The Week in Ransomware - September 30th 2022 - Emerging from the Shadows
- October 1, 2022
- 04:48 AM ET 1:48 AM PT
This week's news primarily revolves around LockBit, BlackMatter, and the rising enterprise-targeting Royal ransomware operation.
As expected, threat actors now use the leaked LockBit 3.0 ransomware builder for their ransomware operations. For example, the Bl00Dy Ransomware Gang, who previously used Babuk and Conti encryptors, has now switched to a LockBit 3.0 encryptor in an attack on a Ukrainian business.
Researchers also reported that TargetCompany ransomware affiliates are now targeting publicly exposed Microsoft SQL servers.
Another interesting piece of research is the prediction that ransomware gangs may move away from encryption altogether and switch to pure data exfiltration and file deletion, cutting the ransomware developer out of the operation. This idea stems from a new file deletion/corruption feature in a data theft tool used by a BlackMatter affiliate.
Finally, this week we learned about Royal Ransomware, which has been quietly working from the shadows since February but has, more recently, ramped up attacks.
Contributors and those who provided new ransomware information and stories this week include: @Seifreed, @serghei, @VK_Intel, @billtoulas, @DanielGallagher, @jorntvdw, @PolarToffee, @BleepinComputer, @fwosar, @struppigel, @demonslay335, @LawrenceAbrams, @Ionut_Ilascu, @FourOctets, @malwrhunterteam, @malwareforme, @swascan, @y_advintel, @AdvIntel, @angel11VR, @InsideStairwell, @aejleslie, @Cyderes, @ahnlab, and @pcrisk.
September 24th 2022
September 25th 2022
September 26th 2022
PCrisk found a ransomware appending the .Wanqu extension and dropping ransom notes named RESTORE_FILES_INFO.hta and RESTORE_FILES_INFO.txt.
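As an added illustration (not part of the article or PCrisk's report), here is a small Python triage scan that flags directories showing the two indicators named above, the .Wanqu extension and the RESTORE_FILES_INFO ransom notes; the sample tree it builds is constructed for the demo, not real malware output.

```python
import tempfile
from pathlib import Path

# Indicators taken from the PCrisk report above (matched case-insensitively,
# since the observed extension casing may vary between samples).
ENCRYPTED_EXT = ".wanqu"
NOTE_NAMES = {"restore_files_info.hta", "restore_files_info.txt"}


def scan_tree(root):
    """Walk root and collect files matching the .Wanqu indicators.
    Returns lists of encrypted files and ransom notes plus the set of
    directories in which either indicator was seen."""
    encrypted, notes = [], []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        name = path.name.lower()
        if name.endswith(ENCRYPTED_EXT):
            encrypted.append(path)
        elif name in NOTE_NAMES:
            notes.append(path)
    touched = {p.parent for p in encrypted} | {p.parent for p in notes}
    return {"encrypted": encrypted, "notes": notes, "dirs": touched}


def verdict(findings):
    """Triage: notes together with renamed files is a strong match; either
    alone may be a partial run or a cleanup attempt and still merits review."""
    if findings["encrypted"] and findings["notes"]:
        return "likely-wanqu-infection"
    if findings["notes"] or findings["encrypted"]:
        return "partial-indicators"
    return "clean"


def build_sample_tree():
    """Constructed sample directory (dummy bytes, no real artefacts) for a dry run."""
    root = Path(tempfile.mkdtemp(prefix="wanqu_demo_"))
    docs = root / "Documents"
    docs.mkdir()
    (docs / "budget.xlsx.Wanqu").write_bytes(b"\x00" * 16)
    (docs / "RESTORE_FILES_INFO.txt").write_text("constructed note text")
    (root / "Pictures").mkdir()
    (root / "Pictures" / "holiday.jpg.WANQU").write_bytes(b"\x00" * 16)
    (root / "README.txt").write_text("untouched file")
    return root


if __name__ == "__main__":
    found = scan_tree(build_sample_tree())
    print(verdict(found), len(found["encrypted"]), len(found["notes"]))
```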