Ransomware Roundup: 07.22.22

Welcome back to this week’s round up…

Ransom City Blues

Corin Faife at The Verge reports that a small Canadian town, St. Marys, Ontario has been hit by the LockBit group. According to the report, most of the essential services in the town of 7,500 were not impacted but screenshots from the leak site show possible impact to finance, health and safety, sewage treatment, property files and public works. St. Marys is unfortunately not alone in this recent spurt of LockBit activity as the town of Frederick, Colorado’s data is also listed as compromised by the group.

School of Hard Knocks

According to a recent Sophos survey of 5,600 IT workers representing 410 colleges and universities across the globe, nearly 75% of these institutions suffered from successful ransomware attacks.

This astounding statistic (unfortunately) shows that higher education institutions are a rich and profitable hunting ground for ransomware groups with a success rate greater than healthcare or even financial services. As attackers run up against better defenses in other market segments, they will look for targets that, for a variety of reasons, do not commit the necessary resources to protecting their infrastructure. If you’ve been in cybersecurity for long enough, this will not come as a surprise – even with specific education-centric discounted programs the adoption of new cybersecurity products and services in education has always lagged other segments.

Twisted Metal

As we’ve written about in previous Ransomware Roundups, ransomware targeting ESXi environments continues to grow.

Ransoming a single endpoint is one thing; targeting the bare-metal hypervisors that host dozens of VMs, or whole clusters of hosts, can take an entire environment down in one stroke. DarkReading has an excellent roundup of the growth in Luna and Black Basta, both of which ship cross-platform builds that target Windows, Linux and ESXi systems. VMware has disclosed several critical vulnerabilities this year, and attackers have been taking advantage of them.

It’s yet to be seen whether the targeting of ESXi is driven solely by the opportunity these vulns have provided or if these groups are intentionally going after a new and lucrative market segment.

Ransomware goes Freemium

Getting traction with a new product in a crowded market is always difficult, which is why Product Led Growth (PLG) has been such a hot topic with SaaS companies over the last few years. So it only makes sense that an up-and-coming group would simply give its ransomware away for free, the catch being that the operators take a cut of every ransom paid. With Redeemer 2.0’s release, the barrier to entry for anyone wanting to kick off a ransomware campaign has never been lower. Plus, the group has stated that if the adoption rate isn’t high enough, they’ll just open source the entire project. What a wonderful new world we’re living in.

Down the Drain

There are reports that the organization that runs the sewer systems in the Providence and Blackstone Valley areas of Rhode Island was hit by an as-yet-undisclosed cyberattack, rumored to be ransomware. While details are scant, the crossover from cyber into physical systems has seemingly been increasing in 2022. Be on the lookout next week as more details come to light.

Thanks to the reporters and researchers

Shout out to the following people for their original reporting and research referenced in this week’s Ransomware Roundup.

https://www.theverge.com/2022/7/22/23274372/st-marys-canada-lockbit-ransomware-cyber-incident

Author: Corin Faife

https://assets.sophos.com/X24WTUEQ/at/pgvqxjrfq4kf7njrncc7b9jp/sophos-state-of-ransomware-education-2022-wp.pdf

Author: Sophos

https://www.darkreading.com/attacks-breaches/snowballing-ransomware-variants-highlight-growing-threat-to-vmware-esxi-environments

Author: Jai Vijayan

https://www.bleepingcomputer.com/news/security/new-redeemer-ransomware-version-promoted-on-hacker-forums/

Author: Bill Toulas

https://www.providencejournal.com/story/news/local/2022/07/16/ri-sewer-system-narragansett-bay-commission-hit-cyber-attack/10076978002/

Author: Paul Edward Parker

Ransomware Roundup: 07.01.22

A conviction in the fight against ransomware, LockBit announces a bug bounty program (seriously) and ransomware is named the greatest cybersecurity threat - surprising no one.


This week’s round up…

  • It seems like a great side hustle … until it lands you in prison
  • The updated version of AstraLocker is looking for a quick payout
  • UK’s NCSC names the greatest cybersecurity threat of our times
  • Vice Society takes down a medical university
  • So, we found a reason to jeer at a bug bounty program
  • CISA offers warning about MedusaLocker

It seems like a great side hustle … until it lands you in prison

A ransomware affiliate pled guilty to charges in an all too rare instance of legal action against a cybercriminal. Jonathan Greig at The Record reported that Sebastien Vachon-Desjardins of Quebec, whom Canada extradited to the United States in March 2022, worked with the NetWalker group to extort a company in Florida.

“United States Attorney for the Middle District of Florida Roger Handberg said Vachon-Desjardins has agreed to plead guilty to four charges: Conspiracy to Commit Computer Fraud, Conspiracy to Commit Wire Fraud, Intentional Damage to a Protected Computer and Transmitting a Demand in Relation to Damaging a Protected Computer,” Greig wrote.

It should be noted that Vachon-Desjardins’ cybercriminal enterprise was a side hustle; he worked full time – wait for it – "for the Canadian government as an IT employee while conducting ransomware attacks on behalf of NetWalker,” Greig reported.

A Canadian court sentenced Vachon-Desjardins to seven years in prison on separate charges in Feb. 2022.  

The updated version of AstraLocker is looking for a quick payout

Lindsey O’Donnell-Welch at Decipher by Duo reported on an updated version of AstraLocker that is delivered directly from malicious Microsoft Office files. According to the article, this is “an unusually quick delivery method leading researchers to believe that the threat actor behind the ransomware is solely interested in making a big impact and receiving a quick payout.”

“Typically, affiliate threat actors avoid pushing ransomware early, opting instead to push files that allow them to expand their reach within the target environment,” O'Donnell-Welch quoted Joseph Edwards, a researcher with ReversingLabs. “Ransomware almost invariably is deployed last, after compromising the victim's Domain Controller(s), which enables the cybercriminals to use the domain controller (for example: Active Directory) to deploy a group policy object and encrypt all hosts in the affected domains.”
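The GPO deployment step Edwards describes leaves a durable artifact behind: a Group Policy Preferences ScheduledTasks.xml in SYSVOL that pushes an executable to every machine in the policy’s scope. The Python hunt below is an added example for this roundup, not code from ReversingLabs, Decipher or Halcyon. It parses such files and flags the combination a responder cares about (an immediate task, running as SYSTEM, launching a binary from a network share or an unusual path). The XML is constructed for illustration; its GUIDs, host names and paths are assumptions, not observed indicators.

```python
"""Hunt Group Policy Preference scheduled tasks in SYSVOL for ransomware push
artifacts. Added example; not ReversingLabs, Decipher or Halcyon code."""
import sys
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from pathlib import Path
from typing import Iterator

# Constructed sample ScheduledTasks.xml in the GPP schema. The GUIDs, host
# and paths are illustrative assumptions. The first task is what a
# post-DC-compromise push looks like; the second is a benign admin task.
SAMPLE_SCHEDULED_TASKS_XML = r"""<ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">
  <ImmediateTaskV2 clsid="{9756B581-76EC-4169-9AFC-0CA8D43ADB5F}" name="Updater"
      changed="2022-06-30 01:12:44" uid="{A1B2C3D4-0000-1111-2222-333344445555}">
    <Properties action="C" name="Updater" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3">
        <Actions Context="Author">
          <Exec>
            <Command>\\corp.example\netlogon\svc.exe</Command>
            <Arguments>-s -f</Arguments>
          </Exec>
        </Actions>
      </Task>
    </Properties>
  </ImmediateTaskV2>
  <TaskV2 clsid="{D8896631-B747-47a7-84A6-C155337F3BC8}" name="Nightly backup"
      changed="2021-03-02 09:00:00" uid="{0F0F0F0F-1111-2222-3333-444444444444}">
    <Properties action="U" name="Nightly backup" runAs="CORP\svc-backup" logonType="Password">
      <Task version="1.3">
        <Actions Context="Author">
          <Exec>
            <Command>C:\Program Files\Acme Backup\backup.exe</Command>
            <Arguments>/nightly</Arguments>
          </Exec>
        </Actions>
      </Task>
    </Properties>
  </TaskV2>
</ScheduledTasks>
"""

# Locations a pushed binary is normally allowed to live; tune per environment.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
INTERPRETERS = ("powershell", "pwsh", "cmd.exe", "wscript", "cscript", "mshta",
                "rundll32", "regsvr32")


@dataclass
class GpoTask:
    source: str
    kind: str        # element name: ImmediateTaskV2, TaskV2, ...
    name: str
    run_as: str
    command: str
    arguments: str
    reasons: list = field(default_factory=list)


def parse_scheduled_tasks(xml_text: str, source: str = "<inline>") -> list[GpoTask]:
    """Return one GpoTask per <Exec> action found in a GPP ScheduledTasks.xml."""
    tasks = []
    for node in ET.fromstring(xml_text):
        props = node.find("Properties")
        if props is None:
            continue
        for exec_node in props.iter("Exec"):
            tasks.append(GpoTask(
                source=source, kind=node.tag, name=node.get("name", ""),
                run_as=props.get("runAs", ""),
                command=exec_node.findtext("Command", default="").strip(),
                arguments=exec_node.findtext("Arguments", default="").strip()))
    return tasks


def assess(task: GpoTask) -> list[str]:
    """Attach plain-language reasons to a task; an empty list means nothing stood out."""
    reasons = []
    cmd = task.command.strip('"').lower()
    if task.kind == "ImmediateTaskV2":
        reasons.append("immediate task: runs once on the next policy refresh on every host in scope")
    if "system" in task.run_as.lower():
        reasons.append("runs as SYSTEM")
    if cmd.startswith("\\\\"):
        reasons.append("executable served from a UNC path")
    elif cmd and not cmd.startswith(TRUSTED_PREFIXES):
        # %SystemRoot%-style variables are not expanded here and land in this bucket.
        reasons.append("executable outside Windows and Program Files")
    if any(tok in cmd for tok in INTERPRETERS):
        reasons.append("script host or LOLBin used as the task command")
    task.reasons = reasons
    return reasons


def hunt_sysvol(sysvol_root: Path) -> Iterator[GpoTask]:
    """Walk a mounted SYSVOL (or an offline copy) and yield tasks with at least one reason."""
    for xml_path in sysvol_root.rglob("ScheduledTasks.xml"):
        text = xml_path.read_text(encoding="utf-8-sig")  # GPP files usually carry a BOM
        for task in parse_scheduled_tasks(text, str(xml_path)):
            if assess(task):
                yield task


def main(argv):
    if len(argv) > 1:
        findings = list(hunt_sysvol(Path(argv[1])))
    else:
        findings = [t for t in parse_scheduled_tasks(SAMPLE_SCHEDULED_TASKS_XML) if assess(t)]
    for t in findings:
        print(f"[{t.kind}] '{t.name}' in {t.source}: {t.command} {t.arguments} (runAs={t.run_as})")
        for reason in t.reasons:
            print("   -", reason)


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no arguments to see the constructed sample scored, or point it at a copy of `\\<dc>\SYSVOL\<domain>\Policies` to sweep every GPO. The heuristics are deliberately simple: an immediate task that runs a binary from a share as SYSTEM is rare in legitimate administration and is exactly the shape of the push Edwards describes, while a scheduled task that launches a vendor tool from Program Files under a service account produces no findings.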

UK’s NCSC names the greatest cybersecurity threat of our times

The United Kingdom’s National Cyber Security Centre declared ransomware the greatest global cybersecurity threat. Danny Palmer at ZDNet reported that “the volume of ransomware has risen significantly with the amount of detected activity in the first quarter of 2022 more than three times what was detected during the same period last year.”

"Even with a war raging in Ukraine – the biggest global cyber threat we still face is ransomware. That tells you something of the scale of the problem. Ransomware attacks strike hard and fast. They are evolving rapidly, they are all-pervasive, they're increasingly offered by gangs as a service, lowering the bar for entry into cyber crime," Palmer quoted Lindy Cameron, CEO of the NCSC.

Vice Society takes down a medical university

Vice Society – the group that claimed responsibility for extorting the Italian city of Palermo – scored another victim this week. Bill Toulas at Bleeping Computer reports that the cybercriminal group attacked the Medical University of Innsbruck, which “caused severe IT service disruption and the alleged theft of data.”

“On June 21, 2022, the university's IT team proceeded to reset all 3,400 students' and 2,200 employees' account passwords and called everyone to go through a manual process of personally collecting their new credentials.

“In the days that followed, the university gradually restored its online services and returned operations to its main site, which had previously been initially taken offline,” Toulas reported.

Vice Society has been particularly active lately; its recent victims include “a college in the UK, a hospital in Italy, and two universities in the UK. This makes the Medical University of Innsbruck the fifth disclosed European victim of Vice in the past month,” according to Toulas.

So, we found a reason to jeer at a bug bounty program

Usually, the launch of a bug bounty program is a cause for celebration. Unless a ransomware gang announces it, in which case … disgusting.

Adam Janofsky at The Record by Recorded Future reported that the LockBit gang recently released the third version of its ransomware and a new bug bounty program, which ostensibly seeks to crowdsource the improvement of the malware – again, disgusting.

“Although few details were provided about technical changes to the ransomware-as-a-service operation, the group said it was inviting all security researchers and hackers to participate in its bug bounty program, which allegedly offers rewards ranging from $1,000 to $1 million. The group is seeking website bugs, locker errors, and ideas to improve the group’s software, among other things. A $1 million bounty is reserved for discovering the true name of the affiliate program manager, known as LockBitSupp,” Janofsky reported.

CISA offers warning about MedusaLocker

The United States Cybersecurity & Infrastructure Security Agency (CISA) released a #StopRansomware alert about MedusaLocker. The RaaS gang leans on a narrow set of initial access vectors, and the CISA notice includes indicators of compromise, MITRE ATT&CK techniques and mitigation details to help organizations reduce the risk of infection.

“Observed as recently as May 2022, MedusaLocker actors predominantly rely on vulnerabilities in Remote Desktop Protocol (RDP) to access victims’ networks,” CISA wrote in the alert.
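Because MedusaLocker’s initial access leans on RDP, the cheapest detection is the one CISA’s mitigations imply: watch for a burst of failed logons from one source address followed by a success from the same address. The Python below is an added example, not code from CISA or Halcyon. It runs a sliding window over constructed Security-log records (event IDs 4625 and 4624; the IPs, account names and timestamps are made up) and escalates an alert when the brute-forcing source later logs on successfully over RDP. One caveat worth building in: with Network Level Authentication in front of RDP, failed attempts are recorded as logon type 3 (network) rather than type 10 (RemoteInteractive), so the detector counts both.

```python
"""Sliding-window detector for RDP credential brute forcing followed by a
successful logon. Added example; not CISA or Halcyon code."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


# Record shape is an assumption: a CSV export of the Security log with
# timestamp, EventID, LogonType, TargetUserName, IpAddress, Status.
@dataclass
class LogonEvent:
    ts: datetime
    event_id: int
    logon_type: int
    user: str
    src_ip: str
    status: str


@dataclass
class Alert:
    src_ip: str
    first_seen: datetime
    last_seen: datetime
    failures: int
    users: set = field(default_factory=set)
    success_user: Optional[str] = None
    severity: str = "medium"

    @property
    def distinct_users(self) -> int:
        """Many accounts from one source is a spray; one account is a classic brute force."""
        return len(self.users)


def constructed_sample() -> str:
    """Made-up records: 12 failures in under 3 minutes from 203.0.113.7 against three
    accounts, then an RDP success as 'backup'; plus a user who fat-fingered once."""
    base = datetime(2022, 6, 28, 2, 0, 0)
    users = ["administrator", "admin", "backup"]
    lines = [f"{(base + timedelta(seconds=15 * i)).isoformat()}Z,4625,3,{users[i % 3]},203.0.113.7,0xc000006d"
             for i in range(12)]
    lines.append(f"{(base + timedelta(minutes=4)).isoformat()}Z,4624,10,backup,203.0.113.7,0x0")
    lines.append(f"{(base + timedelta(minutes=30)).isoformat()}Z,4625,10,jdoe,198.51.100.5,0xc000006a")
    lines.append(f"{(base + timedelta(minutes=31)).isoformat()}Z,4624,10,jdoe,198.51.100.5,0x0")
    return "\n".join(lines)


def parse_events(text: str) -> list[LogonEvent]:
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, eid, ltype, user, ip, status = [f.strip() for f in line.split(",")]
        events.append(LogonEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                 int(eid), int(ltype), user.lower(), ip, status))
    return events


def detect_rdp_bruteforce(events, threshold: int = 10,
                          window: timedelta = timedelta(minutes=10)) -> list[Alert]:
    """One Alert per source IP that exceeds `threshold` failed logons inside `window`.
    Failed RDP attempts are type 10, or type 3 when NLA fronts RDP, so both count.
    A later 4624 type 10 from the same source escalates the alert to high."""
    recent = defaultdict(deque)        # src_ip -> timestamps of failures inside the window
    seen_users = defaultdict(set)      # src_ip -> account names attempted
    alerts: dict = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.event_id == 4625 and e.logon_type in (3, 10):
            q = recent[e.src_ip]
            q.append(e.ts)
            while e.ts - q[0] > window:
                q.popleft()
            seen_users[e.src_ip].add(e.user)
            alert = alerts.get(e.src_ip)
            if alert is None and len(q) >= threshold:
                alerts[e.src_ip] = Alert(e.src_ip, q[0], e.ts, len(q))
            elif alert is not None:
                alert.failures += 1
                alert.last_seen = e.ts
        elif e.event_id == 4624 and e.logon_type == 10 and e.src_ip in alerts:
            alert = alerts[e.src_ip]
            alert.success_user = e.user
            alert.severity = "high"
            alert.last_seen = e.ts
    for ip, alert in alerts.items():
        alert.users = seen_users[ip]
    return list(alerts.values())


def main():
    for a in detect_rdp_bruteforce(parse_events(constructed_sample())):
        print(f"{a.severity.upper()} {a.src_ip}: {a.failures} failed logons against "
              f"{a.distinct_users} account(s) {a.first_seen:%H:%M:%S}-{a.last_seen:%H:%M:%S}; "
              f"success as {a.success_user or 'none'}")


if __name__ == "__main__":
    main()
```

The threshold and window are starting points, not tuning advice: a source that trips the failure threshold is worth a ticket, but a source that trips it and then logs on is the signal to pull the host off the network before encryption starts, which is why the successful logon changes the severity rather than creating a second alert.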

Thanks to the reporters and researchers

Shout out to the following people for their original reporting and research referenced in this week’s Ransomware Roundup.

Jonathan Greig at The Record - Recorded Future for their reporting on Netwalker ransomware affiliate agrees to plead guilty to hacking charges.  

Catalin Cimpanu at The Record - Recorded Future for their reporting on NetWalker ransomware affiliate sentenced to seven years in prison.

Lindsey O’Donnell-Welch at Decipher by Duo for their reporting on AstraLocker Ransomware Spread in ‘Smash and Grab’ Attacks.

Joseph Edwards at ReversingLabs for their research on Smash-and-grab: AstraLocker 2.0 pushes ransomware direct from Office docs.

Danny Palmer at ZDNet for their reporting on Ransomware is the biggest global cyber threat. And the attacks are still evolving.

Bill Toulas at Bleeping Computer for their reporting on Vice Society claims ransomware attack on Med. University of Innsbruck.

Adam Janofsky at The Record - Recorded Future for their reporting on LockBit adds a bug bounty program in its revamped ransomware-as-a-service operation.

Cybersecurity & Infrastructure Security Agency for their #StopRansomware: MedusaLocker alert.

Ransomware Roundup: 07.15.22

Well, turns out Bandai Namco got popped by BlackCat, patients trying to pay for their health procedures had their PII leaked, and June was a better month for ransomware defenders.


This week’s round up …

  • Doxxed: Because paying for that surgery wasn’t enough
  • BlackCat claims credit for Bandai Namco breach
  • Ransomware statistics for June are out, and it’s kind of encouraging (narrator: It is not)
  • A new player has joined the game: Lilith ransomware
  • From North Korea, with love

Doxxed: Because paying for that surgery wasn’t enough

Professional Finance Company issued a statement that a ransomware group was able to access databases holding personal information of patients at 657 healthcare organizations in Feb. 2022. PFC handles payments for many hospitals and the information includes names, addresses and Social Security numbers of account holders.

“PFC found no evidence that personal information has been specifically misused; however, it is possible that the following information could have been accessed by an unauthorized third party: first and last name, address, accounts receivable balance and information regarding payments made to accounts, and, in some cases, date of birth, social security number, and health insurance and medical treatment information,” the company wrote in a statement.

PFC states that it has notified the affected organizations and that the investigation is ongoing. The attack has since been attributed to the Quantum ransomware group.

BlackCat claims credit for Bandai Namco breach

The malware intelligence group vx-underground posted a screenshot on its official Twitter account showing the ALPHV (BlackCat) ransomware group apparently taking credit for the Bandai Namco breach disclosed this week.

“On July 3, 2022, Bandai Namco Holdings Inc. confirmed that it experienced an unauthorized access by third party to the internal systems of several Group companies in Asian regions (excluding Japan). After we confirmed the unauthorized access, we have taken measures such as blocking access to the servers to prevent the damage from spreading. In addition, there is a possibility that customer information related to the Toys and Hobby Business in Asian regions (excluding Japan) was included in the servers and PCs, and we are currently identifying the status about existence of leakage, scope of the damage, and investigating the cause,” the company wrote in an official statement.

Bandai Namco is the video game publisher behind popular franchises such as Elden Ring, Soulcalibur and Dark Souls.

A new player has joined the game: Lilith ransomware

An independent malware hunter discovered a new ransomware operation, dubbed Lilith, that claimed its first victim in South Africa.

“Lilith is a C/C++ console-based ransomware discovered by JAMESWT and designed for 64-bit versions of Windows. Like most ransomware operations launching today, Lilith performs double-extortions attacks, which is when the threat actors steal data before encrypting devices,” reported Bill Toulas at Bleeping Computer.

Threat Intelligence firm Cyble published a report detailing the technical analysis of Lilith. Admittedly, the RaaS group is in the early days of operations but worth watching.  

From North Korea, with love

The Microsoft Threat Intelligence Center (MSTIC) released research detailing the H0lyGh0st ransomware group (which Microsoft tracks as DEV-0530), active since 2021 and reportedly operating out of North Korea. Attribution is notoriously fraught for malware researchers, but the MSTIC team provides compelling evidence.

“MSTIC assesses there is likely some overlap between DEV-0530 and PLUTONIUM. PLUTONIUM is a North Korean threat actor group affiliated with clusters of activity that are also known as DarkSeoul and Andariel. Active since at least 2014, PLUTONIUM has primarily targeted the energy and defense industries in India, South Korea, and the United States using a variety of tactics and techniques.

“MSTIC has observed known DEV-0530 email accounts communicating with known PLUTONIUM attacker accounts. MSTIC has also observed both groups operating from the same infrastructure set, and even using custom malware controllers with similar names,” the team wrote in their report.

H0lyGh0st attempted to legitimize its activities by claiming to help improve victim organizations’ security posture but … you know, extortion.

Thanks to the reporters and researchers

Shout out to the following people for their original reporting and research referenced in this week’s Ransomware Roundup.

Jonathan Greig at The Record - Recorded Future for their reporting on Medical debt collection firm says ransomware attack exposed info on 650+ healthcare orgs and Bandai Namco confirms cyberattack after ransomware group threatens leak.  

Sergiu Gatlan at Bleeping Computer for their reporting on Quantum ransomware attack affects 657 healthcare orgs. 

Adam Janofsky at The Record - Recorded Future for their reporting on Ransomware tracker: the latest figures [July 2022].

vx-underground on Twitter for their post: "ALPHV ransomware group (alternatively referred to as BlackCat ransomware group) claims to have ransomed Bandai Namco."

JAMESWT on Twitter for their post: "#Ransomware #Lilith."

Bill Toulas at Bleeping Computer for their reporting on New Lilith ransomware emerges with extortion site, lists first victim. 

Cyble for their research on New Ransomware Groups on the Rise.

Microsoft Threat Intelligence Center for their research on North Korean threat actor targets small and midsize businesses with H0lyGh0st ransomware (Microsoft Security Blog).

Ransomware Roundup: 07.08.22

AstraLocker author is probably, possibly, maybe leaving ransomware for cryptojacking. Feds warn of Maui … from North Korea. The new version of Hive is 100% Rustier.


This week’s round up …

  • AstraLocker calls it quits … on ransomware, not cybercrime
  • Fed warns of Maui ransomware – plot twist: it’s North Korean, not Hawaiian
  • Attackers are adopting Brute (Ratel) force tactics
  • Hive gets Rusty

AstraLocker calls it quits … on ransomware, not cybercrime

The AstraLocker developer told BleepingComputer that they are “done with ransomware for now. I'm going in cryptojaking lol." This comes on the heels of a recent campaign in which they were infecting computers directly from malicious Microsoft Word attachments.

There have been recent reports that the effect of inflation on cryptocurrency markets is tarnishing the shine of ransomware for cybercriminals, which may have provided some motivation for the change.

“The widespread fall has forced cybercriminals to recalculate their ransoms, security professionals say, and has pushed out of business some of the services that handle their ill-gotten gains, such as dark web crypto-swapping marketplaces. It's also accelerating a preexisting shift toward crimes such as malware attacks and corporate phishing scams that target actual dollars, rather than crypto,” Bree Fowler at CNet reported.

This shines a dubious light on the AstraLocker developer’s claims of getting into cryptojacking, but good judgment amongst criminals is generally in short supply.

Fed warns of Maui ransomware – plot twist: it is North Korean, not Hawaiian

Several federal agencies in the United States released a cybersecurity advisory of the Maui ransomware that targets healthcare organizations and is alleged to be sponsored by the government of North Korea. The nation is under heavy sanctions, which makes generating revenue difficult for the totalitarian regime.

“The warning is the starkest alert to date that North Korea, which the U.S. has long alleged uses its hackers to raise money for state programs like its nuclear weapons development, has turned to locking up essential American services as a new way to generate money for the state,” Kevin Collier at NBC News reports.

The joint alert posted by the U.S. Cybersecurity & Infrastructure Security Agency, the Federal Bureau of Investigation and the Department of the Treasury urges victims to refrain from paying the ransom “as doing so does not guarantee files and records will be recovered and may pose sanctions risks.”

Attackers are adopting Brute (Ratel) force tactics

Lawrence Abrams at Bleeping Computer reports on malicious actors switching from Cobalt Strike, a long-time favorite, to Brute Ratel as their post-exploitation kit of choice. Abrams cites research from Palo Alto Networks’ Unit 42, which finds that the tool is potentially disastrous in the hands of ransomware groups.

“Instead, this tool is uniquely dangerous in that it was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities. Its effectiveness at doing so can clearly be witnessed by the aforementioned lack of detection across vendors on VirusTotal,” the researchers wrote in the report.

Hive gets Rusty

A report by the Microsoft Threat Intelligence Center found that the Ransomware-as-a-Service group Hive is taking a page from BlackCat’s playbook and has migrated its payload to the Rust programming language. Hive was previously written in Go; according to Microsoft, Rust gives the operators memory safety and fine-grained control over low-level resources, and Rust binaries are comparatively harder to analyze and reverse engineer.

“The upgrades in the latest variant are effectively an overhaul: the most notable changes include a full code migration to another programming language and the use of a more complex encryption method. The impact of these updates is far-reaching, considering that Hive is a RaaS payload that Microsoft has observed in attacks against organizations in the healthcare and software industries by large ransomware affiliates like DEV-0237,” MSTIC wrote in the report.

Thanks to the reporters and researchers

Shout out to the following people for their original reporting and research referenced in this week’s Ransomware Roundup.

Sergiu Gatlan at Bleeping Computer for their reporting on AstraLocker ransomware shuts down and releases decryptors.

Bree Fowler at CNet for their reporting on Crypto Crash Rattles Cybercriminals, Pushing Them Beyond Ransomware.

Kevin Collier at NBC News for their reporting on North Korea is targeting hospitals with ransomware, U.S. agencies warn.

Lawrence Abrams at Bleeping Computer for their reporting on Ransomware, hacking groups move from Cobalt Strike to Brute Ratel.

Mike Harbison at Unit 42 for their research on Brute Ratel C4 Red Teaming Tool Being Abused by Malicious Actors.

Peter Renals at Unit 42 for their research on Brute Ratel C4 Red Teaming Tool Being Abused by Malicious Actors.

Microsoft Threat Intelligence Center for their research on Hive ransomware gets upgrades in Rust.

The Halcyon Platform

Halcyon is the industry’s first dedicated, adaptive security platform focused specifically on stopping ransomware attacks. Halcyon is built by offensive security experts to stop attackers. Our platform is a lightweight agent that combines multiple proprietary advanced prevention engines along with AI models trained solely on ransomware.
