ALERTS RANSOM
DATE | NAME | CATEGORY | SUBCATEGORY | INFO |
1.11.24 | Sauron - a new ransomware variant in the wild | ALERTS | RANSOM | Sauron is a new ransomware variant recently found in the wild. The malware appends the ".sauron" extension to the encrypted files. The ransom note is dropped in the form of a text file called "#HowToRecover.txt" on the affected machines. The attackers ask the victims to contact them via the provided email address, and the ransom is demanded in Bitcoin. The malware is also able to change the desktop wallpaper to inform the victims that their files have been encrypted. Sauron has the functionality to delete Volume Shadow Copies from the infected machines in an effort to prevent the victims from recovering their data. |
27.10.24 | Crystal Rans0m: Rust-Based Hybrid Ransomware | ALERTS | RANSOM | Crystal Rans0m is a Rust-based hybrid ransomware that combines file encryption with data-stealing capabilities and has been observed targeting Italy and Russia. The malware can steal browser data, Discord tokens, Steam files and Riot Games data, and utilizes Discord webhooks for data exfiltration. It also employs anti-VM and anti-debugging techniques. The ransom note demands payment in Monero and provides a Session ID for communication. |
27.10.24 | Akira Ransomware Evolution: A move towards cross-platform adaptability | ALERTS | RANSOM | Earlier this year, Akira developed a new version of its ransomware encryptor and has since been observed using another novel iteration of the encryptor that targets both Windows and Linux systems. Akira typically employs a double-extortion tactic, exfiltrating critical data before encrypting the victim's systems. However, starting in early 2024, the group appears to be shifting away from encryption tactics, focusing solely on data exfiltration. |
27.10.24 | Lockbit ransomware pretender targets macOS and Windows environments for data theft | ALERTS | RANSOM | A new campaign leveraging a malware variant disguised as Lockbit ransomware has been reported in the wild. The Go-based malware targets both macOS and Windows users in attempts to encrypt and exfiltrate confidential data. The stolen information is uploaded to Amazon AWS S3 buckets controlled by the attackers. The malware encrypts user files, deletes shadow copies on the infected machines and appends the .abcd extension to the encrypted files. The ransomware then changes the desktop wallpaper to one copied from Lockbit 2.0 attacks. This is clearly a tactic meant to pressure the victims into paying the demanded ransom. |
27.10.24 | INTERLOCK Ransomware | ALERTS | RANSOM | A new ransomware actor, going by the name INTERLOCK, has recently emerged in the threat landscape. This group appears to employ a double-extortion tactic. On successful compromise, encrypted files are appended with the ".interlock" extension. |
27.10.24 | Lynx ransomware - a formidable cyber-extortion threat | ALERTS | RANSOM | New research published by Palo Alto Networks Unit 42 indicates that the ransomware variant known as Lynx shares a significant portion of its source code with the INC ransomware. The threat operators of Lynx have actively targeted organizations in various sectors (architecture, real estate, retail, and financial/environmental services) in the U.S. and UK. This ransomware operates using a RaaS model and is disseminated through a variety of attack vectors (deceptive phishing mails, malicious downloads that infect users' systems, hacking forums, etc.). Once a victim is infected with Lynx ransomware, their data is exfiltrated before encryption, following the double-extortion approach to obtain a ransom payment. |
27.10.24 | Kransom ransomware targets gamers by imitating Honkai: Star Rail installer | ALERTS | RANSOM | Reports indicate that Honkai: Star Rail, a popular role-playing game, is being exploited by a new ransomware dubbed Kransom. This ransomware spreads through drive-by-download campaigns, enticing victims by masquerading the malicious binary as a legitimate StarRail game installer and employing valid digital certificates. Upon execution, the malicious DLL is loaded using a dynamic-link library (DLL) side-loading technique, initiating the ransomware’s encryption process. |
27.10.24 | Key Group: Targeting Russian users with evolving ransomware | ALERTS | RANSOM | The Key Group is a financially motivated ransomware group that primarily targets Russian users and is known for negotiating with victims via Telegram. Like other groups that leverage leaked ransomware builders, Key Group predominantly utilizes the Chaos ransomware builder, among others, and operates a GitHub repository for its command and control (C2) infrastructure. Discovered in April 2022, the group has developed several ransomware variants over time, including Chaos, Annabelle, RuRansom, Hakuna Matata, and the latest NoCry variant. |
