The Week in Ransomware – November 3rd 2023 – Hive’s Back
Over the past couple of months, ransomware attacks have been escalating as new operations launch, old ones return, and existing operations continue to target the enterprise.
This week, the Toronto Public Library was attacked by the Black Basta ransomware gang, taking many of its online services offline.
Other attacks we learned about this week include ACE Hardware, Mr. Cooper, and the British Library. While these are not confirmed to be ransomware attacks, they share many signs usually associated with such attacks.
Due to the increasing number of attacks, an alliance of 40 countries will sign a pledge during the third annual International Counter-Ransomware Initiative summit in Washington, D.C., to stop paying ransoms demanded by cybercriminal groups.
However, this may be an empty pledge, as federal governments typically do not pay ransom demands anyway, and it does not prevent local governments from giving in to extortion demands.
Microsoft also pledges to bolster security as part of its ‘Secure Future’ initiative by improving the built-in security of its products and platforms to better protect customers against escalating cybersecurity threats.
Finally, new research was released this week about ransomware, including:
- A report on GhostSec, who is now using a ransomware encryptor in attacks.
- Threat actors are exploiting a recently disclosed Apache ActiveMQ remote code execution flaw to deploy HelloKitty ransomware.
- The U.S. Department of Health and Human Services released an analyst note on the 8Base ransomware.
- Sophos walked us through a step-by-step Money Message attack.
- A new BiBi-Linux wiper was spotted in attacks on Israeli orgs.
- Finally, we released a report on the new Hunters International ransomware gang, which is believed to be a rebrand of Hive.
Hive’s possible return is particularly interesting, as they were previously disrupted after the FBI hacked Hive’s servers and seized infrastructure.
Contributors and those who provided new ransomware information and stories this week include: @Seifreed, @malwrhunterteam, @demonslay335, @billtoulas, @serghei, @Ionut_Ilascu, @LawrenceAbrams, @fwosar, @BleepinComputer, @SecurityJoes, @rivitna2, @BushidoToken, @AlvieriD, @rapid7, @BradSmi, @uptycs, @pcrisk, @PogoWasRight, and @BrettCallow.
October 28th 2023
Stanford University Investigating “Cybersecurity Incident”
Earlier in the day, the Akira ransomware group had listed Stanford University on its leak site with a note, “Soon the university will be also known for 430Gb of internal data leaked online. Private information, confidential documents etc.”
October 29th 2023
New Hunters International ransomware possible rebrand of Hive
A new ransomware-as-a-service brand named Hunters International has emerged using code taken from the Hive ransomware operation, leading to the reasonable assumption that the old gang has resumed activity under a different flag.
October 30th 2023
New BiBi-Linux wiper malware targets Israeli orgs in destructive attacks
A new wiper malware known as BiBi-Linux is being used to destroy data in attacks targeting Linux systems belonging to Israeli companies.
Toronto Public Library services down following weekend cyberattack
The Toronto Public Library (TPL) is warning that many of its online services are offline after suffering a cyberattack over the weekend, on Saturday, October 28.
New STOP ransomware variants
PCrisk found new STOP ransomware variants that append the .ppvs, .ppvt, and .ppvw extensions.
New Chaos ransomware variant
PCrisk found a new Chaos ransomware variant that appends the .BlackHatUP extension and drops a ransom note named read_it.txt.
New Ran Ransomware
PCrisk found a new Ran ransomware that appends the .Ran extension and drops a ransom note named Payment.txt.
October 31st 2023
British Library knocked offline by weekend cyberattack
The British Library has been hit by a major IT outage affecting its website and many of its services following a “cyber incident” that impacted its systems on Saturday, October 28.
Dozens of countries will pledge to stop paying ransomware gangs
An alliance of 40 countries will sign a pledge during the third annual International Counter-Ransomware Initiative summit in Washington, D.C., to stop paying ransoms demanded by cybercriminal groups.
Step-by-step through the Money Message ransomware
Money Message is an insidious ransomware family known for resisting detection and remediation in various ways. We walk through a recent case.
November 1st 2023
Toronto Public Library outages caused by Black Basta ransomware attack
The Toronto Public Library is experiencing ongoing technical outages due to a Black Basta ransomware attack.
Advarra hacked, threat actors threatening to leak data
On or about October 25, Advarra was hacked and data was exfiltrated. According to one of the people involved in the attack, the executives knew about the breach on October 25 but would not pay or even negotiate with them.
Daixin Team claims responsibility for attacks affecting Canadian hospitals, starts leaking data
Daixin Team is now claiming responsibility for — and leaking data from — an attack that has significantly impacted five Canadian hospitals in Ontario.
HC3: Analyst Note – 8Base Ransomware
A recent attack on a U.S.-based medical facility in October 2023 highlights the potential threat of the ransomware gang 8Base to the Healthcare and Public Health (HPH) sector. Active since March 2022, 8Base became highly active in the summer of 2023, indiscriminately targeting multiple sectors, primarily in the United States.
November 2nd 2023
Microsoft pledges to bolster security as part of ‘Secure Future’ initiative
Microsoft announced today the ‘Secure Future Initiative,’ pledging to improve the built-in security of its products and platforms to better protect customers against escalating cybersecurity threats.
Boeing confirms cyberattack amid LockBit ransomware claims
Aerospace giant Boeing is investigating a cyberattack that impacted its parts and distribution business after the LockBit ransomware gang claimed that they breached the company’s network and stole data.
HelloKitty ransomware now exploiting Apache ActiveMQ flaw in attacks
The HelloKitty ransomware operation is exploiting a recently disclosed Apache ActiveMQ remote code execution (RCE) flaw to breach networks and encrypt devices.
Mortgage giant Mr. Cooper hit by cyberattack impacting IT systems
U.S. mortgage lending giant Mr. Cooper was breached in a cyberattack that caused the company to shut down IT systems, including access to their online payment portal.
BlackCat ransomware claims breach of healthcare giant Henry Schein
The BlackCat (ALPHV) ransomware gang claims it breached the network of healthcare giant Henry Schein and stole dozens of terabytes of data, including payroll data and shareholder information.
November 3rd 2023
GhostSec: From Fighting ISIS to Possibly Targeting Israel with RaaS
The hacker collective called GhostSec has unveiled an innovative Ransomware-as-a-Service (RaaS) framework called GhostLocker. They provide comprehensive assistance to customers interested in acquiring this service through a dedicated Telegram channel. Presently, GhostSec is focusing its attacks on Israel. This move represents a surprising departure from their past activities and stated agenda.
That’s it for this week! Hope everyone has a nice weekend!