The Week in Ransomware – April 28th 2023 – Clop at it again
It has been a very quiet week for ransomware news, with only a few reports released and not much info about cyberattacks.
However, an item of interest was Microsoft linking the recent PaperCut server attacks to the Clop and LockBit ransomware operations.
Clop claims to have started exploiting PaperCut servers on April 13th, the same day Microsoft began seeing active exploitation of the vulnerabilities.
The ransomware operation told BleepingComputer that they utilized these exploits for initial access to corporate networks rather than to steal archived documents on the server.
Other ransomware reports released this week include:
- An exposé on the initial-access broker and ransomware affiliate known as BassterLord.
- A VMware ESXi encryptor for RTM Locker.
- A technical write-up on the new UNIZA Ransomware.
Finally, we learned that Yellow Pages Canada suffered a BlackBasta ransomware attack.
Contributors and those who provided new ransomware information and stories this week include: @serghei, @DanielGallagher, @malwareforme, @malwrhunterteam, @FourOctets, @billtoulas, @struppigel, @LawrenceAbrams, @Ionut_Ilascu, @Seifreed, @demonslay335, @BleepinComputer, @fwosar, @jorntvdw, @PolarToffee, @uptycs, @Trellix, @MsftSecIntel, @AlvieriD, @Jon__DiMaggio, @Fortinet, and @pcrisk.
April 24th 2023
Yellow Pages Canada confirms cyber attack as Black Basta leaks data
Yellow Pages Group, a Canadian directory publisher, has confirmed to BleepingComputer that it has been hit by a cyber attack.
New Dharma ransomware variant
PCrisk found a new Dharma ransomware variant that appends the .rea extension.
New Xorist ransomware variant
PCrisk found a new Xorist ransomware variant that appends the .VoNiX extension and drops a ransom note named HOW TO DECRYPT FILES.txt.
April 25th 2023
Ransomware Diaries: Volume 2 – A Ransomware Hacker Origin Story
The story I will tell you is not mine, but it is the account of a man who was once no different than you or me. Unfortunately, poor decisions and hardships in his life pushed him to a dark place, from which he never returned.
This is Bassterlord’s story.
New STOP ransomware variant
PCrisk found a new STOP ransomware variant that appends the .foza extension.
April 26th 2023
Microsoft: Clop and LockBit ransomware behind PaperCut server hacks
Microsoft has attributed recent attacks on PaperCut servers to the Clop and LockBit ransomware operations, which used the vulnerabilities to steal corporate data.
New MedusaLocker ransomware variant
PCrisk found a new MedusaLocker ransomware variant that appends the .attack7 (number may change) extension and drops a ransom note named how_to_back_files.html.
New STOP ransomware variant
PCrisk found a new STOP ransomware variant that appends the .foty extension.
April 27th 2023
Linux version of RTM Locker ransomware targets VMware ESXi servers
RTM Locker is the latest enterprise-targeting ransomware operation found to be deploying a Linux encryptor that targets virtual machines on VMware ESXi servers.
Ransomware Roundup – UNIZA Ransomware
FortiGuard Labs recently came across a new ransomware variant called UNIZA. Like other ransomware variants, it encrypts files on victims’ machines in an attempt to extort money. It uses the Command Prompt (cmd.exe) window to display its ransom message, and interestingly, it does not append the filename of the files it encrypts, making it more difficult to determine which files have been impacted.
New Chaos ransomware variant
PCrisk found a new Chaos ransomware variant that appends the .devinn extension and drops a ransom note named unlock_here.txt.
That’s it for this week! Hope everyone has a nice weekend!