Ransomware News 2021 January
31.1.21 | New Dharma Ransomware variant | Ravi found a new Dharma ransomware variant that appends the .NOV extension to encrypted files. | |
31.1.21 | New WormLocker ransomware variant | xiaopao found the new WormLocker ransomware that does not append an extension to encrypted files. | |
31.1.21 | New Paradise ransomware variant | xiaopao found new Paradise ransomware variant that appends the .Cukiesi extension to encrypted files. | |
31.1.21 | Vovalex is likely the first ransomware written in D | A new ransomware called Vovalex is being distributed through fake pirated software that impersonates popular Windows utilities, such as CCleaner. | |
31.1.21 | DarkSide updates list of orgs they won't attack | The DarkSide ransomware operation issued a new "press release" stating that they will no longer attack certain organizations. | |
31.1.21 | New POLA STOP ransomware variant | Amigo-A found a new variant of the STOP Ransomware that appends the .pola extension to encrypted files. | |
31.1.21 | New Egalyty RaaS | Rakesh Krishnan found a new Ransomware-as-a-Service called Egalyty that is based on Ranion. | |
31.1.21 | New Namaste Ransomware | Petrovic found a new ransomware named Namaste that appends the ._enc extension to encrypted files. | |
31.1.21 | US charges NetWalker ransomware affiliate, seizes ransom payments | The U.S. Justice Department announced today the disruption of the Netwalker ransomware operation and the indictment of a Canadian national for alleged involvement in the file-encrypting extortion attacks. | |
31.1.21 | Netwalker ransomware dark web sites seized by law enforcement | The dark web websites associated with the Netwalker ransomware operation have been seized by law enforcement from the USA and Bulgaria. | |
31.1.21 | Europol: Emotet malware will uninstall itself on April 25th | Law enforcement has started to distribute an Emotet module to infected devices that will uninstall the malware on April 25th, 2021. | |
31.1.21 | New Xorist ransomware variants | xiaopao found new Xorist ransomware variants that append the .zaplat.za klic 2021 and .EnCryp13d extensions. | |
31.1.21 | New Xorist ransomware variant | xiaopao found a new Xorist Ransomware variant that appends the .CryptPethya extension. | |
31.1.21 | Pan-Asian retail giant Dairy Farm suffers REvil ransomware attack | Massive pan-Asian retail chain operator Dairy Farm Group was attacked this month by the REvil ransomware operation. The attackers claim to have demanded a $30 million ransom. | |
31.1.21 | New Xorist ransomware variants | xiaopao found new Xorist Ransomware variants that append the .@LyDarkr and .ZoToN extensions. | |
31.1.21 | New JohnBorn Ransomware | Amigo-A found a new JohnBorn Ransomware that appends the .johnborn@cock_li extension and drops a ransom note named RecoveryInstructions.txt. | |
31.1.21 | The Nemty affiliate model | Almost a year after the end of the operations of the Nemty ransomware, we are presenting some internal details of their operations between 2019 and 2020 in order to document the business model and the actors that evolved around that group. | |
31.1.21 | Leading crane maker Palfinger hit in global cyberattack | Leading crane and lifting manufacturer Palfinger is targeted in an ongoing cyberattack that has disrupted IT systems and business operations. | |
31.1.21 | Ransomware gang taunts IObit with repeated forum hacks | A ransomware gang continues to taunt Windows software developer IObit by hacking its forums to display a ransom demand. | |
31.1.21 | New CobraLocker ransomware | GrujaRS found a new ransomware called CobraLocker that drops a ransom note named readme.txt. | |
31.1.21 | Another ransomware now uses DDoS attacks to force victims to pay | Another ransomware gang is now using DDoS attacks to force a victim to contact them and negotiate a ransom. | |
24.1.21 | New Flamingo ransomware variant | Amigo-A found a new variant of the Flamingo ransomware that appends the .DoNotWorry extension and drops ransom notes named #ReadThis.TXT and #ReadThis.HTA. | |
24.1.21 | Colliers International Group gets slammed by cyberattack | A spokesperson for Colliers verified that it had been targeted by a cyberattack after IT World Canada confronted the company about a listing on the dark web by the Nefilim ransomware gang – a listing which suggests that the firm was hit by the gang, and that Colliers’ files were copied. | |
24.1.21 | TeslaCrypt imposter created | TheAnalyst found a ransomware pretending to be TeslaCrypt that appends the .0l0lqq extension. The real TeslaCrypt shut down in 2016. | |
24.1.21 | CNH Ransomware discovered | 0x4143 discovered a new ransomware that appends the .cnh extension to encrypted files. | |
