Ransomware gangs continue to evolve their operations as victims refuse to pay ransoms due to sanctions or other reasons.
This is illustrated by Evil Corp no longer rebranding its Hades ransomware for attacks and instead deploying LockBit to evade sanctions imposed by the US government.
The newer Industrial Spy group also began applying greater pressure on victims by hacking their websites to display ransom notes.
New intelligence continues to come from the Conti Leaks, with researchers revealing that the ransomware gang was working on exploits for the Intel Management Engine to plant bootkits and malicious firmware.
Finally, we saw increased attacks this month, with the Clop gang revealing new victims, Foxconn confirming our report of a LockBit ransomware attack in May 2022, and Costa Rica now being targeted by the Hive ransomware.
The Hive affiliate behind the Costa Rica attack is believed to be the same person currently posting on the Conti data leak site.
Contributors and those who provided new ransomware information and stories this week include: @serghei, @Seifreed, @malwareforme, @LawrenceAbrams, @billtoulas, @DanielGallagher, @malwrhunterteam, @BleepinComputer, @Ionut_Ilascu, @jorntvdw, @demonslay335, @PolarToffee, @fwosar, @VK_Intel, @struppigel, @FourOctets, @NCCGroupInfosec, @BrettCallow, @IBMSecurity, @eclypsium, @Mandiant, and @pcrisk.
May 28th 2022
Clop ransomware gang is back, hits 21 victims in a single month
After effectively shutting down their entire operation for several months, between November and February, the Clop ransomware gang is now back, according to NCC Group researchers.
May 30th 2022
New STOP ransomware variants
PCrisk found new STOP ransomware variants that append the .ewdf, .uihj, or .zfdv extensions to encrypted files.
May 31st 2022
Costa Rica’s public health agency hit by Hive ransomware
All computer systems on the network of Costa Rica’s public health service (known as the Costa Rican Social Security Fund, or CCSS) are now offline following a Hive ransomware attack that hit them this morning.
New Phobos variant
PCrisk found a new Phobos variant that appends the .decrypt extension and drops ransom notes named info.txt and info.hta.
New VoidCrypt MoonShadow variant
PCrisk found a new VoidCrypt variant named MoonShadow that appends the .moonshadow extension and drops ransom notes named Decryption-Guide.HTA and Decryption-Guide.txt.
New Dharma ransomware variant
PCrisk found a new Dharma ransomware variant that appends the .r3tr0 extension.
June 1st 2022
Ransomware attacks need less than four days to encrypt systems
The duration of ransomware attacks in 2021 averaged 92.5 hours, measured from initial network access to payload deployment. In 2020, ransomware actors spent an average of 230 hours to complete their attacks and 1637.6 hours in 2019.
US govt: Paying Karakurt extortion ransoms won’t stop data leaks
Several U.S. federal agencies warned organizations today against paying ransom demands made by the Karakurt gang since that will not prevent their stolen data from being sold to others.
June 2nd 2022
Foxconn confirms ransomware attack disrupted production in Mexico
Electronics manufacturer Foxconn has confirmed that one of its Mexico-based production plants was impacted by a ransomware attack in late May.
Conti ransomware targeted Intel firmware for stealthy attacks
Researchers analyzing the leaked chats of the notorious Conti ransomware operation have discovered that teams inside the Russian cybercrime group were actively developing firmware hacks.
Ransomware gang now hacks corporate websites to show ransom notes
A ransomware gang is taking extortion to a new level by hacking corporate websites to publicly display ransom notes.
Evil Corp switches to LockBit ransomware to evade sanctions
The Evil Corp cybercrime group has now switched to deploying LockBit ransomware on targets’ networks to evade sanctions imposed by the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC).