The Week In Ransomware – October 23rd 2020 – From Russia With Love
This week has been busy with ransomware-related news, including new charges against Russian state-sponsored hackers and numerous attacks against well-known organizations.
In 2017, there was an attack utilizing the NotPetya ransomware to destroy data on systems worldwide. This week, the US government indicted six Russian intelligence operatives, known to be part of the notorious ‘Sandworm’ group, for hacking operations, including NotPetya.
We also learned of numerous attacks against large organizations, such as Barnes & Noble, the Montreal public transit system (STM), Sopra Steria, and Boyne Resorts.
Contributors and those who provided new ransomware information and stories this week include: @DanielGallagher, @demonslay335, @VK_Intel, @BleepinComputer, @Seifreed, @PolarToffee, @serghei, @jorntvdw, @struppigel, @fwosar, @malwareforme, @Ionut_Ilascu, @LawrenceAbrams, @FourOctets, @malwrhunterteam, @ValeryMarchive, @Sophos, @BrettCallow, @thepacketrat, @Kangxiaopao, @siri_urz, @MarceloRivero, @JakubKroustek, @Glacius_, and @GrujaRS
October 17th 2020
New Dharma ransomware variants
Jakub Kroustek found new Dharma ransomware variants that append the .Crypt and .LCK extensions to encrypted files.
New Pransomware ransomware
@Glacius_ found a copy of BlackKingdom ransomware that was renamed to Pransomware.
October 18th 2020
New STOP Djvu ransomware variant
Michael Gillespie found a new STOP ransomware variant that appends the .efji extension to encrypted files.
October 19th 2020
US indicts Russian GRU ‘Sandworm’ hackers for NotPetya, worldwide attacks
The U.S. Department of Justice has charged six Russian intelligence operatives for hacking operations related to the Pyeongchang Winter Olympics, the 2017 French elections, and the notorious NotPetya ransomware attack.
New Vaggen Ransomware
Marcelo Rivero found a new ransomware named Vaggen that appends the .VAGGEN extension and drops ransom notes named ABOUT_UR_FILES.txt and AboutYourFiles.txt.
October 20th 2020
Darkside ransomware donates $20K of extortion money to charities
The operators of Darkside ransomware have donated some of the money they made extorting victims to nonprofits Children International and The Water Project.
Barnes & Noble hit by Egregor ransomware, strange data leaked
The Egregor ransomware gang is claiming responsibility for the cyberattack on U.S. bookstore giant Barnes & Noble on October 10th, 2020. The attackers state that they stole unencrypted files as part of the attack.
New Dharma ransomware variant
Jakub Kroustek found a new Dharma ransomware variant that appends the .259 extension to encrypted files.
New STOP Djvu ransomware variant
Michael Gillespie found a new STOP ransomware variant that appends the .nypg extension to encrypted files.
New Black Heart ransomware variant
Siri found a new Black Heart ransomware variant that appends the .Viper extension to encrypted files.
New ransomware discovered
Siri found a new ransomware that appends the .32aa extension to encrypted files.
October 21st 2020
LockBit ransomware moves quietly on the network, strikes fast
LockBit ransomware takes as little as five minutes to deploy the encryption routine on target systems once it lands on the victim network.
Montreal’s STM public transport system hit by ransomware attack
Montreal’s Société de transport de Montréal (STM) public transport system was hit with a RansomExx ransomware attack that has impacted services and online systems.
New Dharma ransomware variant
Marcelo Rivero found a new Dharma ransomware variant that appends the .bH4T extension.
October 22nd 2020
French IT giant Sopra Steria hit by Ryuk ransomware
French IT services giant Sopra Steria suffered a cyberattack on October 20th, 2020, that reportedly encrypted portions of their network with the Ryuk ransomware.
Venom RAT adds ransomware module
Karsten Hahn discovered that Venom RAT has added a ransomware module that appends the .Venom extension.
October 23rd 2020
WastedLocker ransomware hits Boyne Resorts ski resort operator
US-based ski and golf resort operator Boyne Resorts has suffered a cyberattack by the WastedLocker operation that has impacted company-wide reservation systems.
New RAT malware gets commands via Discord, has ransomware feature
The new ‘Abaddon’ remote access trojan may be the first to use Discord as a full-fledged command and control server that instructs the malware on what tasks to perform on an infected PC. Even worse, a ransomware feature is being developed for the malware.
New ransomware discovered
Siri found a new HiddenTear ransomware variant that pretends to be a GTA V installer, but encrypts your files with the .AnoymouS extension.
New Dharma ransomware variant
xiaopao found a new Dharma ransomware variant that appends the .Acuf2 extension.
New Clay ransomware
xiaopao found a new ransomware called Clay.
New Yatron Decrypt0r 2.0
GrujaRS found a new Yatron Decrypt0r variant that appends the .Down_With_Usa extension to encrypted files.
New #Szymekk #Ransomware
GrujaRS found a new Szymekk ransomware variant that appends the .Szymekk extension.