27.10.24 | BabyLockerKZ - MedusaLocker Ransomware variant | ALERTS | RANSOM | BabyLockerKZ ransomware is a variant of MedusaLocker which has been active since 2023. This variant uses many of the same TTPs as seen in previous MedusaLocker attacks (publicly available tools, custom tools, lolbins, chat and leak sites). The threat actor responsible for this ransomware has been active since 2022 and has targeted victims globally. Most recent victims have been located in South America. Researchers at Cisco Talos have published additional details regarding this malware. |
27.10.24 | Defi Ransomware | ALERTS | RANSOM | Defi is the newest malware variant from the Makop ransomware family. The malware encrypts user files and appends .defi1328 to them, alongside the developers' email address and a unique victim ID. The ransom note is dropped in the form of a text file called "README-WARNING.txt" in various folders on the disk. The malware will also change the desktop wallpaper. Defi ransomware comes with functionality to delete the volume shadow copies on the infected machines. |
27.10.24 | New Rast ransomware threat targets Chinese government entities | ALERTS | RANSOM | A new ransomware threat called Rast has been identified, specifically targeting Chinese government entities. The attack vector includes RDP brute-forcing and exploiting N-day vulnerabilities to gain access to border servers, followed by the manual deployment of ransomware components. Once deployed, Rast uploads the machine name and a unique identifier to a remote MySQL database. The ransomware appears to have evolved over time, with the latest variant requiring manual operation via a console interface upon startup, necessitating direct attacker involvement to initiate the ransom process. |
27.9.24 | New DragonForce ransomware variant targets Global Industries with LockBit and Conti modifications | ALERTS | RANSOM | New variants of DragonForce ransomware, featuring modified versions of LockBit and Conti, have been observed targeting the manufacturing, real estate, and transportation industries worldwide. DragonForce operates a Ransomware-as-a-Service affiliate program, offering various attack management tools. The group employs the SystemBC backdoor for persistence, along with Mimikatz and Cobalt Strike for credential harvesting and lateral movement. |
25.9.24 | Foxtrot Ransomware - a new MedusaLocker variant | ALERTS | RANSOM | Foxtrot is the latest ransomware variant from the MedusaLocker family. The malware encrypts user files and appends the .foxtrot70 extension to them. The ransom note is dropped in the form of an HTML file called "How_to_back_files.html". Foxtrot comes with functionality to delete the volume shadow copies and Windows Backup on the infected machines. |
13.9.24 | ShrinkLocker Ransomware: Leveraging BitLocker for encryption and system disruption | ALERTS | RANSOM | ShrinkLocker is a recently discovered ransomware that exploits BitLocker, a legitimate Windows feature, to encrypt data and lock users out of their systems. Unlike traditional ransomware, ShrinkLocker uses BitLocker's secure boot partition to make decryption extremely difficult. |
13.9.24 | Ransomware activity surge observed in second quarter of 2024 | ALERTS | RANSOM | Ransomware activity increased markedly in the second quarter of 2024 as attackers seemingly recovered their momentum following the disruption experienced in late 2023 and early 2024. Analysis of data from ransomware leak sites found that ransomware actors claimed 1,310 attacks in the second quarter of 2024, a 36% increase on the first quarter of this year. This was the second-highest number of attacks claimed in a quarter by ransomware operators, short of the record 1,488 attacks claimed in the third quarter of 2023. |
13.9.24 | ScRansom Ransomware | ALERTS | RANSOM | Researchers have found that the CosmicBeetle group is now using a new ransomware dubbed ScRansom, replacing their old Scarab ransomware. They are targeting small and medium businesses worldwide and are copying LockBit's style in their ransom notes and websites. CosmicBeetle is suspected to be affiliated with RansomHub, a recently active ransomware gang that has been increasing its operations since March 2024. |
13.9.24 | New variant of Cicada3301 ransomware found in the wild | ALERTS | RANSOM | According to a recent report from Palo Alto, Repellent Scorpius is a new ransomware-as-a-service (RaaS) group responsible for the delivery of a ransomware variant dubbed Cicada3301. The threat actors have been observed to leverage a variety of Living-Off-the-Land (LOTL) tools in their attacks, among them PsExec for ransomware execution and the Rclone tool for data exfiltration. |
5.9.24 | RAZR Ransomware | ALERTS | RANSOM | RAZR is a recently identified ransomware variant that abuses the web hosting service PythonAnywhere for hosting its malicious binaries. The malware uses the AES-256 algorithm for encryption and appends the .raz extension to the filenames. The ransom note is dropped in the form of a text file called README.txt, in which the attackers also threaten that the confidential files have not only been encrypted but also exfiltrated. |
