The Week in Ransomware – April 21st 2023 – Macs in the Crosshairs
A lot of ransomware news broke this week, ranging from the discovery of LockBit testing macOS encryptors to an outage at NCR that caused massive headaches for restaurants.
By far, the biggest news was the discovery of a LockBit Apple Silicon encryptor by MalwareHunterTeam. While quite buggy and needing a lot of development to work correctly, LockBit confirmed to BleepingComputer that it is being actively developed.
Some interesting research on ransomware was also released this week, including:
- Ransomware gangs now abusing the Action1 RMM.
- Ex-Conti members and FIN7 are pushing a Domino malware.
- A technical write-up about Rorschach.
- Play ransomware uses custom data theft and info-stealing malware.
- Trigona is targeting Microsoft SQL servers.
- Process Explorer driver is abused in ransomware attacks.
Finally, we learned about some ransomware attacks, with an NCR outage confirmed to be ransomware and Capita confirming that data was stolen in a cyberattack.
Contributors and those who provided new ransomware information and stories this week include @billtoulas, @fwosar, @BleepinComputer, @LawrenceAbrams, @Ionut_Ilascu, @serghei, @demonslay335, @jorntvdw, @malwrhunterteam, @Seifreed, @AShukuhi, @patrickwardle, @Kostastsale, @BlackBerry, @TrendMicro, @WhichbufferArda, @NCCGroupplc, @BroadcomSW, @IBMSecurity, @AhnLab_man, @SophosXOps, @SentinelOne, @pcrisk, @AlvieriD, @BrettCallow, and @siri_urz.
April 15th 2023
Hackers start abusing Action1 RMM in ransomware attacks
Security researchers are warning that cybercriminals are increasingly using the Action1 remote access software for persistence on compromised networks and to execute commands, scripts, and binaries.
NCR suffers Aloha POS outage after BlackCat ransomware attack
NCR is suffering an outage on its Aloha point of sale platform after being hit by a ransomware attack claimed by the BlackCat/ALPHV gang.
April 16th 2023
LockBit ransomware encryptors found targeting Mac devices
The LockBit ransomware gang has created encryptors targeting Macs for the first time, likely becoming the first major ransomware operation to ever specifically target macOS.
The LockBit ransomware (kinda) comes for macOS
In this blog post we’ll tear apart the sample, showing that ultimately, while yes it can indeed run on Apple Silicon, that is basically the extent of its impact. Thus macOS users have nothing to worry about …for now!
A technical analysis of the LockBit macOS encryptor
“Brief analysis of #Lockbit 3.0 for macOS ARM M1/M2. It’s using a simple XOR routine to decrypt all config data. XOR key is static value '57'”
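The config-decoding routine the tweet describes, as an added example (not code from the original post or from the sample itself): a triage helper that decodes a single-byte XOR'd blob and, when the key is not yet known from static analysis, recovers it by scoring candidate outputs. Reading the tweet's '57' as the hex byte 0x57, the name=value config layout and the sample blob are all assumptions.

```python
"""Decode a single-byte XOR'd config blob and recover the key by scoring candidates."""
from typing import Optional

KEY = 0x57  # assumption: the tweet's static value '57' read as the hex byte 0x57

# Rough English letter frequencies (percent) used to rank candidate decodings.
FREQ = {c: f for c, f in zip("etaoinshrdlcumwfgypbvkjxqz",
        [12.7, 9.1, 8.2, 7.5, 7.0, 6.7, 6.3, 6.1, 6.0, 4.3, 4.0, 2.8, 2.8, 2.4, 2.4,
         2.2, 2.0, 2.0, 1.9, 1.5, 1.0, 0.8, 0.2, 0.2, 0.1, 0.1])}

def xor_decode(blob: bytes, key: int) -> bytes:
    """XOR every byte with one static key; the operation is its own inverse."""
    return bytes(b ^ key for b in blob)

def english_score(data: bytes) -> float:
    """Reward common letters and spaces, penalise non-printable bytes heavily."""
    score = 0.0
    for b in data:
        c = chr(b).lower()
        if c == " ":
            score += 13.0
        elif c in FREQ:
            score += FREQ[c]
        elif not (32 <= b < 127 or b in (9, 10, 13)):
            score -= 50.0
    return score

def recover_key(blob: bytes) -> Optional[int]:
    """Try all 256 keys; return the one whose output looks most like text,
    or None if even the best candidate is dominated by non-printable bytes."""
    best = max(range(256), key=lambda k: english_score(xor_decode(blob, k)))
    return best if english_score(xor_decode(blob, best)) > 0 else None

# Constructed sample config (not a real LockBit configuration), XOR'd with KEY.
PLAIN_CONFIG = b"note=all of your files are encrypted, contact us to restore them;skip=/System,/usr"
SAMPLE_BLOB = xor_decode(PLAIN_CONFIG, KEY)

def decode_config(blob: bytes = SAMPLE_BLOB) -> dict:
    """Recover the key, decode, and split 'name=value;name=value' into a dict."""
    key = recover_key(blob)
    if key is None:
        raise ValueError("no single-byte XOR key yields readable text")
    text = xor_decode(blob, key).decode("ascii")
    return dict(item.split("=", 1) for item in text.split(";") if "=" in item)

if __name__ == "__main__":
    print(hex(recover_key(SAMPLE_BLOB)), decode_config())
```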
April 17th 2023
Ex-Conti members and FIN7 devs team up to push new Domino malware
Ex-Conti ransomware members have teamed up with the FIN7 threat actors to distribute a new malware family named ‘Domino’ in attacks on corporate networks.
New Phobos variant
PCrisk found a new Phobos ransomware variant that appends the .sdk extension.
New VoidCrypt ransomware variant
PCrisk found a new VoidCrypt ransomware variant that appends the .Recov extension and drops a ransom note named Dectryption-guide.txt.
New CrossLock ransomware found
S!Ri found a new CrossLock ransomware that appends the .crlk extension and drops the —CrossLock_readme_To_Decrypt—.txt ransom note.
New STOP ransomware variant
PCrisk found a new STOP ransomware variant that appends the .coty extension.
April 18th 2023
LockBit for Mac | How Real is the Risk of macOS Ransomware?
On April 16th, Twitter user @malwrhunterteam tweeted details of a sample of the LockBit ransomware compiled for Apple’s macOS arm64 architecture. LockBit claims to be “the oldest ransomware affiliate program on the planet”, and news that one of the major cybercrime outfits in the ransomware landscape was now targeting macOS devices has predictably raised concerns about the ransomware threat on Mac devices.
An Analysis of the BabLock (aka Rorschach) Ransomware
A ransomware called BabLock (aka Rorschach) has recently been making waves due to its sophisticated and fast-moving attack chain that uses subtle yet effective techniques. Although primarily based on LockBit, the ransomware is a hodgepodge of other different ransomware parts pieced together into what we now call BabLock (detected as Ransom.Win64.LOCKBIT.THGOGBB.enc). Note, however, that we do not believe that this ransomware originates from the threat actors behind LockBit, which is now in its third iteration.
New MedusaLocker ransomware variants
PCrisk found new MedusaLocker ransomware variants that append the .skynetlock and .tangem extensions.
April 19th 2023
March 2023 broke ransomware attack records with 459 incidents
March 2023 was the most prolific month recorded by cybersecurity analysts in recent years, measuring 459 attacks, an increase of 91% from the previous month and 62% compared to March 2022.
Play ransomware gang uses custom Shadow Volume Copy data-theft tool
The Play ransomware group has developed two custom tools in .NET, namely Grixba and VSS Copying Tool, which it uses to improve the effectiveness of its cyberattacks.
Microsoft SQL servers hacked to deploy Trigona ransomware
Attackers are hacking into poorly secured and Internet-exposed Microsoft SQL (MS-SQL) servers to deploy Trigona ransomware payloads and encrypt all files.
Fortra shares findings on GoAnywhere MFT zero-day attacks
Fortra has completed its investigation into the exploitation of CVE-2023-0669, a zero-day flaw in the GoAnywhere MFT solution that the Clop ransomware gang exploited to steal data from over a hundred companies.
Ransomware gangs abuse Process Explorer driver to kill security software
Threat actors use a new hacking tool dubbed AuKill to disable Endpoint Detection & Response (EDR) Software on targets’ systems before deploying backdoors and ransomware in Bring Your Own Vulnerable Driver (BYOVD) attacks.
April 20th 2023
Capita confirms hackers stole data in recent cyberattack
London-based professional outsourcing giant Capita has published an update on the cyber-incident that impacted it at the start of the month, now admitting that hackers exfiltrated data from its systems.
BlackBit Ransomware Being Distributed in Korea
AhnLab Security Emergency response Center (ASEC) has recently discovered the distribution of the BlackBit ransomware disguised as svchost.exe during the team’s monitoring. According to the ASEC’s internal infrastructure, the BlackBit ransomware has been continuously distributed since September last year.
New MedusaLocker ransomware variant
PCrisk found a new MedusaLocker ransomware variant that appends the .attackuk extension.
That’s it for this week! Hope everyone has a nice weekend!