The Week in Ransomware – May 12th 2023 – New Gangs Emerge

This week we have multiple reports of new ransomware families targeting the enterprise, named Cactus and Akira, both increasingly active as they target the enterprise.

The Cactus operation launched in March and has been found to exploit VPN vulnerabilities to gain access to corporate networks.

The encryptor requires an encryption key to be passed on the command line to decrypt the configuration file used by the malware. If the proper configuration key is not passed, the encryptor will terminate, and nothing will be encrypted.

This method is to evade detection by security researchers and antivirus software.

BleepingComputer also reported on the Akira ransomware, a new operation launched in March that quickly amassed sixteen victims on its data leak site.

The Akira operation uses a retro-looking data leak site that requires you to enter commands as if you’re using a Linux shell.

Akira data leak site
Source: BleepingComputer

We also learned about new attacks and significant developers in previous ones.

On May 7th, multinational automation firm ABB suffered a Black Basta ransomware attack, disrupting their network and factories.

ABB is the developer of numerous SCADA and industrial control systems (ICS) for energy suppliers and manufacturing, raising concerns about whether data was stolen and what it contained.

News also came out last week that the Money Message ransomware operation published source code belonging to MSI, which contained private keys for Intel Boot Guard.

Binarly warned that these leaked keys could be used to digitally sign UEFI malware that can bypass Intel Boot Guard on MSI devices.

Finally, researchers and law enforcement released new reports:

A new White Phoenix decryptor can be used to partially recover data encrypted by ransomware using intermittent encryption.
SentinelOne found that nine different ransomware operations used the leaked Babuk source code to create VMware ESXi encryptors.
A joint advisory between the FBI and CISA disclosed that the Bl00dy Ransomware gang is exploiting PaperCut servers in the education sector.

Contributors and those who provided new ransomware information and stories this week include: @PolarToffee, @malwrhunterteam, @Ionut_Ilascu, @demonslay335, @struppigel, @malwareforme, @BleepinComputer, @billtoulas, @FourOctets, @serghei, @VK_Intel, @fwosar, @LawrenceAbrams, @Seifreed, @jorntvdw, @DanielGallagher, @LabsSentinel, @BrettCallow, @matrosov, @binarly_io, @Checkmarx, @KrollWire, @yinzlovecyber, and @pcrisk.

May 7th 2023

Meet Akira — A new ransomware operation targeting the enterprise

The new Akira ransomware operation has slowly been building a list of victims as they breach corporate networks worldwide, encrypt files, and then demand million-dollar ransoms.

New Cactus ransomware encrypts itself to evade antivirus

A new ransomware operation called Cactus has been exploiting vulnerabilities in VPN appliances for initial access to networks of “large commercial entities.”

New STOP ransomware variant

PCrisk found a new STOP ransomware variant that appends the .qore extension.

May 8th 2023

Intel investigating leak of Intel Boot Guard private keys after MSI breach

Intel is investigating the leak of alleged private keys used by the Intel Boot Guard security feature, potentially impacting its ability to block the installation of malicious UEFI firmware on MSI devices.

May 9th 2023

New GlobeImposter ransomware variant

PCrisk found a new GlobeImposter ransomware variant that appends the .Suffering extension and drops a ransom note named how_to_back_files.html.

New Solix ransomware

PCrisk found a new ransomware variant that appends the .Solix extension.

New MedusaLocker ransomware

PCrisk found a new ransomware variant that appends the .newlocker extension and drops a ransom note named HOW_TO_RECOVER_DATA.html.

New BrightNite ransomware

PCrisk found a new ransomware variant that appends the .BrightNight extension and drops a ransom note named README.txt.

New STOP ransomware variant

PCrisk found a new STOP ransomware variant that appends the .gash extension.

May 10th 2023

New ransomware decryptor recovers data from partially encrypted files

A new ‘White Phoenix’ ransomware decryptor allows victims to partially recover files encrypted by ransomware strains that use intermittent encryption.

New Xorist ransomware variant

PCrisk found a new Xorist ransomware variant that appends the .SIGSCH extension and drops a ransom note named README_SIGSCH.txt.

New Army Signal ransomware

PCrisk found a new Xorist ransomware variant that appends the .zipp3rs extension.

May 11th 2023

Babuk code used by 9 ransomware gangs to encrypt VMWare ESXi servers

An increasing number of ransomware operations are adopting the leaked Babuk ransomware source code to create Linux encryptors targeting VMware ESXi servers.

Multinational tech firm ABB hit by Black Basta ransomware attack

Swiss multinational company ABB, a leading electrification and automation technology provider, has suffered a Black Basta ransomware attack, reportedly impacting business operations.

New STOP ransomware variant

PCrisk found a new STOP ransomware variant that appends the .gatz extension.

May 12th 2023

FBI: Bl00dy Ransomware targets education orgs in PaperCut attacks

The FBI and CISA issued a joint advisory to warn that the Bl00dy Ransomware gang is now also actively exploiting a PaperCut remote-code execution vulnerability to gain initial access to networks.

That’s it for this week! Hope everyone has a nice weekend!

Comments

Hmm888 – 4 days ago
Ransomware attacks should dramatically increase since it’s common practise to pay the ransom amounts.
Mike_Walsh – 4 days ago
It’s all very depressing, isn’t it? I know they say that money makes the world go round, but HONESTLY…..

(*shakes head in amazement*)
EndangeredPootisBird – 3 days ago
Cyberattacks are the biggest threat to any nation, which should be evident by the thousands of companies being breached and millions of devices infected every year, and yet politicians keep turning a blind eye towards it with stop-gap solution’s that barely helps at all, they just never get aggressive enough and implement actual requirements for both home’s and businesses to get any real results.
LIstrong – 3 days ago
Too many bad actors and unqualified in cyber. Even big business and government has malevolent vendors and staff, so how can they expect anyone else to get it right? If the government wanted to stop ransomware they could. Problem is they like the back doors and crypto too much. Surveillance is more important than a functioning economy or national security. This is also why big business and government hire tech illiterate into cyber roles. They need a certain level of ignorance in order for them to get away with controlled leakage funny business. When a bank or utility gets hit with ransomware and cannot recover quickly, all this fun and games will end super quick and they’ll stop ransomware just like that. Dysfunction is like an elevator ride. You can get off at any floor, except if you are the USA where we like to ride it to the sub-basement.