23.8.24 | Insom ransomware | ALERTS | RANSOM | Insom is the latest variant from the Makop ransomware family. The malware encrypts user files and appends the .Insom extension to the renamed files. A unique victim ID and the malware developers' email address are also appended to the file name. The malware has the functionality to remove volume shadow copies from the infected endpoint. |
20.8.24 | Hawk Eye Ransomware | ALERTS | RANSOM | A ransomware actor that goes by the name "Hawk Eye" has been observed in the wild. Files that have been successfully encrypted are appended with a random 4-character extension. The ransom note (read_it.txt) is dropped in various folders, and the desktop wallpaper is changed to a white hawk on a black background. According to the content of the ransom note, double extortion is leveraged, meaning that in addition to encrypting files, the attackers inform users that data has been exfiltrated and will be leaked or sold if the ransom is not paid. |
16.8.24 | Datablack ransomware | ALERTS | RANSOM | Datablack is a new ransomware variant observed in the wild. The malware exhibits similarities to ransomware strains from the Proton malware family. Datablack encrypts user files and appends the .Datablack extension to the renamed files. The ransom note is dropped in the form of a text file called #Recovery.txt, in which the attackers ask the victims to contact them via the provided email addresses for further instructions regarding data decryption. The malware has the functionality to remove volume shadow copies from the infected machines and to disable the automatic repair options during the boot process. |
16.8.24 | Allarich Ransomware | ALERTS | RANSOM | A new ransomware dubbed Allarich has emerged recently in the ransomware landscape. It encrypts files, appending the ".allarich" extension to them, and changes the desktop wallpaper. After completing the encryption process, the ransomware generates a ransom note titled "README.txt". |
16.8.24 | DeathGrip: Emergence of a new Ransomware-as-a-Service | ALERTS | RANSOM | A new Ransomware-as-a-Service (RaaS) called DeathGrip ransomware has emerged in the expanding ransomware threat landscape. Promoted through Telegram and other underground forums, DeathGrip RaaS offers aspiring threat actors on the dark web sophisticated ransomware tools, including LockBit 3.0 and Chaos builders. Its payloads, created using leaked ransomware builders, are already being observed in real-world attacks, enabling individuals with minimal technical skills to deploy fully developed ransomware attacks. |
9.8.24 | English-Spanish Speaking Ransomware Actor Targets Linux Machines | ALERTS | RANSOM | Symantec has recently observed a Linux ransomware binary that appears to be connected to an English- and Spanish-speaking double-extortion ransomware actor. At this time, their modus operandi remains unclear, but the ransomware exhibits the following behavior. |
9.8.24 | New file-less ransomware variant Cronus discovered | ALERTS | RANSOM | A new file-less ransomware variant dubbed Cronus has been reported as part of a malware campaign. Users are lured with documents masquerading as PayPal receipts. These documents contain malicious embedded VBA macros that, when executed, download a PowerShell loader. The loader then uses reflective DLL loading to deploy the ransomware DLL, aiming to evade detection. |
8.8.24 | Lynx Ransomware | ALERTS | RANSOM | Lynx is another double-extortion ransomware actor that has been fairly active in recent weeks and has claimed multiple companies as victims on its website. The group claims to have a strict policy against targeting governmental organizations, hospitals, non-profits, and other sectors vital to society. |
8.8.24 | Zola - a new Proton ransomware variant | ALERTS | RANSOM | Zola is a recently discovered variant from the Proton ransomware family. The ransomware is written in C++ and employs a multi-threaded encryption process. Upon encryption the malware appends the .zola extension to the encrypted files. Zola will also attempt to encrypt files on any network devices if present. |
7.8.24 | Spike in activity delivering Magniber ransomware | ALERTS | RANSOM | A spike in activity leading to infection with the Magniber ransomware has been observed in the wild. Attackers spreading this malware variant are known to leverage various delivery methods, including malvertisements, cracked software installers and exploitation of known vulnerabilities. |
2.8.24 | SARA Android Ransomware Targets Vietnamese Mobile Users in Fake App Scheme | ALERTS | RANSOM | Android lockers and ransomware were prevalent a couple of years ago, especially during the RansomLock craze. Today, while they remain in the mobile threat landscape, their prevalence has dwindled. These threats typically lock users out of their devices and display a ransom message, demanding payment to regain access with an unlock code. |
