For example, the Bl00Dy Ransomware Gang, who previously used Babuk and Conti encryptors, has now switched to a LockBit 3.0 encryptor in an attack on a Ukrainian business.
Researchers also reported that TargetCompany ransomware affiliates are now targeting publicly exposed Microsoft SQL servers.
Another interesting research is the prediction that ransomware gangs may move away from encrypting altogether and switch to pure data exfiltration and file deletion to cut out the ransomware developer. This idea stems from a new file deletion/corruption feature in a data theft tool used by a BlackMatter affiliate.
Finally, this week we learned about Royal Ransomware, which has been quietly working from the shadows since February but has, more recently, ramped up attacks.
Contributors and those who provided new ransomware information and stories this week include: @Seifreed, @serghei, @VK_Intel, @billtoulas, @DanielGallagher, @jorntvdw, @PolarToffee, @BleepinComputer, @fwosar, @struppigel, @demonslay335, @LawrenceAbrams, @Ionut_Ilascu, @FourOctets, @malwrhunterteam, @malwareforme, @swascan, @y_advintel, @AdvIntel, @angel11VR, @InsideStairwell, @aejleslie, @Cyderes, @ahnlab, and @pcrisk.

September 24th 2022​

Microsoft SQL servers hacked in TargetCompany ransomware attacks

Vulnerable Microsoft SQL servers are being targeted in a new wave of attacks with FARGO ransomware, security researchers are warning.

September 25th 2022​

Ransomware data theft tool may show a shift in extortion tactics

Data exfiltration malware known as Exmatter and previously linked with the BlackMatter ransomware group is now being upgraded with data corruption functionality that may indicate a new tactic that ransomware affiliates might switch to in the future.

Analyzing Bloody Ransomware

Today (09/25/22) very limited information was received for analysis from one of the Ukrainian victims of the Bl00dy Ransomware Gang . Unfortunately, from the files provided, it is not possible to establish the vector of interference, the time frame of the attack, and which operations were automated and which were conducted interactively, however, the information turned out to be quite sufficient to reconstruct the attack scheme .

September 26th 2022​

LockBit 3.0: Decryptor Analysis

In this analysis, conducted by Soc Team Swascan, the decryptors of “LockBit 3.0” (Windows version) and “LockBit” (Linux variant) were analyzed.

New Wanqu ransomware

PCrisk found a ransomware appending the .Wanqu extension and dropping ransom notes named RESTORE_FILES_INFO.hta and RESTORE_FILES_INFO.txt.

New Chaos ransomware variant

PCrisk found a new Chaos variant called TeamDarkAnon Ransomware that appends the .anon extension and drops a ransom note named read_it.txt.

September 27th 2022​

New Chaos ransomware variant

PCrisk found a new Chaos variant called OkHacked Ransomware that appends the .okhacked extension and drops a ransom note named read_it.txt.

New Phobos variant

PCrisk found a new Phobos variant that appends the .MMXXII extension and drops ransom notes named info.txt and info.hta.

September 28th 2022​

Leaked LockBit 3.0 builder used by ‘Bl00dy’ ransomware gang in attacks

The relatively new Bl00Dy Ransomware Gang has started to use a recently leaked LockBit ransomware builder in attacks against companies.

New 'Wizard' Ransomware

PCrisk found a ransomware that appends the .wizard and drops a ransom note named decrypt_instructions.txt.

September 29th 2022​

New Royal Ransomware emerges in multi-million dollar attacks

A ransomware operation named Royal is quickly ramping up, targeting corporations with ransom demands ranging from $250,000 to over $2 million.

New Dharma ransomware variant

PCrisk found a new Dharma ransomware variant that appends the .iq20 extension and drops a ransom note named info.txt.

That's it for this week! Hope everyone has a nice weekend!​



Well-Known Member
Ultimate Donator
Nov 5, 2018
Windows 10
I just got back to work after a week in the mountains. My company has been getting slammed with some pretty sophisticated phishing attacks. No ransomeware attacks yet but they have been hammering away. Fortunately one of our products is disaster prevention/recovery so we have all the proper hardware and procedures in place. It is a pain and expensive to do so though.

Online statistics

Members online
Guests online
Total visitors