The Week in Ransomware – September 25th 2020 – A Modern-Day Gold Rush
This week showed continued attacks against large organizations as new ransomware operations rush to join a modern-day ransomware gold rush.
Over the past week, ransomware attacks targeted two large organizations and disrupted operations.
The first is eyewear giant Luxottica, which was hit last Sunday, and the second is government technology services provider Tyler Technologies, which was hit by RansomExx later in the week.
News also broke this week about how an insurance company utilizes security scans to find exposed and vulnerable devices on clients’ networks. These proactive scans have reduced their ransomware claims by 65%!
Finally, we have a newcomer to the ransomware gold rush named Mount Locker, who has been operating since the end of July and demanding multi-million dollar ransoms.
Contributors and those who provided new ransomware information and stories this week include: @malwareforme, @demonslay335, @PolarToffee, @jorntvdw, @struppigel, @LawrenceAbrams, @serghei, @BleepinComputer, @VK_Intel, @FourOctets, @malwrhunterteam, @Ionut_Ilascu, @fwosar, @DanielGallagher, @Seifreed, @thinkcz, @AvastThreatLabs, @campuscodi, @Tesorion_NL, @jeffstone500, @joakimkennedy, @Kangxiaopao, @JAMESWT_MHT, @siri_urz, @GrujaRS, and @3xp0rtblog.
September 19th 2020
New Egregor ransomware
Michael Gillespie and PolarToffee found a new ransomware called Egregor that appears to be a Sekhmet spinoff. It uses a random extension and drops a ransom note named RECOVER-FILES.txt.
New LeakThemAll variant
Michael Gillespie found a new variant of the LeakThemAll ransomware that appends .montana and drops a ransom note of !HELP!.txt.
New Zhen Ransomware
GrujaRS found a new ransomware that appends the .zhen extension to encrypted files.
September 20th 2020
New STOP Ransomware variant
Michael Gillespie found a new variant of the STOP ransomware that appends the .kolz extension to encrypted files.
September 21st 2020
ThunderX ransomware: analysis and a free decryptor!
In this blog post we describe our findings on the new ransomware family ThunderX that was recently discovered. We also announce a free decryptor that we are making available to help victims at no charge.
‘Dark Overlord’ hacker pleads guilty, sentenced to 5 years for extortion threats
Years after he threatened to publicly release information from hacking victims unless they agreed to his digital extortion demands, Nathan Wyatt is headed to a U.S. prison.
Ransomware hunt
Michael Gillespie found a new ransomware that appends the .encrypted extension and drops a ransom note named SOLVE ENCRYPTED FILES.txt.
New Matrix Ransomware variant
Michael Gillespie found a new variant of the Matrix Ransomware that appends the .JB88 extension and drops a ransom note JB88_README.rtf.
New Nefilim variant
Xiaopao found a new Nefilim variant that appends the .TRAPGET extension and drops a ransom note named TRAPGET-INSTRUCTION.txt.
September 22nd 2020
Ray-Ban owner Luxottica confirms ransomware attack, work disrupted
Italy-based eyewear and eyecare giant Luxottica has reportedly suffered a cyberattack that has led to the shutdown of operations in Italy and China.
Cyber insurer’s security scans reduced ransomware claims by 65%
A cyber insurer’s security scans during the underwriting phase and post-issuance have led to a 65% reduction in ransomware claims.
New Matrix ransomware variant
Michael Gillespie found a new Matrix variant that appends the .FG69 extension and drops a ransom note named FG69_README.rtf.
New Matrix variant
Xiaopao found a new Matrix ransomware variant that appends the .AW46 extension and drops a ransom note named !AW46_INFO!.rtf.
New CRPTD ransomware
GrujaRS found a new ransomware that appends the .CRPTD extension to encrypted files.
Ransomware being sold for $2,000
3xp0rt found a ransomware actor selling a complete ransomware kit for $2,000.
September 23rd 2020
Government software provider Tyler Technologies hit by ransomware
Leading government technology services provider Tyler Technologies has suffered a ransomware attack that has disrupted its operations.
AgeLocker ransomware targets QNAP NAS devices, steals data
QNAP NAS devices are being targeted in attacks by the AgeLocker ransomware, which encrypts the device’s data and, in some cases, steals files from the victim.
New ransomware actor OldGremlin uses custom malware to hit top orgs
A new ransomware group has been targeting large corporate networks using self-made backdoors and file-encrypting malware for the initial and final stages of the attack.
Cyber attack narrowly avoided
METHUEN — An attempt over the summer by Eastern European hackers to gain entry into the city’s computer system — with its information about taxpayers, employees and much more — was nearly successful, according to city officials, but quick action helped keep the information secure.
Ransomware impersonates REvil
Joakim Kennedy found a new ransomware written in Golang that is pretending to be REvil. Strange one, as there would be no way for a victim to recover their files as there is no contact info that would work for them. May be a wiper?
September 24th 2020
Mount Locker ransomware joins the multi-million dollar ransom game
A new ransomware operation named Mount Locker is underway stealing victims’ files before encrypting and then demanding multi-million dollar ransoms.
Polish police shut down hacker super-group involved in bomb threats, ransomware, SIM swapping
Polish authorities have shut down today a hacker super-group that has had its fingers in a multitude of cybercrime operations, such as ransomware attacks, malware distribution, SIM swapping, banking fraud, running fake online stores, and even making bomb threats at the behest of paying customers.
New Dusk Ransomware
S!ri found the new Dusk v1.0 Ransomware that drops a ransom note named !#!READ-ME!#!.txt.
New Exorcist 2.0 ransomware
JAMESWT found a sample of the new Exorcist 2.0 ransomware.
September 25th 2020
The Fresh Smell of ransomed coffee
We turned a coffee maker into a dangerous machine asking for ransom by modifying the maker’s firmware. While we could, could someone else do it too? As you might expect, the answer is: Yes. Follow us on a journey where we show you that firmware is the new software.
New Stop ransomware variant
Michael Gillespie found a new Stop variant that appends the .copa extension to encrypted files.
New Matrix ransomware variant
Michael Gillespie found a new Matrix variant that appends the .DEUS extension and drops a ransom note named DEUS_INFO.rtf.