The Week in Ransomware – September 29th 2023 – Dark Angels
This week has been a busy ransomware week, with attacks having a massive impact on organizations and the fallout from the MOVEit breaches continuing to be disclosed.
BleepingComputer also exclusively broke the story that building and automation giant Johnson Controls International suffered a Dark Angels ransomware attack, with the threat actors claiming to have stolen 27 TB of data from 25 file servers.
The cyberattack was reportedly launched in Asia offices, from which the threat actors spread to the rest of the corporate network. During this time, the attackers claim to have stolen DWG files, engineering documents, databases, confidential documents, and client contracts.
Soon after BleepingComputer broke the news, Johnson Controls submitted a FORM 8-K filing with the SEC, confirming they suffered a cyberattack.
We also continue to see the effects of Clop’s massive MOVEit data-theft attacks, with the National Student Clearinghouse warning of a data breach that impacted 890 schools and the BORN Ontario child registry breach impacting 3.4 million people, including patients at the Hospital for Sick Children (SickKids).
Cybersecurity firms, journalists, and law enforcement also released interesting reports this week:
- A threat actor named ShadowSyndicate is linked to 7 ransomware operations.
- Hackers are actively exploiting Openfire flaws to encrypt servers.
- The Snatch extortion gang left their server status page open, allowing anyone to see who was connecting to the server.
- The FBI warned that ransomware affiliates are accelerating double-encryption attacks.
- A look at Akira’s new PowerRanges variant, internally called Megazord.
Contributors and those who provided new ransomware information and stories this week include @serghei, @Ionut_Ilascu, @BleepinComputer, @fwosar, @Seifreed, @demonslay335, @billtoulas, @LawrenceAbrams, @malwrhunterteam, @MalGamy12, @billseagull, @coveware, @GroupIB_TI, @briankrebs, @pcrisk, @FBI, @jgreigj, and @DrWeb_antivirus.
September 23rd 2023
National Student Clearinghouse data breach impacts 890 schools
U.S. educational nonprofit National Student Clearinghouse (NSC) has disclosed a data breach affecting 890 schools using its services across the United States.
September 25th 2023
BORN Ontario child registry data breach affects 3.4 million people
The Better Outcomes Registry & Network (BORN), a healthcare organization funded by the government of Ontario, has announced that it is among the victims of Clop ransomware’s MOVEit hacking spree.
Megazord: a ransomware written in RUST
Technical writeup on Akira’s new PowerRanges variant, internally called Megazord.
Megazord ransomware is a new variant of Akira ransomware. Akira appeared in March 2023, and a Linux version followed in June; both encrypt files with a combination of RSA and AES. Megazord differs from the earlier builds in that it is written in Rust and encrypts with a combination of the Curve25519 elliptic-curve asymmetric algorithm and the Sosemanuk symmetric stream cipher. Encrypted files receive the .powerranges extension, and a ransom note is dropped in each folder.
New STOP ransomware variants
PCrisk found new STOP ransomware variants that append the .azhi, .azqt, and .azop extensions.
New Phobos ransomware variant
PCrisk found a new Phobos ransomware variant that appends the .deep extension.
September 26th 2023
SickKids impacted by BORN Ontario data breach that hit 3.4 million
The Hospital for Sick Children, more commonly known as SickKids, is among healthcare providers that were impacted by the recent breach at BORN Ontario.
ShadowSyndicate hackers linked to multiple ransomware ops, 85 servers
Security researchers have identified infrastructure belonging to a threat actor now tracked as ShadowSyndicate, who likely deployed seven different ransomware families in attacks over the past year.
Hackers actively exploiting Openfire flaw to encrypt servers
Hackers are actively exploiting a high-severity vulnerability in Openfire messaging servers to encrypt servers with ransomware and deploy cryptominers.
New Night Crow ransomware
PCrisk found a new ransomware named Night Crow that appends the .NIGHT_CROW extension and drops a ransom note named NIGHT_CROW_RECOVERY.txt.
Kettering logistics firm enters administration with 730 jobs lost
A logistics and training firm targeted by a “significant” cyber attack has entered administration.
September 27th 2023
Building automation giant Johnson Controls hit by ransomware attack
Johnson Controls International has suffered what is described as a massive ransomware attack that encrypted many of the company's devices, including VMware ESXi servers, impacting the company's and its subsidiaries' operations.
‘Snatch’ Ransom Group Exposes Visitor IP Addresses
The victim shaming site operated by the Snatch ransomware group is leaking data about its true online location and internal operations, as well as the Internet addresses of its visitors, KrebsOnSecurity has found. The leaked data suggest that Snatch is one of several ransomware groups using paid ads on Google.com to trick people into installing malware disguised as popular free software, such as Microsoft Teams, Adobe Reader, Mozilla Thunderbird, and Discord.
New Dharma variant
PCrisk found a new Dharma variant that appends the .DOOK extension.
New Xorist variant
PCrisk found a new Xorist variant that appends the .Got extension.
New STOP ransomware variants
PCrisk found new STOP ransomware variants that append the .mzhi, .mzop, and .mzqt extensions.
September 28th 2023
FBI: Dual ransomware attack victims now get hit within 48 hours
The FBI has warned about a new trend in ransomware attacks where multiple strains are deployed on victims’ networks to encrypt systems in under two days.
New Medusa variant
PCrisk found a new Medusa variant that appends the .meduza24 extension.
September 29th 2023
Large Michigan healthcare provider confirms ransomware attack
One of the largest healthcare systems in Michigan confirmed that it is dealing with a ransomware attack after a notorious hacker gang boasted about the incident.
New Electronic Ransomware
PCrisk found a new ransomware variant that appends the .ELCTRONIC extension and drops a ransom note named README ELECTRONIC.txt.
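As an added defender-side example (not part of the BleepingComputer post or any of the linked writeups), the following Python script collects the file extensions and ransom-note names mentioned in this week's entries and scans a file listing for them. Rather than flagging every single match, it groups hits per directory and reports a directory only when a ransom note is present or the share of files carrying a known extension crosses a threshold, which separates a mass-encryption event from a stray file. The file listing is constructed for the example; the extension and note lists come from the entries above.

```python
"""Flag directories in a file listing that show signs of ransomware
encryption, using the extensions and ransom-note names from this week's
roundup. Added example; the sample listing below is constructed."""
from collections import defaultdict
import posixpath

# Encrypted-file extensions named in this week's entries (compared case-insensitively).
KNOWN_EXTENSIONS = {
    ".powerranges",                                        # Akira / Megazord
    ".azhi", ".azqt", ".azop", ".mzhi", ".mzop", ".mzqt",  # STOP variants
    ".deep",                                               # Phobos variant
    ".night_crow",                                         # Night Crow
    ".dook",                                               # Dharma variant
    ".got",                                                # Xorist variant
    ".meduza24",                                           # Medusa variant
    ".elctronic",                                          # "Electronic" ransomware
}

# Ransom-note file names named in this week's entries (compared case-insensitively).
KNOWN_NOTES = {"night_crow_recovery.txt", "readme electronic.txt"}


def classify_path(path):
    """Return 'note' for a known ransom note, 'extension' for a file carrying a
    known encrypted-file extension, or None for anything else."""
    name = posixpath.basename(path).lower()
    if name in KNOWN_NOTES:
        return "note"
    _, ext = posixpath.splitext(name)
    if ext in KNOWN_EXTENSIONS:
        return "extension"
    return None


def scan(paths, threshold=0.5):
    """Group paths by directory and return a sorted list of
    (directory, encrypted_count, total_files, [ransom notes]) for directories
    that contain a ransom note or whose encrypted ratio is >= threshold.
    Ransom notes are not counted toward total_files, since they are dropped by
    the malware rather than being user data."""
    per_dir = defaultdict(lambda: {"total": 0, "encrypted": 0, "notes": []})
    for p in paths:
        stats = per_dir[posixpath.dirname(p) or "."]
        kind = classify_path(p)
        if kind == "note":
            stats["notes"].append(posixpath.basename(p))
            continue
        stats["total"] += 1
        if kind == "extension":
            stats["encrypted"] += 1

    suspicious = []
    for directory, s in per_dir.items():
        ratio = s["encrypted"] / s["total"] if s["total"] else 0.0
        if s["notes"] or ratio >= threshold:
            suspicious.append((directory, s["encrypted"], s["total"], sorted(s["notes"])))
    return sorted(suspicious)


# Constructed sample listing: one heavily hit share, one share with a single
# stray hit below the threshold, and two directories holding ransom notes.
SAMPLE_LISTING = [
    "/srv/share/finance/q3.xlsx.powerranges",
    "/srv/share/finance/budget.docx.powerranges",
    "/srv/share/finance/notes.txt",
    "/srv/share/hr/policy.pdf",
    "/srv/share/hr/roster.xlsx",
    "/srv/share/hr/archive.zip.Got",
    "/srv/share/eng/drawing.dwg.NIGHT_CROW",
    "/srv/share/eng/NIGHT_CROW_RECOVERY.txt",
    "/home/user/README ELECTRONIC.txt",
]

if __name__ == "__main__":
    for directory, encrypted, total, notes in scan(SAMPLE_LISTING):
        print(f"{directory}: {encrypted}/{total} files with known extensions; notes: {notes}")
```

Running the script on the sample listing reports `/srv/share/finance` (two of three files renamed), `/srv/share/eng` (one renamed file plus a note) and `/home/user` (a note alone), while `/srv/share/hr` with its single `.Got` file stays below the default 50% threshold. In practice the listing would come from a file-server inventory or EDR telemetry, and the threshold is a tuning knob: lower it for shares where even a handful of renamed files is unexpected.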
That’s it for this week! Hope everyone has a nice weekend!