Ransomware News 2021 June
6.2021 | New Spyro Ransomware | Amigo-A found the new Spyro Ransomware that appends the .Spyro extension and drops the Decrypt-info.txt ransom note. | |
6.2021 | New STOP Ransomware variant | PCrisk found a new STOP ransomware variant that appends the .ddsg extension. | |
6.2021 | What We Can Learn From Ransomware Actor "Security Reports" | Luckily, some threat actors are more forthcoming. What follows are several case studies from real ransomware negotiations in which the threat actor provided granular details on the full attack lifecycle, including usernames and passwords of compromised accounts and the specific CVEs leveraged to gain entry. Please note that these reports have not been edited or spell-checked and that we redacted identifying information. Additionally, the tactics described by the threat actors herein were validated following thorough forensic investigation. | |
6.2021 | Binance exchange helped track down Clop ransomware money launderers | Cryptocurrency exchange service Binance played an important part in the recent arrests of Clop ransomware group members, helping law enforcement in their effort to identify, and ultimately detain the suspects. | |
6.2021 | Ransomware: Growing Number of Attackers Using Virtual Machines | Symantec has found evidence that an increasing number of ransomware attackers are using virtual machines (VMs) in order to run their ransomware payloads on compromised computers. The motivation behind the tactic is stealth. In order to avoid raising suspicions or triggering antivirus software, the ransomware payload will “hide” within a VM while encrypting files on the host computer. | |
6.2021 | New Dharma Ransomware variant | Jakub Kroustek found new Dharma Ransomware variants that append the .nmc or .ZEUS extension to encrypted files. | |
6.2021 | PYSA ransomware backdoors education orgs using ChaChi malware | The PYSA ransomware gang has been using a remote access Trojan (RAT) dubbed ChaChi to backdoor the systems of healthcare and education organizations and steal data that later gets leveraged in double extortion ransom schemes. | |
6.2021 | Tulsa warns of data breach after Conti ransomware leaks police citation | The City of Tulsa, Oklahoma, is warning residents that their personal data may have been exposed after a ransomware gang published police citations online. | |
6.2021 | Clop ransomware is back in business after recent arrests | The Clop ransomware operation is back in business after recent arrests and has begun listing new victims on their data leak site again. | |
6.2021 | New Rapid Ransomware variant | dnwls0719 found a new variant of the Rapid ransomware that appends the .snoopdog extension. | |
6.2021 | Healthcare giant Grupo Fleury hit by REvil ransomware attack | Brazilian medical diagnostic company Grupo Fleury has suffered a ransomware attack that has disrupted business operations after the company took its systems offline. | |
6.2021 | Mysterious ransomware payment traced to a sensual massage site | A ransomware targeting an Israeli company has led researchers to track a portion of a ransom payment to a website promoting sensual massages. | |
6.2021 | ADATA suffers 700 GB data leak in Ragnar Locker ransomware attack | The Ragnar Locker ransomware gang have published download links for more than 700GB of archived data stolen from Taiwanese memory and storage chip maker ADATA. | |
6.2021 | Data leak marketplace pressures victims by emailing competitors | The Marketo data theft marketplace is applying maximum pressure on victims by emailing their competitors and offering sample packs of the stolen data. | |
6.2021 | New ransomware targeting WD NAS devices | Amigo-A found a new ransomware called 0XXX that encrypts Western Digital NAS devices, appends the .0xxx extension and drops a ransom note named !0XXX_DECRYPTION_README.TXT. | |
6.2021 | New APIS Wiper | GrujaRS found a wiper that pretends to be the APIS ransomware. | |
6.2021 | New STOP Ransomware variant | LittleRedBean found a new STOP ransomware variant that appends the .sspq extension to encrypted files. | |
6.2021 | New STOP Ransomware variant | GrujaRS found a new STOP ransomware variant that appends the .iqll extension to encrypted files. | |
