The Week in Ransomware – July 30th 2021 – €1 billion saved

Ransomware continues to be active this week, with new threat actors releasing new features, No More Ransom turning five, and a veteran group rebrands.

This week marked the fifth anniversary of No More Ransomware, where they announced that they had saved €1 billion in ransom payments through the decryptors on their platform.

We also saw ransomware groups continue to innovate with LockBit 2.0 now using group policies to automate the deployment of their ransomware over a Windows domain.

I shared what I know about the inner conflict of the Babuk ransomware gang that led to the Admin starting a new RAMP cybercrime forum and the rest of the team launching Babuk version 2.0.

Finally, DoppelPaymber has rebranded as a new ransomware operation known as Grief, which began operating in May.

Contributors and those who provided new ransomware information and stories this week include: @DanielGallagher, @LawrenceAbrams, @struppigel, @BleepinComputer, @malwrhunterteam, @VK_Intel, @serghei, @jorntvdw, @PolarToffee, @fwosar, @Seifreed, @Ionut_Ilascu, @demonslay335, @malwareforme, @FourOctets, @ddd1ms, @zscaler, @pcrisk, @pushecx, @fbgwls245, @campuscodi, @Glacius_, and @HuntressLabs.

July 25th 2021

New JCrypt ransomware variant

dnwls0719 found a new JCrypt variant called ‘FancyLocker’ that appends the .FancyLeaks extension to encrypted files.

July 26th 2021

No More Ransom saves almost €1 billion in ransomware payments in 5 years

The No More Ransom project celebrates its fifth anniversary today after helping over six million ransomware victims recover their files and saving them almost €1 billion in ransomware payments.

July 27th 2021

LockBit ransomware now encrypts Windows domains using group policies

A new version of the LockBit 2.0 ransomware has been found that automates the encryption of a Windows domain using Active Directory group policies.

Some backstory about Babuk ransomware

I shared some of the backstory behind the split of Babuk ransomware after the attack on the Metropolitan Police Department.

Threat actors patch REvil ransomware

Revil ransomware continues to be active but this time in the form of patched executables.

July 28th 2021

New US security memorandum bolsters critical infrastructure cybersecurity

US President Joe Biden today issued a national security memorandum designed to help strengthen the security of critical infrastructure by setting baseline performance goals for critical infrastructure owners and operators.

Biden: Severe cyberattacks could escalate to ‘real shooting war’

President Joe Biden warned that cyberattacks leading to severe security breaches could lead to a “real shooting war” with another major world power.

Synack rebrands as El_Cometa

Catalin Cimpanu was told that the Synack ransomware has rebranded under the name El_Cometa.

New Russian-Speaking Forum – A New Place for RaaS?

A new Russian-speaking forum called RAMP was launched in July 2021 and received much attention from researchers and cybercrime actors. The forum emerged at the domain that previously hosted the Babuk ransomware data leak site and later the Payload.bin leak site. KELA researched the contents of the new site and assessed its chances to succeed.

Babuk: Biting off More than they Could Chew by Aiming to Encrypt VM and *nix Systems?

Our worst fears were confirmed when Babuk announced on an underground forum that it was developing a cross-platform binary aimed at Linux/UNIX and ESXi or VMware systems. Many core backend systems in companies are running on these *nix operating systems or, in the case of virtualization, think about the ESXi hosting several servers or the virtual desktop environment.

Coalition’s cyberinsurance claims report is out

The cyber attack landscape evolved significantly in 2021 with the emergence of new ransomware variants, the increasing dangers of supply chain attacks, and the continued risks of staying secure while working remotely.

New STOP Ransomware variants

PCrisk found new STOP ransomware variants that append the .aeur and .guer extensions.

A Recap Of Events And Lessons Learned During The Kaseya Vsa Supply Chain Attack

Now that a decryption key is available and we seem to be on the downward slope of the rollercoaster, we have an opportunity to look back and capture some important lessons and learnings that can help this industry try to combat these threats more effectively.

July 29th 2021

DoppelPaymer ransomware gang rebrands as the Grief group

After a period of little to no activity, the DoppelPaymer ransomware operation has made a rebranding move, now going by the name Grief (a.k.a. Pay or Grief).

That’s it for this week! Hope everyone has a nice weekend!