The Week in Ransomware – October 27th 2023 – Breaking Records
Ransomware attacks are increasing significantly, with reports indicating that last month was a record month for ransomware attacks in 2023.
According to NCC Group data, ransomware groups launched 514 attacks in September, surpassing March 2023 activity, which included 459 attacks that were heavily skewed by Clop’s Fortra GoAnywhere data theft attacks.
Check Point Software also reports the increase, putting ransomware attacks up 3% for 2023.
A July report by Chainalysis likewise projected that 2023 would be a record year for ransomware payments, with ransom payments on track to exceed $500 million by the end of the year.
In other news, Microsoft released a report on the Octo Tempest extortion group, stating they are among the “most dangerous financial criminal groups.”
Octo Tempest is also known as Scattered Spider, Oktapus, and UNC3944 and is believed to be behind recent ransomware attacks on MGM Resorts and Caesars and past attacks on Reddit, MailChimp, Twilio, DoorDash, and Riot Games.
The threat actors are known to utilize a wide variety of advanced social engineering and hacking tactics, along with SIM-swapping attacks to breach accounts. In some cases, Microsoft says the threat actors have resorted to threats of violence to attempt to gain access to corporate credentials.
This group stands out as they are believed to be a loose-knit group of English-speaking threat actors who are affiliates of the BlackCat ransomware gang, which generally only works with Russian-speaking affiliates.
We also learned of new cyberattacks or more information was shared about existing ones, including:
- American Family Insurance finally confirms a cyberattack caused their outage.
- BHI Energy provided a very transparent report on how Akira breached them.
- TransForm warns that a ransomware attack is impacting five hospitals in Ontario, Canada.
- France’s ASVEL basketball team confirms a data breach after a ransomware attack.
- The Rorschach ransomware gang hit the Chilean telecom giant GTD.
- Seiko confirms a ransomware attack exposed customer data.
Contributors and those who provided new ransomware information and stories this week include: @Seifreed, @LawrenceAbrams, @billtoulas, @Ionut_Ilascu, @demonslay335, @fwosar, @BleepinComputer, @serghei, @malwrhunterteam, @Avast, @kaspersky, @1ZRR4H, @NCCGroupplc, @Imperva, @Webroot, @MsftSecIntel, @pcrisk, @BushidoToken, @BrettCallow, and @security_score.
October 21st 2023
American Family Insurance confirms cyberattack is behind IT outages
Insurance giant American Family Insurance has confirmed it suffered a cyberattack and shut down portions of its IT systems after customers reported website outages all week.
October 23rd 2023
US energy firm shares how Akira ransomware hacked its systems
In a rare display of transparency, US energy services firm BHI Energy details how the Akira ransomware operation breached its network and stole data during the attack.
University of Michigan employee, student data stolen in cyberattack
The University of Michigan says in a statement today that they suffered a data breach after hackers broke into its network in August and accessed systems with information belonging to students, applicants, alumni, donors, employees, patients, and research study participants.
A Deep Dive into Cactus Ransomware
A technical analysis of the Cactus Ransomware.
October 24th 2023
September was a record month for ransomware attacks in 2023
Ransomware activity in September reached unprecedented levels following a relative lull in August that was still well above the usual level for the summer months.
Cyberattack on health services provider impacts 5 Canadian hospitals
A cyberattack on shared service provider TransForm has impacted operations in five hospitals in Ontario, Canada, impacting patient care and causing appointments to be rescheduled.
ASVEL basketball team confirms data breach after ransomware attack
French professional basketball team LDLC ASVEL (ASVEL) has confirmed that data was stolen after the NoEscape ransomware gang claimed to have attacked the club.
Analysis: A Ransomware Attack on a PostgreSQL Database
In 2017, we reported on a database ransomware campaign targeting MySQL and MongoDB. Since then, we’ve observed similar attack tactics on a PostgreSQL database in the Imperva Threat Research lab.
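Database extortion campaigns of the kind summarized above generally do not need an exploit: they connect to an Internet-reachable database that accepts logins without a password or with a weak one, dump or drop the data, and leave a ransom note in its place. The following audit script is an added example (not Imperva's code, and not a description of the specific campaign they analyzed); it assumes that exposure vector and checks a PostgreSQL pg_hba.conf for the rules that create it. The two configuration fragments are constructed samples, the first with the weak settings, the second with the corrected ones.

```python
import ipaddress

# Constructed sample (not from the Imperva report): "host" rules that accept any
# client with no password (trust), with legacy md5 from the whole IPv6 Internet,
# and with cleartext "password" auth from a /8. Any of these is enough for a
# scanner-driven extortion campaign to walk in.
WEAK_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS       METHOD
local   all       all                 peer
host    all       all   0.0.0.0/0     trust
host    all       all   ::/0          md5
host    app       app   10.0.0.0/8    password
"""

# Same server, hardened: TLS required, SCRAM for the application subnet only,
# and an explicit reject for everyone else. pg_hba.conf is first-match, so the
# reject must come last.
HARDENED_PG_HBA = """\
local   all       all                 peer
hostssl app       app   10.20.0.0/16  scram-sha-256
host    all       all   0.0.0.0/0     reject
"""

HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}
CLEARTEXT_OR_LEGACY = {"password", "md5"}


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_pg_hba(text):
    """Parse pg_hba.conf lines into dicts: type, db, user, address, method, lineno."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        f = line.split()
        if f[0] == "local" and len(f) >= 4:
            rules.append(dict(type="local", db=f[1], user=f[2],
                              address=None, method=f[3], lineno=lineno))
        elif f[0] in HOST_TYPES and len(f) >= 5:
            address, rest = f[3], f[4:]
            # pg_hba also allows "ADDRESS NETMASK" as two fields; fold to one
            if "/" not in address and len(rest) >= 2 and _is_ip(rest[0]):
                address, rest = f"{address}/{rest[0]}", rest[1:]
            rules.append(dict(type=f[0], db=f[1], user=f[2],
                              address=address, method=rest[0], lineno=lineno))
    return rules


def _network(address):
    try:
        return ipaddress.ip_network(address, strict=False)
    except ValueError:
        return None  # hostname, samehost, samenet, "all"


def _is_world_reachable(address):
    net = _network(address)
    return address == "all" or (net is not None and net.prefixlen == 0)


def _is_loopback(address):
    net = _network(address)
    return net is not None and net.is_loopback


def audit_pg_hba(text):
    """Return (lineno, finding) pairs for network rules an attacker could use."""
    findings = []
    for r in parse_pg_hba(text):
        if r["type"] == "local":
            continue  # Unix-socket rules are not reachable over the network
        if r["method"] == "trust" and not _is_loopback(r["address"]):
            findings.append((r["lineno"], f"trust (no authentication) for {r['address']}"))
        elif r["method"] in CLEARTEXT_OR_LEGACY:
            findings.append((r["lineno"], f"{r['method']} auth for {r['address']}; use scram-sha-256"))
        elif r["method"] != "reject" and _is_world_reachable(r["address"]):
            findings.append((r["lineno"], f"logins accepted from any address via {r['method']}"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_PG_HBA), ("hardened", HARDENED_PG_HBA)):
        print(label, audit_pg_hba(conf))
```

The audit is deliberately conservative: it flags only rules that are wrong on their face. Whether the server is actually exposed also depends on listen_addresses in postgresql.conf and on the host firewall, so treat a clean pg_hba.conf as necessary, not sufficient.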
Stealer for PIX payment system, new Lumar stealer and Rhysida ransomware
In this article, we share excerpts from our reports on malware that has been active for less than a year: the GoPIX stealer targeting the PIX payment system, which is gaining popularity in Brazil; the Lumar multipurpose stealer advertised on the dark web; and the Rhysida ransomware supporting old Windows versions.
New JarJets ransomware
PCrisk found a new JarJets ransomware that appends the .Jarjets extension and drops a ransom note named Jarjets_ReadMe.txt.
October 25th 2023
Chilean telecom giant GTD hit by the Rorschach ransomware gang
Chile’s Grupo GTD warns that a cyberattack has impacted its Infrastructure as a Service (IaaS) platform, disrupting online services.
Seiko says ransomware attack exposed sensitive customer data
Japanese watchmaker Seiko has confirmed it suffered a BlackCat ransomware attack earlier this year, warning that the incident has led to a data breach, exposing sensitive customer, partner, and personnel information.
A Continuing Cyber-Storm with Increasing Ransomware Threats and a Surge in Healthcare and APAC region
As we step into October, the month dedicated to global cyber awareness, it is crucial to illuminate the evolving landscape of cyber threats that impact us all. Check Point Research’s latest report provides a comprehensive view of the storm brewing in the digital realm, specifically for the timeframe of Q1-Q3 of 2023.
Webroot's Nastiest Malware 2023
Now let's dive into what our experts have picked as the top Ransomware families of 2023.
New STOP Ransomware variants
PCrisk found new STOP ransomware variants that append the .zpas, .zput, and .zpww extensions.
New BlackDream ransomware
PCrisk found a new BlackDream ransomware that appends the .BlackDream extension and drops a ransom note named ReadME-Decrypt.txt.
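The JarJets, STOP and BlackDream entries above each give the two artifacts a responder can triage on immediately: the appended extension and, where reported, the ransom note filename. The script below is an added example (not PCrisk's or BleepingComputer's code) that turns those indicators into a file-system sweep, grouping hits by family and by directory so the blast radius is visible at a glance. The family table contains only what the entries above report; STOP's note name is not given on this page and is left out. The path listing is a constructed sample, not data from any victim.

```python
import os
from collections import defaultdict

# Indicators as reported above: appended extension(s) and, where given, the
# ransom note filename. Lower-cased so matching is case-insensitive.
FAMILIES = {
    "JarJets":    {"ext": {".jarjets"},                "note": {"jarjets_readme.txt"}},
    "STOP":       {"ext": {".zpas", ".zput", ".zpww"}, "note": set()},  # note name not on the page
    "BlackDream": {"ext": {".blackdream"},             "note": {"readme-decrypt.txt"}},
}


def classify(path):
    """Return (family, "encrypted" | "note") for a path, or None if no IOC matches."""
    name = os.path.basename(path).lower()
    for family, ioc in FAMILIES.items():
        if name in ioc["note"]:
            return family, "note"
        for ext in ioc["ext"]:
            # The original extension is kept under the appended one
            # (photo.jpg.zpas), so a suffix check is enough.
            if name.endswith(ext) and name != ext:
                return family, "encrypted"
    return None


def scan(paths):
    """Group IOC hits by family: encrypted-file counts per directory, plus note paths."""
    report = defaultdict(lambda: {"encrypted": defaultdict(int), "notes": []})
    for path in paths:
        hit = classify(path)
        if hit is None:
            continue
        family, kind = hit
        if kind == "note":
            report[family]["notes"].append(path)
        else:
            report[family]["encrypted"][os.path.dirname(path)] += 1
    return {f: {"encrypted": dict(v["encrypted"]), "notes": v["notes"]}
            for f, v in report.items()}


def walk_tree(root):
    """Yield every file path under root; feed this to scan() on a live host."""
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            yield os.path.join(dirpath, fn)


# Constructed sample listing (no real victim data), POSIX-style paths.
SAMPLE_PATHS = [
    "/srv/share/finance/q3.xlsx.Jarjets",
    "/srv/share/finance/budget.docx.Jarjets",
    "/srv/share/finance/Jarjets_ReadMe.txt",
    "/home/alice/Pictures/holiday.jpg.zpas",
    "/home/alice/Pictures/family.png.zput",
    "/home/alice/Documents/notes.txt",
    "/data/backup/db.bak.BlackDream",
    "/data/backup/ReadME-Decrypt.txt",
]

if __name__ == "__main__":
    for family, hits in scan(SAMPLE_PATHS).items():
        print(family, hits)
```

Extension indicators go stale quickly (STOP in particular rotates through new extensions every few days, as the .zpas/.zput/.zpww trio shows), so this is a triage tool for scoping an incident already under way, not a substitute for backups, canary files or write-rate monitoring.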
October 26th 2023
Rhysida Ransomware Technical Analysis
The Rhysida encryptor comes as a 32-bit or 64-bit Windows PE file, compiled by MinGW GNU version 6.3.0 and linked by the GNU linker v 2.30. The first public version comes as a debug version, which makes its analysis easier.
Microsoft: Octo Tempest is one of the most dangerous financial hacking groups
Microsoft has published a detailed profile of a native English-speaking threat actor with advanced social engineering capabilities it tracks as Octo Tempest, that targets companies in data extortion and ransomware attacks.
That’s it for this week! Hope everyone has a nice weekend!