The Week in Ransomware – March 10th 2023 – Police Take Action
This week’s biggest news was the coordinated, international law enforcement operation between Europol, the FBI, the Netherlands, Germany, and Ukraine that targeted the DoppelPaymer operation.
As part of this operation, the police arrested two core members of the DoppelPaymer gang and raided multiple locations where they seized electronics.
DoppelPaymer is believed to be one of the ransomware brands operated by the Evil Corp cybercrime operation, also known for managing and distributing the Dridex malware botnet.
After the U.S. sanctioned Evil Corp in 2019 for causing over $100 million in financial damages, many ransomware recovery and negotiation firms refused to interact with the ransomware operation, causing a significant decrease in ransom payments.
These sanctions led to Evil Corp constantly rebranding its ransomware operations under new names, with DoppelPaymer rebranding as Grief (a.k.a. Pay or Grief) in the summer of 2021.
Other significant news this week came today, with the SEC announcing a settlement with Blackbaud for failing to disclose the full impact of a 2020 ransomware attack that affected more than 13,000 customers.
New research was also released this week on the ESXi encryptor of the Royal Ransomware and a new IceFire Linux encryptor.
Finally, we learned more about various ransomware attacks this week, including ones on the City of Oakland, Hospital Clínic de Barcelona, Technion, Fonasa, and the Minneapolis Public Schools district.
Contributors and those who provided new ransomware information and stories this week include: @BleepinComputer, @serghei, @Seifreed, @malwrhunterteam, @demonslay335, @LawrenceAbrams, @billtoulas, @fwosar, @PolarToffee, @LabsSentinel, @BrettCallow, @security_score, @AhnLab_SecuInfo, @AJVicens, @AlvieriD, @pcrisk, @chum1ng0, and @TrendMicro.
March 4th 2023
Ransomware gang leaks data stolen from City of Oakland
The Play ransomware gang has begun to leak data from the City of Oakland, California, that was stolen in a recent cyberattack.
March 6th 2023
Core DoppelPaymer ransomware gang members targeted in Europol operation
Europol has announced that law enforcement in Germany and Ukraine targeted two individuals believed to be core members of the DoppelPaymer ransomware group.
March 7th 2023
Hospital Clínic de Barcelona severely impacted by ransomware attack
The Hospital Clínic de Barcelona suffered a ransomware attack on Sunday morning, severely disrupting its healthcare services after the institution’s virtual machines were targeted by the attack.
ESXi Ransomware – A case study of Royal Ransomware
“Royal ransomware joins other ransomware groups targeting ESXi servers. The files are encrypted using the AES algorithm, with the key and IV being encrypted using the RSA public key that is hard-coded in the executable. The process can partially encrypt a file depending on its size and the value of the “-ep” parameter. The extension of the encrypted files is changed to “.royal_u”.”
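A defender-side triage helper, added here as an example and not code from the article or from the Royal case study it quotes: it flags filenames carrying the extensions and ransom-note name mentioned in this roundup (.royal_u, .acessd, .coba, How_to_back_files.html), and uses chunked entropy to tell a partially encrypted file from a fully encrypted one, which matters for families like Royal that encrypt only part of large files. The 4 KiB chunk size, the 7.0 bits/byte threshold and the sample data are assumptions, not details from the report.

```python
# Added example (not from the article): triage indicators named in the roundup
# and estimate how much of a file looks like ciphertext. Chunk size and
# entropy threshold are assumed values, not any family's internals.
import math
import os
import random
from collections import Counter

RANSOM_EXTENSIONS = {".royal_u", ".acessd", ".coba"}   # named in the roundup
RANSOM_NOTE_NAMES = {"How_to_back_files.html"}         # named in the roundup
HIGH_ENTROPY = 7.0   # bits/byte; assumed cutoff, plain text sits well below it


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def encrypted_chunk_fraction(data: bytes, chunk_size: int = 4096) -> float:
    """Share of fixed-size chunks whose entropy looks like ciphertext."""
    chunks = [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)]
    if not chunks:
        return 0.0
    hot = sum(1 for c in chunks if shannon_entropy(c) >= HIGH_ENTROPY)
    return hot / len(chunks)


def classify_content(data: bytes) -> str:
    """Partial encryption shows up as a mix of hot and cold chunks."""
    frac = encrypted_chunk_fraction(data)
    if frac == 0.0:
        return "plaintext"
    return "fully_encrypted" if frac == 1.0 else "partially_encrypted"


def indicator_hits(filenames):
    """Return (name, reason) pairs for names matching the roundup's indicators."""
    hits = []
    for name in filenames:
        base = os.path.basename(name)
        if base in RANSOM_NOTE_NAMES:
            hits.append((name, "ransom note name"))
        elif os.path.splitext(base)[1] in RANSOM_EXTENSIONS:
            hits.append((name, "ransomware extension"))
    return hits


def constructed_samples():
    """Constructed in-memory samples; no real files are read."""
    text = b"quarterly report, department totals and notes\n" * 100
    block = random.Random(1).randbytes(4096)   # stands in for one encrypted block
    return {"plain": text, "partial": block + text, "full": block * 3}
```

Point indicator_hits at a file listing from a suspect host and classify_content at the bytes of any flagged file; a "partially_encrypted" verdict on a large VM image is consistent with the size-dependent partial encryption the case study describes.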
Israel blames prolific Iranian-linked hacking group for February university hack
Iran was behind a cyberattack on a major research university in Israel last month, the Israel National Cyber Directorate announced on Tuesday.
Ransomware Targeting Albanian Government – RoadSweep 2.0
Albanian news outlets have reported two large-scale targeted cyber-attacks of the same type and most likely by the same attackers as another previous ransomware attack on Albania.
New MedusaLocker variant
PCrisk found a new MedusaLocker variant that appends the .acessd extension and drops a ransom note named How_to_back_files.html.
March 8th 2023
Ransomware gang posts video of data stolen from Minneapolis schools
The Medusa ransomware gang is demanding a $1,000,000 ransom from the Minneapolis Public Schools (MPS) district to delete data allegedly stolen in a ransomware attack.
March 9th 2023
IceFire ransomware now encrypts both Linux and Windows systems
Threat actors linked to the IceFire ransomware operation now actively target Linux systems worldwide with a new dedicated encryptor.
Decryptable iswr Ransomware Being Distributed in Korea
ASEC (AhnLab Security Emergency response Center) has recently discovered the distribution of the iswr ransomware during the team’s monitoring.
Examining Ransomware Payments From a Data-Science Lens
In this entry, we discuss case studies that demonstrated how data-science techniques were applied in our investigation of ransomware groups’ ransom transactions, as detailed in our joint research with Waratah Analytics, “What Decision-Makers Need to Know About Ransomware Risk.”
New STOP ransomware variant
PCrisk found a STOP variant that appends the .coba extension.
March 10th 2023
Blackbaud to pay $3M for misleading ransomware attack disclosure
Cloud software provider Blackbaud has agreed to pay $3 million to settle charges brought by the Securities and Exchange Commission (SEC), alleging that it failed to disclose the full impact of a 2020 ransomware attack that affected more than 13,000 customers.
BlackCat confirms attack on Fonasa
In a chat on Tox, BlackCat confirmed to DataBreaches that they are responsible for the attack and they say that they will announce it soon on their leaks page. A spokesperson for the group told DataBreaches that they are not giving Fonasa any more time to respond because they have not heard from them at all.
That’s it for this week! Hope everyone has a nice weekend!