While the beginning of this week was fairly quiet, it definitely ended with a bang as news came out of the largest ransom demand yet.

It was revealed at the end of the week that computer maker Acer suffered a REvil ransomware attack where the threat actors are demanding a massive $50,000,000 ransom.

REvil also made this news this week with the addition of a new -smode argument that causes Windows to reboot into Safe Mode with Networking to perform the encryption. REvil’s ‘Unknown’ also conducted an interview with TheRecord.

Finally, we saw an FBI warning about PYSA and new variants of ransomware families released.

Contributors and those who provided new ransomware information and stories this week include: @malwareforme, @struppigel, @LawrenceAbrams, @Seifreed, @DanielGallagher, @VK_Intel, @fwosar, @malwrhunterteam, @FourOctets, @demonslay335, @BleepinComputer, @serghei, @jorntvdw, @Ionut_Ilascu, @PolarToffee, @Amigo_A_, @GrujaRS, @ddd1ms, @campuscodi, @ValeryMarchive, @3xp0rtblog, @Kangxiaopao, and @fbgwls245.

March 13th 2021

New RunExeMemory ransomware variant

GrujaRSA found a new variant of the RunExeMemory that appends the .z8sj2c extension and drops a ransom note named Read me, if you want to recover your files.txt.

March 16th 2021

FBI warns of escalating Pysa ransomware attacks on education orgs

The Federal Bureau of Investigation (FBI) Cyber Division has warned system administrators and cybersecurity professionals of increased Pysa ransomware activity targeting educational institutions.

An interview with REvil’s Unknown

Unknown talked to Recorded Future expert threat intelligence analyst Dmitry Smilyanets recently about using ransomware as a weapon, staying out of politics, experimenting with new tactics, and much more. The interview was conducted in Russian and translated to English with the help of a professional translator, and has been edited for clarity.

New Liz Dharma ransomware variant

Jakub Kroustek found a new Dharma Ransomware variant that appends the .liz extension.

New Rapid ransomware variant

dnwls0719 found a new Rapid ransomware variant that appends the .lock extension.

New Xorist ransomware variant

xiaopao found a new variant of the SFile ransomware that appends the .sandboxtest extension.

March 17th 2021

Missed opportunity: Bug in LockBit ransomware allowed free decryptions

A member of the cybercriminal community has discovered and disclosed a bug in the LockBit ransomware that could have been used for free decryptions.

New Hakbit ransomware variant

xiaopao found a new variant of the SFile ransomware that appends the .PROM extension.

New SFile ransomware variant

xiaopao found a new variant of the SFile ransomware that appends the .zuadr extension and drops a ransom note named RESTORE_FILES_INFO.hta and RESTORE_FILES_INFO.txt.

March 18th 2021

New PewPew Ransomware variant

Amigo-A found a new PewPew Ransomware variant that calls itself ‘Artemis’ and appends the .optimus extension to encrypted files.

New Stop ransomware variant

dnwls0719 found a new STOP Djvu ransomware variant that appends the .enfp and drops a ransom note named _readme.txt.

STOP Ransomware ransom note

March 19th 2021

REvil ransomware has a new ‘Windows Safe Mode’ encryption mode

The REvil ransomware operation has added a new ability to encrypt files in Windows Safe Mode, likely to evade detection by security software and for greater success when encrypting files.

Computer giant Acer hit by $50 million ransomware attack

Electronics giant Acer has been hit by a REvil ransomware attack where the threat actors are demanding the largest known ransom to date, $50,000,000.

Cyberattaque : une rançon de 50 millions de dollars demandée à Acer

Les opérateurs du rançongiciel Revil, aussi connu sous le nom Sodinokibi, ont ajouté le constructeur à la liste de victimes. Ils laissent encore près de 9 jours à Acer pour négocier, faute de quoi ils doubleront leurs exigences.

Ransomware statistics for 2020: Year in summary

2020, the year of the pandemic, was another lucrative year for ransomware. As nations around the world scrambled to slow the spread of the virus, cybercriminals attempted to capitalize on the chaos.

New SFile ransomware variant

xiaopao found a new variant of the SFile ransomware that appends the .Technomous-zbtrqyd extension.

That’s it for this week! Hope everyone has a nice weekend!