The Week in Ransomware – May 12th 2023 – New Gangs Emerge

Two people wearing purge masks in front of cars

This week we have multiple reports of new ransomware families targeting the enterprise, named Cactus and Akira, both increasingly active as they target the enterprise.

The Cactus operation launched in March and has been found to exploit VPN vulnerabilities to gain access to corporate networks.

The encryptor requires an encryption key to be passed on the command line to decrypt the configuration file used by the malware. If the proper configuration key is not passed, the encryptor will terminate, and nothing will be encrypted.

This method is to evade detection by security researchers and antivirus software.

BleepingComputer also reported on the Akira ransomware, a new operation launched in March that quickly amassed sixteen victims on its data leak site.

The Akira operation uses a retro-looking data leak site that requires you to enter commands as if you’re using a Linux shell.

Akira data leak site
Akira data leak site
Source: BleepingComputer

We also learned about new attacks and significant developers in previous ones.

On May 7th, multinational automation firm ABB suffered a Black Basta ransomware attack, disrupting their network and factories.

ABB is the developer of numerous SCADA and industrial control systems (ICS) for energy suppliers and manufacturing, raising concerns about whether data was stolen and what it contained.

News also came out last week that the Money Message ransomware operation published source code belonging to MSI, which contained private keys for Intel Boot Guard.

Binarly warned that these leaked keys could be used to digitally sign UEFI malware that can bypass Intel Boot Guard on MSI devices.

Finally, researchers and law enforcement released new reports:

Contributors and those who provided new ransomware information and stories this week include: @PolarToffee, @malwrhunterteam, @Ionut_Ilascu, @demonslay335, @struppigel, @malwareforme, @BleepinComputer, @billtoulas, @FourOctets, @serghei, @VK_Intel, @fwosar, @LawrenceAbrams, @Seifreed, @jorntvdw, @DanielGallagher, @LabsSentinel, @BrettCallow, @matrosov, @binarly_io, @Checkmarx, @KrollWire, @yinzlovecyber, and @pcrisk.

May 7th 2023

Meet Akira — A new ransomware operation targeting the enterprise

The new Akira ransomware operation has slowly been building a list of victims as they breach corporate networks worldwide, encrypt files, and then demand million-dollar ransoms.

New Cactus ransomware encrypts itself to evade antivirus

A new ransomware operation called Cactus has been exploiting vulnerabilities in VPN appliances for initial access to networks of “large commercial entities.”

New STOP ransomware variant

PCrisk found a new STOP ransomware variant that appends the .qore extension.

May 8th 2023

Intel investigating leak of Intel Boot Guard private keys after MSI breach

Intel is investigating the leak of alleged private keys used by the Intel Boot Guard security feature, potentially impacting its ability to block the installation of malicious UEFI firmware on MSI devices.

May 9th 2023

New GlobeImposter ransomware variant

PCrisk found a new GlobeImposter ransomware variant that appends the .Suffering extension and drops a ransom note named how_to_back_files.html.

New Solix ransomware

PCrisk found a new ransomware variant that appends the .Solix extension.

New MedusaLocker ransomware

PCrisk found a new ransomware variant that appends the .newlocker extension and drops a ransom note named HOW_TO_RECOVER_DATA.html.

New BrightNite ransomware

PCrisk found a new ransomware variant that appends the .BrightNight extension and drops a ransom note named README.txt.

New STOP ransomware variant

PCrisk found a new STOP ransomware variant that appends the .gash extension.

May 10th 2023

New ransomware decryptor recovers data from partially encrypted files

A new ‘White Phoenix’ ransomware decryptor allows victims to partially recover files encrypted by ransomware strains that use intermittent encryption.

New Xorist ransomware variant

PCrisk found a new Xorist ransomware variant that appends the .SIGSCH extension and drops a ransom note named README_SIGSCH.txt.

New Army Signal ransomware

PCrisk found a new Xorist ransomware variant that appends the .zipp3rs extension.

May 11th 2023

Babuk code used by 9 ransomware gangs to encrypt VMWare ESXi servers

An increasing number of ransomware operations are adopting the leaked Babuk ransomware source code to create Linux encryptors targeting VMware ESXi servers.

Multinational tech firm ABB hit by Black Basta ransomware attack

Swiss multinational company ABB, a leading electrification and automation technology provider, has suffered a Black Basta ransomware attack, reportedly impacting business operations.

New STOP ransomware variant

PCrisk found a new STOP ransomware variant that appends the .gatz extension.

May 12th 2023

FBI: Bl00dy Ransomware targets education orgs in PaperCut attacks

The FBI and CISA issued a joint advisory to warn that the Bl00dy Ransomware gang is now also actively exploiting a PaperCut remote-code execution vulnerability to gain initial access to networks.

That’s it for this week! Hope everyone has a nice weekend!


Original Source


A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

Buy Me A Coffee
Patreon

 To keep up to date follow us on the below channels.

join
Telegram
discord
Discord
reddit
Reddit
linkedin
LinkedIn