The Week in Ransomware – November 20th 2020 – Don’t Mess With The Turkey
This week we saw two massive attacks that had a significant impact on the food supply industry, as well as a demonstration of Egregor’s annoying ransom note print bombs.
Last weekend, Latin American retail giant Cencosud suffered an attack by the Egregor ransomware gang that caused technical difficulties at numerous retail stores, including supermarkets and grocery stores. During this attack we also got a demonstration of Egregor’s annoying tactic of print bombing printers with ransom notes.
Cold storage warehouse operator Americold was also hit with a ransomware attack this weekend that caused significant food distribution problems for numerous supermarkets that rely on it in the USA. One food distribution logistics operator who was having trouble picking up food deliveries told BleepingComputer that this attack came at the worst time as they gear up for Thanksgiving.
Finally, the TrickBot gang has started spamming out a new lightweight reconnaissance tool called LightBot to collect information about a victim’s network before potentially deploying ransomware. Just one more thing to keep an eye out for as we come to the weekend.
Contributors and those who provided new ransomware information and stories this week include: @demonslay335, @malwareforme, @malwrhunterteam, @jorntvdw, @struppigel, @fwosar, @serghei, @PolarToffee, @LawrenceAbrams, @VK_Intel, @Seifreed, @FourOctets, @BleepinComputer, @DanielGallagher, @Ionut_Ilascu, @GroupIB_GIB, @Intel471Inc, @coveware, @juanbrodersen, @identidadrobada, @Kangxiaopao, @fbgwls245, @TalosSecurity, @0x4143, @JakubKroustek, @campuscodi, @siri_urz, and the @FBI.
November 14th 2020
Retail giant Cencosud hit by Egregor Ransomware attack, stores impacted
Chilean-based multinational retail company Cencosud has suffered a cyberattack by the Egregor ransomware operation that impacts services at stores.
New STOP Djvu ransomware variant
Michael Gillespie found a new STOP Djvu ransomware variant that appends the .vvoa extension.
New HiddenTear variant
dnwls0719 found a new HiddenTear variant that appends the .ZqVIkE extension and drops a ransom note named @[email protected].
November 15th 2020
DarkSide ransomware’s Iranian hosting raises U.S. sanction concerns
Ransomware negotiation firm Coveware has placed the DarkSide operation on an internal restricted list after the threat actors announced plans to host infrastructure in Iran.
New VoidCrypt variant
xiaopao found a new variant of the VoidCrypt Ransomware that appends the .honor extension.
November 16th 2020
Capcom confirms data breach after gamers’ data stolen in cyberattack
Japanese game giant Capcom has announced a data breach after confirming that attackers stole sensitive customer and employee information during a recent ransomware attack.
Dozens of ransomware gangs partner with hackers to extort victims
Ransomware-as-a-service (RaaS) crews are actively looking for affiliates to split profits obtained in outsourced ransomware attacks targeting high profile public and private organizations.
Cold storage giant Americold hit by cyberattack, services impacted
Cold storage giant Americold is currently dealing with a cyberattack impacting their operations, including phone systems, email, inventory management, and order fulfillment.
New STOP Djvu ransomware variant
Michael Gillespie found a new STOP Djvu ransomware variant that appends the .epor extension.
New Flamingo Ransomware variant
Michael Gillespie spotted a new Flamingo Ransomware variant that appends the .LIZARD extension and drops a ransom note named #READ ME.TXT.
New MXX Ransomware hunt
Michael Gillespie spotted a new unidentified ransomware that appends the .MXX extension and drops a ransom note named How To Recover Your Files!!!!.txt.
New Phobos Ransomware variant
xXToffeeXx spotted a new Phobos ransomware variant that appends the .ELDAOLSA extension.
New Joker Ransomware
@0x4143 found the new Joker’s Ransomware that appends the .joker extension and drops a ransom note named POWER-JOKER-PASSWORD.txt.
New Dharma Ransomware variants
Jakub Kroustek found a bunch of Dharma Ransomware variants that append the .dex, .sss, .zimba, and .help extensions.
November 17th 2020
Nibiru ransomware variant decryptor
The Nibiru ransomware is a .NET-based malware family. It traverses directories on the local disks, encrypts files with Rijndael-256 and gives them a .Nibiru extension. Rijndael-256 is a secure encryption algorithm. However, Nibiru uses a hard-coded string “Nibiru” to compute the 32-byte key and 16-byte IV values, so every victim's files are encrypted with the same key and IV. The decryptor program leverages this weakness to decrypt files encrypted by this variant.
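The paragraph above explains why a decryptor was possible: when key and IV are derived from a constant string, anyone who knows that string and the derivation can reproduce them. The Go program below is an added illustration of that weakness and is not the Nibiru code or the published decryptor. It assumes a derivation (SHA-256 of the string for the key, MD5 for the IV) that the write-up does not specify, and uses AES-256-CBC from Go's standard library as a stand-in for Rijndael-256, since Go ships no 256-bit-block Rijndael. The sample document is constructed inline.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"crypto/sha256"
	"errors"
	"fmt"
)

// HardcodedSecret is the fixed string the write-up says Nibiru uses as key
// material. The derivation in DeriveKeyIV is an assumption for this example;
// the real one is not given in the text.
const HardcodedSecret = "Nibiru"

// DeriveKeyIV turns a passphrase into a 32-byte key and a 16-byte IV.
// With a constant input, every run (and every victim) gets the same pair.
func DeriveKeyIV(secret string) (key []byte, iv []byte) {
	k := sha256.Sum256([]byte(secret)) // 32 bytes
	i := md5.Sum([]byte(secret))       // 16 bytes
	return k[:], i[:]
}

// pkcs7Pad / pkcs7Unpad implement standard block padding for CBC mode.
func pkcs7Pad(b []byte, n int) []byte {
	p := n - len(b)%n
	return append(b, bytes.Repeat([]byte{byte(p)}, p)...)
}

func pkcs7Unpad(b []byte, n int) ([]byte, error) {
	if len(b) == 0 || len(b)%n != 0 {
		return nil, errors.New("bad length")
	}
	p := int(b[len(b)-1])
	if p == 0 || p > n || p > len(b) {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-p:] {
		if int(c) != p {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-p], nil
}

// EncryptWithSecret models the file encryption (AES-256-CBC standing in for
// Rijndael-256) and exists only to build sample ciphertext for the demo.
func EncryptWithSecret(secret string, plaintext []byte) ([]byte, error) {
	key, iv := DeriveKeyIV(secret)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext, block.BlockSize())
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out, nil
}

// RecoverWithSecret is the core of a decryptor: it needs nothing from the
// attacker, only the same constant string and the same derivation.
func RecoverWithSecret(secret string, ciphertext []byte) ([]byte, error) {
	key, iv := DeriveKeyIV(secret)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ciphertext)%block.BlockSize() != 0 {
		return nil, errors.New("ciphertext not block aligned")
	}
	out := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ciphertext)
	return pkcs7Unpad(out, block.BlockSize())
}

func main() {
	sample := []byte("constructed sample document contents") // constructed input
	ct, _ := EncryptWithSecret(HardcodedSecret, sample)
	pt, err := RecoverWithSecret(HardcodedSecret, ct)
	fmt.Printf("recovered with hard-coded secret: %q (err=%v)\n", pt, err)

	// A per-victim random secret would leave the same decryptor with garbage.
	pt2, _ := RecoverWithSecret("per-victim-random-secret", ct)
	fmt.Println("wrong secret matches original:", bytes.Equal(pt2, sample))
}
```

The point for defenders is the contrast in the last lines: the decryptor works only because the secret is a constant baked into the binary. A sample that generates a random key per victim and protects it with the attacker's public key leaves nothing for this approach to recover, which is why such decryptors are the exception rather than the rule.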
New Matrix ransomware variant
xiaopao found a new Matrix Ransomware variant that appends the .TG33 extension.
New HiddenTear ransomware variant
xiaopao found a new HiddenTear ransomware variant that appends the .r2block extension.
New ZIN Dharma ransomware variant
xiaopao found a new Dharma Ransomware variant that appends the .ZIN extension.
New Pulpit Ransomware
Siri found a new ransomware that appends the .pulpit extension.
November 18th 2020
REvil ransomware hits Managed.com hosting provider, 500K ransom
Managed web hosting provider Managed.com has taken their servers and web hosting systems offline as they struggle to recover from a weekend REvil ransomware attack.
Egregor ransomware bombards victims’ printers with ransom notes
The Egregor ransomware uses a novel approach to get a victim’s attention after an attack – shoot ransom notes from all available printers.
New Lola Ransomware
MalwareHunterTeam found a new ransomware pretending to be a Blockchain Generator that appends the .lola extension and drops a ransom note named Please_Read.txt.
November 19th 2020
Mount Locker ransomware now targets your TurboTax tax returns
The Mount Locker ransomware operation is gearing up for the tax season by specifically targeting TurboTax returns for encryption.
New STOP Djvu ransomware variant
Michael Gillespie found a new STOP Djvu ransomware variant that appends the .sglh extension.
New REDROMAN Ransomware
MalwareHunterTeam found a new ransomware that appends the .REDROMAN extension and drops ransom notes named RR_README.html, OPENTHIS.html, and README.html.
November 20th 2020
QBot partners with Egregor ransomware in bot-fueled attacks
The Qbot banking trojan has dropped the ProLock ransomware in favor of the Egregor ransomware, which burst into activity in September.
LightBot: TrickBot’s new reconnaissance malware for high-value targets
The notorious TrickBot gang has released a new lightweight reconnaissance tool used to scope out an infected victim’s network for high-value targets.
FBI warns of increasing Ragnar Locker ransomware activity
The U.S. Federal Bureau of Investigation (FBI) Cyber Division has warned private industry partners of increased Ragnar Locker ransomware activity following a confirmed attack from April 2020.
New Ransomware hunt
Michael Gillespie spotted a new unidentified ransomware that appends the .esexz extension and drops a ransom note named readme.txt.
New SWP Dharma ransomware variant
xiaopao found a new Dharma Ransomware variant that appends the .SWP extension.
The malware that usually installs ransomware and you need to remove right away
This article focuses on the known malware strains that have been used over the past two years to install ransomware.
Sportfondsen Nederland swimming pool operator hit with ransomware
During the lockdown of the past two weeks, we were hit by an IT failure caused by a computer virus (ransomware). As a result, we are difficult to reach and we have to deal with systems that do not work.
Ransomware with hidden message
MalwareHunterTeam found a ransomware with an interesting hidden message.
Hospital hit with custom ransomware
Michael Gillespie found that a hospital was hit with a custom ransomware.
New Dharma Ransomware variants
Jakub Kroustek found a bunch of Dharma Ransomware variants that append the .cvc extension.