The Week in Ransomware – May 12th 2023 – New Gangs Emerge
This week we have multiple reports of new ransomware families targeting the enterprise, named Cactus and Akira, both increasingly active as they target the enterprise.
The Cactus operation launched in March and has been found to exploit VPN vulnerabilities to gain access to corporate networks.
The encryptor requires an encryption key to be passed on the command line to decrypt the configuration file used by the malware. If the proper configuration key is not passed, the encryptor will terminate, and nothing will be encrypted.
This method is to evade detection by security researchers and antivirus software.
BleepingComputer also reported on the Akira ransomware, a new operation launched in March that quickly amassed sixteen victims on its data leak site.
The Akira operation uses a retro-looking data leak site that requires you to enter commands as if you’re using a Linux shell.
We also learned about new attacks and significant developers in previous ones.
On May 7th, multinational automation firm ABB suffered a Black Basta ransomware attack, disrupting their network and factories.
ABB is the developer of numerous SCADA and industrial control systems (ICS) for energy suppliers and manufacturing, raising concerns about whether data was stolen and what it contained.
News also came out last week that the Money Message ransomware operation published source code belonging to MSI, which contained private keys for Intel Boot Guard.
Binarly warned that these leaked keys could be used to digitally sign UEFI malware that can bypass Intel Boot Guard on MSI devices.
Finally, researchers and law enforcement released new reports:
- A new White Phoenix decryptor can be used to partially recover data encrypted by ransomware using intermittent encryption.
- SentinelOne found that nine different ransomware operations used the leaked Babuk source code to create VMware ESXi encryptors.
- A joint advisory between the FBI and CISA disclosed that the Bl00dy Ransomware gang is exploiting PaperCut servers in the education sector.
Contributors and those who provided new ransomware information and stories this week include: @PolarToffee, @malwrhunterteam, @Ionut_Ilascu, @demonslay335, @struppigel, @malwareforme, @BleepinComputer, @billtoulas, @FourOctets, @serghei, @VK_Intel, @fwosar, @LawrenceAbrams, @Seifreed, @jorntvdw, @DanielGallagher, @LabsSentinel, @BrettCallow, @matrosov, @binarly_io, @Checkmarx, @KrollWire, @yinzlovecyber, and @pcrisk.
May 7th 2023
Meet Akira — A new ransomware operation targeting the enterprise
The new Akira ransomware operation has slowly been building a list of victims as they breach corporate networks worldwide, encrypt files, and then demand million-dollar ransoms.
New Cactus ransomware encrypts itself to evade antivirus
A new ransomware operation called Cactus has been exploiting vulnerabilities in VPN appliances for initial access to networks of “large commercial entities.”
New STOP ransomware variant
PCrisk found a new STOP ransomware variant that appends the .qore extension.
May 8th 2023
Intel investigating leak of Intel Boot Guard private keys after MSI breach
Intel is investigating the leak of alleged private keys used by the Intel Boot Guard security feature, potentially impacting its ability to block the installation of malicious UEFI firmware on MSI devices.
May 9th 2023
New GlobeImposter ransomware variant
PCrisk found a new GlobeImposter ransomware variant that appends the .Suffering extension and drops a ransom note named how_to_back_files.html.
New Solix ransomware
PCrisk found a new ransomware variant that appends the .Solix extension.
New MedusaLocker ransomware
PCrisk found a new ransomware variant that appends the .newlocker extension and drops a ransom note named HOW_TO_RECOVER_DATA.html.
New BrightNite ransomware
PCrisk found a new ransomware variant that appends the .BrightNight extension and drops a ransom note named README.txt.
New STOP ransomware variant
PCrisk found a new STOP ransomware variant that appends the .gash extension.
May 10th 2023
New ransomware decryptor recovers data from partially encrypted files
A new ‘White Phoenix’ ransomware decryptor allows victims to partially recover files encrypted by ransomware strains that use intermittent encryption.
New Xorist ransomware variant
PCrisk found a new Xorist ransomware variant that appends the .SIGSCH extension and drops a ransom note named README_SIGSCH.txt.
New Army Signal ransomware
PCrisk found a new Xorist ransomware variant that appends the .zipp3rs extension.
May 11th 2023
Babuk code used by 9 ransomware gangs to encrypt VMWare ESXi servers
An increasing number of ransomware operations are adopting the leaked Babuk ransomware source code to create Linux encryptors targeting VMware ESXi servers.
Multinational tech firm ABB hit by Black Basta ransomware attack
Swiss multinational company ABB, a leading electrification and automation technology provider, has suffered a Black Basta ransomware attack, reportedly impacting business operations.
New STOP ransomware variant
PCrisk found a new STOP ransomware variant that appends the .gatz extension.
May 12th 2023
FBI: Bl00dy Ransomware targets education orgs in PaperCut attacks
The FBI and CISA issued a joint advisory to warn that the Bl00dy Ransomware gang is now also actively exploiting a PaperCut remote-code execution vulnerability to gain initial access to networks.