This week we saw a few large-scale attacks and various ransomware reports indicating that ransom payments are falling, while attacks are increasingly destroying data permanently. The good news is that a new ransomware decryptor was released, allowing victims to recover files for free.

As trust in a ransomware operation’s promise to delete stolen data is eroding, Coveware is seeing a decline in ransom payments as companies recover their files from backup.

Unfortunately, Coveware has also seen an increasing trend of ransomware attacks mistakenly causing permanent data destruction as they encrypt data. It is unknown if this is caused by buggy software or sloppy and inexperienced attackers.

The attacks seen this week include one against UK Research and Innovation (UKRI) and attacks on Brazilian electric utility companies Centrais Eletricas Brasileiras (Eletrobras) and Companhia Paranaense de Energia (Copel).

For some good news, a Fonix ransomware decryptor was released this week by Kaspersky that allows victims to recover their files for free. Fonix ransomware shut down its operation last Friday and released the master private decryption key.

Contributors and those who provided new ransomware information and stories this week include: @fwosar, @jorntvdw, @VK_Intel, @Seifreed, @demonslay335, @malwrhunterteam, @serghei, @Ionut_Ilascu, @PolarToffee, @struppigel, @LawrenceAbrams, @BleepinComputer, @DanielGallagher, @malwareforme, @FourOctets, @chainalysis, @TrendMicro, @campuscodi, @BrettCallow, @chum1ng0, @TalosSecurity, @coveware, and @Kangxiaopao.

January 30th 2021

UK Research and Innovation (UKRI) suffers ransomware attack

The UK Research and Innovation (UKRI) is dealing with a ransomware incident that encrypted data and impacted two of its services, one offering information to subscribers and the platform for peer review of various parts of the agency.

February 1st 2021

Ransomware Payments Fall as Fewer Companies Pay Data Exfiltration Extortion Demands

The Coveware Quarterly Ransomware Report describes ransomware incident response trends during Q4 of 2020. Ransomware groups continue to leverage data exfiltration as a tactic. However, the trust that stolen data will be deleted is eroding; defaults are becoming more frequent when exfiltrated data is made public despite the victim paying. As a result, fewer companies are giving in to cyber extortion when they are able to recover from backups. This inflection led to a large decline in average ransom amounts paid. Stemming the tide of cyber extortion will only happen if the industry is starved of its profitability. This trend was a distinct positive during Q4.

February 2nd 2021

Babyk Ransomware won’t hit charities, unless they support LGBT, BLM

The Babyk ransomware operation has launched a new data leak site used to publish victims’ stolen data as part of a double extortion strategy. Included is a list of targets they won’t attack, with some exclusions that definitely stand out.

Netgain ransomware incident impacts local governments

The ransomware incident that Netgain, a provider of managed IT services, had late last year rippled onto its customers. Now, Ramsey County, Minnesota, is informing clients of the Family Health Division program that the hackers may have accessed personal data.

Interview with a LockBit ransomware operator

In September 2020, Cisco Talos established contact with a self-described LockBit operator and experienced threat actor. Over the course of several weeks, we conducted multiple interviews that gave us a rare, first-hand account of a ransomware operator’s cybercriminal activities. Through these exchanges, we gleaned several valuable takeaways for executives and the broader cybersecurity community.

New STOP Ransomware variants

Michael Gillespie found new STOP Djvu ransomware variants that append the .plam and .cosd extensions to encrypted files.

New VashSorena variant

MalwareHunterTeam found a new VashSorena variant that appends the .lucifer extension and drops ransom notes named HELP_DECRYPT_YOUR_FILES.txt and HELP_DECRYPT_YOUR_FILES.html.

New Nefilim variant

MalwareHunterTeam found a new Nefilim ransomware variant that appends the .DERZKO extension and drops a ransom note named DERZKO-HELP.txt.

Another new Nefilim variant

MalwareHunterTeam found another Nefilim ransomware variant that appends the .MILIHPEN extension and drops a ransom note named MILIHPEN-INSTRUCT.txt.

February 3rd 2021

New Fonix ransomware decryptor can recover victim’s files for free

Kaspersky has released a decryptor for the Fonix Ransomware (XONIF) that allows victims to recover their encrypted files for free.


Ransomware continues the trend of targeted attacks but with the added challenge of double extortion. Organizations need to be one step ahead of such coercive tactics to avoid potential disruptions, financial losses, and reputational damage.

Trucking company Forward Air said its ransomware incident cost it $7.5 million

Trucking and freight transportation logistics company Forward Air said a recent ransomware attack left a dent of $7.5 million in its Q4 financial results.

February 4th 2021

Ransomware attacks increasingly destroy victims’ data by mistake

More and more ransomware victims are resisting the extortionists and refuse to pay when they can recover from backups, despite hackers’ threats to leak the data stolen before encryption.

Blockchain Analysis Shows Connections Between Four of 2020’s Biggest Ransomware Strains

As we’ve covered on our blog, there may be fewer cybercriminals responsible for ransomware attacks than one would initially think given the number of individual attacks, distinct strains, and amount stolen from victims. Cybersecurity researchers point out that many RaaS affiliates carrying out attacks switch between different strains, and many believe that seemingly distinct strains are actually controlled by the same people. Using blockchain analysis, we’ll investigate potential connections between four of 2020’s most prominent ransomware strains: Maze, Egregor, SunCrypt, and Doppelpaymer.

New HDLocker

xiaopao found an HDLocker ransomware that appends the _HD string to encrypted files’ names.

New Xorist ransomware variant

xiaopao found a Xorist ransomware variant that appends the .omfl extension to encrypted files’ names.

February 5th 2021

Eletrobras, Copel energy companies hit by ransomware attacks

Centrais Eletricas Brasileiras (Eletrobras) and Companhia Paranaense de Energia (Copel), two major electric utility companies in Brazil, have announced that they suffered ransomware attacks over the past week.

That’s it for this week! Hope everyone has a nice weekend!