24.1.21 | CHwapi hospital hit by Windows BitLocker encryption cyberattack | The CHwapi hospital in Belgium is suffering from a cyberattack where threat actors claim to have encrypted 40 servers and 100 TB of data using Windows Bitlocker. | |
24.1.21 | New Cring Ransomware | Amigo-A found the Cring Ransomware that appends the .cring extension and drops a ransom note named deReadMe!!!.txt. | |
24.1.21 | Ucar victim of a cyberattack | The vehicle rental company reveals that it was the victim of a computer attack at the start of the year. Thanks to a data backup, the activity was not affected. | |
24.1.21 | Pulp Fiction ransomware | Amigo-A found a ransomware with a Pulp Fiction theme that uses the company name or domain as the extension, and drops a ransom note named read_this.txt. | |
24.1.21 | New STOP Ransomware variant | Amigo-A found a new STOP ransomware variant that appends the .wbxd extension. | |
24.1.21 | New COOS STOP Ransomware variant | Raavan Extended found a new STOP ransomware variant that appends the .COOS extension. | |
24.1.21 | The city of Angers in turn bears the brunt of a cyberattack by ransomware | The services of the metropolis are also affected by an attack which entered its final phase on the night of Friday 15 to Saturday 16 January. A “long” cleaning and restoration process is expected. | |
24.1.21 | Swanky Wentworth golf club hacked, details of 4000 members stolen in ransomware attack | One of England’s most exclusive golf clubs has warned its 4000 members that their personal details may have fallen into the hands of hackers following a ransomware attack. | |
24.1.21 | DeCovid19Bot ransomware discovered | S!ri found a new ransomware that appends the .locked extension and drops a ransom note named ATTENTION!!!!0.txt. | |
24.1.21 | IObit forums hacked to spread ransomware to its members | Windows utility developer IObit was hacked over the weekend to perform a widespread attack to distribute the strange DeroHE ransomware to its forum members. | |
24.1.21 | New DIS Dharma ransomware variant | Jakub Kroustek found a new Dharma ransomware variant that appends the .dis extension to encrypted files. | |
24.1.21 | New DeroHE ransomware | A new ransomware distributed via an IObit forums hack appends the .DeroHE extension and drops a ransom note named READ_TO_DECRYPT.html. | |
24.1.21 | New FCorp Ransomware | GrujaRS found a new HiddenTear variant that appends the .fcorp extension and drops a ransom note named READ_IT.txt. | |
16.1.21 | New Epsilon ransomware | GrujaRS found a new Epsilon Ransomware that appends the .boom extension and drops a ransom note named READ_ME.hta. | |
16.1.21 | New BlackHeel HiddenTear variant | GrujaRS found a new BlackHeel HiddenTear variant that appends the .a extension to encrypted files. | |
16.1.21 | Scotland environmental regulator hit by ‘ongoing’ ransomware attack | The Scottish Environment Protection Agency (SEPA) confirmed on Thursday that some of its contact center, internal systems, processes and internal communications were affected following a ransomware attack that took place on Christmas Eve. | |
16.1.21 | DarkSide found to be very similar to REvil | Vitali Kremez analyzed a new sample of REvil and found it to be very similar to the DarkSide ransomware. | |
16.1.21 | New ByteLocker Ransomware | GrujaRS found a new HiddenTear variant called ByteLocker that encrypts files without adding an extension. | |
16.1.21 | New variant of the Lucy Ransomware for Android | MalwareHunterTeam found a new malicious Android app that includes ransomware capabilities. Lukas Stefanko states that this is a new variant of the Lucy Ransomware. | |
16.1.21 | Inside of CL0P’s ransomware operation | TA505 (also known as FIN11) is a financially motivated cybercrime actor. They conduct Big Game Hunting operations, such as deployment of ransomware and extortion of large ransom payments. In the past, I explained how they operate and I scrutinized their tools. If you are not familiar with TA505 and CL0P, then I recommend you read our threat actor profile of TA505 first. | |
16.1.21 | New Judge ransomware | xiaopao found a new ransomware that appends the .judge extension and drops a ransom note named info.txt. | |
16.1.21 | Capcom: 390,000 people may be affected by ransomware data breach | Capcom has released a new update for their data breach investigation and state that up to 390,000 people may now be affected by their November ransomware attack. | |
16.1.21 | New Flamingo ransomware variant | Amigo-A found a new variant of the Flamingo Ransomware that appends the .LIZARD extension and drops a ransom note named ReadThis.txt. | |
16.1.21 | New STOP ransomware variant | Amigo-A found a new STOP Ransomware variant that appends the .coos extension. | |
16.1.21 | New STOP ransomware variant | Raavan Extended found a new STOP Ransomware variant that appends the .qlkm extension. | |
