Ransomware Roundup: 05.27.22

This week’s round up…

‍

• Ransomware attack on school system exposes more than a half million records of student and teachers
• The tale of the Chaos ransomware kit
• Cheerscrypt has ESXi Devices in its sights
• Goodwill ransomware urges doing good by doing bad
• The Verizon 2022 DBIR is now available
• Thanks to the authors‍
  ‍

Ransomware attack on school system exposes more than a half million records of student and teachers

‍

A vendor – Battelle for Kids - that serves the Chicago Public Schools (CPS) system – sent a notification that they had been breached in December 2021. This included notice that the records for 500,000 students (nearly half the population of Montana) were exposed.  

‍

Jonathan Greig at the Record reported that “the personal information of students from 2015-19 was involved in the attack on Battelle for Kids — a nonprofit tech company that stores student course information and assessment data for teacher evaluations” in the notification letter sent by CPS on May 20, 2022.  

‍

The timing of these notices is important. The attack occurred on Dec. 1, 2022, and Greig quotes an FAQ posted by CPS “that Battelle for Kids waited until April 26 to tell officials about the incident, and it was until May 11 that CPS received information on the affected 495,448 student records and 56,138 staff records.”  

‍

The FAQ further explained that “Our vendor, Battelle for Kids, informed us that the reason for the delayed notification to CPS was the length of time that it took for Batelle to verify the authenticity of the breach through an independent forensic analysis, and for law enforcement authorities to investigate the matter.”

‍

Unfortunately, there is evidence that attacks on Battelle have affected more than CPS. Valley View High School in Germantown, Ohio announced that student data was compromised in an April 2021 attack.

‍

The tale of the Chaos ransomware kit

‍

This week the BlackBerry Research & Intelligence Team released a report on the Chaos ransomware kit, which describes a twisted drama of marketing missteps, rebranding and technical iteration.  

‍

The author of Chaos originally touted it as the .NET version of Ryuk in 2021 and even went so far as to include “Ryuk branding on its GUI” reported Tara Seals on ThreatPost, which apparently did not go over well in the criminal marketplace.

‍

“While this attempt to ride Ryuk’s coat tails did generate a lot of attention for the builder, it was resoundingly negative. Users of many dark web forums called out the creator for this deceptive naming. Some of this negative publicity must have stuck with the author, as within a few weeks, the builder was rebranded as Chaos, and quickly followed by the release of Chaos V2.0 and Chaos V3.0,” the BlackBerry Research & Intelligence Team wrote in its report.

‍

The most recent versions of Chaos, dubbed Yasma by the author, iterate on the foundations of previous versions and includes the abilities to encrypt files larger than 2 megabytes without corrupting these (a bug fix, really) and location awareness.  

‍

The latter feature allows the payload to understand where the host machine is residing and terminate if found to be somewhere undesirable. This is a ploy often leveraged by ransomware attackers to avoid the attention of law enforcement in their home countries.

‍

Cheerscrypt has ESXi Devices in its sights

‍

Trend Micro is tracking a new ransomware strain named Cheerscrypt (presumably named because the payload replaces the victim files extension with “.cheer”) that targets “VMware ESXi servers, a bare-metal hypervisor for creating and running several virtual machines (VMs) that share the same hard drive storage.”  

‍

Endpoint devices have traditionally been the target of attackers, but according to TrendMicro Cheerscrpyt is noteworthy because “compromising ESXi servers has been a scheme used by some notorious cybercriminal groups because it is a means to swiftly spread the ransomware to many devices.”

‍

Goodwill ransomware urges doing good by doing bad

‍

Michael Kan at PC Magazine reports that a ransomware campaign currently infecting victims in India is requesting payment in – wait for it – charitable donations. “As the threat group’s name suggests, the operators are allegedly interested in promoting social justice rather than conventional financial reasons,” Kan quoted a report by security firm CloudSek.

‍

The Verizon 2022 DBIR is now available

‍

The 2022 edition of Verizon’s Data Breach Investigation Report is out, and it provides the typical marathon of eye-popping findings on the state of information security. Most relevant to this article is the executive summary of the ransomware landscape.

‍

“This year Ransomware has continued its upward trend with an almost 13% increase–a rise as big as the last five years combined (for a total of 25% this year). It’s important to remember, Ransomware by itself is really just a model of monetizing an organization’s access. Blocking the four key paths mentioned above helps to block the most common routes Ransomware uses to invade your network.”

‍

Thanks to the reporters and researchers

‍

Shout out to the following people for their original reporting and research referenced in to this week’s Ransomware Roundup. ‍

‍

Jonathan Greig at The Record  for their reporting on Ransomware attack on nonprofit causes data breach of 500,000 students, teachers in Chicago.

• LinkedIn
• Twitter

The Blackberry Threat & Intelligence Team for their research on Yashma Ransomware, Tracing the Chaos Family Tree.

• Website

Tara Seals, previously at Threat Post and now at Dark Reading, for their reporting on Chaos Malware Walks Line Between Ransomware and Wiper.

• LinkedIn
• Twitter

Arianne Dela Cruz, Byron Gelera, McJustine De Guzman and Warren Sto. Tomas at Trend Micro for their research on New Linux-Based Ransomware Cheerscrypt Targets ESXi Devices.

• Arianne Dela Cruz (LinkedIn)
• Byron Gelera (LinkedIn)
• McJustine De Guzman (LinkedIn)
• Warren Sto. Tomas (LinkedIn)

Michael Kan at PC Mag, for their reporting on This Ransomware Demands Victims Donate to the Needy to Free Their PCs.

• LinkedIn
• Twitter