Ransomware News 2021 July
7.2021 | DoppelPaymer ransomware gang rebrands as the Grief group | After a period of little to no activity, the DoppelPaymer ransomware operation has made a rebranding move, now going by the name Grief (a.k.a. Pay or Grief). | |
7.2021 | A Recap Of Events And Lessons Learned During The Kaseya Vsa Supply Chain Attack | Now that a decryption key is available and we seem to be on the downward slope of the rollercoaster, we have an opportunity to look back and capture some important lessons and learnings that can help this industry try to combat these threats more effectively. | |
7.2021 | New STOP Ransomware variants | PCrisk found new STOP ransomware variants that append the .aeur and .guer extensions. | |
7.2021 | Coalition's cyberinsurance claims report is out | The cyber attack landscape evolved significantly in 2021 with the emergence of new ransomware variants, the increasing dangers of supply chain attacks, and the continued risks of staying secure while working remotely. | |
7.2021 | Babuk: Biting off More than they Could Chew by Aiming to Encrypt VM and *nix Systems? | Our worst fears were confirmed when Babuk announced on an underground forum that it was developing a cross-platform binary aimed at Linux/UNIX and ESXi or VMware systems. Many core backend systems in companies are running on these *nix operating systems or, in the case of virtualization, think about the ESXi hosting several servers or the virtual desktop environment. | |
7.2021 | New Russian-Speaking Forum – A New Place for RaaS? | A new Russian-speaking forum called RAMP was launched in July 2021 and received much attention from researchers and cybercrime actors. The forum emerged at the domain that previously hosted the Babuk ransomware data leak site and later the Payload.bin leak site. KELA researched the contents of the new site and assessed its chances to succeed. | |
7.2021 | Synack rebrands as El_Cometa | Catalin Cimpanu was told that the Synack ransomware has rebranded under the name El_Cometa. | |
7.2021 | Biden: Severe cyberattacks could escalate to 'real shooting war' | President Joe Biden warned that cyberattacks leading to severe security breaches could lead to a "real shooting war" with another major world power. | |
7.2021 | New US security memorandum bolsters critical infrastructure cybersecurity | US President Joe Biden today issued a national security memorandum designed to help strengthen the security of critical infrastructure by setting baseline performance goals for critical infrastructure owners and operators. | |
7.2021 | Threat actors patch REvil ransomware | REvil ransomware continues to be active, but this time in the form of patched executables. | |
7.2021 | Some backstory about Babuk ransomware | I shared some of the backstory behind the split of Babuk ransomware after the attack on the Metropolitan Police Department. | |
7.2021 | LockBit ransomware now encrypts Windows domains using group policies | A new version of the LockBit 2.0 ransomware has been found that automates the encryption of a Windows domain using Active Directory group policies. | |
7.2021 | No More Ransom saves almost €1 billion in ransomware payments in 5 years | The No More Ransom project celebrates its fifth anniversary today after helping over six million ransomware victims recover their files and saving them almost €1 billion in ransomware payments. | |
7.2021 | New JCrypt ransomware variant | dnwls0719 found a new JCrypt variant called 'FancyLocker' that appends the .FancyLeaks extension to encrypted files. | |
7.2021 | New Dharma Ransomware variants | Jakub Kroustek found new Dharma ransomware variants that append the .mnc and .ZEUS extensions to encrypted files. | |
7.2021 | Kaseya obtains universal decryptor for REvil ransomware victims | Kaseya received a universal decryptor that allows victims of the July 2nd REvil ransomware attack to recover their files for free. | |
7.2021 | Ransomware gang breached CNA’s network via fake browser update | Leading US insurance company CNA Financial has provided a glimpse into how Phoenix CryptoLocker operators breached its network, stole data, and deployed ransomware payloads in a ransomware attack that hit its network in March 2021. | |
7.2021 | New Dharma Ransomware variants | PCrisk found new Dharma ransomware variants that append the .myday and .grej extensions to encrypted files. | |
7.2021 | New Scarab Ransomware variant | dnwls0719 found a new Scarab variant that appends the .Imshifau extension. | |
7.2021 | Ransomware attack on Israeli IT company impacts more than 100 customers, including hospitals | Shahaf reports that Pionet, which is owned by Malam Tim, suffered a ransomware attack that has paralyzed many of the company’s systems and the sites of more than a hundred of the company’s customers, including Assuta, Rambam, Hadassah, Budget Car Rental Company, Sonol Fuel Company, and Apple importer Idigital. Idigital’s customers include the Israel Electric Corporation and Israel Railways. | |
7.2021 | New ransomware discovered | QVM360 found a new ransomware that appends the .zip extension. | |
