This week has been filled with research reports and news of significant attacks having a wide impact on many organizations.
Last week, Rackspace suffered a massive outage on their hosted Microsoft Exchange environment, preventing customers from accessing their email. On Tuesday, Rackspace finally confirmed everyone’s fears that a ransomware attack caused the outage.
Rackspace has not provided any details on the attack, including the ransomware operation behind it and if the threat actors stole data.
However, today they began warning customers to be on the lookout for targeted phishing emails and to monitor their credit reports and banking account statements for suspicious activity. This warning could indicate that the ransomware operation likely stole data in the attack.
Another attack, against New Zealand MSP Mercury IT, has also led to a series of outages for its customers, many of which are local governments in the country.
A ransomware attack on the André-Mignot teaching hospital in Paris has also led to significant disruption, causing some patients to be rerouted to other hospitals.
We also saw some interesting research by cybersecurity firms and the U.S. government this week:
Finally, Brian Krebs had a very interesting report on new tactics used by the Venus and Clop ransomware gangs to breach networks and convince victims to pay.
Contributors and those who provided new ransomware information and stories this week include: @struppigel, @PolarToffee, @Seifreed, @fwosar, @DanielGallagher, @BleepinComputer, @Ionut_Ilascu, @LawrenceAbrams, @jorntvdw, @demonslay335, @billtoulas, @FourOctets, @VK_Intel, @serghei, @malwrhunterteam, @malwareforme, @pcrisk, @Unit42_Intel, @Fortinet, @briankrebs, @morphisec, @smgoreli, and @Phylum_IO.
December 5th 2022
The André-Mignot teaching hospital in the suburbs of Paris had to shut down its phone and computer systems because of a ransomware attack that occurred on Saturday evening.
In the last issue of our Ransomware Roundup series, we discussed a publicly available open-source ransomware toolkit called Cryptonite. As part of that investigation, we also discovered a Cryptonite sample in the wild that never offers the decryption window, instead acting as a wiper. We recently saw an increase in ransomware intentionally turned into wiper malware, primarily as part of a political campaign. So in this post, we take a closer look at the Cryptonite wiper sample.
There has been a cyber security incident involving a ransomware attack on Mercury IT. Mercury IT provides a wide range of IT services to customers across New Zealand.
PCrisk found a HiddenTear variant called Puspa2 that appends the .puspa2#mejukeni7sala029 extension and drops a ransom note named XXX_HELLO’S_READ_ME._txt.
PCrisk found new STOP ransomware variants that append the .mppn or .mbtf extensions to encrypted files.
December 6th 2022
Texas-based cloud computing provider Rackspace has confirmed today that a ransomware attack is behind an ongoing Hosted Exchange outage described as an “isolated disruption.”
Vice Society is a ransomware gang that has been involved in high-profile activity against schools this year. Unlike many other ransomware groups such as LockBit that follow a typical ransomware-as-a-service (RaaS) model, Vice Society’s operations are different in that they’ve been known for using forks of pre-existing ransomware families in their attack chain that are sold on DarkWeb marketplaces. These include the HelloKitty (aka FiveHands) and Zeppelin strains of ransomware as opposed to Vice Society developing their own custom payload.
During November, Morphisec identified a brand-new variant of Babuk ransomware while investigating a customer’s prevention event. Babuk was first discovered at the beginning of 2021, when it began targeting businesses to steal and encrypt data in double-extortion attacks. Later in the year, a threat actor leaked the complete source code for Babuk on a Russian-speaking hacking forum.
PCrisk found a new ransomware variant that appends the .OBZ extension and drops a ransom note named ReadMe.txt.
December 8th 2022
CommonSpirit Health has confirmed that threat actors accessed the personal data for 623,774 patients during an October ransomware attack.
The U.S. Department of Health and Human Services (HHS) issued a new warning today for the country’s healthcare organizations regarding ongoing attacks from a relatively new operation, the Royal ransomware gang.
Ransomware groups are constantly devising new methods for infecting victims and convincing them to pay up, but a couple of strategies tested recently seem especially devious. The first centers on targeting healthcare organizations that offer consultations over the Internet and sending them booby-trapped medical records for the “patient.” The other involves carefully editing email inboxes of public company executives to make it appear that some were involved in insider trading.
December 9th 2022
Cloud computing provider Rackspace warned customers on Thursday of increased risks of phishing attacks following a ransomware attack affecting its hosted Microsoft Exchange environment.
Overnight we saw a flurry of activity around typosquat of the popular requests package. In the malicious packages themselves the attacker has embedded the following:
To provide some context, Phylum found a NPM/PyPi campaign where python packages were distributing Linux and Windows malware that pretended to be ransomware. After testing the ransomware, BleepingComputer has confirmed it does not actually encrypt anything and just drops a ransom note and changes the desktop wallpaper.
The actor behind this told BleepingComputer that they are just “playing” around and will not be adding encryption.
PCrisk found a new MedusaLocker variant that appends the .allock[number] extension and drops a ransom note named how_to_back_files.html.
PCrisk found a new VoidCrypt variant that appends the .Juli extension and drops a ransom note named unlock-info.txt.