The Week in Ransomware – July 23rd 2021 – Kaseya decrypted

This week has quite a bit of news ranging from the USA formally accusing China of the recent ProxyLogon vulnerability and Kaseya mysteriously obtaining the universal decryption key.

The US government this week officially attributed the ProxyLogon Microsoft Exchange attacks to China. Threat actors used this vulnerability to install a variety of malware, including the BlackKingdom ransomware.

In a surprise announcement, Kaseya has stated that they received the universal decryption key for their July 2nd REvil ransomware attack. This key will allow all victims of the attack to recover their files for free.

It is unclear how they received this key yesterday as REvil disappeared approximately two weeks ago. It is believed that the key was obtained by the Russian government, who shared it with the USA.

Other news this week includes an attack on Ecaudor’s CNT, CNA’s attack was caused by a fake browser update, and that HelloKitty is using a SonicWall vulnerability to breach networks.

Contributors and those who provided new ransomware information and stories this week include: @Ionut_Ilascu, @DanielGallagher, @demonslay335, @fwosar, @malwareforme, @malwrhunterteam, @BleepinComputer, @PolarToffee, @Seifreed, @VK_Intel, @serghei, @jorntvdw, @struppigel, @LawrenceAbrams, @FourOctets, @LitMoose, @HeinrichsH, @CrowdStrike, @pcrisk, @QVM36O, @campuscodi, @chum1ng0, @JakubKroustek, and @fbgwls245.

July 17th 2021

Ecuador’s state-run CNT telco hit by RansomEXX ransomware

Ecuador’s state-run Corporación Nacional de Telecomunicación (CNT) has suffered a ransomware attack that has disrupted business operations, the payment portal, and customer support.

HelloKitty ransomware is targeting vulnerable SonicWall devices

CISA warns of threat actors targeting “a known, previously patched, vulnerability” found in SonicWall Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products with end-of-life firmware.

July 18th 2021

Comparis customers targeted by scammers after ransomware attack

Leading Swiss price comparison platform Comparis has notified customers of a data breach following a ransomware attack that hit and took down its entire network last week.

Ransomware hits law firm counseling Fortune 500, Global 500 companies

Campbell Conroy & O’Neil, P.C. (Campbell), a US law firm counseling dozens of Fortune 500 and Global 500 companies, has disclosed a data breach following a February 2021 ransomware attack.

July 19th 2021

US and allies officially accuse China of Microsoft Exchange attacks

US and allies, including the European Union, the United Kingdom, and NATO, are officially blaming China for this year’s widespread Microsoft Exchange hacking campaign.

Ransomware incident at major cloud provider disrupts real estate, title industry

A ransomware incident at Cloudstar, a cloud hosting service and managed service provider for several industry sectors, has disrupted the activities of hundreds of companies.

July 20th 2021

New Stop Ransomware variant

PCrisk found a new Dharma ransomware variant that appends the .moqs extension to encrypted files.

New ransomware discovered

QVM360 found a new ransomware that appends the .zip extension.

Ransomware attack on Israeli IT company impacts more than 100 customers, including hospitals

Shahaf reports that Pionet , which is owned by Malam Tim, suffered a ransomware attack that has paralyzed many of the company’s systems and the sites of more than a hundred of the company’s customers, including Assuta, Rambam, Hadassah, Budget Car Rental Company, Sonol Fuel Company, and Apple importer Idigital. Idigital’s customers include the Israel Electric Corporation and Israel Railways.

New Scarab Ransomware variant

dnwls0719 found a new Scarab variant that appends the .Imshifau extension.

July 21st 2021

New Dharma Ransomware variants

PCrisk found new Dharma ransomware variants that append the .myday and .grej extensions to encrypted files.

July 22nd 2021

Ransomware gang breached CNA’s network via fake browser update

Leading US insurance company CNA Financial has provided a glimpse into how Phoenix CryptoLocker operators breached its network, stole data, and deployed ransomware payloads in a ransomware attack that hit its network in March 2021.

Kaseya obtains universal decryptor for REvil ransomware victims

Kaseya received a universal decryptor that allows victims of the July 2nd REvil ransomware attack to recover their files for free.

July 23rd 2021

New Dharma Ransomware variants

Jakub Kroustek found new Dharma ransomware variants that append the .mnc and .ZEUS extensions to encrypted files.

That’s it for this week! Hope everyone has a nice weekend!