2.8.24 | Protection Highlight: Ransomware-as-a-Service Evolution, Impact, Mitigation | ALERTS | RANSOM | Malware evolution in the threat landscape is the singular reason cybersecurity professionals can’t rest, and Ransomware-as-a-Service (RaaS) is no different. RaaS has evolved from its first known form, Reveton, in 2012 to the most recent emergence of Eldorado ransomware, with early incidents reportedly raking in $400K USD a month and modern-day data breaches costing over $1M, sometimes far in excess of that figure. |
29.7.24 | OceanSpy Ransomware | ALERTS | RANSOM | A ransomware actor calling themselves OceanCorp has been observed in the wild targeting single machines. At this time, according to their ransom note (OceanCorp.txt), this actor does not perform double-extortion tactics, meaning they do not threaten to leak or sell data. |
27.7.24 | Zilla Ransomware - a recent Crysis variant | ALERTS | RANSOM | Zilla is the latest Crysis/Dharma ransomware variant observed in the threat landscape. The malware encrypts user data and appends the .ZILLA extension to the encrypted files. Alongside this custom extension, a unique ID and the email address of the threat actors are also added. |
26.7.24 | RADAR Ransomware | ALERTS | RANSOM | Another ransomware group that employs double-extortion tactics has been making the rounds in the already crowded ransomware threat landscape. Calling themselves RADAR, the group compromises machines, encrypts the files, and appends them with a .[random8characters] extension. |
25.7.24 | New Linux Play ransomware targets ESXi servers | ALERTS | RANSOM | As recently reported by researchers from Trend Micro, a new Linux variant of the infamous Play ransomware has been observed targeting ESXi servers. Prior to execution, the malware runs checks to confirm that it is running within an ESXi environment. Play ransomware will also attempt to power off all running ESXi virtual machines before proceeding with the encryption process. The .PLAY extension is added to the encrypted files and a ransom note is dropped in the VMs' root directories. Some of the network infrastructure used by this Linux Play variant has been previously observed in attacks attributed to the threat actor known as Prolific Puma. |
25.7.24 | BianLian Ransomware changes strategy | ALERTS | RANSOM | BianLian is a ransomware threat actor that has been active since mid-2022, specifically targeting the infrastructure sector in the US and Australia. As part of its attack vector, the threat actor typically exploits RDP credentials acquired through third parties or phishing to gain initial access. They deploy custom malware written in the Go programming language and utilize remote management and access software such as AnyDesk, Atera Agent, TeamViewer, etc., for persistence. |
24.7.24 | BlackSuit Ransomware poses as fake Antivirus Installer | ALERTS | RANSOM | New variants of BlackSuit ransomware have been observed in the wild, employing deceptive tactics to evade detection. Recently, they masqueraded as fake Qihoo 360 antivirus installers to deceive victims. Once installed, the malware encrypts user files and appends the .blacksuit extension. |
24.7.24 | CyberVolk Ransomware | ALERTS | RANSOM | A new strain of ransomware dubbed CyberVolk has been reported. This ransomware is written in C/C++ and features a unique encryption algorithm developed entirely by the group behind the malware. |
24.7.24 | RA World Ransomware group | ALERTS | RANSOM | Researchers at Palo Alto Networks have provided an analysis of the RA World Ransomware group. This group has been active since 2023 and has targeted victims worldwide across multiple industries. |
24.7.24 | RA World Ransomware group | ALERTS | RANSOM | In recent weeks, mobile users of several major financial institutions in South Korea were targeted by a FakeApp/FakeBank Android campaign. |
19.7.24 | ShadowRoot Ransomware | ALERTS | RANSOM | Threat researchers have identified a new ransomware called ShadowRoot which targets businesses in Turkey. The attack starts with a PDF attachment sent via suspicious emails from the "internet[.]ru" domain. If a user clicks on the embedded links within the PDF, it triggers the download of an executable payload that proceeds to encrypt files. Encrypted files have their extensions changed to ".shadowroot". |
11.7.24 | Despite group disruptions, ransomware activity not decreasing | ALERTS | RANSOM | In a newly released report, Symantec’s Threat Hunter Team shares insight into observed ransomware activity. The data shows that despite disruptions affecting Lockbit and Noberus groups and a downward trend between the last quarter of 2023 and the first quarter of 2024, activity is still on the rise. |
5.7.24 | LukaLocker ransomware distributed by Volcano Demon group | ALERTS | RANSOM | LukaLocker is a newly seen offering from a ransomware group dubbed Volcano Demon. Recently observed attacks were prefaced by exfiltration of data using harvested credentials. |
