Compared to the last few weeks, it has been a relatively quiet week with no ransomware attacks causing widespread disruption.
It was a good week for law enforcement, with Ukrainian police arresting members of the Clop ransomware gang and the South Korean police arresting computer repairmen who were installing ransomware on customers' machines.
We also saw some interesting research released on LockBit and the Hades ransomware, as well as an updated Avaddon Ransomware decryptor that can decrypt more victims’ files.
Finally, President Biden met with Russian President Putin to discuss the recent cyberattacks. Whether something changes from that meeting is too soon to tell.
Contributors and those who provided new ransomware information and stories this week include: @DanielGallagher, @malwareforme, @PolarToffee, @fwosar, @BleepinComputer, @LawrenceAbrams, @serghei, @VK_Intel, @struppigel, @demonslay335, @malwrhunterteam, @FourOctets, @Ionut_Ilascu, @jorntvdw, @Seifreed, @TrendMicroRSRCH, @IntelAdvanced, @y_advintel, @ZeroLogon, @campuscodi, @GrujaRS, @emsisoft, @LittleRedBean2, @PogoWasRight, @chum1ng0, @PRODAFT, @Secureworks, and @ValeryMarchive.
June 14th 2021
REvil ransomware hits US nuclear weapons contractor
US nuclear weapons contractor Sol Oriens has suffered a cyberattack allegedly at the hands of the REvil ransomware gang, which claims to be auctioning data stolen during the attack.
G7 leaders ask Russia to hunt down ransomware gangs within its borders
G7 (Group of 7) leaders have asked Russia to urgently disrupt ransomware gangs believed to be operating within its borders, following a stream of attacks targeting organizations from critical sectors worldwide.
Fujifilm resumes normal operations after ransomware attack
Japanese multinational conglomerate Fujifilm says that it has resumed normal business and customer operations following a ransomware attack that forced it to shut the entire network on June 4.
Theoretically untouchable, but still struck down with Avaddon
The reasons for Avaddon’s disappearance are not known at this point. Perhaps the international pressure had become too strong for the operators, or perhaps some of their mistakes had started to show a little too much.
June 15th 2021
Avaddon ransomware’s exit sheds light on victim landscape
A new report analyzes the recently released Avaddon ransomware decryption keys to shed light on the types of victims targeted by the threat actors and potential revenue they generated throughout their operation.
Paradise Ransomware source code released on a hacking forum
The complete source code for the Paradise Ransomware has been released on a hacking forum allowing any would-be cyber criminal to develop their own customized ransomware operation.
Updated Avaddon decryptor released
Emsisoft released an updated Avaddon decryptor to support more victims.
Hades Ransomware Operators Use Distinctive Tactics and Infrastructure
Hades ransomware has been on the scene since December 2020, but there has been limited public reporting on the threat group that operates it. Secureworks® incident response (IR) engagements in the first quarter of 2021 provided Secureworks Counter Threat Unit™ (CTU) researchers with unique insight into the group’s use of distinctive tactics, techniques, and procedures (TTPs).
June 16th 2021
Ukraine arrests Clop ransomware gang members, seizes servers
Ukrainian law enforcement arrested cybercriminals associated with the Clop ransomware gang and shut down infrastructure used in attacks targeting victims worldwide since at least 2019.
South Korean police arrest computer repairmen who made and distributed ransomware
South Korean authorities have filed charges today against nine employees of a local computer repair company for creating and installing ransomware on their customers’ computers.
MA: UMass Lowell closed due to cybersecurity incident
The University of Massachusetts Lowell (UMass Lowell) has suffered a cybersecurity breach that has caused school closures for the past two days. The incident was first announced on June 15 as an “IT outage.”
SCOOP: UnitingCare paid hundreds of thousands of dollars to REvil for decryption key and deletion of files
On April 25, UnitingCare Queensland (UCQ) was the victim of a ransomware attack that impacted multiple Queensland hospitals and aged care centres. The next day, they posted a notice on their web site informing people as to what was happening and its impact. And on May 5, they posted a second update where they revealed that it was REvil (Sodinokibi) threat actors who had attacked them. That update described steps they had taken since the incident to safely recover and restore services.
June 17th 2021
Carnival Cruise hit by data breach, warns of data misuse risk
In December 2020, Carnival was hit by a second (previously undisclosed) ransomware attack with “investigation and remediation phases” still ongoing, according to a 10-Q form filed with the SEC in April 2021.
June 18th 2021
Fake DarkSide gang targets energy, food industry in extortion emails
Threat actors impersonate the now-defunct DarkSide Ransomware operation in fake extortion emails sent to companies in the energy and food sectors.
LockBit RaaS In-Depth Analysis
The PRODAFT Threat Intelligence (PTI) Team has published this report to provide in-depth knowledge about the threat actors who operate LockBit ransomware. The PTI Team has managed to extract decryption tools for most of the victims who were affected by LockBit. All affiliates of the ransomware group, including the developer, were also identified during the PTI Team's investigation. This report answers questions such as: How do they select their targets? How many targets did they breach? How does the network operate? Who are the affiliates?
GrujaRS found a new STOP ransomware variant that appends the .iqll extension to encrypted files.
LittleRedBean found a new STOP ransomware variant that appends the .sspq extension to encrypted files.
That’s it for this week! Hope everyone has a nice weekend!