The Week in Ransomware – March 5th 2021


This week we have seen ransomware attacks targeting online service providers and MSPs to not only encrypt the victim but also cause significant outages for their customers.

HR and payroll platform PrismHR suffered a ransomware attack this weekend that caused an outage for PEOs and their clients that utilize the system. We also saw CompuCom, a large US MSP, get hit with a DarkSide ransomware attack that led to significant outages for most of their customers.

Clop Ransomware continues to publish data stolen in December from victims' breached Accellion FTA devices. Unfortunately, due to the number of organizations that used this service, we will likely continue seeing Accellion-related breaches announced.

Finally, Universal Health Services, which suffered a massive Ryuk ransomware attack in September 2020, reported that the cyberattack had an estimated cost of $67 million.

As for new ransomware, we continue to see new variants released and new in-development threats, such as a strange one that only decrypts victims if they join the threat actor’s Discord server.

Contributors and those who provided new ransomware information and stories this week include: @PolarToffee, @VK_Intel, @malwareforme, @Seifreed, @jorntvdw, @fwosar, @LawrenceAbrams, @FourOctets, @BleepinComputer, @DanielGallagher, @demonslay335, @struppigel, @malwrhunterteam, @serghei, @Ionut_Ilascu, @GroupIB, @Sophos, @kjkwak12, @JakubKroustek, @siri_urz, @Kangxiaopao, @Amigo_A_, @petrovic082, @IntezerLabs, @emsisoft, and @BrettCallow.

March 1st 2021

Hackers use black hat SEO to push ransomware, trojans via Google

The delivery system for the Gootkit information stealer has evolved into a complex and stealthy framework, which earned it the name Gootloader, and is now pushing a wider variety of malware via hacked WordPress sites and malicious SEO techniques for Google results.

Universal Health Services lost $67 million due to Ryuk ransomware attack

Universal Health Services (UHS) said that the Ryuk ransomware attack it suffered during September 2020 had an estimated impact of $67 million.

NSW Transport agency extorted by ransomware gang after Accellion attack

The transport system for the Australian state of New South Wales has suffered a data breach after the Clop ransomware exploited a vulnerability to steal files.

New Dharma ransomware variants

Jakub Kroustek found new Dharma ransomware variants that append the .oral and .urs extensions to encrypted files.

New STOP Djvu ransomware variant

Michael Gillespie found a new STOP ransomware variant that appends the .ribd extension to encrypted files.

March 2nd 2021

Payroll giant PrismHR outage likely caused by ransomware attack

Leading payroll company PrismHR is suffering a massive outage following a cyberattack this weekend that, based on conversations with customers, looks like a ransomware attack.

New ‘Corona Locker’ Aurora ransomware variant

xiaopao found a new variant of the Aurora ransomware that calls itself ‘Corona Locker’ and appends the .systems32x extension.

New Makop ransomware variant

Petrovic found a new Makop ransomware variant that appends the .vassago extension to encrypted files.

When Viruses Mutate: Did SunCrypt Ransomware Evolve from QNAPCrypt?

This report uses both dark web research and malware analysis to investigate the connection between the affiliate ransomware service known as SunCrypt and the QNAPCrypt ransomware, the latter of which was used against QNAP and Synology devices back in 2019. While the two ransomware families are operated by distinct threat actors on the dark web, there are strong technical connections in code reuse and techniques, linking the two to the same author. Just because a piece of malware is a derivative of another does not mean it will be deployed in exactly the same way. A new operator may use different targets, tactics, techniques and procedures (TTPs), which can include new evasion techniques. Defenders must remain vigilant.

March 3rd 2021

RansomTrojanLock discovered

S!ri found a new ransomware that appends the .RansomTrojanLock extension to encrypted files.

Beware the Fancy Bear ransomware

S!ri found a new ransomware, and we will let the screenshot speak for itself.

Fancy Bear Ransomware

New Help You Ransomware

xiaopao found a new ransomware that appends the .IQ_IQ extension and drops a ransom note named HOW_TO_RECOVERY_FILES.txt.

Emsisoft Aurora decryptor updated

Emsisoft has updated their Aurora decryptor to support the .systems32x extension.

March 4th 2021

CompuCom MSP hit by DarkSide ransomware cyberattack

US managed service provider CompuCom has suffered a DarkSide ransomware attack leading to service outages and customers disconnecting from the MSP’s network to prevent the spread of malware.

Ransomware is a multi-billion industry and it keeps growing

An analysis from global cybersecurity company Group-IB reveals that ransomware attacks more than doubled last year and increased in both scale and sophistication.

New JesusCrypt Ransomware

MalwareHunterTeam found a new in-development ransomware called JesusCrypt.


March 5th 2021

New ransomware only decrypts victims who join their Discord server

A new ransomware called ‘Hog’ encrypts users’ devices and only decrypts them if they join the developer’s Discord server.


That’s it for this week! Hope everyone has a nice weekend!