28.6.24 | Ransomware used as cover for suspected China-backed APT group ChamelGang activities | ALERTS | RANSOM | According to a recently published report, a suspected China-backed APT group named ChamelGang (aka CamoFei) has been disguising its cyberespionage operations by also incorporating ransomware. The inclusion of ransomware as a payload allows the group to draw attention away from its primary activities and from potential attribution. The report highlights several attacks, including ones against the government in Brazil and an Indian healthcare institution. |
19.6.24 | AzzaSec Ransomware | ALERTS | RANSOM | AzzaSec is another run-of-the-mill ransomware variant found being distributed in the wild. The malware encrypts user files and appends the .AzzaSec extension to them. The attackers behind this variant leave a ransom note demanding payment in Bitcoin for file decryption. |
18.6.24 | Rapax Ransomware | ALERTS | RANSOM | Rapax is a ransomware whose binaries have recently been submitted to a public malware analysis and detection platform. The ransom note found on compromised machines (instruction.txt) reveals that the author focuses solely on encrypting files rather than employing exfiltration and double-extortion tactics, demanding a ransom of 5,000 US dollars in Bitcoin for decryption. |
17.6.24 | Limpopo ransomware targets ESXi servers | ALERTS | RANSOM | Limpopo is a new ransomware variant targeting vulnerable ESXi servers, as reported by Fortinet. This malware variant is believed to be based on the leaked Babuk ransomware source code and related to other ransomware strains such as Socotra and Formosa. Limpopo has been observed being distributed in campaigns affecting Latin America and Thailand. The ransomware encrypts user files and appends the .Limpopo extension to them. |
17.6.24 | Brain Cipher Ransomware | ALERTS | RANSOM | Ransomware actors continue to sprout from left and right, and in this protection bulletin, we'll briefly discuss one which uses a Lockbit variant and has recently emerged in the threat landscape. Dubbing themselves 'Brain Cipher Ransomware' per their ransom note ([randomID].README.txt), this group appears to perform double extortion - exfiltrating sensitive data and encrypting it. Victims are provided with an encryption ID to use on the group's Onion website to get in touch. |
17.6.24 | Chaos ransomware actors pose as Lockbit to add pressure | ALERTS | RANSOM | Symantec has recently observed a Chaos ransomware actor making the rounds - encrypting single machines and claiming to be 'Lockbit' in dropped ransom notes (readme.txt). In this case, they are demanding $180 USD worth of Bitcoin be paid to a specified crypto wallet. |
14.6.24 | OPIX Ransomware | ALERTS | RANSOM | OPIX is a newly discovered ransomware variant typically spread through social engineering tactics such as phishing emails and drive-by downloads. The malware modifies user files by encrypting them with a random character string and appending a ".OPIX" extension. For example, a file called "test.txt" becomes something like "B532D3Q9.OPIX". Victims will find a ransom note dropped by the ransomware, usually named "#OPIX-Help.txt", instructing them to contact the attackers via provided email or Telegram handle within 48 hours, or their stolen data will be sold to competitors and published on the dark web. |
14.6.24 | El Dorado Ransomware: Increased Attacks | ALERTS | RANSOM | El Dorado is a double-extortion ransomware actor who has recently claimed multiple victims on their website. Once they gain access to a company, they search for machines with valuable data to exfiltrate and encrypt, appending .00000001 to encrypted files. Copies of their ransom note (HOW_RETURN_YOUR_DATA.TXT) are placed in various folders. In their ransom note, they claim to have been "white hat" but turned to crime due to poor pay. They also inform victims about how to contact them through the TOR network and using live chat on their website, threatening to sell or leak the exfiltrated data if the victims do not connect within 7 days and pay a ransom. Additionally, they further pressure victims with threats of continuous attacks against their companies, partners, and customers. |
12.6.24 | Fog Ransomware | ALERTS | RANSOM | A new ransomware variant dubbed Fog has been recently distributed in the wild. The attackers behind this malware have been leveraging compromised VPN credentials to attack vulnerable networks of US organizations from the education and recreation sector. |
8.6.24 | DORRA Ransomware | ALERTS | RANSOM | DORRA is a recently found ransomware variant from the Makop malware family. The malware encrypts user files, appending the ".DORRA" extension, a unique ID and the developer's email address to them. The ransomware drops a ransom note as a text file called "README-WARNING.txt" where the victims are asked to contact the attackers via provided email for further instructions regarding the data decryption. |
