While the week started slowly, it turned into a big ransomware mess, with attacks striking a big blow at businesses running VMware ESXi servers.
The attacks started Friday morning, with threat actors targeting unpatched VMware ESXi servers with a new ransomware variant dubbed ESXiArgs.
The attacks were fast and widespread, with admins worldwide soon reporting that they were encrypted in this new campaign.
What makes this attack so devastating is that many companies operate much of their server infrastructure on VMware ESXi, allowing the encryption of one device to encrypt multiple servers simultaneously.
The good news is that some admins have been able to recover their servers by rebuilding disks from flat files, but some have reported being unable to do so as those files were also encrypted.
We also saw new research released this week, with Microsoft warning that over a hundred threat actors are deploying ransomware and LockBit deciding to create a new encryptor based on Conti.
Resecurity also released a report on the new Nevada ransomware-as-a-service recruiting affiliates and gearing up for future attacks.
Finally, we learned more about ransomware attacks conducted this week and in the past, including:
Contributors and those who provided new ransomware information and stories this week include @PolarToffee, @serghei, @fwosar, @BleepinComputer, @LawrenceAbrams, @Seifreed, @Ionut_Ilascu, @malwrhunterteam, @struppigel, @demonslay335, @billtoulas, @vxunderground, @GeeksCyber, @PRODAFT, @brkalbyrk7, @RESecurity, @MsftSecIntel, @1ZRR4H, @pcrisk, @BrettCallow, @ahnlab, @jgreigj, and @k7computing.
January 30th 2023
New Makop variant
PCrisk found a new Makop variant that appends the .ZFX extension and drops a ransom note named +README-WARNING+.txt.
January 31st 2023
Microsoft: Over 100 threat actors deploy ransomware in attacks
Microsoft revealed today that its security teams are tracking more than 100 ransomware gangs and over 50 unique ransomware families that were actively used until the end of last year.
New Masons ransomware
PCrisk found a new ransomware that appends the .masons extension and drops a ransom note named six62ix.txt.
New Chaos ransomware variant
PCrisk found a new Chaos ransomware variant that appends the .Script extension and drops a ransom note named read_it.txt.
February 1st 2023
LockBit ransomware goes ‘Green,’ uses new Conti-based encryptor
The LockBit ransomware gang has again started using encryptors based on other operations, this time switching to one based on the leaked source code for the Conti ransomware.
New Nevada Ransomware targets Windows and VMware ESXi systems
A relatively new ransomware operation known as Nevada seems to grow its capabilities quickly as security researchers noticed improved functionality for the locker targeting Windows and VMware ESXi systems.
Arnold Clark customer data stolen in attack claimed by Play ransomware
Arnold Clark, self-described as Europe’s largest independent car retailer, is notifying some customers that their personal information was stolen in a December 23 cyberattack claimed by the Play ransomware group.
TZW Ransomware Being Distributed in Korea
Through internal monitoring, the ASEC analysis team recently discovered the distribution of the TZW ransomware, which encrypts files before adding the “TZW” file extension to the original extension.
K-12 schools in Tucson, Nantucket respond to cyberattacks
Schools in Tucson, Arizona, and Nantucket, Massachusetts, are dealing with cyberattacks as U.S. schools continue to face a barrage of threats in the first weeks of 2023.
New Honkai ransomware variant
PCrisk found a new ransomware variant that appends the .honkai extension and drops a ransom note named #DECRYPT MY FILES#.html.
New VoidCrypt ransomware variant
PCrisk found a new ransomware variant that appends the .sunjn extension and drops a ransom note named Dectryption-guide.txt.
February 2nd 2023
Ransomware attack on ION Group impacts derivatives trading market
The LockBit ransomware gang has claimed responsibility for the cyberattack on ION Group, a UK-based software company whose products are used by financial institutions, banks, and corporations for trading, investment management, and market analytics.
Ransomed by Warlock Dark Army “OFFICIALS”
Recently we came across a tweet shared by petikvx. The tweet was on a ransomware family that had a group name similar to the WARLOCK DARK ARMY. The similarities with Chaos ransomware seem to end with the attacker group’s name. Upon analyzing the ransomware from the tweet, we suspect both to be very different groups based solely on their malware’s attributes.
February 3rd 2023
Florida hospital takes IT systems offline after cyberattack
Tallahassee Memorial HealthCare (TMH) has taken its IT systems offline and suspended non-emergency procedures following a late Thursday cyberattack.
Massive ESXiArgs ransomware attack targets VMware ESXi servers worldwide
Admins, hosting providers, and the French Computer Emergency Response Team (CERT-FR) warn that attackers actively target VMware ESXi servers unpatched against a two-year-old remote code execution vulnerability to deploy ransomware.
New DoDo ransomware
PCrisk found a new DoDo ransomware variant that appends the .dodov2 extension and drops a ransom note named dodov2_readit.txt.