16.1.21 | DarkSide ransomware decryptor recovers victims' files for free | Romanian cybersecurity firm Bitdefender has released a free decryptor for the DarkSide ransomware to allow victims to recover their files without paying a ransom. | |
16.1.21 | Intel adds hardware-based ransomware detection to 11th gen CPUs | Intel announced today at CES 2021 that they have added hardware-based ransomware detection to their newly announced 11th generation Core vPro business-class processors. | |
16.1.21 | Three new Dharma ransomware variants | Jakub Kroustek found three new Dharma ransomware variants that append the .hub, .aol, or .14x extension to encrypted files. | |
16.1.21 | Hacker used ransomware to lock victims in their IoT chastity belt | The source code for the ChastityLock ransomware that targeted male users of a specific adult toy is now publicly available for research purposes. | |
10.1.21 | New Niros Ransomware | S!ri found the new Niros Ransomware. | |
10.1.21 | New Bonsoir ransomware | Emmanuel_ADC-Soft found the new Bonsoir Ransomware that appends the .bonsoir extension and drops a ransom note named HOW-RECOVER-MY-FILES.txt. | |
10.1.21 | Dassault Falcon Jet reports data breach after ransomware attack | Dassault Falcon Jet has disclosed a data breach that may have led to the exposure of personal information belonging to current and former employees, as well as their spouses and dependents. | |
10.1.21 | New Solaso Ransomware | 0x4143 found the new Solaso Ransomware that appends the .solaso extension and drops a ransom note named __READ_ME_TO_RECOVER_YOUR_FILES. It may be a variant of the 'Encrp ransomware.' | |
10.1.21 | FBI warns of Egregor ransomware extorting businesses worldwide | The US Federal Bureau of Investigation (FBI) has sent a security alert warning private sector companies that the Egregor ransomware operation is actively targeting and extorting businesses worldwide. | |
10.1.21 | Ryuk ransomware Bitcoin wallets point to $150 million operation | Security researchers following the money circuit from Ryuk ransomware victims into the threat actor's pockets estimate that the criminal organization made at least $150 million. | |
10.1.21 | Anti-Secrecy Activists Publish a Trove of Ransomware Victims' Data | For years, radical transparency-focused activists like WikiLeaks have blurred the line between whistle-blowing and hacking. Often, they've published any data they consider to be of public interest, no matter how questionable the source. But now one leak-focused group is mining a controversial new vein of secrets: the massive caches of data stolen by ransomware crews and dumped online when victims refuse to pay. | |
10.1.21 | New Makop ransomware variant | GrujaRS found a new Makop ransomware variant that appends the .moloch extension. | |
10.1.21 | New HiddenTear ransomware variant | GrujaRS found a new HiddenTear variant that appends the .ZIEBF_4561drgf extension. | |
10.1.21 | New COVID21 MBRLocker | S!ri found a new MBRLocker calling itself Covid21. | |
10.1.21 | Ryuk ransomware is the top threat for the healthcare sector | Healthcare organizations continue to be a prime target for cyberattacks of all kinds, with ransomware incidents, Ryuk in particular, being more prevalent. | |
10.1.21 | Babuk Locker is the first new enterprise ransomware of 2021 | It's a new year, and with it comes a new ransomware called Babuk Locker that targets corporate victims in human-operated attacks. | |
10.1.21 | New Knot Ransomware | MalwareHunterTeam found the new Knot Ransomware that appends the .encrypted extension to encrypted files. | |
10.1.21 | New In-dev Sharp Ransomware | GrujaRS found the new in-development Sharp ransomware that appends the .0x0M4R extension to encrypted files. | |
10.1.21 | Male chastity belt ransomware discovered | Yeah, this is real. Keeps you, uh, locked up unless you pay a ransom. | |
10.1.21 | China's APT hackers move to ransomware attacks | Security researchers investigating a set of ransomware incidents at multiple companies discovered malware indicating that the attacks may be the work of a hacker group believed to operate on behalf of China. | |
10.1.21 | TransLink confirms ransomware data theft, still restoring systems | Metro Vancouver's transportation agency TransLink has confirmed that the Egregor ransomware operators who breached its network at the beginning of December 2020 also accessed and potentially stole employees' banking and social security information. | |
10.1.21 | Apex Laboratory confirms ransomware attack; only recently discovered data theft | DataBreaches.net recently reported that Apex Laboratory Inc. had apparently been attacked by DoppelPaymer ransomware threat actors. Apex was added to their leak site on December 15. | |
3.1.21 | US Treasury warns of ransomware targeting COVID-19 vaccine research | The US Treasury Department's Financial Crimes Enforcement Network (FinCEN) warned financial institutions of ransomware actively targeting vaccine research organizations. | |
