The Week in Ransomware – April 21st 2023 – Macs in the Crosshairs

macOS logo with storms in the background

A lot of news broke this week related to ransomware, with the discovery of LockBit testing macOS encryptors to an outage on NCR, causing massive headaches for restaurants.

By far, the biggest news was the discovery of a LockBit Apple Silicon encryptor by MalwareHunterTeam. While quite buggy and needing a lot of development to work correctly, LockBit confirmed to BleepingComputer that it is being actively developed.

Some interesting research on ransomware was also released this week, including:

Finally, we learned about some ransomware attacks, with an NCR outage confirmed to be ransomware and Capita confirming that data was stolen in a cyberattack.

Contributors and those who provided new ransomware information and stories this week include @billtoulas, @fwosar, @BleepinComputer, @LawrenceAbrams, @Ionut_Ilascu, @serghei, @demonslay335, @jorntvdw, @malwrhunterteam, @Seifreed, @AShukuhi, @patrickwardle, @Kostastsale, @BlackBerry, @TrendMicro, @WhichbufferArda, @NCCGroupplc, @BroadcomSW, @IBMSecurity, @AhnLab_man, @SophosXOps, @SentinelOne, @pcrisk, @AlvieriD, @BrettCallow, and @siri_urz.

April 15th 2023

Hackers start abusing Action1 RMM in ransomware attacks

Security researchers are warning that cybercriminals are increasingly using the Action1 remote access software for persistence on compromised networks and to execute commands, scripts, and binaries.

NCR suffers Aloha POS outage after BlackCat ransomware attack

NCR is suffering an outage on its Aloha point of sale platform after being hit by an ransomware attack claimed by the BlackCat/ALPHV gang.

April 16th 2023

LockBit ransomware encryptors found targeting Mac devices

The LockBit ransomware gang has created encryptors targeting Macs for the first time, likely becoming the first major ransomware operation to ever specifically target macOS.

The LockBit ransomware (kinda) comes for macOS

In this blog post we’ll tear apart the sample, showing that ultimately, while yes it can indeed run on Apple Silicon, that is basically the extent of it’s impact. Thus macOS users have nothing to worry about …for now!

A technical analysis of the LockBit macOS encryptor

“Brief analysis of #Lockbit 3.0 for macOS ARM M1/M2 It’s using simple XOR routine to decrypt all config data. XOR key is static value ’57′”

April 17th 2023

Ex-Conti members and FIN7 devs team up to push new Domino malware

Ex-Conti ransomware members have teamed up with the FIN7 threat actors to distribute a new malware family named ‘Domino’ in attacks on corporate networks.

New Phobos variant

PCrisk found a new Phobos ransomware variant that appends the .sdk extension.

New VoidCrypt ransomware variant

PCrisk found a new VoidCrypt ransomware variant that appends the .Recov extension and drops a ransom note named Dectryption-guide.txt.

New CrossLock ransomware found

S!Ri found a new CrossLock ransomware that appends the .crlk extension and drops the —CrossLock_readme_To_Decrypt—.txt ransom note.

New STOP ransomware variant

PCrisk found a new STOP ransomware variant that appends the .coty extension.

April 18th 2023

LockBit for Mac | How Real is the Risk of macOS Ransomware?

On April 16th, Twitter user @malwrhunterteam tweeted details of a sample of the LockBit ransomware compiled for Apple’s macOS arm64 architecture. LockBit claims to be “the oldest ransomware affiliate program on the planet”, and news that one of the major cybercrime outfits in the ransomware landscape was now targeting macOS devices has predictably raised concerns about the ransomware threat on Mac devices.

An Analysis of the BabLock (aka Rorschach) Ransomware

A ransomware called BabLock (aka Rorschach) has recently been making waves due to its sophisticated and fast-moving attack chain that uses subtle yet effective techniques. Although primarily based on LockBit, the ransomware is a hodgepodge of other different ransomware parts pieced together into what we now call BabLock (detected as Ransom.Win64.LOCKBIT.THGOGBB.enc). Note, however, that we do not believe that this ransomware originates from the threat actors behind LockBit, which is now in its third iteration.

New MedusaLocker ransomware variants

PCrisk found new MedusaLocker ransomware variants that append the .skynetlock and .tangem extensions.

April 19th 2023

March 2023 broke ransomware attack records with 459 incidents

March 2023 was the most prolific month recorded by cybersecurity analysts in recent years, measuring 459 attacks, an increase of 91% from the previous month and 62% compared to March 2022.

Play ransomware gang uses custom Shadow Volume Copy data-theft tool

The Play ransomware group has developed two custom tools in .NET, namely Grixba and VSS Copying Tool, which it uses to improve the effectiveness of its cyberattacks.

Microsoft SQL servers hacked to deploy Trigona ransomware

Attackers are hacking into poorly secured and Interned-exposed Microsoft SQL (MS-SQL) servers to deploy Trigona ransomware payloads and encrypt all files.

Fortra shares findings on GoAnywhere MFT zero-day attacks

Fortra has completed its investigation into the exploitation of CVE-2023-0669, a zero-day flaw in the GoAnywhere MFT solution that the Clop ransomware gang exploited to steal data from over a hundred companies.

Ransomware gangs abuse Process Explorer driver to kill security software

Threat actors use a new hacking tool dubbed AuKill to disable Endpoint Detection & Response (EDR) Software on targets’ systems before deploying backdoors and ransomware in Bring Your Own Vulnerable Driver (BYOVD) attacks.

April 20th 2023

Capita confirms hackers stole data in recent cyberattack

London-based professional outsourcing giant Capita has published an update on the cyber-incident that impacted it at the start of the month, now admitting that hackers exfiltrated data from its systems.

BlackBit Ransomware Being Distributed in Korea

AhnLab Security Emergency response Center (ASEC) has recently discovered the distribution of the BlackBit ransomware disguised as svchost.exe during the team’s monitoring. According to the ASEC’s internal infrastructure, the BlackBit ransomware has been continuously distributed since September last year.

New MedusaLocker ransomware variant

PCrisk found new MedusaLocker ransomware variant that appends the .attackuk extension.

That’s it for this week! Hope everyone has a nice weekend!


Original Source


A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

Buy Me A Coffee
Patreon

 To keep up to date follow us on the below channels.

join
Telegram
discord
Discord
reddit
Reddit
linkedin
LinkedIn