8.6.24 | CashRansomware - a new arrival to the threat landscape | ALERTS | RANSOM | CashRansomware (aka CashCrypt) is a newly identified Ransomware‑as‑a‑Service (RaaS) variant. As reported by researchers from Tehtris, the malware appears to be still in active development. CashRansomware is C#-based malware that leverages time‑stomping techniques to detect its execution within a sandbox or a virtualized environment. The malware has the capability to communicate with the attackers by leveraging the Telegram APIs. CashRansomware encrypts user files and appends the '.CashRansomware' extension to them. The malware also has functionality to delete system restore points from the infected endpoint. |
6.6.24 | CoinMiner's Proxy Server Suffers Unlucky Ransomware Attack | ALERTS | RANSOM | Reports have described what seems to be an accidental cyber threat activity where a CoinMiner's proxy server was exposed to the Internet and became the target of a ransomware threat actor's RDP scan attack. This kind of practice, if it becomes more common, may complicate threat analysis as it blurs the lines between different attack groups and their intentions. |
6.6.24 | SenSayQ: Emerging Ransomware Group | ALERTS | RANSOM | SenSayQ is an emerging ransomware actor who has recently been observed in the threat landscape. At this time, their modus operandi remains shrouded, but they employ double-extortion tactics, exfiltrating data from companies' environments and encrypting their files. This group uses a Lockbit variant to conduct encryption and it drops ransom notes in most folders ([randomID].README.txt) whose content starts with "---Welcome! Your are locked by SenSayQ!---". Similar to other ransomware actors, victims are pressured to make contact within 72 hours or else their stolen data will be published on the attacker’s website. |
6.6.24 | New Linux variant of the TargetCompany ransomware | ALERTS | RANSOM | A new Linux variant belonging to the TargetCompany (aka Mallox) malware family has been found in the wild. As called out in the recent report published by Trend Micro, the threat group leveraging this latest Linux variant is actively conducting attacks against ESXi environments. The attackers are also using a custom shell script for payload delivery and exfiltration of the victim's information. The malware encrypts user data and appends the .locked extension to the encrypted files. Upon completed encryption, a ransom note in the form of a text file called "HOW TO DECRYPT.txt" is dropped onto the victim's machine. |
6.6.24 | RansomHub Ransomware | ALERTS | RANSOM | In a newly released report, Symantec’s Threat Hunter Team provides an analysis of the highly active RansomHub ransomware and its similarity to the now defunct Knight ransomware. Analysis indicates that the developers of RansomHub are different from those that developed Knight, but based on a significant overlap of code, it's assumed the RansomHub developers likely purchased the Knight source code, which was offered for sale in early 2024. As with others, RansomHub attacks involve vulnerability exploitation and dual-use tools to aid in distribution. |
6.6.24 | Underground Ransomware Remains Active | ALERTS | RANSOM | Over the past year the ransomware actor known as "Underground" has been less active than other groups, yet they remain in the threat landscape and continue to target organizations of various sizes across industries. They are known to generate a lengthy ransom note (!!READ_ME!!.txt) detailing the information that has been exfiltrated. Victims are provided with an ID and a password that allow them to connect with the ransomware group through a website on the TOR network. |
30.5.24 | Zonix Ransomware | ALERTS | RANSOM | Zonix is a recently discovered ransomware variant from the Xorist malware family. The malware encrypts user files and appends the ".ZoN" extension to them. Zonix drops a ransom note as a text file called "HOW TO DECRYPT FILES.txt" and also displays a pop-up window on the desktop demanding 1500 USD in bitcoin for the decryption of the locked files. |
28.5.24 | Embargo Ransomware | ALERTS | RANSOM | Embargo is a new Rust-based ransomware variant identified in the wild. The malware encrypts user files and appends the “.564ba1” extension to them. The ransom note is dropped in the form of a text file called “HOW_TO_RECOVER_FILES.txt”, advising the victims to register on the attackers' portal via the provided onion site link. The threat actors behind this malware have been reported to be employing the double extortion technique by not only encrypting confidential data but also by exfiltrating it and threatening the victims with public release. |
21.5.24 | Chaos Ransomware Lures Gamers with Fake Free Discord Nitro | ALERTS | RANSOM | As the Chaos Ransomware builder is widely available to the public, instances are observed on a daily basis around the world with both consumers and enterprises being targeted. Recently, one actor has been luring consumers, more specifically gamers, with a Chaos Ransomware disguised as a fake free Discord Nitro. Within the ransom note, the actor is hoping to extort compromised users of 0.003 BTC, which is the equivalent of 195 USD at the time of writing. |
