The Week in Ransomware - December 22nd 2023 - BlackCat hacked
Earlier this month, the BlackCat/ALPHV ransomware operation suffered a five-day disruption to their Tor data leak and negotiation sites, rumored to be caused by a law enforcement action.
The FBI revealed this week that they hacked the BlackCat/ALPHV ransomware operation, which raked in $300 million from over 1,000 victims. While quietly surveilling the ransomware gang, law enforcement retrieved decryption and Tor private keys.
Law enforcement says that they were able to help decrypt 400 victims for free using the retrieved decryptors and used the Tor private keys to seize the URLs for the gang’s data leak site and negotiation sites.
However, as the threat actors and the FBI have the same keys, there has been a constant tug of war as they both “reseize” the URL.
Some have seen this constant change in ownership of the URL as a failed operation by law enforcement. However, retrieving 400 decryption keys and likely more data from the hacked servers has significantly tarnished the ransomware operation’s reputation.
BleepingComputer has learned that this has caused some affiliates to contact victims directly via email, as they have lost trust in the ransomware gang’s ability to secure the servers. Others are said to have moved to competing ransomware operations, such as LockBit.
Now, LockBitSupp (the operator of LockBit) and the BlackCat operator have discussed creating a “cartel,” to join forces against law enforcement.
Previous “ransomware cartels” allegedly created by Maze didn’t succeed in helping the ransomware operation, as Ukrainian police arrested gang members after they rebranded as Egregor.
We also learned this week about new ransomware attacks or information about old ones, including:
- Akira claimed the ransomware attack on Nissan Australia.
- A ransomware attack on ESO Solutions exposed the data of 2.7 million people.
- University of Buenos Aires (UBA) suffered a ransomware cyberattack.
- Vans, North Face, Supreme owner VF Corp hit by ransomware attack.
Contributors and those who provided new ransomware information and stories this week include: @malwrhunterteam, @BleepinComputer, @demonslay335, @Seifreed, @billtoulas, @Ionut_Ilascu, @fwosar, @serghei, @LawrenceAbrams, @BrettCallow, @PRODAFT, @AShukuhi, @uuallan, @SophosXOps, @pcrisk, @3xp0rtblog, @oct0xor, @MorganDemboski, and @juanbrodersen.
December 18th 2023
Mortgage giant Mr. Cooper data breach affects 14.7 million people
Mr. Cooper is sending data breach notifications warning that a recent cyberattack has exposed the data of 14.7 million customers who have, or previously had, mortgages with the company.
FBI: Play ransomware breached 300 victims, including critical orgs
The Federal Bureau of Investigation (FBI) says the Play ransomware gang has breached roughly 300 organizations worldwide between June 2022 and October 2023, some of them critical infrastructure entities.
Vans and North Face owner VF Corp hit by ransomware attack
American global apparel and footwear giant VF Corporation, the owner of brands like Supreme, Vans, Timberland, and The North Face, has disclosed a security incident that caused operational disruptions.
The UBA suffered a ransomware cyber attack: teachers and students cannot access the systems
The University of Buenos Aires (UBA) suffered a ransomware cyberattack, a type of malicious program that encrypts the victim’s files, makes them inaccessible and demands a ransom in exchange. Since Thursday, servers in part of the educational institution have been compromised, which prevents teachers and students from managing grades, enrolling in summer courses and more.
December 19th 2023
FBI disrupts Blackcat ransomware operation, creates decryption tool
The Department of Justice announced today that the FBI successfully breached the ALPHV ransomware operation’s servers to monitor their activities and obtain decryption keys.
How the FBI seized BlackCat (ALPHV) ransomware’s servers
An unsealed FBI search warrant revealed how law enforcement hijacked the ALPHV/BlackCat ransomware operations websites and seized the associated URLs.
FBI: ALPHV ransomware raked in $300 million from over 1,000 victims
The ALPHV/BlackCat ransomware gang has made over $300 million in ransom payments from more than 1,000 victims worldwide as of September 2023, according to the Federal Bureau of Investigation (FBI).
Smoke and Mirrors: Understanding The Workings of Wazawaka
This research provides a comprehensive analysis of Wazawaka’s background, affiliations, and tactics in the threat landscape associated with his activities. It includes information about Wazawaka’s team and his close relations with other threat actors.
December 20th 2023
Healthcare software provider data breach impacts 2.7 million
ESO Solutions, a provider of software products for healthcare organizations and fire departments, disclosed that data belonging to 2.7 million patients has been compromised as a result of a ransomware attack.
Fake F5 BIG-IP zero-day warning emails push data wipers
The Israel National Cyber Directorate warns of phishing emails pretending to be F5 BIG-IP zero-day security updates that deploy Windows and Linux data wipers.
New BO Team ransomware
PCrisk found a new ransomware that appends the .bot extension and drops a ransom note named How To Restore Your Files.txt.
December 21st 2023
Akira, again: The ransomware that keeps on taking
Following our initial report on Akira ransomware, Sophos has responded to over a dozen incidents involving Akira impacting various sectors and regions. According to our dataset, Akira has primarily targeted organizations located in Europe, North America, and Australia, and operating in the government, manufacturing, technology, education, consulting, pharmaceuticals, and telecommunication sectors.
Windows CLFS and five exploits used by ransomware operators
Seeing a Win32k driver zero-day being used in attacks isn’t really surprising these days, as the design issues with that component are well known and have been exploited time and time again. But we had never seen so many CLFS driver exploits being used in active attacks before, and then suddenly there are so many of them captured in just one year.
New Phobos ransomware variant
PCrisk found a new ransomware that appends a unique extension and drops ransom notes named info.txt and info.hta.
New Tprc ransomware
PCrisk found a new ransomware that appends the .tprc extension and drops a ransom note named !RESTORE!.txt.
December 22nd 2023
Nissan Australia cyberattack claimed by Akira ransomware gang
Japanese car maker Nissan is investigating a cyberattack that targeted its systems in Australia and New Zealand, which may have let hackers access personal information.