3.1.21 | New Lockedv1 ransomware | dnwls0719 found a new ransomware that appends the .lockedv1 extension and drops a ransom note named READMEV1.txt. | |
3.1.21 | Home appliance giant Whirlpool hit in Nefilim ransomware attack | Home appliances giant Whirlpool suffered a ransomware attack by the Nefilim ransomware gang who stole data before encrypting devices. | |
3.1.21 | New PThree ransomware | Jirehlov Solace found a new ransomware named PThree that appends the .16x extension to encrypted files. | |
3.1.21 | New Mijnal Ransomware | Jirehlov Solace found a new ransomware that appends the .mijnal extension and drops a ransom note named OpenTheTorBrouser.html. | |
3.1.21 | Unknown ransomware thinks it's funny | MalwareHunterTeam found a new ransomware that appends the .HaHaHaHaHaHaHaHa extension to encrypted files. | |
3.1.21 | New igal STOP Ransomware variant | Amigo-A found a new STOP ransomware variant that appends the .igal extension. | |
3.1.21 | New BlueEagle ransomware | xiaopao found a new ransomware called BlueEagle that appends the ..MaxSteel.Saher Blue Eagle extension. | |
3.1.21 | New 21btc Dharma ransomware variant | xiaopao found a new Dharma ransomware variant that appends the .21btc extension to encrypted files. | |
3.1.21 | New RansomeToad ransomware | xiaopao discovered a new ransomware called RansomeToad that appends the .rtcrypted extension. | |
3.1.21 | New LOL Ransomware | xiaopao discovered the LOL ransomware that appends the .jcrypt extension to encrypted files. | |
3.1.21 | FreePBX developer Sangoma hit with Conti ransomware attack | Sangoma disclosed a data breach after files were stolen during a recent Conti ransomware attack and published online. | |
3.1.21 | Story of the week: Ransomware on the Darkweb | W4 Dec | S2W LAB publishes weekly reports of the ransomware activities that took place on the dark web. The report includes a summary of victimized firms, the top 5 targeted countries and industrial sectors, the status of dark web forum posts by ransomware operators, etc. | |
3.1.21 | New v316 ransomware | MalwareHunterTeam found a new v316 Jigsaw variant that pretends to be a ProtonVPN installer. | |
3.1.21 | Safe-Inet, Insorg VPN services shut down by law enforcement | Law enforcement agencies around the world, in a coordinated effort, took down and seized the infrastructure supporting the Safe-Inet and Insorg VPN and proxy services known for catering to cybercriminal activity. | |
3.1.21 | Magniber Ransomware Changed Vulnerability (CVE-2019-1367 -> CVE-2020-0968) and Attempted to Bypass Behavior Detection | Since September 23, 2019, the CVE-2019-1367 vulnerability, which the developer of Magniber used for distribution, stopped working on systems with the emergency security patch (Version 1903) applied. In response, the developer switched to the newer vulnerability CVE-2020-0968, expanding the range of infection targets. On top of this, the CVE-2020-0968 security patch (distributed on April 15, 2020) cannot be applied to Windows 7, as it is no longer supported as of January 14, 2020. For a better understanding of the changes, see the figures below, which compare the code before the change (including the POC) and the code after the change. | |
3.1.21 | New cuteRansomware discovered | S!ri discovered a new ransomware called cuteRansomware. | |
3.1.21 | BlackMamba Ransomware 2.0 discovered | S!ri discovered the BlackMamba 2.0 ransomware. | |
3.1.21 | The Institute for Security and Technology (IST) Launches Multi-Sector Ransomware Task Force (RTF) | The Institute for Security and Technology (IST) — in partnership with a broad coalition of experts in industry, government, law enforcement, nonprofits, cybersecurity insurance, and international organizations — is today launching a new Ransomware Task Force (RTF) to tackle this increasingly prevalent and destructive type of cybercrime. The RTF’s founding members understand that ransomware is too large of a threat for any one entity to address, and have come together to provide clear recommendations for both public and private action that will significantly reduce the threat posed by this criminal enterprise. | |
3.1.21 | Trucking giant Forward Air hit by new Hades ransomware gang | Trucking and freight logistics company Forward Air has suffered a ransomware attack by a new ransomware gang that has impacted the company's business operations. | |
3.1.21 | Flavors designer Symrise halts production after Clop ransomware attack | Flavor and fragrance developer Symrise has suffered a Clop ransomware attack where the attackers allegedly stole 500 GB of unencrypted files and encrypted close to 1,000 devices. | |
3.1.21 | New ANCrypted Ransomware | M. Shahpasandi found a new ransomware called ANCrypted. |