Ransomware Roundup: 07.15.22

This week’s round up …

‍

• Doxxed: Because paying for that surgery wasn’t enough
• BlackCat claims credit for Bandai Namco breach
• Ransomware statistics for June are out, and it’s kind of encouraging (narrator: It is not)
• A new player has joined the game: Lilith ransomware
• From North Korea, with love

‍

Doxxed: Because paying for that surgery wasn’t enough

‍

Professional Finance Company issued a statement that a ransomware group was able to access databases holding personal information of patients at 657 healthcare organizations in Feb. 2022. PFC handles payments for many hospitals and the information includes names, addresses and Social Security numbers of account holders.

‍

“PFC found no evidence that personal information has been specifically misused; however, it is possible that the following information could have been accessed by an unauthorized third party: first and last name, address, accounts receivable balance and information regarding payments made to accounts, and, in some cases, date of birth, social security number, and health insurance and medical treatment information,” the company wrote in a statement.

‍

PFC states that they had notified the affected organizations and an investigation is ongoing. However, the Quantum ransomware group has been attributed to the attack.  

‍

BlackCat claims credit for Bandai Namco breach

‍

The malware intelligence group, vx-underground, posted a screenshot on their official Twitter account that shows the (ALPHV) BlackCat ransomware group seemingly taking credit for the Bandai Namco breach that occurred this week.

‍

“On July 3, 2022, Bandai Namco Holdings Inc. confirmed that it experienced an unauthorized access by third party to the internal systems of several Group companies in Asian regions (excluding Japan). After we confirmed the unauthorized access, we have taken measures such as blocking access to the servers to prevent the damage from spreading. In addition, there is a possibility that customer information related to the Toys and Hobby Business in Asian regions (excluding Japan) was included in the servers and PCs, and we are currently identifying the status about existence of leakage, scope of the damage, and investigating the cause,” the company wrote in an official statement.

Bandai Namco is a video game publisher of popular franchises such as Elden Ring, Soulcaliber and Dark Souls.

‍

A new player has joined the game: Lilith ransomware

‍

An independent malware hunter discovered a new ransomware operation, dubbed Lilith, that claimed its first victim in South Africa.

‍

“Lilith is a C/C++ console-based ransomware discovered by JAMESWT and designed for 64-bit versions of Windows. Like most ransomware operations launching today, Lilith performs double-extortions attacks, which is when the threat actors steal data before encrypting devices,” reported Bill Toulas at Bleeping Computer.

‍

Threat Intelligence firm Cyble published a report detailing the technical analysis of Lilith. Admittedly, the RaaS group is in the early days of operations but worth watching.  

‍

From North Korea, with love

‍

The Microsoft Threat Intelligence Security Center (MSTIC) released research detailing the HolyGh0st ransomware group (whom Microsoft tracks as DEV-0530), which has been active since 2021 and is reportedly acting out of North Korea. Attribution is notoriously fraught for malware researchers, but the MSTIC team provides compelling evidence.

‍

“MSTIC assesses there is likely some overlap between DEV-0530 and PLUTONIUM. PLUTONIUM is a North Korean threat actor group affiliated with clusters of activity that are also known as DarkSeoul and Andariel. Active since at least 2014, PLUTONIUM has primarily targeted the energy and defense industries in India, South Korea, and the United States using a variety of tactics and techniques.

‍

“MSTIC has observed known DEV-0530 email accounts communicating with known PLUTONIUM attacker accounts. MSTIC has also observed both groups operating from the same infrastructure set, and even using custom malware controllers with similar names,” the team wrote in their report.

‍

HolyGh0st attempted to legitimize their activities by claiming to help increase victim organizations’ security posture but … you know, extortion.

‍

Thanks to the reporters and researchers

‍

Shout out to the following people for their original reporting and research referenced in this week’s Ransomware Roundup.

‍

Jonathan Greig at The Record - Recorded Future for their reporting on Medical debt collection firm says ransomware attack exposed info on 650+ healthcare orgs and Bandai Namco confirms cyberattack after ransomware group threatens leak.  

• LinkedIn
• Twitter

Sergiu Gatlan at Bleeping Computer for their reporting on Quantum ransomware attack affects 657 healthcare orgs.

• LinkedIn
• Twitter

Adam Janofsky at The Record - Recorded Future for their reporting on Ransomware tracker: the latest figures [July 2022].

• LinkedIn
• Twitter

vx-underground at for their research on vx-underground on Twitter: "ALPHV ransomware group (alternatively referred to as BlackCat ransomware group) claims to have ransomed Bandai Namco.

• Twitter

JAMESWT at for their reporting on JAMESWT on Twitter: "#Ransomware #Lilith.

• Twitter

Bill Toulas at Bleeping Computer for their reporting on New Lilith ransomware emerges with extortion site, lists first victim.

• LinkedIn
• Twitter

Cyble for their research on New Ransomware Groups on the Rise.

• LinkedIn
• Twitter

Microsoft Threat Intelligence Center at Microsoft Threat Intelligence for their research on North Korean threat actor targets small and midsize businesses with H0lyGh0st ransomware - Microsoft Security Blog.

• Twitter