This week’s ransomware news has been dominated by the attack on Ireland’s Health Service Executive (HSE) that has severely disrupted Ireland’s healthcare system.

The attack was conducted by the Conti ransomware operation who encrypted devices and caused the HSE to disconnect portions of its IT systems to prevent further spread of the attack. Since then, the Conti gang has released a free decryptor but still states that they plan on publishing or selling the data if not paid by Monday.

Other attacks this week include one on AXA insurance, right after they announced they would no longer pay ransoms, and further attacks against Toyota.

Other interesting news is a new variant of the MountLocker ransomware that now includes a worm feature and the shutting down of the QLocker ransomware after earning $350,000 in a month.

Contributors and those who provided new ransomware information and stories this week include: @serghei, @Seifreed, @VK_Intel, @demonslay335, @DanielGallagher, @FourOctets, @struppigel, @Ionut_Ilascu, @PolarToffee, @jorntvdw, @fwosar, @BleepinComputer, @LawrenceAbrams, @malwareforme, @malwrhunterteam, @Ax_Sharma, @GossiTheDog, @AltShiftPrtScn, @elliptic, @JakubKroustek, @conormlally, @WilliamTurton, @KartikayM, @chum1ng0, @PogoWasRight, @LittleRedBean2, @fbgwls245, and @3xp0rtblog.

May 15th 2021

Ireland’s Health Services hit with $20 million ransomware demand

Ireland’s health service, the HSE, says they are refusing to pay a $20 million ransom demand to the Conti ransomware gang after the hackers encrypted computers and disrupted health care in the country.

New Dharma Ransomware variant

Jakub Kroustek found a new Dharma Ransomware variant that appends the .eye extension to encrypted files.

New Stop Ransomware variant

LittleRedBean found a new STOP ransomware variant that appends the .igvm extension.

May 16th 2021

Insurer AXA hit by ransomware after dropping support for ransom payments

Branches of insurance giant AXA based in Thailand, Malaysia, Hong Kong, and the Philippines have been struck by a ransomware cyber attack.

May 17th 2021

Ransomware victim shows why transparency in attacks matters

As devastating ransomware attacks continue to have far-reaching consequences, companies still try to hide the attacks rather than be transparent. Below we highlight a company’s response to an attack that should be used as a model for all future disclosures.

Conti ransomware also targeted Ireland’s Department of Health

The Conti ransomware gang failed to encrypt the systems of Ireland’s Department of Health (DoH) despite breaching its network and dropping Cobalt Strike beacons to deploy their malware across the network.

New Ducky Virus ransomware

dnwls0719 found a new ransomware called Ducky Virus that appends the .ducky extension and drops ransom notes named RECOVER YOUR FILES.hta and RECOVER YOUR FILES.txt.

May 18th 2021

DarkSide ransomware made $90 million in just nine months

The DarkSide ransomware gang has collected at least $90 million in ransoms paid by its victims over the past nine months to multiple Bitcoin wallets.

May 19th 2021

MountLocker ransomware uses Windows API to worm through networks

The MountLocker ransomware operation now uses enterprise Windows Active Directory APIs to worm through networks.

Qlocker ransomware shuts down after extorting hundreds of QNAP users

The Qlocker ransomware gang has shut down their operation after earning $350,000 in a month by exploiting vulnerabilities in QNAP NAS devices.

New Dharma Ransomware variant

Jakub Kroustek found a new Dharma Ransomware variant that appends the .root extension to encrypted files.

May 20th 2021

Conti ransomware gives HSE Ireland free decryptor, still selling data

The Conti ransomware gang has released a free decryptor for Ireland’s health service, the HSE, but warns that they will still sell or release the stolen data.

Microsoft: Massive malware campaign delivers fake ransomware

A massive malware campaign pushed the Java-based STRRAT remote access trojan (RAT), known for its data theft capabilities and the ability to fake ransomware attacks.

Irish High Court issues injunction to prevent HSE data leak

The High Court of Ireland has issued an injunction against the Conti Ransomware gang, demanding that stolen HSE data be returned and not sold or published.

CNA Financial Paid $40 Million in Ransom After March Cyberattack

CNA Financial Corp., among the largest insurance companies in the U.S., paid $40 million in late March to regain control of its network after a ransomware attack, according to people with knowledge of the attack.

New STOP ransomware variant

dnwls0719 found a new STOP ransomware variant that appends the .nusm extension.

May 21st 2021

DarkSide affiliates claim gang’s bitcoin deposit on hacker forum

Since the DarkSide ransomware operation shut down a week ago, multiple affiliates have complained about not getting paid for past services and issued a claim for bitcoins in escrow at a hacker forum.

FBI: Conti ransomware attacked 16 US healthcare, first responder orgs

The Federal Bureau of Investigation (FBI) says the Conti ransomware gang has attempted to breach the networks of over a dozen U.S. healthcare and first responder organizations.

QNAP confirms Qlocker ransomware used HBS backdoor account

QNAP is advising customers to update the HBS 3 disaster recovery app to block Qlocker ransomware attacks targeting their Internet-exposed Network Attached Storage (NAS) devices.

Toyota rear-ended by twin cyber attacks that left ransomware-shaped dents

The first hit the European operations of its subsidiary Daihatsu Diesel Company, a Toyota-owned company entity that designs engines. In a statement [PDF] dated May 16th, Daihatsu said it “experienced a problem in accessing its file server in the internal system on 14 May 2021.”

That’s it for this week! Hope everyone has a nice weekend!