The Week in Ransomware - June 17th 2022 - Have I Been Ransomed?

Source: https://www.bleepingcomputer.com/

Ransomware operations are constantly evolving their tactics to pressure victims to pay. For example, this week, we saw a new extortion tactic come into play with the creation of dedicated websites to extort victims with searchable data.

The new extortion tactic was introduced by the ALPHV gang, aka BlackCat, who created a searchable, clearweb site that contained the stolen data for employees and hotel guests for a particular victim.

Using this website, employees of the company could search for their names to see if their data was stolen, including Social Security Numbers, phone numbers, etc.

Victim's search data leak site
Source: BleepingComputer

Other interesting news this week was learning that AvosLocker and Cerber2021 are using recent Atlassian Confluence exploits to gain initial access to corporate networks. We also learned that Hello XD ransomware is dropping a 'MicroBackdoor' on devices while encrypting.

Sadly, we also learned of some attacks this week, with RansomHouse extorting Africa's largest supermarket chain, Shoprite, and a California school district paying a $400k ransom to Quantum.

June 11th 2022

Confluence servers hacked to deploy AvosLocker, Cerber2021 ransomware

Ransomware gangs are now targeting a recently patched and actively exploited remote code execution (RCE) vulnerability affecting Atlassian Confluence Server and Data Center instances for initial access to corporate networks.

New STOP ransomware variant

PCrisk found a new STOP ransomware variant that appends the .bbii extension.

June 12th 2022

Hello XD ransomware now drops a backdoor while encrypting

Cybersecurity researchers report increased activity of the Hello XD ransomware, whose operators are now deploying an upgraded sample featuring stronger encryption.

June 13th 2022

New Chaos ransomware variant

PCrisk found a new Chaos ransomware variant that calls itself Ritzer Ransomware. The ransomware appends the .ritzer extension and drops a ransom note named read_it.txt.

New Venus ransomware variant

Amigo-A found a new Venus ransomware variant that appends the .anigma extension and drops a ransom note named README.txt.

June 14th 2022

New Phobos ransomware variant

PCrisk found a new Phobos ransomware variant that appends the .LIZARD extension and drops ransom notes named info.txt and info.hta.

Ransomware gang creates site for employees to search for their stolen data

The ALPHV ransomware gang, aka BlackCat, has brought extortion to a new level by creating a dedicated website that allows the customers and employees of their victim to check if their data was stolen in an attack.

New Sheeva ransomware

PCrisk found a ransomware that appends the .sheeva extension and drops a ransom note named sheeva.txt.

June 15th 2022

Extortion gang ransoms Shoprite, largest supermarket chain in Africa

Shoprite Holdings, Africa's largest supermarket chain, which operates almost three thousand stores across twelve countries on the continent, has been hit by a ransomware attack.

Glenn County Office of Education paid $400k ransom after ransomware attack

That situation apparently changed at some point thereafter because on June 7, GlennCOE paid a $400,000 ransom to Quantum threat actors to get a decryption key and certain assurances.

June 16th 2022

Microsoft Office 365 feature can help cloud ransomware attacks

Security researchers are warning that threat actors could hijack Office 365 accounts to encrypt for a ransom the files stored in SharePoint and OneDrive services that companies use for cloud-based collaboration, document management and storage.

June 17th 2022

QNAP 'thoroughly investigating' new DeadBolt ransomware attacks

Network-attached storage (NAS) vendor QNAP once again warned customers on Friday to secure their devices against a new campaign of attacks pushing DeadBolt ransomware.

New Phobos ransomware variant

PCrisk found a new Phobos ransomware variant that appends the .grt extension and drops ransom notes named info.txt and info.hta.
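As an added defender-side example that is not part of the BleepingComputer article, the following Python script turns the variant indicators listed in this week's entries (the appended extension plus the ransom-note file names) into a simple triage check over a file listing. The sample paths and the variant labels are constructed assumptions; the extensions and note names come from the entries above.

```python
import ntpath
from collections import defaultdict

# Indicators taken from this digest: the extension each variant appends and the
# ransom-note file names it drops. Names are compared case-insensitively.
VARIANT_INDICATORS = {
    "STOP (.bbii)":     (".bbii",   ()),
    "Chaos/Ritzer":     (".ritzer", ("read_it.txt",)),
    "Venus (.anigma)":  (".anigma", ("readme.txt",)),
    "Phobos (.LIZARD)": (".lizard", ("info.txt", "info.hta")),
    "Sheeva":           (".sheeva", ("sheeva.txt",)),
    "Phobos (.grt)":    (".grt",    ("info.txt", "info.hta")),
}

def scan_listing(paths):
    """Group hits by (variant, directory).

    A finding is emitted only for directories that hold at least one file with
    the variant's extension; note names such as README.txt or info.txt are too
    generic to alert on alone, so they are recorded as corroboration only.
    """
    encrypted = defaultdict(int)   # (variant, dir) -> count of renamed files
    notes = defaultdict(set)       # (variant, dir) -> note names seen
    for path in paths:
        directory, name = ntpath.dirname(path), ntpath.basename(path).lower()
        for variant, (ext, note_names) in VARIANT_INDICATORS.items():
            if name.endswith(ext):
                encrypted[(variant, directory)] += 1
            elif name in note_names:
                notes[(variant, directory)].add(name)
    return {
        key: {"encrypted": count, "notes": sorted(notes.get(key, ()))}
        for key, count in encrypted.items()
    }

# Constructed sample listing (not from the article): one Ritzer-hit folder,
# one Phobos .LIZARD folder, and a benign README.txt that must not alert.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.ritzer",
    r"C:\Users\alice\Documents\plan.docx.ritzer",
    r"C:\Users\alice\Documents\read_it.txt",
    r"C:\Shared\project\README.txt",
    r"C:\Shared\hr\payroll.pdf.LIZARD",
    r"C:\Shared\hr\info.hta",
    r"C:\Shared\hr\info.txt",
    r"C:\Users\bob\notes.txt",
]

if __name__ == "__main__":
    for (variant, directory), hit in scan_listing(SAMPLE_LISTING).items():
        print(f"{variant:17} {directory}: {hit['encrypted']} renamed, notes={hit['notes']}")
```

Because info.txt and info.hta are shared by both Phobos variants, only the variant whose extension is actually present in the folder is reported.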