21.5.24 | Synapse Ransomware | ALERTS | RANSOM | Synapse is a ransomware written in C that can encrypt local files, files on removable drives, and files stored on network shares, with the capability of propagating to other systems on a network. Encrypted files will have the extension .Synapse added to them. Additionally, a ransom note named [random_string].README.txt is dropped. The ransomware has the capability to collect system information and encryption statistics, and exfiltrate the data to its remote C2 server. Victims are provided with a URL (hosted on the Tor network) as a means of contact. |
15.5.24 | Beast Ransomware and Vidar Infostealer delivered via disguised documents | ALERTS | RANSOM | Documents like copyright violation warnings and resumes were leveraged in a recent campaign to deliver ransomware and infostealer. Initial infection initiates from a phishing email with an external malicious link that if clicked will download a compressed file. Upon decompression, two executable files will be dropped and these are identified as Beast Ransomware and Vidar Infostealer. |
15.5.24 | Trinity Ransomware | ALERTS | RANSOM | According to a recent research published by Cyble, Trinity is a newly identified ransomware variant believed to be an updated version of the “2023Lock” ransomware. The malware encrypts user files and appends “.trinitylock” extension to them. Trinity ransomware has also been reported to share some code base with yet another ransomware variant known as Venus. The threat actors behind Trinity are employing the double extortion techniques by also exfiltrating confidential files and threatening to publicly release them. |
15.5.24 | Black Basta ransomware attacks target the healthcare sector | ALERTS | RANSOM | Symantec Security Response is aware of the recent joint alert from CISA, the FBI, Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC) regarding a number of targeted activities observed for the Black Basta ransomware. This malware variant is known since at least 2022 and has been leveraged in a number of campaigns targeted at critical infrastructure including the Healthcare and Public Health (HPH) sector. Black Basta is ransomware-as-a-service (RaaS) variant mostly distributed via phishing or exploitation of disclosed vulnerabilities. The attackers behind this malware often employ the double extortion model by not only encrypting user files but also by exfiltrating them and threatening with public release of the stolen data. |
9.5.24 | Hunt Ransomware - another Dharma/Crysis variant | ALERTS | RANSOM | Hunt is another Dharma/Crysis ransomware variant discovered recently in the wild. The malware encrypts user files and appends the .hunt extension to them, along with a unique victim ID and the threat actor's email address. The dropped ransom note, in the form of a text file, asks the victims to contact the attackers via the provided email address for further instructions on how to restore the locked files. |
9.5.24 | Shinra Ransomware | ALERTS | RANSOM | Shinra, a recently discovered ransomware variant from the Proton malware family, encrypts files and appends the ".SHINRA3" extension while renaming file names to random strings. A ransom note is dropped as a text file called "#SHINRA-Recovery.txt" containing contact details, typically the attacker's email address. |
9.5.24 | Increase of Lockbit ransomware attacks | ALERTS | RANSOM | Earlier in February this year, the Lockbit ransomware family was targeted in a coordinated disruption operation called "Operation Cronos" that saw multiple members of this ransomware gang arrested, assets seized and a decryption tool released publicly. Despite those efforts, Lockbit still remains active in the threat landscape, and we recently observed a spike in detections related to this ransomware variant. Symantec's Advanced Machine Learning technology played a crucial role in blocking this attack by detecting the malicious emails at the beginning of the attack chain. |
30.4.24 | New DragonForce Ransomware variant | ALERTS | RANSOM | A new variant of ransomware called DragonForce has been observed using a leaked ransomware builder from the LockBit ransomware group. DragonForce Ransomware targets victims with the intent of extortion. The threat actor typically employs a double extortion tactic by locking victims out of their infected machines and exfiltrating data before encryption. If the victims fail to meet the demands imposed, the threat actor releases the data to others via the dark web. |
27.4.24 | KageNoHitobito ransomware | ALERTS | RANSOM | KageNoHitobito ransomware came on the scene in March 2024. This is a no-frills ransomware with basic old-school functionality: it encrypts files (only on the local drive), drops ransom notes, and requires interaction with the attack group via Tor. There are no indications of any data theft or extortion functions. Telemetry shows that this ransomware has been seen in multiple countries across the world. |
