The Week in Ransomware – June 25th 2021 – Back in Business

It has been relatively quiet this week, with few attacks revealed and few new ransomware variants released. However, some interesting information came out that we have summarized below.

Last week, a law enforcement operation arrestest numerous Clop Ransomware gang members, assisted by the Binance cryptocurrency exchange which helped track the threat actors performing money laundering for the Clop ransomware.

However, this did not seem to stop the ransomware gang for long as they continued to release the data of new victims this week.

The City of Tulsa also reported a data breach this week after the Conti ransomware gang began leaking stolen police citations online on their data leak site.

This week’s most significant attack was against Brazilian medical diagnostics giant Grupo Fleury who was hit with an REvil ransomware attack.

Contributors and those who provided new ransomware information and stories this week include: @malwrhunterteam, @demonslay335, @BleepinComputer, @FourOctets, @jorntvdw, @fwosar, @DanielGallagher, @VK_Intel, @Ionut_Ilascu, @LawrenceAbrams, @Seifreed, @serghei, @malwareforme, @PolarToffee, @struppigel, @GelosSnake, @ProferoSec, @SecurityJoes, @RansomAlert, @JakubKroustek, @GrujaRS, @fbgwls245, @coveware, @pcrisk, @Amigo_A_, @BlackBerry, and @symantec.

June 19th 2021

New APIS Wiper

GrujaRS found a wiper that pretends to be the APIS ransomware.

New ransomware targeting WD NAS devices

Amigo-A found a new ransomware called 0XXX that is encrypted Western Digital NAS devices and appending the .0xxx extension and dropping a ransom note named !0XXX_DECRYPTION_README.TXT.

June 21st 2021

Data leak marketplace pressures victims by emailing competitors

The Marketo data theft marketplace is applying maximum pressure on victims by emailing their competitors and offering sample packs of the stolen data.

ADATA suffers 700 GB data leak in Ragnar Locker ransomware attack

The Ragnar Locker ransomware gang have published download links for more than 700GB of archived data stolen from Taiwanese memory and storage chip maker ADATA.

June 22nd 2021

Mysterious ransomware payment traced to a sensual massage site

​A ransomware targeting an Israeli company has led researchers to track a portion of a ransom payment to a website promoting sensual massages.

Healthcare giant Grupo Fleury hit by REvil ransomware attack

Brazilian medical diagnostic company Grupo Fleury has suffered a ransomware attack that has disrupted business operations after the company took its systems offline.

New Rapid Ransomware variant

dnwls0719 found a new variant of the Rapid ransomware that appends the .snoopdog extension.

June 23rd 2021

Clop ransomware is back in business after recent arrests

The Clop ransomware operation is back in business after recent arrests and has begun listing new victims on their data leak site again.

Tulsa warns of data breach after Conti ransomware leaks police citations

The City of Tulsa, Oklahoma, is warning residents that their personal data may have been exposed after a ransomware gang published police citations online.

PYSA ransomware backdoors education orgs using ChaChi malware

The PYSA ransomware gang has been using a remote access Trojan (RAT) dubbed ChaChi to backdoor the systems of healthcare and education organizations and steal data that later gets leveraged in double extortion ransom schemes.

New Dharma Ransomware variant

Jakub Kroustek found new Dharma Ransomware variants that append the .nmc or .ZEUS extension to encrypted files.

Ransomware: Growing Number of Attackers Using Virtual Machines

Symantec has found evidence that an increasing number of ransomware attackers are using virtual machines (VMs) in order to run their ransomware payloads on compromised computers. The motivation behind the tactic is stealth. In order to avoid raising suspicions or triggering antivirus software, the ransomware payload will “hide” within a VM while encrypting files on the host computer.

June 24th 2021

Binance exchange helped track down Clop ransomware money launderers

Cryptocurrency exchange service Binance played an important part in the recent arrests of Clop ransomware group members, helping law enforcement in their effort to identify, and ultimately detain the suspects.

What We Can Learn From Ransomware Actor “Security Reports”

Luckily, some threat actors are more forthcoming. What follows are several case studies from real ransomware negotiations wherein the threat actor provided granular details on the full attack lifecycle, including usernames and passwords of compromised accounts and specific CVE’s leveraged to gain entry. Please note that these reports have not been edited or spell checked and that we redacted identifying information. Additionally, the tactics described by the threat actors herein were validated following thorough forensic investigation.

New STOP Ransomware variant

PCrisk found a new STOP ransomware variant that appends the .ddsg extension.

June 25th 2021

New Spyro Ransomware

Amigo-A found the new Spyro Ransomware that appends the .Spyro extension and drops the Decrypt-info.txt ransom note.

That’s it for this week! Hope everyone has a nice weekend!