The Week in Ransomware – January 22nd 2021


Ransomware news is slow this week, with mostly small ransomware variants being released and a small number of attacks reported.

This week’s biggest news is threat actors hacking the IObit forums to host malware for an IObit phishing scam that infected numerous people with the DeroHE ransomware.

This week’s other interesting news is a new threat actor utilizing Windows BitLocker and DiskCryptor to encrypt organizations’ file and backup servers. In one known attack, this group encrypted 40 servers at the CHwapi Hospital in Belgium, which disrupted medical care.

Contributors and those who provided new ransomware information and stories this week include: @BleepinComputer, @DanielGallagher, @LawrenceAbrams, @malwrhunterteam, @serghei, @struppigel, @demonslay335, @VK_Intel, @jorntvdw, @FourOctets, @fwosar, @PolarToffee, @Ionut_Ilascu, @malwareforme, @Seifreed, @GrujaRS, @JakubKroustek, @ffforward, @chum1ng0, @gcluley, @ValeryMarchive, @ExtendedRaavan, @0x4143, @siri_urz, and @Amigo_A_.

January 16th 2021

New FCorp Ransomware

GrujaRS found a new HiddenTear variant that appends the .fcorp extension and drops a ransom note named READ_IT.txt.


January 17th 2021

New DeroHE ransomware

A new ransomware was distributed via an IObit forums hack that appends the .DeroHE extension and drops a ransom note named READ_TO_DECRYPT.html.

New DIS Dharma ransomware variant

Jakub Kroustek found a new Dharma ransomware variant that appends the .dis extension to encrypted files.

January 18th 2021

IObit forums hacked to spread ransomware to its members

Windows utility developer IObit was hacked over the weekend to perform a widespread attack to distribute the strange DeroHE ransomware to its forum members.

DeCovid19Bot ransomware discovered

S!ri found a new ransomware that appends the .locked extension and drops a ransom note named ATTENTION!!!!0.txt.

Swanky Wentworth golf club hacked, details of 4000 members stolen in ransomware attack

One of England’s most exclusive golf clubs has warned its 4000 members that their personal details may have fallen into the hands of hackers following a ransomware attack.

The city of Angers, in turn, is hit by a ransomware cyberattack

The services of the metropolis are also affected by an attack which entered its final phase on the night of Friday 15 to Saturday 16 January. A “long” cleaning and restoration process is expected.

New COOS STOP Ransomware variant

Raavan Extended found a new STOP ransomware variant that appends the .COOS extension.

January 19th 2021

New STOP Ransomware variant

Amigo-A found a new STOP ransomware variant that appends the .wbxd extension.

Pulp Fiction ransomware

Amigo-A found a ransomware with a Pulp Fiction theme that uses the company name or domain as the extension, and drops a ransom note named read_this.txt.

January 20th 2021

Ucar victim of a cyberattack

The vehicle rental company reveals that it was the victim of a computer attack at the start of the year. Thanks to a data backup, the activity was not affected.  

New Cring Ransomware

Amigo-A found the Cring Ransomware that appends the .cring extension and drops a ransom note named deReadMe!!!.txt.

January 21st 2021

CHwapi hospital hit by Windows BitLocker encryption cyberattack

The CHwapi hospital in Belgium is suffering from a cyberattack where threat actors claim to have encrypted 40 servers and 100 TB of data using Windows BitLocker.

CNH Ransomware discovered

0x4143 discovered a new ransomware that appends the .cnh extension to encrypted files.


January 22nd 2021

TeslaCrypt imposter created

TheAnalyst found a ransomware pretending to be TeslaCrypt that appends the .0l0lqq extension. The real TeslaCrypt shut down in 2016.

Colliers International Group gets slammed by cyberattack

A spokesperson for Colliers verified that it had been targeted by a cyberattack after IT World Canada confronted the company about a listing on the dark web by the Netfilm ransomware gang – a listing which suggests that the firm was hit by the gang, and that Colliers’ files were copied.

New Flamingo ransomware variant

Amigo_A found a new variant of the Flamingo ransomware that appends the .DoNotWorry extension and drops ransom notes named #ReadThis.TXT and #ReadThis.HTA.

That’s it for this week! Hope everyone has a nice weekend!
