Ransomware

Ransomware gangs continue to attack schools, companies, and even hospitals worldwide with little sign of letting up. Below we have tracked some of the ransomware stories that we are following this week.

Stories of particular interest revolve around new features and tactics used by some of the ransomware operations.

After analyzing the Conti training material leaked earlier this month, we learned that they use a legitimate remote access software to retain persistence on a compromised network. We also learned that they prioritize searching for cyber insurance policies and financial documents after taking control of a network.

Another report illustrates how threat actors are tracking researchers on Twitter as a new ransomware gang known as LockFile uses the PetitPotam attack to take over Windows domains.

Some of the attacks we saw this week were against the Brazilian National TreasuryMemorial Health System, and Japanese insurer Tokio Marine.

Finally, there is some good news, as Emsisoft has released a SynAck ransomware decryptor after the master decryption keys were released by the threat actors earlier this month.

Contributors and those who provided new ransomware information and stories this week include: @malwareforme, @DanielGallagher, @jorntvdw, @Seifreed, @Ionut_Ilascu, @struppigel, @PolarToffee, @demonslay335, @VK_Intel, @BleepinComputer, @serghei, @malwrhunterteam, @FourOctets, @fwosar, @LawrenceAbrams, @symantec, @emsisoft, @AdvIntel, @IBMSecurity, and @fbgwls245.

August 14th 2021

New Karma ransomware

dnwls0719 found a a new Karma ransomware that appends the .KARMA extension and has a dedicated leak site.

Karma ransomware

August 16th 2021

Hive ransomware attacks Memorial Health System, steals patient data

In what appears to be an attack from the Hive ransomware gang, computers of the non-profit Memorial Health System have been encrypted, forcing staff to work with paper charts.

Colonial Pipeline reports data breach after May ransomware attack

Colonial Pipeline, the largest fuel pipeline in the United States, is sending notification letters to individuals affected by the data breach resulting from the DarkSide ransomware attack that hit its network in May.

August 17th 2021

Conti ransomware prioritizes revenue and cyberinsurance data theft

Training material used by Conti ransomware affiliates was leaked online this month, allowing an inside look at how attackers abuse legitimate software and seek out cyber insurance policies.

Brazilian government discloses National Treasury ransomware attack

The Brazilian Ministry of Economy has disclosed a ransomware attack that hit some of National Treasury's computing systems on Friday night, right before the start of the weekend.

New Dharma ransomware variant

Jakub Kroustek found a new Dharma variant that appends the .c0v extension.

August 18th 2021

Diavol ransomware sample shows stronger connection to TrickBot gang

A new analysis of a Diavol ransomware sample shows a more clear connection with the gang behind the TrickBot botnet and the evolution of the malware.

Japanese insurer Tokio Marine discloses ransomware attack

Tokio Marine Holdings, a multinational insurance holding company in Japan, announced this week that its Singapore branch, Tokio Marine Insurance Singapore (TMiS), suffered a ransomware attack.

August 19th 2021

CISA shares guidance on how to prevent ransomware data breaches

The US Cybersecurity and Infrastructure Security Agency (CISA) has released guidance to help government and private sector organizations prevent data breaches resulting from ransomware double extortion schemes.

New Malki Ransomware

dnwls0719 found a new ransomware that appends the .MALKI extension.

Malki

August 20th 2021

SynAck ransomware decryptor lets victims recover files for free

Emsisoft has released a decryptor for the SynAck Ransomware, allowing victims to decrypt their encrypted files for free.

LockFile ransomware uses PetitPotam attack to hijack Windows domains

At least one ransomware threat actor has started to leverage the recently discovered PetitPotam NTLM relay attack method to take over the Windows domain on various networks worldwide.

That's it for this week! Hope everyone has a nice weekend!

Related Articles:

The Week in Ransomware - April 19th 2024 - Attacks Ramp Up

FBI: Akira ransomware raked in $42 million from 250+ victims

The Week in Ransomware - April 5th 2024 - Virtual Machines under Attack

The Week in Ransomware - March 8th 2024 - Waiting for the BlackCat rebrand

CISA urges software devs to weed out path traversal vulnerabilities