6.2021 | LockBit RaaS In-Depth Analysis | The PRODAFT Threat Intelligence (PTI) Team has published this report to provide in-depth knowledge about the threat actors who operate LockBit ransomware. The PTI Team has managed to extract decryption tools for most of the victims who were affected by LockBit. All affiliates of the ransomware group, including the developer, were also identified during the PTI Team's investigation. This report answers questions such as: How do they select their targets? How many targets did they breach? How does the network operate? Who are the affiliates? | |
6.2021 | Fake DarkSide gang targets energy, food industry in extortion emails | Threat actors impersonate the now-defunct DarkSide Ransomware operation in fake extortion emails sent to companies in the energy and food sectors. | |
6.2021 | Carnival Cruise hit by data breach, warns of data misuse risk | In December 2020, Carnival was hit by a second (previously undisclosed) ransomware attack with "investigation and remediation phases" still ongoing, according to a 10-Q form filed with the SEC in April 2021. | |
6.2021 | SCOOP: UnitingCare paid hundreds of thousands of dollars to REvil for decryption key and deletion of files | On April 25, UnitingCare Queensland (UCQ) was the victim of a ransomware attack that impacted multiple Queensland hospitals and aged care centres. The next day, they posted a notice on their web site informing people as to what was happening and its impact. And on May 5, they posted a second update where they revealed that it was REvil (Sodinokibi) threat actors who had attacked them. That update described steps they had taken since the incident to safely recover and restore services. | |
6.2021 | MA: UMass Lowell closed due to cybersecurity incident | The University of Massachusetts Lowell (UMass Lowell) has suffered a cybersecurity breach that has caused school closures for the past two days. The incident was first announced on June 15 as an “IT outage”. | |
6.2021 | South Korean police arrest computer repairmen who made and distributed ransomware | South Korean authorities have filed charges today against nine employees of a local computer repair company for creating and installing ransomware on their customers’ computers. | |
6.2021 | Ukraine arrests Clop ransomware gang members, seizes servers | Ukrainian law enforcement arrested cybercriminals associated with the Clop ransomware gang and shut down infrastructure used in attacks targeting victims worldwide since at least 2019. | |
6.2021 | Hades Ransomware Operators Use Distinctive Tactics and Infrastructure | Hades ransomware has been on the scene since December 2020, but there has been limited public reporting on the threat group that operates it. Secureworks® incident response (IR) engagements in the first quarter of 2021 provided Secureworks Counter Threat Unit™ (CTU) researchers with unique insight into the group’s use of distinctive tactics, techniques, and procedures (TTPs). | |
6.2021 | Updated Avaddon decryptor released | Emsisoft released an updated Avaddon decryptor to support more victims. | |
6.2021 | Paradise Ransomware source code released on a hacking forum | The complete source code for the Paradise Ransomware has been released on a hacking forum allowing any would-be cyber criminal to develop their own customized ransomware operation. | |
6.2021 | Avaddon ransomware's exit sheds light on victim landscape | A new report analyzes the recently released Avaddon ransomware decryption keys to shed light on the types of victims targeted by the threat actors and potential revenue they generated throughout their operation. | |
6.2021 | Theoretically untouchable, but still struck down with Avaddon | The reasons for Avaddon's disappearance are not known at this point. Perhaps the international pressure had become too strong for the operators. Or perhaps some mistakes had begun to show a little too clearly. | |
6.2021 | Fujifilm resumes normal operations after ransomware attack | Japanese multinational conglomerate Fujifilm says that it has resumed normal business and customer operations following a ransomware attack that forced it to shut the entire network on June 4. | |
