This week an established ransomware operation's attacks surged, while other ransomware operations turned to Windows vulnerabilities to elevate their privileges on compromised systems.
Over the past week we have seen a surge in LockBit 2.0 ransomware attacks, prompting the Australian government to issue an alert.
It was also revealed that the gang pulled off a successful attack on IT consultancy giant Accenture and briefly leaked some of the stolen data.
We also saw REvil's universal decryption key from the Kaseya attack leaked on a hacking forum, and ransomware gangs beginning to exploit the Windows PrintNightmare vulnerability to gain elevated privileges on compromised devices.
Finally, the SynAck ransomware operation released their master decryption keys after rebranding as the El_Cometa group.
Contributors and those who provided new ransomware information and stories this week include: @BleepinComputer, @DanielGallagher, @malwareforme, @FourOctets, @jorntvdw, @malwrhunterteam, @PolarToffee, @Ionut_Ilascu, @LawrenceAbrams, @serghei, @VK_Intel, @Seifreed, @demonslay335, @fwosar, @struppigel, @pcrisk, @markloman, @SophosLabs, @TalosSecurity, @pancak3lullz, @Unit42_Intel, @LiviuArsene, @CrowdStrike, @PogoWasRight, @chum1ng0, @fbgwls245, and @AuCyble.
August 7th 2021
dnwls0719 found a new Zeppelin Ransomware variant that appends the .payfast500 extension.
August 8th 2021
The Australian Cyber Security Centre (ACSC) warns of an increase of LockBit 2.0 ransomware attacks against Australian organizations starting July 2021.
August 9th 2021
Taiwan-based NAS maker Synology has warned customers that the StealthWorker botnet is targeting their network-attached storage devices in ongoing brute-force attacks that lead to ransomware infections.
Microsoft says that the Azure Sentinel cloud-native SIEM (Security Information and Event Management) platform is now able to detect potential ransomware activity using the Fusion machine learning model.
In late July, a new RaaS appeared on the scene. Calling itself BlackMatter, the ransomware claims to fill the void left by DarkSide and REvil – adopting the best tools and techniques from each of them, as well as from the still-active LockBit 2.0.
PCrisk found a new STOP Ransomware variant that appends the .repg extension.
PCrisk found a new Dharma Ransomware variant that appends the .JRB extension.
August 10th 2021
A newly discovered eCh0raix ransomware variant has added support for encrypting both QNAP and Synology Network-Attached Storage (NAS) devices.
Game developer and publisher Crytek has confirmed that the Egregor ransomware gang breached its network in October 2020, encrypting systems and stealing files containing customers' personal information that were later leaked on the gang's dark web leak site.
As a preface, we note that Pysa are not the only ransomware threat actors attacking the K-12 sector, which has a reputation of being "low-hanging fruit" for hacks. We have also seen many other groups attacking K-12 districts. A partial listing of ransomware attacks on K-12 is embedded below this discussion of Pysa victims.
August 11th 2021
The universal decryption key for REvil’s attack on Kaseya’s customers has been leaked on hacking forums allowing researchers their first glimpse of the mysterious key.
Accenture, a global IT consultancy giant, has allegedly been hit by a ransomware attack from the LockBit ransomware gang.
In the course of our routine threat hunting exercise, the Cyble Research Lab discovered that Pine Labs, an Indian merchant platform company that provides financing and last-mile retail transaction technology, was impacted by a ransomware attack. Our investigation showcased that the BlackMatter ransomware group is behind the attack on Pine Labs. The group has been garnering considerable media attention because of this attack.
dnwls0719 found a new Phobos Ransomware variant that appends the .HORSEMONEY extension.
August 12th 2021
Ransomware operators have added PrintNightmare exploits to their arsenal and are targeting Windows servers to deploy Magniber ransomware payloads.
August 13th 2021
The Vice Society ransomware gang is now also actively exploiting the Windows Print Spooler PrintNightmare vulnerability for lateral movement through their victims' networks.
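Both the Magniber and Vice Society entries above come down to the same defensive question: is the Print Spooler still exposed on hosts that do not need it, and are the Point and Print settings Microsoft documented for CVE-2021-34527 in place? The script below is an added example, not code from the article or from any of the researchers cited; it assumes an elevated PowerShell session on a Windows host and uses the registry key and value names from Microsoft's published PrintNightmare guidance (the `PointAndPrint` key under `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers`). It only reports; the remediation commands it prints are left for the operator to apply.

```powershell
# Added example (not from the original article): audit a Windows host for the
# Print Spooler state and the Point and Print settings Microsoft recommends
# after PrintNightmare (CVE-2021-34527).
# Assumptions: elevated PowerShell session on Windows; registry paths and
# value names follow Microsoft's PrintNightmare guidance.

$pp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PointAndPrintValue {
    param([string]$Name)
    # Returns $null when the value (or the whole key) is absent.
    try { (Get-ItemProperty -Path $pp -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$findings = @()

# 1. Is the Print Spooler running at all? Servers and domain controllers that
#    never print should have it stopped and disabled; a running spooler is the
#    service both groups above are abusing.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($spooler -and $spooler.Status -eq 'Running') {
    $findings += "Spooler service is running (startup type: $($spooler.StartType))."
}

# 2. Point and Print must not silently allow driver installs by non-admins.
#    Either value set to 1 re-opens the attack path even on a patched host.
foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
    $v = Get-PointAndPrintValue $name
    if ($v -eq 1) { $findings += "$name = 1 (must be 0 or absent)." }
}

# 3. Driver installation should be restricted to administrators. Patched
#    systems default to 1; an explicit 0 disables that protection.
$restrict = Get-PointAndPrintValue 'RestrictDriverInstallationToAdministrators'
if ($restrict -eq 0) {
    $findings += "RestrictDriverInstallationToAdministrators = 0 (should be 1)."
}

if ($findings.Count -eq 0) {
    Write-Output 'No PrintNightmare-related misconfigurations found.'
} else {
    Write-Output 'Findings:'
    $findings | ForEach-Object { Write-Output "  - $_" }
    Write-Output ''
    Write-Output 'Remediation (run as administrator):'
    Write-Output "  New-Item -Path '$pp' -Force | Out-Null"
    Write-Output "  Set-ItemProperty -Path '$pp' -Name RestrictDriverInstallationToAdministrators -Value 1 -Type DWord"
    Write-Output "  Set-ItemProperty -Path '$pp' -Name NoWarningNoElevationOnInstall -Value 0 -Type DWord"
    Write-Output "  Set-ItemProperty -Path '$pp' -Name UpdatePromptSettings -Value 0 -Type DWord"
    Write-Output '  Stop-Service Spooler; Set-Service Spooler -StartupType Disabled   # hosts that never print'
}
```

The registry checks matter as much as the patch itself: a host with the July 2021 update installed but `NoWarningNoElevationOnInstall` or `UpdatePromptSettings` set to 1 is still exposed to the Point and Print driver-install path, which is why the script treats those values as findings independently of patch level. Run it across print servers and domain controllers first, since those are the hosts where a spooler-based privilege escalation yields the most.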
The SynAck ransomware gang released the master decryption keys for their operation after rebranding as the new El_Cometa group.