The Week in Ransomware – March 10th 2023 – Police Take Action


This week’s biggest news was the coordinated, international law enforcement operation between Europol, the FBI, the Netherlands, Germany, and Ukraine that targeted the DoppelPaymer operation.

As part of this operation, the police arrested two core members of the DoppelPaymer gang and raided multiple locations where they seized electronics.

DoppelPaymer is believed to be one of the ransomware brands operated by the Evil Corp cybercrime operation, also known for managing and distributing the Dridex malware botnet.

After the U.S. sanctioned Evil Corp in 2019 for causing over $100 million in financial damages, many ransomware recovery and negotiation firms refused to interact with the ransomware operation, causing a significant decrease in ransom payments.

These sanctions led to Evil Corp constantly rebranding their ransomware operations under new names, with DoppelPaymer rebranding as Grief (a.k.a. Pay or Grief) in the summer of 2021.

Another significant news item this week came today, with the SEC announcing a settlement with Blackbaud for failing to disclose the full impact of a 2020 ransomware attack that affected more than 13,000 customers.

New research was also released this week on the ESXi encryptor of the Royal Ransomware and a new IceFire Linux encryptor.

Finally, we learned more about various ransomware attacks this week, including ones on the City of Oakland, Hospital Clínic de Barcelona, Technion, Fonasa, and the Minneapolis Public Schools district.

Contributors and those who provided new ransomware information and stories this week include: @BleepinComputer, @serghei, @Seifreed, @malwrhunterteam, @demonslay335, @LawrenceAbrams, @billtoulas, @fwosar, @PolarToffee, @LabsSentinel, @BrettCallow, @security_score, @AhnLab_SecuInfo, @AJVicens, @AlvieriD, @pcrisk, @chum1ng0, and @TrendMicro.

March 4th 2023

Ransomware gang leaks data stolen from City of Oakland

The Play ransomware gang has begun to leak data from the City of Oakland, California, that was stolen in a recent cyberattack.

March 6th 2023

Core DoppelPaymer ransomware gang members targeted in Europol operation

Europol has announced that law enforcement in Germany and Ukraine targeted two individuals believed to be core members of the DoppelPaymer ransomware group.

March 7th 2023

Hospital Clínic de Barcelona severely impacted by ransomware attack

The Hospital Clínic de Barcelona suffered a ransomware attack on Sunday morning, severely disrupting its healthcare services after the institution’s virtual machines were targeted by the attack.

ESXi Ransomware – A case study of Royal Ransomware

“Royal ransomware joins other ransomware groups targeting ESXi servers. The files are encrypted using the AES algorithm, with the key and IV being encrypted using the RSA public key that is hard-coded in the executable. The process can partially encrypt a file depending on its size and the value of the “-ep” parameter. The extension of the encrypted files is changed to “.royal_u”.”
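The partial-encryption behaviour described above matters for responders: a large VM disk that Royal only encrypted up to its “-ep” percentage still has plaintext in its tail, and a per-chunk entropy profile makes that visible. The script below is an added example for this roundup, not code from the Royal analysis or from any vendor; it scores each 4 KiB chunk of a file by Shannon entropy and reports what fraction of the file looks like ciphertext, alongside the known “.royal_u” extension. The 7.5 bits/byte threshold, the chunk size, and the constructed sample “disk” (pseudo-random bytes standing in for AES output, repetitive text standing in for a VMDK) are assumptions of this example, not values taken from the Royal encryptor.

```python
"""Chunk-entropy heuristic for spotting fully vs. partially encrypted files.

Added example; not taken from the Royal ransomware analysis quoted above.
"""
import math
import random

CHUNK_SIZE = 4096    # assumed analysis granularity (disk images are sector-aligned anyway)
HIGH_ENTROPY = 7.5   # assumed threshold in bits/byte: AES output sits near 8.0, text near 3-5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def chunk_entropies(data: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    """Entropy of each consecutive chunk, in file order."""
    return [shannon_entropy(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]


def encrypted_fraction(data: bytes) -> float:
    """Fraction of chunks that look like ciphertext.

    0.0 means every chunk is low entropy (plaintext), 1.0 means every chunk is
    high entropy (fully encrypted, or legitimately compressed), and anything in
    between is the signature of partial/intermittent encryption.
    """
    ents = chunk_entropies(data)
    if not ents:
        return 0.0
    return sum(1 for e in ents if e >= HIGH_ENTROPY) / len(ents)


def classify(path: str, data: bytes) -> str:
    """Combine the known Royal extension with the entropy profile of the content."""
    frac = encrypted_fraction(data)
    if path.endswith(".royal_u"):
        return "royal_extension"
    if frac == 0.0:
        return "plaintext"
    if frac == 1.0:
        # Caveat: archives, images and already-encrypted files also land here,
        # so treat this as a lead to triage, not a verdict on its own.
        return "high_entropy"
    return "partial_encryption"


def build_sample(total_chunks: int, encrypted_chunks: int, seed: int = 7) -> bytes:
    """Constructed stand-in for a VM disk image (not real Royal output).

    The first `encrypted_chunks` chunks are pseudo-random bytes standing in for
    AES ciphertext; the remaining chunks are repetitive plaintext, mimicking a
    file that was only encrypted up to some percentage of its size.
    """
    rng = random.Random(seed)
    plaintext_chunk = (b"vmware sector data " * 1024)[:CHUNK_SIZE]
    ciphertext = rng.randbytes(CHUNK_SIZE * encrypted_chunks)
    return ciphertext + plaintext_chunk * (total_chunks - encrypted_chunks)


if __name__ == "__main__":
    for name, sample in (
        ("disk.vmdk", build_sample(16, 0)),            # untouched
        ("disk.vmdk", build_sample(16, 8)),            # first half encrypted
        ("disk.vmdk", build_sample(16, 16)),           # fully encrypted
        ("disk.vmdk.royal_u", build_sample(16, 8)),    # renamed by the encryptor
    ):
        print(f"{name:22s} encrypted_fraction={encrypted_fraction(sample):.2f} "
              f"verdict={classify(name, sample)}")
```

On a real ESXi datastore you would walk the VMFS volume and feed each `.vmdk` (and anything already renamed to `.royal_u`) through `encrypted_fraction`; a value well below 1.0 on a large disk tells the recovery team that the unencrypted tail is worth carving before anything is restored over it.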

Israel blames prolific Iranian-linked hacking group for February university hack

Iran was behind a cyberattack on a major research university in Israel last month, the Israel National Cyber Directorate announced on Tuesday.

Ransomware Targeting Albanian Government – RoadSweep 2.0

Albanian news outlets have reported two large-scale targeted cyber-attacks of the same type and most likely by the same attackers as another previous ransomware attack on Albania.

New MedusaLocker variant

PCrisk found a new MedusaLocker variant that appends the .acessd extension and drops a ransom note named How_to_back_files.html.

March 8th 2023

Ransomware gang posts video of data stolen from Minneapolis schools

The Medusa ransomware gang is demanding a $1,000,000 ransom from the Minneapolis Public Schools (MPS) district to delete data allegedly stolen in a ransomware attack.

March 9th 2023

IceFire ransomware now encrypts both Linux and Windows systems

Threat actors linked to the IceFire ransomware operation now actively target Linux systems worldwide with a new dedicated encryptor.

Decryptable iswr Ransomware Being Distributed in Korea

ASEC (AhnLab Security Emergency response Center) has recently discovered the distribution of the iswr ransomware during the team’s monitoring.

Examining Ransomware Payments From a Data-Science Lens

In this entry, we discuss case studies that demonstrated how data-science techniques were applied in our investigation of ransomware groups’ ransom transactions, as detailed in our joint research with Waratah Analytics, “What Decision-Makers Need to Know About Ransomware Risk.”

New STOP ransomware variant

PCrisk found a STOP variant that appends the .coba extension.

March 10th 2023

Blackbaud to pay $3M for misleading ransomware attack disclosure

Cloud software provider Blackbaud has agreed to pay $3 million to settle charges brought by the Securities and Exchange Commission (SEC), alleging that it failed to disclose the full impact of a 2020 ransomware attack that affected more than 13,000 customers.

BlackCat confirms attack on Fonasa

In a chat on Tox, BlackCat confirmed to DataBreaches that they are responsible for the attack and they say that they will announce it soon on their leaks page. A spokesperson for the group told DataBreaches that they are not giving Fonasa any more time to respond because they have not heard from them at all.

That’s it for this week! Hope everyone has a nice weekend!
