The Week in Ransomware – January 3rd 2020 – Busy Holiday Season – BleepingComputer

Normally ransomware activity slows down over the December break, but this year was an exception, with quite a few interesting, and sad, stories: FBI alerts being issued, a company shutting down, organizations being encrypted by a variety of ransomware, and stolen data being released.

Maze continues to punish victims who have not paid by publishing their stolen data, which led to the group being sued by one of its victims, Southwire, who was able to get the Maze news site shut down in Ireland.

In addition, we saw an attack on a university in the Netherlands by Clop and a disclosure by the U.S. Coast Guard that Ryuk took down a maritime facility.

Sadly, ransomware also caused a company to temporarily shut down right before Christmas because they could not afford to keep running after a ransomware attack.

On the bizarre side, we also had ransomware attackers offering discounts and season's greetings for the holidays.

Finally, as in any other week, we continue to see new variants of existing ransomware being released with new extensions and improvements to their executables and infection procedures.

Contributors and those who provided new ransomware information and stories this week include: @struppigel, @BleepinComputer, @PolarToffee, @malwrhunterteam, @Seifreed, @malwareforme, @FourOctets, @demonslay335, @DanielGallagher, @jorntvdw, @fwosar, @LawrenceAbrams, @serghei, @Ionut_Ilascu, @VK_Intel, @coveware, @M_Shahpasandi, @thyrex2002, @Tesorion_NL, @Amigo_A_, and @siri_urz.

Michael Gillespie found new variants of the STOP Djvu Ransomware that append the .piny or .redl extensions to encrypted files.

The FBI has issued a warning to private industry recipients to provide information and guidance on the LockerGoga and MegaCortex Ransomware.

Wary of alarming investors, companies victimized by ransomware attacks often tell the SEC that malware or a security incident disrupted their operations.

A Sherwood telemarketing agency has unexpectedly closed its doors, leaving over 300 employees without jobs a few days before Christmas.

Michael Gillespie found a new variant of the Matrix Ransomware that appends the .BDDY extension to encrypted files and drops a ransom note named #BDDY_README#.rtf.

The actors behind the Maze Ransomware have released 2GB of files that were allegedly stolen from the City of Pensacola during their ransomware attack.

A new version of the Ryuk Ransomware was released that will purposely avoid encrypting folders commonly seen in *NIX operating systems.

Alex Svirid found a new variant of the WannaCash ransomware that appends the ".happy new year" extension to encrypted file names.

The U.S. Coast Guard (USCG) published a marine safety alert to inform of a Ryuk Ransomware attack that took down the entire corporate IT network of a Maritime Transportation Security Act (MTSA) regulated facility.

Maastricht University (UM) announced that almost all of its Windows systems have been encrypted by ransomware following a cyber-attack that took place on Monday, December 23.

M. Shahpasandi found a new Phobos Ransomware variant that appends the .Dever extension to encrypted files.

Jack found a new ransomware called c0hen Locker that appends the .c0hen extension to encrypted files. The unlock key is 12309482354ab2308597u235fnq30045f.

The anonymous operators behind the Maze Ransomware are being sued by a victim for illegally accessing their network, stealing data, encrypting computers, and publishing the stolen data after a ransom was not paid.

To celebrate the holidays, ransomware operators are providing discounts or season's greetings to entice victims into paying a ransom demand.

The breadth and magnitude of ransomware attacks occurring today suggest that the cyber extortion industry has evolved exponentially over the past 12 months. It is as difficult to keep up with the headlines as the security advice that follows. In the face of this media firehose, it is important to step back and understand how we got to this state. We feel there are three primary elements that have led to the current state of cyber extortion, and ransomware in particular.

Tesorion has previously released decryptors for the Nemty ransomware up to version 1.6. Recently, new versions of Nemty have appeared in the wild. In this blog post we describe how a weird variant of AES-128 counter mode (CTR) encryption is used in Nemty 2.2 and 2.3 for its file encryption. We also announce the availability of a free decryptor for common office documents encrypted by Nemty 2.2 and 2.3.

Michael Gillespie found a new Dharma Ransomware variant that appends the .RIDIK extension to encrypted files.

Michael Gillespie found a new WannaCryFake variant called AWT Ransomware that appends the .AWT extension to encrypted files and drops a ransom note named ReadMe.txt.

S!Ri found a new ransomware called Zeoticus that appends the .zeoticus extension to encrypted files.

Organizations in the private sector received an alert from the F.B.I. about operators of the Maze ransomware focusing on companies in the U.S. to encrypt information on their systems after stealing it first.

The Clop Ransomware continues to evolve with a new and integrated process killer that targets some interesting processes belonging to Windows 10 apps, text editors, programming IDEs and languages, and office applications.

MalwareHunterTeam found a new in-development ransomware called "SlankCryptor Profit Only" that appends the .slank extension to encrypted files.
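Taken together, the extensions and ransom-note names reported in this week's entries form a small hunt list. The Python below is an added example, not BleepingComputer's code or any of the researchers' tooling: it sweeps a directory tree for those indicators, matches on the end of the file name rather than os.path.splitext() so that the WannaCash ".happy new year" extension (which contains spaces) is still caught, and treats the AWT note name ReadMe.txt as a weak indicator that is only reported when AWT-encrypted files sit in the same directory, since that name is far too common to flag on its own. The sample tree it scans is constructed in a temporary directory so the script runs offline; the family labels are the names used above.

```python
import os
import shutil
import tempfile
from collections import defaultdict
from pathlib import Path

# Extensions appended by the variants reported above (family names as given in
# the roundup). Lower-cased because the comparison below is case-insensitive.
EXTENSIONS = {
    ".piny": "STOP Djvu",
    ".redl": "STOP Djvu",
    ".bddy": "Matrix",
    ".happy new year": "WannaCash",
    ".dever": "Phobos",
    ".c0hen": "c0hen Locker",
    ".ridik": "Dharma",
    ".awt": "AWT (WannaCryFake)",
    ".zeoticus": "Zeoticus",
    ".slank": "SlankCryptor Profit Only",
}

# Ransom-note file names from the roundup. "#BDDY_README#.rtf" is distinctive;
# "ReadMe.txt" is so generic that it is treated as a weak indicator and only
# reported when AWT-encrypted files sit in the same directory.
STRONG_NOTES = {"#bddy_readme#.rtf": "Matrix"}
WEAK_NOTES = {"readme.txt": "AWT (WannaCryFake)"}


def classify(name):
    """Classify a single file name.

    Returns (family, kind) with kind in {"encrypted", "note", "weak_note"},
    or None if the name matches nothing on the hunt list.
    """
    lower = name.lower()
    if lower in STRONG_NOTES:
        return STRONG_NOTES[lower], "note"
    if lower in WEAK_NOTES:
        return WEAK_NOTES[lower], "weak_note"
    # str.endswith rather than os.path.splitext: ".happy new year" contains
    # spaces, and a victim file may have had no original extension at all.
    for ext, family in EXTENSIONS.items():
        if len(lower) > len(ext) and lower.endswith(ext):
            return family, "encrypted"
    return None


def sweep(root):
    """Walk root and return {family: {"encrypted": [paths], "notes": [paths]}}.

    Weak notes are held back until the whole directory has been scanned and are
    only kept when the same family's encrypted files were found beside them.
    """
    hits = defaultdict(lambda: {"encrypted": [], "notes": []})
    for dirpath, _dirs, files in os.walk(root):
        families_here = set()
        weak = []
        for fname in files:
            result = classify(fname)
            if result is None:
                continue
            family, kind = result
            path = os.path.join(dirpath, fname)
            if kind == "encrypted":
                hits[family]["encrypted"].append(path)
                families_here.add(family)
            elif kind == "note":
                hits[family]["notes"].append(path)
            else:
                weak.append((family, path))
        for family, path in weak:
            if family in families_here:
                hits[family]["notes"].append(path)
    return dict(hits)


def build_sample_tree():
    """Constructed sample tree in a temp directory (not data from a real case)."""
    root = tempfile.mkdtemp(prefix="ransomware_ioc_demo_")
    names = [
        "finance/q4.xlsx.BDDY",          # Matrix
        "finance/#BDDY_README#.rtf",     # Matrix note
        "hr/photo.jpg.happy new year",   # WannaCash, extension with spaces
        "hr/notes.txt",                  # benign
        "dev/main.go.AWT",               # AWT
        "dev/ReadMe.txt",                # AWT note, beside encrypted files
        "docs/ReadMe.txt",               # ordinary README, must not be flagged
        "docs/report.pdf",               # benign
    ]
    for rel in names:
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"")
    return root


def cleanup(root):
    """Remove the constructed sample tree."""
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    demo_root = build_sample_tree()
    try:
        for family, found in sorted(sweep(demo_root).items()):
            print(f"{family}: {len(found['encrypted'])} encrypted file(s), "
                  f"{len(found['notes'])} ransom note(s)")
    finally:
        cleanup(demo_root)
```

Point sweep() at a mounted image or file share instead of the sample tree to use it for real. Extension matching is a coarse signal: a hit on one file is worth a look, while many hits in one directory alongside a note is the pattern that matters, and the c0hen Locker unlock key quoted above is of no use until the family has been confirmed this way.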
