Ransomware news is slow this week, with mostly small ransomware variants being released and a small number of attacks reported.
This week’s biggest news is threat actors hacking the IObit forums to host malware for an IObit phishing scam that infected numerous people with the DeroHE ransomware.
This week’s other interesting news is a new threat actor utilizing Windows BitLocker and Diskcryptor to encrypt organization’s file and backup servers. A known attack by this group encrypted 40 servers in an attack on the CHwapi Hospital in Belgium, which disrupted medical care.
Contributors and those who provided new ransomware information and stories this week include: @BleepinComputer, @DanielGallagher, @LawrenceAbrams, @malwrhunterteam, @serghei, @struppigel, @demonslay335, @VK_Intel, @jorntvdw, @FourOctets, @fwosar, @PolarToffee, @Ionut_Ilascu, @malwareforme, @Seifreed, @GrujaRS, @JakubKroustek, @ffforward, @chum1ng0, @gcluley, @ValeryMarchive, @ExtendedRaavan, @0x4143, @siri_urz, and @Amigo_A_.
January 16th 2021
GrujaRS found a new HiddenTear variant that appends the .fcorp extension and drops a ransom note named READ_IT.txt.
January 17th 2021
New DeroHE ransomware
A new ransomware was distributed via a IObit forums hack that appends the .DeroHE extension and drops a ransom note named READ_TO_DECRYPT.html.
Jakub Kroustek found a new Dharma ransomware variant that appends the .dis extension to encrypted files.
January 18th 2021
IObit forums hacked to spread ransomware to its members
Windows utility developer IObit was hacked over the weekend to perform a widespread attack to distribute the strange DeroHE ransomware to its forum members.
S!ri found a new ransomware that appends the .locked extension and drops a ransom note named ATTENTION!!!!0.txt.
Swanky Wentworth golf club hacked, details of 4000 members stolen in ransomware attack
Members of one of England’s most exclusive golf clubs has warned its 4000 members that their personal details may have fallen into the hands of hackers following a ransomware attack.
The city of Angers in turn bears the brunt of a cyberattack by ransomware
The services of the metropolis are also affected by an attack which entered its final phase on the night of Friday 15 to Saturday 16 January. A “long” cleaning and restoration process is expected.
Raavan Extended found a new STOP ransomware variant that appends the .COOS extension.
January 19th 2021
Amigo-A found a new STOP ransomware variant that appends the .wbxd extension.
Amigo-A found a ransomware with a Pulp Fiction theme that uses the company name or domain as the extension, and drops a ransom note named read_this.txt.
January 20th 2021
Ucar victim of a cyberattack
The vehicle rental company reveals that it was the victim of a computer attack at the start of the year. Thanks to a data backup, the activity was not affected.
Amigo-A found the Cring Ransomware that appends the .cring extension and drops a ransom note named deReadMe!!!.txt.
January 21st 2021
CHwapi hospital hit by Windows BitLocker encryption cyberattack
The CHwapi hospital in Belgium is suffering from a cyberattack where threat actors claim to have encrypted 40 servers and 100 TB of data using Windows Bitlocker.
0x4143 discovered a new ransomware that appends the .cnh extension to encrypted files.
January 22nd 2021
TheAnalyst found a ransomware pretending to be TeslaCrypt that appends the .0l0lqq extension. The real TeslaCrypt shut down in 2016.
Colliers International Group gets slammed by cyberattack
A spokesperson for Colliers verified that it had been targeted by a cyberattack after IT World Canada confronted the company about a listing on the dark web by the Netfilm ransomware gang – a listing which suggests that the firm was hit by the gang, and that Colliers’ files were copied.
Amigo_A found a new variant of the Flamingo ransomware that appends the .DoNotWorry exension and drops a ransom note named #ReadThis.TXT and #ReadThis.HTA.
That’s it for this week! Hope everyone has a nice weekend!