6.2021 | G7 leaders ask Russia to hunt down ransomware gangs within its borders | G7 (Group of 7) leaders have asked Russia to urgently disrupt ransomware gangs believed to be operating within its borders, following a stream of attacks targeting organizations from critical sectors worldwide. | |
6.2021 | REvil ransomware hits US nuclear weapons contractor | US nuclear weapons contractor Sol Oriens has suffered a cyberattack allegedly at the hands of the REvil ransomware gang, which claims to be auctioning data stolen during the attack. | |
6.2021 | Negotiating Ransoms: When to Play and When to Fold | An interview with the CEO of Coveware, which negotiates payments on behalf of ransomware victims. | |
6.2021 | Ransomware attack hit Teamsters in 2019 — but they refused to pay | When the Teamsters were hit by a ransomware attack over Labor Day weekend in 2019, the hackers asked for a seven-figure payment. | |
6.2021 | Relentless REvil, revealed: RaaS as variable as the criminals who use i | One of the ransomware-as-a-service (RaaS) operations we encounter most frequently, known alternately as Sodinokibi or REvil, is as conventional a ransomware as we’ve seen: its routines, configuration, and behavior are what we’ve come to expect from a mature family that is, obviously, well used in the criminal underground. | |
6.2021 | Avaddon ransomware shuts down and releases decryption keys | The Avaddon ransomware gang has shut down operation and released the decryption keys for their victims to BleepingComputer.com. | |
6.2021 | New Anubis ransomware variant | xiaopao found a new Anubis ransomware variant that appends the .ChupaCabra extension. | |
6.2021 | New Vice Society ransomware | Michael Gillespie found a new Vice Society ransomware that appends the .v-society extension when encrypting Linux machines. It appears to be a spin-off of HelloKitty. | |
6.2021 | Foodservice supplier Edward Don hit by a ransomware attack | Foodservice supplier Edward Don has suffered a ransomware attack that has caused the company to shut down portions of the network to prevent the attack's spread. | |
6.2021 | CD Projekt: Data stolen in ransomware attack now circulating online | CD Projekt is warning today that internal data stolen during their February ransomware attack is circulating on the Internet. | |
6.2021 | JBS paid $11 million to REvil ransomware, $22.5M first demanded | JBS, the world's largest beef producer, has confirmed that they paid an $11 million ransom after the REvil ransomware operation initially demanded $22.5 million. | |
6.2021 | New Ryuk impersonator | Security Joes found a .NET Ryuk impersonator that can be customized with a ransomware builder. | |
6.2021 | New HimalayA Ransomware-as-a-Service | RAKESH KRISHNAN found a new RaaS named HimalayA advertised on the darkweb. | |
6.2021 | Computer memory maker ADATA hit by Ragnar Locker ransomware | Taiwan-based leading memory and storage manufacturer ADATA says that a ransomware attack forced it to take systems offline after hitting its network in late May. | |
6.2021 | Fujifilm refuses to pay ransomware demand, restores network from backups | Japanese multinational conglomerate Fujifilm said it has refused to pay a ransom demand to the cyber gang that attacked its network in Japan last week and is instead relying on backups to restore operations. | |
6.2021 | US recovers most of Colonial Pipeline's $4.4M ransomware payment | The US Department of Justice has recovered the majority of the $4.4 million ransom payment paid by Colonial Pipeline to the DarkSide ransomware operation. | |
6.2021 | New ransomware hunt | Michael Gillespie is looking for a ransomware that appends the .ramsome.encrypt(rsw).nat extension and drops a note named readme-instructions.txt. The ransomware turns files into password-protected RAR archives. | |
6.2021 | New Findnotefile ransomware | Jirehlov Solace found a new Findnotefile ransomware variant that appends the .reddot extension. | |
6.2021 | New Evil Corp ransomware mimics PayloadBin gang to evade US sanctions | The new PayloadBIN ransomware has been attributed to the Evil Corp cybercrime gang, rebranding to evade sanctions imposed by the US Treasury Department's Office of Foreign Assets Control (OFAC). | |
6.2021 | New variant of the BigLock ransomware | dnwls0719 found a new variant of the BigLock ransomware that appends the .nermer extension and drops a ransom note named PROTECT_INFO.TXT. | |