7.2021 | New STOP Ransomware variant | PCrisk found a new STOP ransomware variant that appends the .moqs extension to encrypted files. | |
7.2021 | Ransomware incident at major cloud provider disrupts real estate, title industry | A ransomware incident at Cloudstar, a cloud hosting service and managed service provider for several industry sectors, has disrupted the activities of hundreds of companies. | |
7.2021 | US and allies officially accuse China of Microsoft Exchange attacks | US and allies, including the European Union, the United Kingdom, and NATO, are officially blaming China for this year's widespread Microsoft Exchange hacking campaign. | |
7.2021 | Ransomware hits law firm counseling Fortune 500, Global 500 companies | Campbell Conroy & O'Neil, P.C. (Campbell), a US law firm counseling dozens of Fortune 500 and Global 500 companies, has disclosed a data breach following a February 2021 ransomware attack. | |
7.2021 | Comparis customers targeted by scammers after ransomware attack | Leading Swiss price comparison platform Comparis has notified customers of a data breach following a ransomware attack that hit and took down its entire network last week. | |
7.2021 | HelloKitty ransomware is targeting vulnerable SonicWall devices | CISA warns of threat actors targeting "a known, previously patched, vulnerability" found in SonicWall Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products with end-of-life firmware. | |
7.2021 | Ecuador's state-run CNT telco hit by RansomEXX ransomware | Ecuador's state-run Corporación Nacional de Telecomunicación (CNT) has suffered a ransomware attack that has disrupted business operations, the payment portal, and customer support. | |
7.2021 | Kaseya victim struggling with decryption after REvil goes dark | Many victims of the Kaseya ransomware attack are still in the process of recovering but one victim is facing a particularly difficult issue. | |
7.2021 | US govt offers $10 million reward for tips on nation-state hackers | The United States government has taken two more active measures to fight and defend against malicious cyber activities affecting the country’s business and critical infrastructure sectors. | |
7.2021 | New AvosLocker ransomware launches a data leak site | Artilllerie noted that the AvosLocker ransomware launched a data leak site. | |
7.2021 | AvosLocker Under The Lens: A New Sophisticated Ransomware Group | During our routine Open-source Intelligence (OSINT) research, we came across a new ransomware group named AvosLocker. It is a malicious program that infects Windows machines to encrypt the victim's document files and demands a ransom as part of its extortion program. AvosLocker appends the .avos extension to encrypted files and forces victims to pay a ransom for the decryption tool needed to recover their data. The AvosLocker ransomware group uses spam email campaigns or untrustworthy advertisements as the primary delivery mechanisms for the malware. It uses a customized Advanced Encryption Standard (AES) with block size 256 to encrypt the data. | |
7.2021 | Mespinoza Ransomware Gang Calls Victims “Partners,” Attacks with Gasket, "MagicSocks" Tools | As cyber extortion flourishes, ransomware gangs are constantly changing tactics and business models to increase the chances that victims will pay increasingly large ransoms. As these criminal organizations become more sophisticated, they are increasingly taking on the appearance of professional enterprises. One good example is Mespinoza ransomware, which is run by a prolific group with a penchant for using whimsical terms to name its hacking tools. | |
7.2021 | New Dharma ransomware variants | PCrisk found new Dharma ransomware variants that append the .OFF and .pause extensions. | |
7.2021 | Linux version of HelloKitty ransomware targets VMware ESXi servers | The ransomware gang behind the highly publicized attack on CD Projekt Red uses a Linux variant that targets VMware's ESXi virtual machine platform for maximum damage. | |
7.2021 | New Dharma ransomware variant | PCrisk found a new Dharma ransomware variant that appends the .PcS extension. | |
7.2021 | SonicWall warns of 'critical' ransomware risk to EOL SMA 100 VPN appliances | SonicWall has issued an "urgent security notice" warning customers of ransomware attacks targeting unpatched end-of-life (EoL) Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products. | |
7.2021 | New STOP Djvu ransomware variant | PCrisk found a new STOP ransomware variant that appends the .gujd extension. | |
7.2021 | REvil ransomware gang's web sites mysteriously shut down | The infrastructure and websites for the REvil ransomware operation have mysteriously gone offline as of last night. | |
7.2021 | Interpol urges police to unite against 'potential ransomware pandemic' | Interpol (International Criminal Police Organisation) Secretary General Jürgen Stock urged police agencies and industry partners to work together to prevent what looks like a future ransomware pandemic. | |
7.2021 | Fashion retailer Guess discloses data breach after ransomware attack | American fashion brand and retailer Guess is notifying affected customers of a data breach following a February ransomware attack that led to data theft. | |
