The Week in Ransomware – June 11th 2021


It has been quite the week when it comes to ransomware, with ransoms being paid, ransoms being taken back, and a ransomware gang shutting down.

This week’s biggest news was the FBI announcing that they were able to recover the majority of the $4.4 million ransom payment paid by Colonial Pipeline. It is not entirely clear how they obtained the private key for the cryptocurrency wallet, but it is believed DarkSide stored it on a seized server.

We also learned that JBS paid $11 million to the REvil ransomware operation to retrieve a decryptor and prevent stolen files from being leaked.

In a bit of good news, the Avaddon ransomware operation shut down and released the decryption keys of close to 3,000 victims to BleepingComputer. Using these, cybersecurity firm Emsisoft was able to release a free decryptor.

Finally, news broke this week that memory maker ADATA and food services supplier Edward Don suffered ransomware attacks.

Contributors and those who provided new ransomware information and stories this week include: @Ionut_Ilascu, @demonslay335, @FourOctets, @Seifreed, @fwosar, @jorntvdw, @BleepinComputer, @struppigel, @malwrhunterteam, @PolarToffee, @serghei, @DanielGallagher, @LawrenceAbrams, @VK_Intel, @malwareforme, @jonallendc, @kevincollier, @RobertScammell, @KimZetter, @RakeshKrish12, @fbgwls245, @Jirehlov, @SecurityJoes, @Kangxiaopao, and @GrujaRS.

June 5th 2021

New BigLock ransomware

dnwls0719 found a new ransomware named BigLock that appends the .nermer extension and drops a ransom note named PROTECT_INFO.TXT.

June 6th 2021

New Evil Corp ransomware mimics PayloadBin gang to evade US sanctions

The new PayloadBIN ransomware has been attributed to the Evil Corp cybercrime gang, rebranding to evade sanctions imposed by the US Treasury Department’s Office of Foreign Assets Control (OFAC).

New Findnotefile ransomware

Jirehlov Solace found a new Findnotefile ransomware variant that appends the .reddot extension.

New ransomware hunt

Michael Gillespie is looking for a ransomware that appends the .ramsome.encrypt(rsw).nat extension and drops a note named readme-instructions.txt. The ransomware turns files into password-protected RAR archives.

June 7th 2021

US recovers most of Colonial Pipeline’s $4.4M ransomware payment

The US Department of Justice has recovered the majority of the $4.4 million ransom payment paid by Colonial Pipeline to the DarkSide ransomware operation.

Fujifilm refuses to pay ransomware demand, restores network from backups

Japanese multinational conglomerate Fujifilm said it has refused to pay a ransom demand to the cyber gang that attacked its network in Japan last week and is instead relying on backups to restore operations.

June 8th 2021

Computer memory maker ADATA hit by Ragnar Locker ransomware

Taiwan-based leading memory and storage manufacturer ADATA says that a ransomware attack forced it to take systems offline after hitting its network in late May.

New HimalayA Ransomware-as-a-Service

Rakesh Krishnan found a new RaaS named HimalayA advertised on the darkweb.

HimalayA RaaS

June 9th 2021

New Ryuk impersonator

Security Joes found a .NET Ryuk impersonator that can be customized with a ransomware builder.

Ryuk ransomware builder

June 10th 2021

JBS paid $11 million to REvil ransomware, $22.5M first demanded

JBS, the world’s largest beef producer, has confirmed that they paid an $11 million ransom after the REvil ransomware operation initially demanded $22.5 million.

CD Projekt: Data stolen in ransomware attack now circulating online

CD Projekt is warning today that internal data stolen during their February ransomware attack is circulating on the Internet.

Foodservice supplier Edward Don hit by a ransomware attack

Foodservice supplier Edward Don has suffered a ransomware attack that has caused the company to shut down portions of the network to prevent the attack’s spread.

New Vice Society ransomware

Michael Gillespie found a new Vice Society ransomware that appends the .v-society extension when encrypting Linux machines. It appears to be a spin-off of HelloKitty.

New Anubis ransomware variant

xiaopao found a new Anubis ransomware variant that appends the .ChupaCabra extension.
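The indicator items in this roundup (the appended extensions and ransom note names reported for BigLock, Findnotefile, the unidentified RAR-based sample, Vice Society and Anubis) are the kind of thing a defender turns into a quick filename sweep of a file share after an incident. The Python below is an added example written for this page, not code from BleepingComputer or from any of the researchers credited above; the indicator strings are taken from the page, the sample paths are constructed, and the RAR header check assumes the standard RAR4 and RAR5 file signatures rather than anything the page states about the sample.

```python
"""Filename-based indicator sweep for the ransomware families listed in this
roundup. Added example: indicator values come from the page, sample paths are
constructed, and the RAR signature bytes are the published RAR4/RAR5 headers."""
import os
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# family -> (appended extensions, ransom note file names), as reported on the page
INDICATORS: Dict[str, Tuple[Tuple[str, ...], Tuple[str, ...]]] = {
    "BigLock": ((".nermer",), ("PROTECT_INFO.TXT",)),
    "Findnotefile": ((".reddot",), ()),
    "unidentified (RAR-based)": ((".ramsome.encrypt(rsw).nat",), ("readme-instructions.txt",)),
    "Vice Society": ((".v-society",), ()),
    "Anubis": ((".ChupaCabra",), ()),
}

# RAR archive signatures (RAR 4.x and RAR 5); assumed standard values, not from the page
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"


def classify_path(path: str) -> Optional[Tuple[str, str]]:
    """Return (family, kind) when the file name matches an indicator, else None.

    kind is "note" for a ransom note name match and "encrypted" for an appended
    extension match. Matching is case-insensitive. Multi-dot extensions such as
    .ramsome.encrypt(rsw).nat are checked as plain suffixes, and a file whose
    whole name is the extension (e.g. ".nermer") is not counted as encrypted.
    """
    lower = os.path.basename(path).lower()
    for family, (exts, notes) in INDICATORS.items():
        if any(lower == note.lower() for note in notes):
            return family, "note"
        if any(lower.endswith(ext.lower()) and len(lower) > len(ext) for ext in exts):
            return family, "encrypted"
    return None


def sweep(paths: Iterable[str]) -> Dict[str, Dict[str, List[str]]]:
    """Group matching paths by family and kind; families with no hits are omitted."""
    hits: Dict[str, Dict[str, List[str]]] = defaultdict(lambda: {"encrypted": [], "note": []})
    for path in paths:
        result = classify_path(path)
        if result is not None:
            family, kind = result
            hits[family][kind].append(path)
    return {family: dict(kinds) for family, kinds in hits.items()}


def walk_tree(root: str) -> Iterable[str]:
    """Yield every file path under root, for running sweep() on a real share."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            yield os.path.join(dirpath, name)


def looks_like_rar(header: bytes) -> bool:
    """True if the first bytes carry a RAR4 or RAR5 signature.

    Useful for the sample that stores victims' files as password-protected RAR
    archives: a renamed file that is really a RAR archive corroborates the match.
    """
    return header.startswith(RAR4_MAGIC) or header.startswith(RAR5_MAGIC)


# Constructed sample paths, mimicking what a sweep of a hit file share might see
SAMPLE_PATHS = [
    "/srv/share/budget.xlsx.nermer",
    "/srv/share/PROTECT_INFO.TXT",
    "/home/alice/report.docx.ramsome.encrypt(rsw).nat",
    "/home/alice/readme-instructions.txt",
    "/var/www/index.html.V-SOCIETY",
    "/home/bob/photo.jpg.ChupaCabra",
    "/home/bob/notes.txt",
    "/tmp/.nermer",
]

if __name__ == "__main__":
    for family, kinds in sweep(SAMPLE_PATHS).items():
        print(f"{family}: {len(kinds['encrypted'])} encrypted file(s), {len(kinds['note'])} note(s)")
```

On a live system, pass `walk_tree("/srv/share")` to `sweep()` instead of the constructed list, and read the first eight bytes of any `.ramsome.encrypt(rsw).nat` hit into `looks_like_rar()` before treating it as that family. The extension list is only as good as the day it was written, so keep the table in a config file rather than in code once it grows past a handful of families.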

June 11th 2021

Avaddon ransomware shuts down and releases decryption keys

The Avaddon ransomware gang has shut down operation and released the decryption keys for their victims to

Relentless REvil, revealed: RaaS as variable as the criminals who use it

One of the ransomware-as-a-service (RaaS) we encounter most frequently, known alternately as Sodinokibi or REvil, is as conventional a ransomware as we’ve seen: Its routines, configuration, and behavior are what we’ve come to expect from a mature family that’s, obviously, well used in the criminal underground.

Ransomware attack hit Teamsters in 2019 — but they refused to pay

When the Teamsters were hit by a ransomware attack over Labor Day weekend in 2019, the hackers asked for a seven-figure payment.

Negotiating Ransoms: When to Play and When to Fold

An interview with the CEO of Coveware, which negotiates payments on behalf of ransomware victims.

That’s it for this week! Hope everyone has a nice weekend!
