The Week in Ransomware – March 26th 2021

The Week in Ransomware – March 26th 2021


Ransomware attacks against the enterprise continue in the form of Accellion data leaks, full-fledged ransomware attacks, and more ransomware gangs targeting Microsoft Exchange.

Early in the week, it was discovered that a threat actor was deploying the Black Kingdom Ransomware on Microsoft Exchange servers. By the end of the week, Microsoft estimates that approximately 1,500 exchange servers were targeted in this group’s attack.

The Clop ransomware gang has continued to leak data stolen in Accellion attacks, with this week’s victims being energy giant Shell, the University of Miami, and the University of Colorado.

We also saw an increase in standard encrypting ransomware attacks targeting enterprise victims, such as Sierra Wireless, Stratus, and insurance giant CNA.

On a different note, Danny Palmer wrote an interesting piece on how a company handled a recent ransomware attack and did not pay the ransom. 

Contributors and those who provided new ransomware information and stories this week include: @BleepinComputer, @Ionut_Ilascu, @demonslay335, @jorntvdw, @PolarToffee, @malwrhunterteam, @FourOctets, @struppigel, @LawrenceAbrams, @malwareforme, @Seifreed, @DanielGallagher, @serghei, @VK_Intel, @fwosar, @CrowdStrike, @BrettCallow, @MalwareTechBlog, @MsftSecIntel, @fbgwls245, @siri_urz, @Amigo_A_, @dannyjpalmer, @campuscodi, @ValeryMarchive, and @alexscroxton.

March 21st 2021

New Pay2Decrypt variant

S!Ri found a new Pay2Decrypt variant that appends the .aes extension.

March 22nd 2021

Microsoft Exchange servers now targeted by Black Kingdom ransomware

Another ransomware operation known as ‘Black Kingdom’ is exploiting the Microsoft Exchange Server ProxyLogon vulnerabilities to encrypt servers.

Energy giant Shell discloses data breach after Accellion hack

Energy giant Shell has disclosed a data breach after attackers compromised the company’s secure file-sharing system powered by Accellion’s File Transfer Appliance (FTA).

New Dharma ransomware variant

Jakub Kroustek found a new Dharma ransomware variant that appends the .bqd2 extension.

March 23rd 2021

Ransomware attack shuts down Sierra Wireless IoT maker

Sierra Wireless, a world-leading IoT (Internet of Things) solutions provider, today disclosed a ransomware attack that forced it to halt production at all manufacturing sites.

High-availability server maker Stratus hit by ransomware

Stratus Technologies has suffered a ransomware attack that required systems to be taken offline to prevent the attack’s spread.

Ransomware gang leaks data stolen from Colorado, Miami universities

Grades and social security numbers for students at the University of Colorado and University of Miami patient data have been posted online by the Clop ransomware group.

CNA insurance firm hit by a cyberattack, operations impacted

CNA Financial, a leading US-based insurance company, has suffered a cyberattack impacting its business operations and shutting down its website.

March 24th 2021

New Makop variant

dnwls0719 found a new Makop ransomware variant that appends the .pecunia extension and drops a ransom note named readme-warning.txt.

March 25th 2021

Insurance giant CNA hit by new Phoenix CryptoLocker ransomware

Insurance giant CNA has suffered a ransomware attack using a new variant called Phoenix CryptoLocker that is possibly linked to the Evil Corp hacking group.

Evil Corp switches to Hades ransomware to evade sanctions

Hades ransomware has been linked to the Evil Corp cybercrime gang who uses it to evade sanctions imposed by the Treasury Department’s Office of Foreign Assets Control (OFAC).

Ransomware gang leaks data from US military contractor the PDI Group

A major supplier of military equipment to the US Air Force and militaries across the globe appears to have fallen victim to a ransomware attack.

New Stop Ransomware variant

Amigo-A found a new STOP ransomware variant that appends the .ekvf extension.

This company was hit by ransomware. Here’s what they did next, and why they didn’t pay up

It started out as a normal Thursday for Tony Mendoza, senior IT director at Spectra Logic, a data storage company based in Boulder, Colorado. And then the ransomware attack began.

March 26th 2021

FBI exposes weakness in Mamba ransomware, DiskCryptor

An alert from the U.S. Federal Bureau of Investigation about Mamba ransomware reveals a weak spot in the encryption process that could help targeted organizations recover from the attack without paying the ransom.

Ransomware gang urges victims’ customers to fight for their privacy

A ransomware operation known as ‘Clop’ is applying maximum pressure on victims by emailing their customers and asking them to demand a ransom payment to protect their privacy.

Microsoft: Black Kingdom ransomware hacked 1.5K Exchange servers

Microsoft has discovered web shells deployed by Black Kingdom operators on approximately 1,500 Exchange servers vulnerable to ProxyLogon attacks.

Retailer FatFace pays $2m ransom to Conti cyber criminals

Fashion retailer FatFace has paid a $2m ransom to the Conti ransomware gang following a successful cyber attack on its systems that took place in January 2021, Computer Weekly has learned.

New HiddenTear variant

dnwls0719 found a new HiddenTear variant that appends the .HANTA extension and drops a ransom note named how_to_recover.txt.


That’s it for this week! Hope everyone has a nice weekend!

You May Also Like…