7.2021 | Kaseya patches VSA vulnerabilities used in REvil ransomware attack | Kaseya has released a security update for the VSA zero-day vulnerabilities used by the REvil ransomware gang to attack MSPs and their customers. | |
7.2021 | New STOP Djvu ransomware variant | PCrisk found a new STOP ransomware variant that appends the .wwka extension. | |
7.2021 | New Phobos ransomware variant | dnwls0719 found a new Phobos Ransomware variant that appends the .LOWPRICE extension to encrypted files. | |
7.2021 | Biden asks Putin to crack down on Russian-based ransomware gangs | President Biden asked Russian President Putin during a phone call today to disrupt ransomware groups operating within Russia's borders behind the ongoing wave of attacks impacting the United States and other countries worldwide. | |
7.2021 | Insurance giant CNA reports data breach after ransomware attack | CNA Financial Corporation, a leading US-based insurance company, is notifying customers of a data breach following a Phoenix CryptoLocker ransomware attack that hit its systems in March. | |
7.2021 | Kaseya warns of phishing campaign pushing fake security updates | Kaseya has warned customers that an ongoing phishing campaign attempts to breach their networks by spamming emails bundling malicious attachments and embedded links posing as legitimate VSA security updates. | |
7.2021 | New ransomware hunt | Michael Gillespie is looking for a new ransomware that appends the extension .nohope and drops a ransom note named NOHOPE_README.txt. | |
7.2021 | New Ransomwarewhere site launched | Jack Cable launched a ransom payment tracking site called Ransomwarewhere. | |
7.2021 | REvil victims are refusing to pay after flawed Kaseya ransomware attack | The REvil ransomware gang's attack on MSPs and their customers last week outwardly should have been successful, yet changes in their typical tactics and procedures have led to few ransom payments. | |
7.2021 | ‘Barely able to keep up’: America's cyberwarriors are spread thin by attacks | Charles Carmakal has a problem: Ransomware has become so prolific that he has too much business. | |
7.2021 | Morgan Stanley reports data breach after vendor Accellion hack | Investment banking firm Morgan Stanley has reported a data breach after attackers stole personal information belonging to its customers by hacking into the Accellion FTA server of a third-party vendor. | |
7.2021 | Conti Unpacked: Understanding Ransomware Development As a Response to Detection | Not yet two years old and already in its seventh iteration, the Ransomware-as-a-Service variant Conti has proven to be an agile and adept malware threat, capable of both autonomous and guided operation and with unparalleled encryption speed. As of June 2021, Conti’s unique feature set has helped its affiliates extort several million dollars from over 400 organizations. | |
7.2021 | New STOP Djvu ransomware variant | PCrisk found a new STOP ransomware variant that appends the .zzla extension. | |
7.2021 | Fake Kaseya VSA security update backdoors networks with Cobalt Strike | Threat actors are trying to capitalize on the ongoing Kaseya ransomware attack crisis by targeting potential victims in a spam campaign pushing Cobalt Strike payloads disguised as Kaseya VSA security updates. | |
7.2021 | Ransomware statistics for 2021: Q2 report | The second quarter of 2021 marked the biggest ransomware attack on U.S. infrastructure to date. On May 7, The Colonial Pipeline Company, which operates the largest pipeline system for refined oil products in the United States, was infected with DarkSide ransomware. The attack resulted in a six-day shutdown that was only resolved when Colonial Pipeline paid the $4.4 million ransom – a decision that CEO Joseph Blount described as “the right thing to do for our country.” | |
7.2021 | Kaseya: Roughly 1,500 businesses hit by REvil ransomware attack | Kaseya says the REvil supply-chain ransomware attack breached the systems of roughly 60 of its direct customers using the company's VSA on-premises product. | |
7.2021 | US warns of action against ransomware gangs if Russia refuses | White House Press Secretary Jen Psaki says that the US will take action against cybercriminal groups from Russia if the Russian government refuses to do so. | |
7.2021 | New STOP Djvu ransomware variants | PCrisk found new STOP ransomware variants that append the .zqqw and .pooe extensions. | |
7.2021 | CISA, FBI share guidance for victims of Kaseya ransomware attack | CISA and the Federal Bureau of Investigation (FBI) have shared guidance for managed service providers (MSPs) and their customers impacted by the REvil supply-chain ransomware attack that hit the systems of Kaseya's cloud-based MSP platform. | |
7.2021 | REvil ransomware asks $70 million to decrypt all Kaseya attack victims | REvil ransomware has set a price for decrypting all systems locked during the Kaseya supply-chain attack. The gang wants $70 million in Bitcoin for the tool that allows all affected businesses to recover their files. | |
7.2021 | New AvosLocker RaaS | Toffee saw a new RaaS called AvosLocker being promoted on a hacker forum. It appends the .avos extension to encrypted files and drops the GET_YOUR_FILES_BACK.txt ransom note. | |
