The Week in Ransomware – February 26th 2021


The number of attacks had slowed down after the winter holidays, but after the past two weeks, it’s evident that the ransomware attacks are back at full speed.

Over the past two weeks, we had some significant attacks, including attacks on Discount Car and Truck Rentals, an alleged attack on Kia Motors/Hyundai, UL, TietoEVRY, Ecuador’s Ministry of Finance, and its largest bank, Banco Pichincha.

A recent ransomware attack at Automatic Funds Transfer Services (AFTS) also led to a series of data breach notifications from US cities that used them as a payment processor.

Finally, Mandiant reported that recent Accellion FTA breaches had been conducted by hackers affiliated with the Clop ransomware operation.

In a win for law enforcement, an operation between the USA, France, and Ukraine has led to numerous Egregor members’ arrests, practically shutting down the ransomware operation.

On the technical side, we learned that Ryuk now has worm-like functionality allowing it to spread to other Windows devices.

Contributors and those who provided new ransomware information and stories this week include: @jorntvdw, @PolarToffee, @DanielGallagher, @LawrenceAbrams, @demonslay335, @VK_Intel, @BleepinComputer, @Ionut_Ilascu, @malwareforme, @fwosar, @Seifreed, @struppigel, @serghei, @malwrhunterteam, @FourOctets, @chum1ng0, @cyb5r3Gene, @Mandiant, @CISecurity, @JakubKroustek, @coveware, @fbgwls245, @c3rb3ru5d3d53c, @Amigo_A_, @petrovic082, @siri_urz, and @1ZRR4H.

February 13th 2021

CD Projekt’s stolen source code allegedly sold by ransomware gang

A ransomware gang who says they stole unencrypted source code for the company’s most popular games and then encrypted CD Projekt’s servers claims to have sold the data.

Leading Canadian rental car company hit by DarkSide ransomware

Canadian Discount Car and Truck Rentals has been hit with a DarkSide ransomware attack where the hackers claim to have stolen 120GB of data.

Tortoise ransomware decryptor released

Cerberus released a decryptor for the Tortoise Ransomware.

February 14th 2021

Egregor ransomware affiliates arrested by Ukrainian, French police

A joint operation between French and Ukrainian law enforcement has reportedly led to the arrests of several members of the Egregor ransomware operation in Ukraine.

February 17th 2021

Kia Motors America suffers ransomware attack, $20 million ransom

Kia Motors America has suffered a ransomware attack by the DoppelPaymer gang, demanding $20 million for a decryptor and not to leak stolen data.

New Makop variant

Petrovic found a new variant of the Makop ransomware that appends the .vassago extension.

New Stop ransomware variant

Michael Gillespie found a new ransomware that appends the .cadq extension to encrypted files.

February 18th 2021

US cities disclose data breaches after vendor’s ransomware attack

A ransomware attack against the widely used payment processor AFTS has sparked data breach notifications from numerous cities and agencies within California and Washington.

February 19th 2021

CIS now offers free ransomware protection to all US hospitals

The Center for Internet Security (CIS), a non-profit dedicated to securing IT systems and data, has announced the launch of free ransomware protection for US private hospitals through the Malicious Domain Blocking and Reporting (MDBR) service.

Underwriters Laboratories (UL) certification giant hit by ransomware

UL LLC, better known as Underwriters Laboratories, has suffered a ransomware attack that encrypted its servers and caused them to shut down systems while they recover.

February 21st 2021

Lakehead University shuts down campus network after cyberattack

Canadian undergraduate research university Lakehead has been dealing with a cyberattack that forced the institution earlier this week to cut off access to its servers.

New Dharma ransomware variant

Jakub Kroustek found a new Dharma ransomware variant that appends the .pauq extension to encrypted files.

February 22nd 2021

Global Accellion data breaches linked to Clop ransomware gang

Threat actors associated with financially-motivated hacker groups combined multiple zero-day vulnerabilities and a new web shell to breach up to 100 companies using Accellion’s legacy File Transfer Appliance and steal sensitive files.

New ‘Four’ Dharma ransomware variant

Jakub Kroustek found a new Dharma ransomware variant that appends the .four extension to encrypted files.

February 23rd 2021

Finnish IT services giant TietoEVRY discloses ransomware attack

Finnish IT services giant TietoEVRY has suffered a ransomware attack that forced them to disconnect clients’ services.

New ‘Urs’ Dharma ransomware variant

Emmanuel_ADC-Soft found a new Dharma ransomware variant that appends the .urs extension to encrypted files.

Q4 2020 Doxxing Victim Trends: Industrial Sector Emerges as Primary Ransom “Non-Payor”

The analysis that follows is based on an examination of ransomware doxxing victims whose identities were published between September and December of 2020. The data for this blog post was collected from 100% public sources. Unlike the majority of research on cyber extortion trends, which is based on information collected from self-identified victims of ransomware, these data points are collected from the threat actor’s own public ledgers of victims and are not subject to the same limitations of self-reporting. At this time one year ago, only two or three ransomware gangs had developed the practice of naming-and-shaming victims who failed to pay the ransom. 

New ThunderX/Ranzy variant

dnwls0719 found a new ThunderX/Ranzy ransomware variant that appends the .RANZYLOCKED extension to encrypted files.

February 24th 2021

Cyberpunk 2077 patch 1.2 delayed by CD Projekt ransomware attack

CD Projekt Red announced today that they are delaying the anticipated Cyberpunk 2077 Patch 1.2 to the second half of March 2021 due to their recent cyberattack.

Ransomware gang extorts jet maker Bombardier after Accellion breach

Business jet maker Bombardier is the latest company to suffer a data breach by the Clop ransomware gang after attackers exploited a zero-day vulnerability to steal company data.

New ‘Clman’ Dharma ransomware variant

Jakub Kroustek found a new Dharma ransomware variant that appends the .clman extension to encrypted files.

February 25th 2021

Dutch Research Council (NWO) confirms ransomware attack, data leak

The recent cyberattack that forced the Dutch Research Council (NWO) to take its servers offline and suspend grant allocation processes was caused by the DoppelPaymer ransomware gang.

Looking for the Snoopdoog ransomware

Michael Gillespie found a new ransomware that appends the .Snoopdoog extension to encrypted files and drops a ransom note named Decrypt-me.txt.

New Team Assist ransomware

S!ri found a new ransomware that appends the .assist extension.

February 26th 2021

Ryuk ransomware now self-spreads to other Windows LAN devices

A new Ryuk ransomware variant with worm-like capabilities that allow it to spread to other devices on victims’ local networks has been discovered by the French national cyber-security agency while investigating an attack in early 2021.

Ransomware gang hacks Ecuador’s largest private bank, Ministry of Finance

A hacking group called ‘Hotarus Corp’ has hacked Ecuador’s Ministry of Finance and the country’s largest bank, Banco Pichincha, where they claim to have stolen internal data.

That’s it for this week! Hope everyone has a nice weekend!