The Week in Ransomware – October 13th 2023 – Increasing Attacks

Ransomware gangs continue to pummel the enterprise, with attacks causing disruption in business operations and resulting in data breaches if a ransom is not paid.

This week, we learned of three attacks impacting well-known companies, with BianLian claiming the attack on Air Canada and ALPHV claiming an attack on state courts across Northwest Florida (part of the First Judicial Circuit) last week.

A cyberattack on Simpson Manufacturing caused the company to shut down IT systems, but it has not been confirmed as a ransomware attack.

In other news, a threat actor released the source code for the first version of Hello Kitty ransomware, claiming to be developing a new one that will rival LockBit.

Finally, researchers and government agencies released some interesting news this week:

  • A new Q3 2023 Ransomware Trends Summary shows that ransomware continues to explode, with Q3 being the most successful quarter ever recorded.
  • The FBI shared technical details, defense tips, and IOCs for the AvosLocker ransomware, which has not been active lately.
  • Ransomware attacks have now started to target unpatched WS_FTP servers. However, these attacks focus on encryption rather than data theft.

Contributors and those who provided new ransomware information and stories this week include: @fwosar, @demonslay335, @billtoulas, @Ionut_Ilascu, @serghei, @BleepinComputer, @malwrhunterteam, @Seifreed, @LawrenceAbrams, @SophosXOps, @3xp0rtblog, @AlvieriD, @pcrisk, @cyber_int, and @LikelyMalware.

October 8th 2023

New STOP ransomware variants

PCrisk found new STOP ransomware variants that append the .mlwq and .mlrd extensions to encrypted files.

October 9th 2023

ALPHV ransomware gang claims attack on Florida circuit court

The ALPHV (BlackCat) ransomware gang has claimed an attack that affected state courts across Northwest Florida (part of the First Judicial Circuit) last week.

HelloKitty ransomware source code leaked on hacking forum

A threat actor has leaked the complete source code for the first version of the HelloKitty ransomware on a Russian-speaking hacking forum, claiming to be developing a new, more powerful encryptor.

New STOP ransomware variants

PCrisk found new STOP ransomware variants that append the .mlza and .mlap extensions to encrypted files.

New Hazard ransomware variant

PCrisk found a Hazard ransomware variant that appends the .hazard18 extension (the digit may differ per victim) to encrypted files and drops a ransom note named HOW_TO_BACK_FILES.html.

New MedusaLocker ransomware variant

PCrisk found a MedusaLocker ransomware variant that appends the .locknet extension to encrypted files and drops a ransom note named HOW_TO_BACK_FILES.html.
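As an added defensive example (not from the original post, PCrisk or any of the reported families), the following scanner flags the file extensions and ransom-note name listed in the STOP, Hazard and MedusaLocker entries above; the per-victim digit in the Hazard extension is handled with a regular expression, and the directory tree it scans is constructed purely for the demonstration.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicators taken from the variant entries above. The Hazard family uses a
# per-victim digit after "hazard", so that extension is matched with a regex.
FIXED_EXTENSIONS = {
    ".mlwq": "STOP", ".mlrd": "STOP", ".mlza": "STOP", ".mlap": "STOP",
    ".locknet": "MedusaLocker",
}
PATTERN_EXTENSIONS = [(re.compile(r"^\.hazard\d+$"), "Hazard")]
RANSOM_NOTES = {"HOW_TO_BACK_FILES.html": "Hazard/MedusaLocker"}


def classify_path(path):
    """Return the suspected family for one file path, or None if it matches nothing."""
    name = os.path.basename(path)
    if name in RANSOM_NOTES:
        return RANSOM_NOTES[name]
    ext = os.path.splitext(name)[1].lower()  # last suffix only, e.g. ".mlza"
    if ext in FIXED_EXTENSIONS:
        return FIXED_EXTENSIONS[ext]
    for regex, family in PATTERN_EXTENSIONS:
        if regex.match(ext):
            return family
    return None


def scan_tree(root):
    """Walk root and return {family: [matching paths]} for triage."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for filename in files:
            full = os.path.join(dirpath, filename)
            family = classify_path(full)
            if family:
                hits.setdefault(family, []).append(full)
    return hits


def demo():
    """Build a constructed sample tree (no real victim data) and scan it."""
    root = tempfile.mkdtemp()
    for name in ["report.docx.mlza", "photo.jpg.hazard42", "HOW_TO_BACK_FILES.html",
                 "budget.xlsx.locknet", "clean.txt", "notes.hazardous"]:
        Path(root, name).write_text("x")
    return scan_tree(root)
```
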

October 10th 2023

Air Europa data breach: Customers warned to cancel credit cards

Spanish airline Air Europa, the country’s third-largest airline and a member of the SkyTeam alliance, warned customers on Monday to cancel their credit cards after attackers accessed their card information in a recent data breach.

October 11th 2023

BianLian extortion group claims recent Air Canada breach

The BianLian extortion group claims to have stolen 210GB of data after breaching the network of Air Canada, the country’s largest airline and a founding member of Star Alliance.

Simpson Manufacturing shuts down IT systems after cyberattack

Simpson Manufacturing disclosed via an SEC 8-K filing a cybersecurity incident that has caused disruptions in its operations, which are expected to continue.

Distribution of Magniber Ransomware Stops (Since August 25th)

Through continuous monitoring, AhnLab Security Emergency response Center (ASEC) is responding to Magniber, the main malware actively being distributed via typosquatting, which abuses typos in domain addresses. After blocking rules for the injection technique used by Magniber were distributed, ASEC published a post with the relevant information on August 10th.

Ransomware Trends 2023, Q3 Report

Q3 will be remembered as a new record for the ransomware industry as it was the most successful quarter ever recorded.

October 12th 2023

FBI shares AvosLocker ransomware technical details, defense tips

The U.S. government has updated the list of tools AvosLocker ransomware affiliates use in attacks to include open-source utilities along with custom PowerShell and batch scripts.

Ransomware attacks now target unpatched WS_FTP servers

Internet-exposed WS_FTP servers unpatched against a maximum severity vulnerability are now targeted in ransomware attacks.

That’s it for this week! Hope everyone has a nice weekend!