7.2021 | REvil is increasing ransoms for Kaseya ransomware attack victims | The REvil ransomware gang is increasing the ransom demands for victims encrypted during Friday's Kaseya ransomware attack. | |
7.2021 | Kaseya was fixing zero-day just as REvil ransomware sprung their attack | The zero-day vulnerability used to breach on-premise Kaseya VSA servers was in the process of being fixed, just as the REvil ransomware gang used it to perform a massive Friday attack. | |
7.2021 | Kaseya supply-chain attack: What we know so far | Just when we were getting over the SolarWinds supply-chain attack, we see Kaseya IT management software, commonly used in Managed Service Provider (MSP) environments, hit by another in a series of supply-chain hacks. As with the SolarWinds incident, this latest attack uses a two-step malware delivery process sliding through the back door of tech environments. Unlike SolarWinds, the cybercriminals behind this attack apparently had monetary gain rather than cyberespionage in their sights, eventually planting ransomware while exploiting the trust relationship between Kaseya and its customers. | |
7.2021 | REvil ransomware hits 200 companies in MSP supply-chain attack | A massive REvil ransomware attack affects multiple managed service providers and their clients through a reported Kaseya supply-chain attack. | |
7.2021 | US insurance giant AJG reports data breach after ransomware attack | Arthur J. Gallagher (AJG), a US-based global insurance brokerage and risk management firm, is mailing breach notification letters to potentially impacted individuals following a ransomware attack that hit its systems in late September. | |
7.2021 | Babuk Ransomware, if you Hit and Run do not leave a trace | On the server, we saw a weird directory that we started to check. After the scan, we were able to see that the onion website is full of active chat sessions. In the active sessions, we can view all conversations between the Babuk ransomware group and the victims. The sessions basically get you inside the “Chat Conversation Page” with all the history chats, which gives us an inside look into the negotiation process. | |
7.2021 | Babuk ransomware is back, uses new version on corporate networks | After announcing their exit from the ransomware business in favor of data theft extortion, the Babuk gang appears to have slipped back into their old habit of encrypting corporate networks. | |
7.2021 | Trickbot cybercrime group linked to new Diavol ransomware | FortiGuard Labs security researchers have linked a new ransomware strain dubbed Diavol to Wizard Spider, the cybercrime group behind the Trickbot botnet. | |
7.2021 | REvil Twins: Deep Dive into Prolific RaaS Affiliates' TTPs | In this blog post, we would like to focus on one of the most active ransomware collectives, REvil, and their RaaS program, which attracts more and more affiliates due to the shutdown of other RaaS. Group-IB's DFIR experts took a deep dive into the modus operandi of REvil affiliates and shared some information on various affiliates' tactics, techniques and procedures observed, so defenders can tune their detection capabilities accordingly. | |
7.2021 | Leaked Babuk Locker ransomware builder used in new attacks | A leaked tool used by the Babuk Locker operation to create custom ransomware executables is now being used by another threat actor in a very active campaign targeting victims worldwide. | |
7.2021 | CISA releases new ransomware self-assessment security audit tool | The US Cybersecurity and Infrastructure Security Agency (CISA) has released the Ransomware Readiness Assessment (RRA), a new module for its Cyber Security Evaluation Tool (CSET). | |
7.2021 | New STOP Djvu ransomware variants | PCrisk found new STOP Djvu ransomware variants that append the .miis, .neer, and .leex extensions. | |
7.2021 | Lorenz ransomware decryptor recovers victims' files for free | Dutch cybersecurity firm Tesorion has released a free decryptor for the Lorenz ransomware, allowing victims to recover some of their files for free without paying a ransom. | |
7.2021 | HADES ransomware operators continue attacks | Accenture Security assesses with a moderate-to-high level of confidence that a previously reported unknown threat group is now using multiple ransomware variants in cybercrime operations that have impacted at least seven (7) victims. | |
7.2021 | REvil ransomware's new Linux encryptor targets ESXi virtual machines | The REvil ransomware operation is now using a Linux encryptor that targets and encrypts VMware ESXi virtual machines. | |
7.2021 | Ransomware gangs now creating websites to recruit affiliates | Ever since two prominent Russian-speaking cybercrime forums banned ransomware-related topics, criminal operations have been forced to promote their services through alternative methods. | |
7.2021 | Babuk ransomware builder leaked | Kevin Beaumont found that the ransomware builder for the Babuk Ransomware was uploaded to VirusTotal. | |
7.2021 | New Hive Ransomware | dnwls0719 found a sample of the Hive Ransomware that appends the .hive extension to encrypted files. | |