This week’s news primarily revolves around LockBit, BlackMatter, and the rising enterprise-targeting Royal ransomware operation.
As expected, threat actors now use the leaked LockBit 3.0 ransomware builder for their ransomware operations. For example, the Bl00Dy Ransomware Gang, who previously used Babuk and Conti encryptors, has now switched to a LockBit 3.0 encryptor in an attack on a Ukrainian business.
Researchers also reported that TargetCompany ransomware affiliates are now targeting publicly exposed Microsoft SQL servers.
Another interesting piece of research predicts that ransomware gangs may move away from encryption altogether and switch to pure data exfiltration and file deletion, cutting the ransomware developer out of the deal. This idea stems from a new file deletion/corruption feature in a data theft tool used by a BlackMatter affiliate.
Finally, this week we learned about Royal Ransomware, which has been quietly working from the shadows since February but has, more recently, ramped up attacks.
Contributors and those who provided new ransomware information and stories this week include: @Seifreed, @serghei, @VK_Intel, @billtoulas, @DanielGallagher, @jorntvdw, @PolarToffee, @BleepinComputer, @fwosar, @struppigel, @demonslay335, @LawrenceAbrams, @Ionut_Ilascu, @FourOctets, @malwrhunterteam, @malwareforme, @swascan, @y_advintel, @AdvIntel, @angel11VR, @InsideStairwell, @aejleslie, @Cyderes, @ahnlab, and @pcrisk.
September 24th 2022
Microsoft SQL servers hacked in TargetCompany ransomware attacks
Vulnerable, publicly exposed Microsoft SQL servers are being targeted in a new wave of attacks with FARGO ransomware (also tracked as TargetCompany), security researchers warn.
September 25th 2022
Ransomware data theft tool may show a shift in extortion tactics
Data exfiltration malware known as Exmatter, previously linked with the BlackMatter ransomware group, is being upgraded with data corruption functionality, which may indicate a new tactic that ransomware affiliates could adopt in the future.
Analyzing Bloody Ransomware
Today (09/25/22), very limited information was received for analysis from one of the Ukrainian victims of the Bl00dy Ransomware Gang. Unfortunately, from the files provided it is not possible to establish the intrusion vector, the time frame of the attack, or which operations were automated and which were conducted interactively; however, the information turned out to be quite sufficient to reconstruct the attack scheme.
September 26th 2022
LockBit 3.0: Decryptor Analysis
In this analysis, conducted by the Swascan SOC team, the decryptors for “LockBit 3.0” (Windows version) and “LockBit” (Linux variant) were analyzed.
PCrisk found a ransomware appending the .Wanqu extension and dropping ransom notes named RESTORE_FILES_INFO.hta and RESTORE_FILES_INFO.txt.
PCrisk found a new Chaos variant called TeamDarkAnon Ransomware that appends the .anon extension and drops a ransom note named read_it.txt.
September 27th 2022
PCrisk found a new Chaos variant called OkHacked Ransomware that appends the .okhacked extension and drops a ransom note named read_it.txt.
PCrisk found a new Phobos variant that appends the .MMXXII extension and drops ransom notes named info.txt and info.hta.
September 28th 2022
Leaked LockBit 3.0 builder used by ‘Bl00dy’ ransomware gang in attacks
The relatively new Bl00Dy Ransomware Gang has started to use a recently leaked LockBit ransomware builder in attacks against companies.
PCrisk found a ransomware that appends the .wizard extension and drops a ransom note named decrypt_instructions.txt.
September 29th 2022
New Royal Ransomware emerges in multi-million dollar attacks
A ransomware operation named Royal is quickly ramping up, targeting corporations with ransom demands ranging from $250,000 to over $2 million.
PCrisk found a new Dharma ransomware variant that appends the .iq20 extension and drops a ransom note named info.txt.
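The extensions and ransom-note names reported by PCrisk this week are cheap file-system indicators for a responder sweeping a share. The following is an added example, not code from PCrisk, BleepingComputer or any of the researchers above: it walks a directory tree, flags ransom notes and files carrying this week's extensions, and marks a directory as "hot" when most of its files carry one of those extensions. The MIN_FILES/HOT_RATIO thresholds, the sample tree built by build_sample() and the Phobos-style file name with its ID and mailbox are constructed for illustration.

```python
"""Scan a directory tree for this week's ransomware file indicators (added example)."""
import os
import tempfile
from collections import Counter

# Indicators from the PCrisk reports above (note names compared case-insensitively,
# extensions lowercased; Windows file systems are case-insensitive anyway).
NOTE_NAMES = {
    "restore_files_info.hta", "restore_files_info.txt",   # .Wanqu
    "read_it.txt",                                        # Chaos variants (.anon, .okhacked)
    "info.txt", "info.hta",                               # Phobos .MMXXII, Dharma .iq20
    "decrypt_instructions.txt",                           # .wizard
}
EXTENSIONS = {".wanqu", ".anon", ".okhacked", ".mmxxii", ".wizard", ".iq20"}

# Hypothetical thresholds: a directory is "hot" when it holds at least MIN_FILES files
# and at least HOT_RATIO of them carry one of the listed extensions.
MIN_FILES = 5
HOT_RATIO = 0.5


def classify(name):
    """Return 'note', 'encrypted' or None for a single file name."""
    lower = name.lower()
    if lower in NOTE_NAMES:
        return "note"
    # Phobos/Dharma names look like file.docx.id[...].[mailbox].MMXXII; only the last suffix matters.
    ext = os.path.splitext(lower)[1]
    if ext in EXTENSIONS:
        return "encrypted"
    return None


def scan_tree(root):
    """Walk root and return matched ransom notes, encrypted-looking files and hot directories."""
    notes, encrypted = [], []
    files_per_dir, hits_per_dir = Counter(), Counter()
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            files_per_dir[dirpath] += 1
            path = os.path.join(dirpath, name)
            kind = classify(name)
            if kind == "note":
                notes.append(path)
            elif kind == "encrypted":
                encrypted.append(path)
                hits_per_dir[dirpath] += 1
    hot_dirs = sorted(
        d for d, n in files_per_dir.items()
        if n >= MIN_FILES and hits_per_dir[d] / n >= HOT_RATIO
    )
    return {"notes": sorted(notes), "encrypted": sorted(encrypted), "hot_dirs": hot_dirs}


def build_sample(root):
    """Create a constructed sample tree: one hit share and one clean directory with near-misses."""
    share = os.path.join(root, "share")
    clean = os.path.join(root, "clean")
    os.makedirs(share)
    os.makedirs(clean)
    sample = {
        share: [
            "q3-report.docx.id[AB12CD34-3284].[mail@example.com].MMXXII",  # constructed Phobos-style name
            "budget.xlsx.MMXXII", "notes.txt.MMXXII", "plan.pptx.anon",
            "photo.jpg", "info.txt", "info.hta",
        ],
        clean: ["readme.txt", "info.md", "anon.txt", "wizard.exe"],  # near-misses, no hits
    }
    for directory, names in sample.items():
        for name in names:
            with open(os.path.join(directory, name), "w") as fh:
                fh.write("constructed sample\n")
    return share, clean


def demo():
    """Build the constructed sample in a temporary directory, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        share, _clean = build_sample(tmp)
        result = scan_tree(tmp)
    result["share"] = share
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On the constructed sample the share directory holds seven files, four with a listed extension and two ransom notes, so it is reported as hot, while the clean directory yields no hits because only the final suffix and exact note names are matched. In a real sweep, point scan_tree() at the share root and treat any hot directory or ransom note as a reason to isolate the host that last wrote to it.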