The Week in Ransomware – October 22nd 2021 – Striking Back
Between law enforcement operations, REvil’s second shutdown, and ransomware gangs’ response to the hacking of their servers, it has been quite the week.
This week’s biggest news is the Reuters report that an international law enforcement operation took over REvil’s Tor infrastructure, which ultimately led to the ransomware operation shutting down again last Sunday.
Since then, reactions have been coming in from other ransomware operations, such as Groove, Conti, and Arvin Club.
DarkSide also appears to have reacted to the law enforcement operation by attempting to cash out $7 million in Bitcoin sitting in a wallet.
This week we also learned of an attack on the Sinclair Broadcast Group that disrupted the broadcasting of shows and newscasts. The attack was conducted by a new Evil Corp ransomware known as Macaw Ransomware, which has been seen demanding a $40 million ransom from an unidentified victim.
Interesting research this week shows that Karma Ransomware is a rebrand of Nemty, and that FIN7 created a fake company to hire legitimate security professionals who unknowingly conducted ransomware attacks.
Contributors and those who provided new ransomware information and stories this week include: @malwrhunterteam, @malwareforme, @FourOctets, @BleepinComputer, @VK_Intel, @fwosar, @struppigel, @PolarToffee, @LawrenceAbrams, @billtoulas, @Seifreed, @demonslay335, @jorntvdw, @Ionut_Ilascu, @DanielGallagher, @serghei, @Trustwave, @josephmenn, @Bing_Chris, @coveware, @uuallan, @GelosSnake, @elliptic, @SentinelOne, @geminiadvisory, @ddd1ms, @siri_urz, and @fbgwls245.
October 17th 2021
REvil ransomware shuts down again after Tor sites were hijacked
The REvil ransomware operation has likely shut down once again after an unknown person hijacked their Tor payment portal and data leak blog.
New J3ster Ransomware
dnwls0719 found the J3ster Ransomware, which appends the .j3ster extension to encrypted files and drops a ransom note named j3ster readme.txt.
October 18th 2021
Sinclair TV stations crippled by weekend ransomware attack
TV stations owned by the Sinclair Broadcast Group went down across the US over the weekend, with multiple sources telling BleepingComputer that a ransomware attack caused the outage.
Suspected Chinese hackers behind attacks on ten Israeli hospitals
A joint announcement from the Ministry of Health and the National Cyber Directorate in Israel describes a spike in ransomware attacks over the weekend that targeted the systems of nine health institutes in the country.
FBI, CISA, NSA share defense tips for BlackMatter ransomware attacks
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) published today an advisory with details about how the BlackMatter ransomware gang operates.
October 19th 2021
New Karma ransomware group likely a Nemty rebrand
Threat analysts at Sentinel Labs have found evidence of the Karma ransomware being just another evolutionary step in the strain that started as JSWorm, became Nemty, then Nefilim, Fusion, Milihpen, and most recently, Gangbang.
BlackByte ransomware decryptor released to recover files for free
A free decryptor for the BlackByte ransomware has been released, allowing past victims to recover their files for free.
October 20th 2021
New Foxxy Ransomware
S!Ri found the in-development Foxxy Ransomware that appends the .foxxy extension to encrypted files.
Ransomware: Understand. Prevent. Recover
Allan Liska’s book on ransomware is available for pre-order on Amazon!
October 21st 2021
Evil Corp demands $40 million in new Macaw ransomware attacks
Evil Corp has launched a new ransomware called Macaw Locker to evade US sanctions that prevent victims from making ransom payments.
Hacking gang creates fake firm to hire pentesters for ransomware attacks
The FIN7 hacking group is attempting to join the highly profitable ransomware space by creating fake cybersecurity companies that conduct network attacks under the guise of pentesting.
Reuters: Governments turn tables on ransomware gang REvil by pushing it offline
The ransomware group REvil was itself hacked and forced offline this week by a multi-country operation, according to three private sector cyber experts working with the United States and one former official.
Ransomware attackers downshift to ‘Mid-Game’ hunting in Q3 2021
As of publication we are well into National Cyber Security Awareness month and this past quarter has seen an unprecedented amount of domestic and international activity from government and law enforcement to counter the operations of ransomware actors. Despite these initiatives, ransomware actors continue peppering enterprises with more attacks than ever. What we are doing is not working, at least not yet. Why?
October 22nd 2021
DarkSide ransomware rushes to cash out $7 million in Bitcoin
Almost $7 million worth of Bitcoin in a wallet controlled by DarkSide ransomware operators has been moved in what looks like a money laundering rollercoaster.
Groove ransomware calls on all extortion gangs to attack US interests
The Groove ransomware gang is calling on other extortion groups to attack US interests after law enforcement took down REvil’s infrastructure last week.
Italian celebs’ data exposed in ransomware attack on SIAE
The Italian data protection authority Garante per la Protezione dei Dati Personali (GPDP) has announced an investigation into a data breach of the country’s copyright protection agency.
New STOP Ransomware variant
dnwls0719 found a new STOP ransomware variant that appends the .zaps extension to encrypted files.
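The three new variants in this roundup (J3ster, Foxxy, and the .zaps STOP variant) are identified here only by the extension they append and, for J3ster, the ransom note name. As an added example that is not part of the original roundup, this Python script matches a directory listing against exactly those indicators, treating only a file's final suffix as its extension so that look-alike names such as zaps.txt are not flagged; the sample listing is constructed.

```python
"""Flag files matching the ransomware indicators named in this week's roundup."""
from collections import Counter
import os

# Extensions taken from the roundup, mapped to the family name the page uses.
RANSOMWARE_EXTENSIONS = {
    ".j3ster": "J3ster",
    ".foxxy": "Foxxy",
    ".zaps": "STOP",
}
# Ransom note filename listed on the page (J3ster); matched case-insensitively.
RANSOM_NOTES = {
    "j3ster readme.txt": "J3ster",
}


def classify_path(path):
    """Return the family a single path points at, or None if nothing matches."""
    # Normalise Windows separators so the listing can be scanned from any OS.
    name = os.path.basename(path.replace("\\", "/"))
    lower = name.lower()
    if lower in RANSOM_NOTES:
        return RANSOM_NOTES[lower]
    # Only the final suffix counts: 'contract.pdf.zaps' matches, 'zaps.txt' does not.
    ext = os.path.splitext(name)[1].lower()
    return RANSOMWARE_EXTENSIONS.get(ext)


def scan_listing(paths):
    """Count matches per family over an iterable of paths (e.g. from os.walk)."""
    hits = Counter()
    for path in paths:
        family = classify_path(path)
        if family:
            hits[family] += 1
    return dict(hits)


# Constructed sample listing (not real indicators), mixing hits and look-alikes.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.j3ster",
    r"C:\Users\alice\Documents\j3ster readme.txt",
    r"C:\Users\alice\Pictures\holiday.jpg.foxxy",
    r"D:\share\contract.pdf.zaps",
    r"D:\share\zaps.txt",    # extension-like name, must not match
    r"D:\share\notes.ZAPS",  # upper-case extension, must still match
]

if __name__ == "__main__":
    for family, count in sorted(scan_listing(SAMPLE_LISTING).items()):
        print(f"{family}: {count} file(s)")
```

Feed it the output of os.walk over a suspect share to get a per-family count that tells a responder which variant's note and decryptor guidance applies.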