Ransomware attacks continue over the past two weeks with a continuation of the massive initial ransom demands we have seen recently.
Over the past two weeks, we have learned of attacks against Asteelflash, the Broward County Public Schools, Applus Technologies, Pierre Fabre, and Harris Federation, with many of the attack’s initial ransoms ranging between $24 – $40 million.
The Applus Technologies attack was particularly disruptive as it prevented emissions testing in eight US states.
Accellion FTA-related data breaches continue with the Clop ransomware gang leaking the data for Stanford Medicine, University of Maryland Baltimore (UMB), and the University of California.
Contributors and those who provided new ransomware information and stories this week include: @PolarToffee, @fwosar, @Seifreed, @LawrenceAbrams, @Ionut_Ilascu, @VK_Intel, @DanielGallagher, @jorntvdw, @demonslay335, @struppigel, @malwrhunterteam, @BleepinComputer, @malwareforme, @serghei, @FourOctets, @R3MRUM, @kaspersky, @PogoWasRight, @CheckPointSW, @troyhunt, @alexscroxton, @ValeryMarchive, @snlyngaas, @fbgwls245, @Amigo_A_, @campuscodi, @siri_urz, @chum1ng0, and @GrujaRS.
March 27th 2021
FatFace sends controversial data breach email after ransomware attack
British clothing brand FatFace has sent a controversial ‘confidential’ data breach notification to customers after suffering a ransomware attack earlier this year.
March 28th 2021
Ransomware admin is refunding victims their ransom payments
After recently announcing the end of the operation, the administrator of Ziggy ransomware is now stating that they will also give the money back.
CompuCom MSP expects over $20M in losses after ransomware attack
American managed service provider CompuCom is expecting losses of over $20 million following this month’s DarkSide ransomware attack that took down most of its systems.
March 29th 2021
Harris Federation hit by ransomware attack affecting 50 schools
The IT systems and email servers of London-based nonprofit multi-academy trust Harris Federation were taken down by a ransomware attack on Saturday.
March 30th 2021
Microsoft Exchange attacks increase while WannaCry gets a restart
The recently patched vulnerabilities in Microsoft Exchange have sparked new interest among cybercriminals, who increased the volume of attacks focusing on this particular vector.
Michael Gillespie found a new STOP ransomware variant that appends the .ytbn extension to encrypted files.
April 1st 2021
Jakub Kroustek found new Dharma ransomware variants that append the .4o4 and .ctpl extensions to encrypted files.
April 2nd 2021
Asteelflash electronics maker hit by REvil ransomware attack
Asteelflash, a leading French electronics manufacturing services company, has suffered a cyberattack by the REvil ransomware gang who is demanding a $24 million ransom.
Qualys says Accellion hackers did not breach production systems
Cybersecurity firm Qualys said today that the attackers who breached its Accellion FTA server didn’t infiltrate the company’s production and corporate environments.
Ransomware gang wanted $40 million in Florida schools cyberattack
Fueled by large payments from victims, ransomware gangs have started to demand ridiculous ransoms from organizations that can not afford to pay them. An example of this is a recently revealed ransomware attack on the Broward County Public Schools district where threat actors demanded a $40,000,000 payment.
As ransomware stalks the manufacturing sector, victims are still keeping quiet
In addition to Norsk Hydro, CyberScoop requested interviews with a dozen manufacturers in Europe and the U.S. that have reportedly had their production disrupted by ransomware incidents in the last two and half years. Nearly all either declined to comment, did not respond or said an executive was unavailable by press time.
dnwls0719 found a new Makop ransomware variant that appends the .dark extension and drops a ransom note named readme-warning.txt.
S!Ri has discovered a new ransomware called WhiteBlackGroup that appends the .encrpt3d extension to encrypted files.
April 3rd 2021
Malware attack is preventing car inspections in eight US states
A malware cyberattack on emissions testing company Applus Technologies is preventing vehicle inspections in eight states, including Connecticut, Georgia, Idaho, Illinois, Massachusetts, Utah, and Wisconsin.
Ransomware gang leaks data from Stanford, Maryland universities
Personal and financial information stolen from Stanford Medicine, University of Maryland Baltimore (UMB), and the University of California was leaked online by the Clop ransomware group.
Sepa spends nearly £800,000 on cyber attack response
Figures released to BBC Scotland under freedom of information laws show a total of £790,000 has been spent on Sepa’s response and recovery actions so far
Michael Gillespie found a new STOP ransomware variant that appends the .fdcz extension to encrypted files.
GrujaRS found a new Jigsaw ransomware variant that appends the .cat extension.
April 4th 2021
Sierra Wireless resumes production after ransomware attack
Canadian IoT solutions provider Sierra Wireless announced that it resumed production at its manufacturing sites halted after a ransomware attack that hit its internal network and corporate website on March 20.
Michael Gillespie found a new STOP ransomware variant that appends the .urnb extension to encrypted files.
April 5th 2021
dnwls0719 found the Jormungand ransomware that appends the .glock extension and drops a ransom note named READ-ME-NOW.txt.
April 6th 2021
Windows XP makes ransomware gangs work harder for their money
A recently created ransomware decryptor illustrates how threat actors have to support Windows XP, even when Microsoft dropped supporting it seven years ago.
Ransomware hits TU Dublin and National College of Ireland
The National College of Ireland (NCI) and the Technological University of Dublin have announced that ransomware attacks hit their IT systems.
April 7th 2021
New Cring ransomware hits unpatched Fortinet VPN devices
A vulnerability impacting Fortinet VPNs is being exploited by a new human-operated ransomware strain known as Cring to breach and encrypt industrial sector companies’ networks.
REvil ransomware now changes password to auto-login in Safe Mode
A recent change to the REvil ransomware allows the threat actors to automate file encryption via Safe Mode after changing Windows passwords.
S!Ri has discovered a new ransomware called Wintenzz Security Tool that appends the .wintenzz extension to encrypted files and drops a ransom note named BUY_WINTENZZ.txt.
April 8th 2021
dnwls0719 found a new VHD ransomware variant that appends the .beaf extension and drops a ransom note named DecryptGuide.txt.
April 9th 2021
Leading cosmetics group Pierre Fabre hit with $25 million ransomware attack
Leading French pharmaceutical group Pierre Fabre suffered a REvil ransomware attack where the threat actors initially demanded a $25 million ransom, BleepingComputer learned today.
Michael Gillespie found a new STOP ransomware variant that appends the .lmas extension to encrypted files.
dnwls0719 found a new VHD ransomware variant that appends the .gehenna and drops a ransom note named GEHENNA-README-WARNING.html.
Maze/Egregor ransomware cartel estimated to have made $75 million
The group behind the Maze and Egregor ransomware operations are believed to have earned at least $75 million worth of Bitcoin from ransom payments following intrusions at companies all over the world.
GrujaRS found a new ransomware called RIP_lmao that appends the .crypted extension and drops a ransom note named ___RECOVER__FILES__.crypted.txt.
That’s it for this week! Hope everyone has a nice weekend!