Ransomware gangs continue to target organizations large and small, including a brazen attack on the Washington DC police department.
This week, we learned of attacks affecting the Metropolitan Police Department, Merseyrail UK rail operator, the Whistler Resort Municipality, and an attack on Brazil’s court systems in Rio Grande do Sul.
We also reported that the Qlocker ransomware targeting QNAP devices had made $260,000 by Sunday, which is likely much higher now.
Finally, after threatening to release data for the Metropolitan Police Department, Babuk Locker has suddenly decided to no longer encrypt systems and focus entirely on the ransoming of stolen data.
Contributors and those who provided new ransomware information and stories this week include: @fwosar, @PolarToffee, @Seifreed, @struppigel, @jorntvdw, @BleepinComputer, @Ionut_Ilascu, @LawrenceAbrams, @malwareforme, @demonslay335, @serghei, @malwrhunterteam, @FourOctets, @DanielGallagher, @VK_Intel, @ValeryMarchive, @emsisoft, @fbgwls245, @Amigo_A_, @chum1ng0, @pcrisk, @GrujaRS, @BruteBee, @FireEye, @ddd1ms, @coveware, @campuscodi, and @JakubKroustek.
April 24th 2021
A ransomware gang made $260,000 in 5 days using the 7zip utility
A ransomware gang has made $260,000 in just five days simply by remotely encrypting files on QNAP devices using the 7zip archive program.
Jakub Kroustek found a new Dharma ransomware variant that appends the .bdev extension to encrypted files.
April 25th 2021
GrujaRS found a variant of the Stupid Ransomware calling itself NoCry that appends the .Cry extension.
GrujaRS found a new variant of the Conti Ransomware that appends the .GFYPK extension.
April 26th 2021
DC Police confirms cyberattack after ransomware gang leaks data
The Metropolitan Police Department has confirmed that they suffered a cyberattack after the Babuk ransomware gang leaked screenshots of stolen data.
Ransomware gang now warns they will leak new Apple logos, iPad plans
The REvil ransomware gang has mysteriously removed Apple’s schematics from their data leak site after privately warning Quanta that they would leak drawings for the new iPad and new Apple logos.
Accellion data breaches drive up average ransom price
The data breaches caused by the Clop ransomware gang exploiting a zero-day vulnerability have led to a sharp increase in the average ransom payment calculated for the first three months of the year.
dnwls0719 found a new Dharma ransomware variant that appends the .ALNBR extension to encrypted files.
Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound
The Coveware Quarterly Ransomware Report describes ransomware incident response trends during Q1 of 2021. Data exfiltration extortion continues to be prevalent and we have reached an inflection point where the vast majority of ransomware attacks now include the theft of corporate data. Q1 saw a reversal of average and median ransom amounts. The averages in Q1 were pulled up by a raft of data exfiltration attacks by one specific threat actor group that opportunistically leveraged a unique vulnerability (more on this below).
PCrisk found a new Phobos ransomware variant that appends the .lookfornewitguy extension.
April 27th 2021
Ransomware : Revil enchaîne les victimes… qui ne paient pas
Oui, le groupe Revil, qui pilote le rançongiciel Sodinokibi, est très actif ces temps-ci. Et il semble décidé à enchaîner les coups d’éclat. Mais ses activités semblent de moins en moins couronnées de succès. Et de plus en plus, ce qu’il exhibe comme un tableau de chasse prend des airs de triste galerie de ses échecs.
The cost of ransomware in 2021: A country-by-country analysis
The statistics below show the devastating economic toll ransomware has taken in a number of key markets. The data includes ransom demands, the cost of downtime, and the overall global cost of ransomware, as well as separate statistics focused on the public and private sectors.
Ransomware gang targets Microsoft SharePoint servers for the first time
Microsoft SharePoint servers have now joined the list of network devices being abused as an entry vector into corporate networks by ransomware gangs.
April 28th 2021
UK rail network Merseyrail likely hit by Lockbit ransomware
UK rail network Merseyrail has confirmed a cyberattack after a ransomware gang used their email system to email employees and journalists about the attack.
dnwls0719 found a new Dharma ransomware variant that appends the .cum extension to encrypted files.
April 29th 2021
Security expert coalition shares actions to disrupt ransomware
The Ransomware Task Force, a public-party coalition of more than 50 experts, has shared a framework of actions to disrupt the ransomware business model.
Whistler resort municipality hit by new ransomware operation
The Whistler municipality in British Columbia, Canada, has suffered a cyberattack at the hands of a new ransomware operation.
Brazil’s Rio Grande do Sul court system hit by REvil ransomware
Brazil’s Tribunal de Justiça do Estado do Rio Grande do Sul was hit with an REvil ransomware attack yesterday that encrypted employee’s files and forced the courts to shut down their network.
New ransomware group uses SonicWall zero-day to breach networks
A financially motivated threat actor exploited a zero-day bug in Sonicwall SMA 100 Series VPN appliances to deploy new ransomware known as FiveHands on the networks of North American and European targets.
QNAP warns of AgeLocker ransomware attacks on NAS devices
QNAP customers are once again urged to secure their Network Attached Storage (NAS) devices to defend against Agelocker ransomware attacks targeting their data.
Babuk ransomware readies ‘shut down’ post, plans to open source malware
After just a few months of activity, the operators of Babuk ransomware briefly posted a short message about their intention to quit the extortion business after having achieved their goal.
MalwareHunterTeam found a new ‘CryBaby’ ransomware.
April 30th 2021
Babuk quits ransomware encryption, focuses on data-theft extortion
A new message today from the operators of Babuk ransomware clarifies that the gang has decided to close the affiliate program and move to an extortion model that does not rely on encrypting victim computers.
That’s it for this week! Hope everyone has a nice weekend!