The Week in Ransomware – March 10th 2023

The Week in Ransomware – March 10th 2023

The Week in Ransomware – March 10th 2023

The biggest news this week was the coordinated international law enforcement operation between Europol, the FBI, the Netherlands, Germany, and Ukraine that targeted the DoppelPaymer operation.

As part of this operation, the police arrested two key members of the DoppelPaymer gang and raided several locations where they seized electronics.

DoppelPaymer is believed to be one of the ransomware brands run by the Evil Corp cybercrime operation, which is also known for managing and distributing the Dridex malware botnet.

After The US banned Evil Corp in 2019 for causing more than $100 million in financial damages, many ransomware recovery and negotiation firms refused to cooperate with the ransomware operation, causing a significant decrease in ransom payments.

These sanctions have led to EvilCorp continuing to rebrand their ransomware operations under new names, including DoppelPaymer rebranding as Sadness (aka Pay or Grief) in the summer of 2021.

Another significant piece of news this week came today, with the SEC announcing a agreement with BlackBaud for failure to disclose the full effect of a 2020 ransomware attack which affected more than 13,000 customers.

New research was also released this week in the is the ESXi encryptor of the Royal Ransomware and a new one IceFire Linux encryptor.

Finally, we learned more about different ransomware attacks this week, including attacks on City of Oakland, Hospital Clinic of Barcelona, Technion, Fonasaand the Minneapolis Public Schools district.

This week’s contributors and providers of new ransomware information and stories include: @BleepinComputer, @serghei, @Seifreed, @malwrhunterteam, @demonslay335, @LawrenceAbrams, @billtoulas, @fwosar, @PolarToffee, @LabsSentinel, @BrettCallow, @security_score, @AhnLab_SecuInfo, @AJVicens, @AlvieriD, @pcrisk, @chum1ng0and @TrendMicro.

4th March 2023

Ransomware gang releases data stolen from City of Oakland

The Play ransomware gang has begun leaking data from the City of Oakland, California, which was stolen in a recent cyberattack.

6th March 2023

Members of the Core DoppelPaymer ransomware gang targeted in the Europol operation

Europol has announced that law enforcement in Germany and Ukraine have targeted two individuals believed to be key members of the DoppelPaymer ransomware group.

7th March 2023

The Hospital Clínic de Barcelona was severely affected by the ransomware attack

The Hospital Clínic de Barcelona suffered a ransomware attack on Sunday morning, severely disrupting its healthcare services after the institution’s virtual machines were targeted by the attacks.

ESXi Ransomware – A case study of Royal Ransomware

“Royal ransomware joins other ransomware groups targeting ESXi servers. The files are encrypted using the AES algorithm, with the key and IV encrypted using the RSA public key which is hard -coded in the executable The process may partially encrypt a file depending on its size and the value of the “-ep” parameter. The extension of the encrypted filesis now “.royal_u”.”

Israel blames prolific Iranian-linked hacking group for February university hack

Iran was behind a cyberattack on a major research university in Israel last month, Israel’s National Cyber ​​Directorate announced Tuesday.

Ransomware Targets Albanian Government – RoadSweep 2.0

News outlets in Albania have reported two large-scale targeted cyber-attacks of the same type and likely by the same attackers as another previous ransomware attack in Albania.

New variant of MedusaLocker

PCrisk found a new MedusaLocker variant that adds to .acessd extension and dropped a ransom note named How_to_back_files.html.

8th March 2023

Ransomware gang posts video of data stolen from Minneapolis schools

The Medusa ransomware gang is demanding a $1,000,000 ransom from the Minneapolis Public Schools (MPS) district to delete data allegedly stolen in a ransomware attack.

9th March 2023

IceFire ransomware now encrypts both Linux and Windows systems

Threat actors linked to the IceFire ransomware operation are actively targeting Linux systems worldwide with a new dedicated encryptor.

Decryptable iswr Ransomware Distributed in Korea

ASEC (AhnLab Security Emergency response Center) recently discovered the distribution of iswr ransomware during team monitoring.

Analyzing Ransomware Payouts From a Data-Science Lens

In this entry, we discuss case studies that demonstrated how data-science techniques were applied in our investigation of ransomware groups’ ransom transactions, as detailed in our joint research with Waratah Analytics, “What Decision Makers Need to Know About Ransomware Risk.”

New STOP ransomware variant

PCrisk found a STOP variant that adds a .coba extension.

10th March 2023

Blackbaud to pay $3M for fraudulent disclosure of ransomware attack

Cloud software provider Blackbaud has agreed to pay $3 million to settle charges brought by the Securities and Exchange Commission (SEC), alleging it failed to disclose the full impact of a 2020 ransomware attack that affected more than 13,000 customers.

BlackCat confirmed the attack on Fonasa

In a chat on Tox, BlackCat confirmed to DataBreaches that they were responsible for the attack and said they would announce it soon on their release page. A spokesperson for the group told DataBreaches that they are not giving Fonasa time to respond because they have not even heard from them.

That’s it for this week! Hope everyone has a great weekend!