The Week in Ransomware – June 16th 2023 – Wave of Extortion
The MOVEit Transfer extortion attacks continue to dominate the news cycle, with the Clop ransomware operation now extorting organizations breached in the attacks.
On Wednesday, the Clop gang started listing the names of breached organizations, warning that data would be leaked in seven days if a ransom was not negotiated.
Many organizations have decided to disclose the breaches rather than negotiating, warning impacted people that their data was exposed.
Known impacted organizations include US federal agencies, the Louisiana and Oregon DMVs, Zellis customers (the BBC, Boots, Aer Lingus, and Ireland’s HSE), the University of Rochester, the government of Nova Scotia, the US state of Missouri, the US state of Illinois, BORN Ontario, Ofcom, Extreme Networks, and the American Board of Internal Medicine.
As for Clop, they have now listed thirty-seven organizations impacted by the MOVEit breaches on their website, hoping it will pressure them to negotiate.
This week’s other big news is the FBI arresting a LockBit affiliate in Arizona just as CISA warned that the ransomware operation extorted over $90 million in 1,700 attacks on US organizations.
We also learned more about ransomware attacks this week, with the Medusa operation extorting Argentina’s National Securities Commission (CNV) and Rhysida ransomware leaking data stolen from the Chilean Army.
Contributors and those who provided new ransomware information and stories this week include: @billtoulas, @DanielGallagher, @malwrhunterteam, @BleepinComputer, @VK_Intel, @LawrenceAbrams, @PolarToffee, @struppigel, @jorntvdw, @Ionut_Ilascu, @FourOctets, @serghei, @fwosar, @Seifreed, @malwareforme, @demonslay335, @AuCyble, @pcrisk, @FortiGuardLabs, @1ZRR4H, @SentinelOne, @SttyK, @juanbrodersen, @AShukuhi, @BrettCallow, @Jon__DiMaggio, and @snlyngaas.
June 11th 2023
Hackers add the National Securities Commission to their list of victims: they say they have sensitive data
A group of cybercriminals claims to have 1.5 TB (1,500 gigabytes) of information from the National Securities Commission (CNV), the official body that oversees markets throughout the country. Medusa, the same ransomware cartel that encrypted Garbarino’s data in March of this year, is asking for $500,000 and has set a one-week deadline before it publishes the data.
June 12th 2023
New STOP ransomware variants
PCrisk found new STOP ransomware variants that append the .ahui, .ahgr, and .ahtw extensions.
New Chaos ransomware variant
PCrisk found a new Chaos ransomware variant that appends the .minime extension.
June 13th 2023
New Chaos ransomware variant
PCrisk found a new Chaos ransomware variant that appends the .LMAO extension and drops a ransom note named read_it.txt.
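The STOP and Chaos entries above each give two cheap file-system indicators: an appended extension on encrypted files and, for the latest Chaos variant, a ransom note named read_it.txt. The following Python script is an added example (not PCrisk’s or BleepingComputer’s code) showing how a responder can turn those published indicators into a triage scan: it classifies paths against the extension table from this roundup, treats the ransom note as an immediate alert, requires a small burst of encrypted files before alerting on an extension alone (the MIN_ENCRYPTED_FILES threshold of 3 is an assumption, not something the reports state), and ranks directories by hit count so triage starts where the encryption did. The sample paths are constructed for the example.

```python
"""Triage scan for the STOP/Chaos file indicators listed in this roundup.

Added example; the indicator table is built from the entries above, and the
threshold and sample paths are constructed assumptions for illustration.
"""
import os
from collections import Counter, defaultdict
from pathlib import PurePath

# Extension -> family, taken from the PCrisk entries above (case-insensitive match).
EXTENSION_FAMILIES = {
    ".ahui": "STOP",
    ".ahgr": "STOP",
    ".ahtw": "STOP",
    ".minime": "Chaos",
    ".lmao": "Chaos",
}
# Ransom note name reported for the .LMAO Chaos variant.
RANSOM_NOTE_NAMES = {"read_it.txt"}
# Assumption: a single stray file is noise; a burst of hits in one family is a campaign.
MIN_ENCRYPTED_FILES = 3


def classify_path(path):
    """Return ("note", None), ("encrypted", family), or None for a single path."""
    name = PurePath(path).name
    if name.lower() in RANSOM_NOTE_NAMES:
        return ("note", None)
    # PurePath.suffix gives the last extension, so "q2.xlsx.ahui" -> ".ahui".
    family = EXTENSION_FAMILIES.get(PurePath(name).suffix.lower())
    if family:
        return ("encrypted", family)
    return None


def scan_paths(paths):
    """Aggregate indicators over an iterable of paths; pure so it is easy to test."""
    per_family = defaultdict(list)
    notes = []
    for path in paths:
        hit = classify_path(path)
        if hit is None:
            continue
        kind, family = hit
        if kind == "note":
            notes.append(path)
        else:
            per_family[family].append(path)
    # Directories with the most encrypted files are where triage should start.
    dirs = Counter(str(PurePath(p).parent) for hits in per_family.values() for p in hits)
    alerting = sorted(f for f, hits in per_family.items() if len(hits) >= MIN_ENCRYPTED_FILES)
    return {
        "families": dict(per_family),
        "alerting_families": alerting,
        "ransom_notes": notes,
        "hot_dirs": dirs.most_common(3),
        # A ransom note alone is enough to alert; extensions need the burst threshold.
        "alert": bool(notes) or bool(alerting),
    }


def scan_directory(root):
    """Walk a real directory tree and feed every file path into scan_paths."""
    return scan_paths(
        os.path.join(dirpath, name)
        for dirpath, _, files in os.walk(root)
        for name in files
    )


# Constructed sample listing: a STOP burst in one share, one Chaos file, and a note.
SAMPLE_PATHS = [
    "/srv/share/finance/q2.xlsx.ahui",
    "/srv/share/finance/budget.docx.ahui",
    "/srv/share/finance/notes.txt.ahgr",
    "/srv/share/hr/payroll.csv",
    "/home/user/pictures/vacation.jpg.LMAO",
    "/home/user/read_it.txt",
    "/home/user/readme.txt",
]

if __name__ == "__main__":
    result = scan_paths(SAMPLE_PATHS)
    print("ALERT" if result["alert"] else "clean")
    for family, hits in result["families"].items():
        print(f"{family}: {len(hits)} encrypted file(s)")
    print("ransom notes:", result["ransom_notes"])
    print("hot directories:", result["hot_dirs"])
```

Point scan_directory at a suspect share to run it against a live tree; note that the extension table only covers the variants named in this week’s entries, so it should be refreshed as new variants are reported rather than treated as a complete signature set.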
June 14th 2023
CISA: LockBit ransomware extorted $91 million in 1,700 U.S. attacks
U.S. and international cybersecurity authorities said in a joint LockBit ransomware advisory that the gang successfully extorted roughly $91 million following approximately 1,700 attacks against U.S. organizations since 2020.
WannaCry ransomware impersonator targets Russian “Enlisted” FPS players
A ransomware operation targets Russian players of the Enlisted multiplayer first-person shooter, using a fake website to spread trojanized versions of the game.
New Techniques: Uncovering Tor Hidden Service with Etag
Report on finding the public IP address for a RagnarLocker Tor site.
This investigation was conducted mainly through publicly available open-source intelligence services such as Shodan, as well as through underground community sources. The related server has already been shut down, and the person believed to be the suspect has been indicted, which prompted the release of the report. The de-anonymization method using Etag is almost unknown to the public, and I believe that it is a valuable contribution to the community.
June 15th 2023
Clop ransomware gang starts extorting MOVEit data-theft victims
The Clop ransomware gang has started extorting companies impacted by the MOVEit data theft attacks, first listing the companies’ names on a data leak site, an often-employed tactic before public disclosure of stolen information.
Suspected LockBit ransomware affiliate arrested, charged in US
Russian national Ruslan Magomedovich Astamirov was arrested in Arizona and charged by the U.S. Justice Department for allegedly deploying LockBit ransomware on the networks of victims in the United States and abroad.
Rhysida ransomware leaks documents stolen from Chilean Army
Threat actors behind a recently surfaced ransomware operation known as Rhysida have leaked online what they claim to be documents stolen from the network of the Chilean Army (Ejército de Chile).
US government agencies hit in global cyberattack
Editor’s note: More MOVEit Attacks.
Several US federal government agencies have been hit in a global cyberattack by Russian cybercriminals that exploits a vulnerability in widely used software, according to a top US cybersecurity agency.
June 16th 2023
Millions of Oregon, Louisiana state IDs stolen in MOVEit breach
Louisiana and Oregon warn that millions of driver’s licenses were exposed in a data breach after a ransomware gang hacked their MOVEit Transfer secure file transfer systems to steal stored data.
Ransomware Roundup — Big Head
FortiGuard Labs came across two new ransomware variants, “Big Head” and another likely used by the same attacker, targeting consumers to extort money.
That’s it for this week! Hope everyone has a nice weekend!