22.4.24 | Megazord Ransomware | ALERTS | RANSOM | Megazord ransomware is a Rust-based malware that targets healthcare, education, and government entities. The initial attack vector includes spear-phishing emails as well as exploiting vulnerable services. Tools such as RDP and advanced IP scanners are used for lateral movement. Once compromised, Megazord terminates multiple processes and services, and encrypts local volumes and files. The encrypted files are appended with the “POWERRANGES” extension, and a ransom note, "powerranges.txt" is dropped in each folder containing encrypted files. Victims are instructed to contact the threat actor via the TOX messenger with reference to a unique Telegram channel link provided in the ransom note. Megazord shares multiple code similarities with Akira and is believed to be related to the Akira ransomware. |
20.4.24 | Akira ransomware remains an active threat on the landscape | ALERTS | RANSOM | Symantec Security Response is aware of the recent joint alert from CISA, the FBI, Europol's European Cybercrime Centre (EC3), and the Netherlands' National Cyber Security Centre (NCSC-NL) regarding a number of targeted activities observed for the Akira ransomware. Akira is a ransomware family seen on the threat landscape since at least 2023. |
17.4.24 | Rincrypt Ransomware | ALERTS | RANSOM | Rincrypt is one more run-of-the-mill ransomware variant recently observed on the threat landscape. When executed, it targets files with specific extensions according to a pre-defined list. The malware appends the “.rincrypt” extension to the encrypted files. Once encryption completes, a ransom note file called "READ THIS.txt" is dropped onto the desktop of the infected machine. It contains an email address for the victims to contact for further instructions. |
17.4.24 | Risen Ransomware | ALERTS | RANSOM | A ransomware actor known as "Risen" has been detected in the wild. According to their ransom note ($Risen_Note.txt and $risen_guide.hta), the threat actors appear to employ double-extortion tactics by threatening to sell or leak stolen information if the ransom payment is not made. Encrypted files will have an extension added to them, following this format: [actor's email address, TELEGRAM:actor's ID].random ID. Victims are provided with two email addresses, a Telegram ID, and a blog URL (hosted on the Tor network) as means of contact. |
16.4.24 | L00KUPRU Ransomware | ALERTS | RANSOM | L00KUPRU is a new Xorist ransomware variant recently discovered in the wild. The malware encrypts user files and adds the .L00KUPRU extension to them. The attackers drop a ransom note as a text file called "HOW TO DECRYPT FILES.txt" and demand payment in Bitcoin cryptocurrency. Additionally, the ransom note is displayed in a pop-up window on the desktop, providing the victims with the attackers' contact details as well as a BTC wallet address for payments. |
8.4.24 | TISAK Ransomware | ALERTS | RANSOM | TISAK is a new ransomware variant observed in the wild. The malware appears to be a strain of the Proxima/BlackShadow ransomware family. It encrypts user data and appends the .Tisak extension to the files. Once encryption completes, a ransom note text file called Tisak_Help.txt is dropped within the encrypted locations on the infected machine. The malware has the functionality to stop various system processes and services as well as delete volume shadow copies. The threat actors behind this ransomware variant threaten the victims with data publication if the requested ransom demands are not met. |
8.4.24 | Xray Ransomware | ALERTS | RANSOM | Xray is yet another ransomware actor that has been observed in the threat landscape, targeting companies' servers and clients. Capability-wise, it's a generic ransomware that allows the actor to determine which folders to encrypt and which to skip. Upon successful encryption, files will be appended with a .Xray extension. |
8.4.24 | Play Ransomware - latest attacks against enterprises | ALERTS | RANSOM | Symantec Security Response is aware of the recent CISA, FBI and ASD's ACSC alert regarding a number of recent targeted activities observed for the Play (aka PlayCrypt) ransomware. Play ransomware was discovered in June 2022, and since that time it has been used in multiple high-profile attacks. |
3.4.24 | Napoli Ransomware | ALERTS | RANSOM | Napoli, a variant of Chaos ransomware, has recently been discovered in the wild. The malware encrypts user files, adds the .napoli extension and also changes the desktop wallpaper on the infected endpoints. |
28.3.24 | Qilin ransomware remains an active threat in the landscape | ALERTS | RANSOM | Qilin, also known as Agenda, is a Rust-based ransomware variant discovered in 2022. The malware has been spreading actively in the wild in recent months, with ongoing developments evident in new versions. Qilin is known to be distributed under a Ransomware-as-a-Service (RaaS) model with its operators often employing double extortion tactics. Most recent campaigns utilise custom PowerShell scripts to target vCenter and ESXi instances. |