The Week in Ransomware – August 6th 2021 – Insider threat edition

If there is one thing we learned this week, it’s that not only are corporations vulnerable to insider threats but so are ransomware operations.

The LockBit 2.0 ransomware is now trying to recruit corporate insiders to help them breach networks. In return, the insider is promised millions of dollars.

On the flip side, ransomware operations are vulnerable too.

Yesterday, after being banned from the Conti ransomware operation, a Conti affiliate leaked the training material for the ransomware operation on the XSS hacking forum, giving security researchers and defenders an inside look at the tools being used by the group.

This week’s other hot topic is the rise of a new ransomware operation called BlackMatter, which is believed to be a rebrand of the DarkSide ransomware operation.

Finally, this week, we have had large ransomware attacks against Italy’s Lazio region, energy group ERG, and leading motherboard maker Gigabyte.

Contributors and those who provided new ransomware information and stories this week include: @LawrenceAbrams, @FourOctets, @PolarToffee, @fwosar, @VK_Intel, @malwareforme, @Ionut_Ilascu, @BleepinComputer, @demonslay335, @Seifreed, @serghei, @DanielGallagher, @struppigel, @jorntvdw, @malwrhunterteam, @ddd1ms, @RecordedFuture, @GroupIB_GIB, @pancak3lullz, @JakubKroustek, @PogoWasRight, @chum1ng0, @pcrisk, and @Amigo_A_.

July 31st 2021

BlackMatter ransomware gang rises from the ashes of DarkSide, REvil

?A new ransomware gang named BlackMatter is purchasing access to corporate networks while claiming to include the best features from the notorious and now-defunct REvil and DarkSide operations.

DarkSide ransomware gang returns as new BlackMatter operation

Encryption algorithms found in a decryptor show that the notorious DarkSide ransomware gang has rebranded as a new BlackMatter ransomware operation and is actively performing attacks on corporate entities.

August 2nd 2021

New STOP ransomware variants

PCrisk iscovered new STOP ransomware variants that append the .nooa and .muuq extension.

August 3rd 2021

Ransomware attack hits Italy’s Lazio region, affects COVID-19 site

The Lazio region in Italy has suffered a reported ransomware attack that has disabled the region’s IT systems, including the COVID-19 vaccination registration portal.

U.S. medical entities fall prey to Pysa threat actors, but many haven’t disclosed it – at least, not yet.

Since 2018, threat actors known as “Pysa” (for “Protect Your System Amigo”) have used mespinoza ransomware to lock up victims’ files after exfiltrating a copy of them. In early 2020, alerts about these “big-game hunters” were published by both the FBI and CNIL . Since then, Pysa has continued to pose a threat to the medical and education sectors. Like a number of other ransomware-as-a-service (RaaS) groups, Pysa maintains a dedicated leak site on the dark web where they list victims who do not pay their ransom demands and then dump their data. They call them “partners.”

New Dharma ransomware variant

PCrisk discovered a new Dharma ransomware variant that appends the .GanP extension.

August 4th 2021

Protect Against BlackMatter Ransomware Before It’s Offered

Insikt Group analyzed Windows and Linux variants of BlackMatter ransomware, a new ransomware-as-a-service (RaaS) affiliate program founded in July 2021. During our technical analysis, we found that both variants accomplish similar goals of encrypting a victim’s files and appear to have been developed by a relatively sophisticated group

Energy group ERG reports minor disruptions after ransomware attack

Italian energy company ERG reports “only a few minor disruptions” affecting its information and communications technology (ICT) infrastructure following a ransomware attack on its systems.

LockBit ransomware recruiting insiders to breach corporate networks

The LockBit 2.0 ransomware gang is actively recruiting corporate insiders to help them breach and encrypt networks. In return, the insider is promised million-dollar payouts.

New Phobos ransomware variant

PCrisk discovered a new Phobos ransomware variant that appends the .Win extension.

August 5th 2021

Linux version of BlackMatter ransomware targets VMware ESXi servers

?The BlackMatter gang has joined the ranks of ransomware operations to develop a Linux encryptor that targets VMware’s ESXi virtual machine platform.

CISA teams up with Microsoft, Google, Amazon to fight ransomware

CISA has announced the launch of Joint Cyber Defense Collaborative (JCDC), a partnership across public and private sectors focused on defending US critical infrastructure from ransomware and other cyber threats.

Angry Conti ransomware affiliate leaks gang’s attack playbook

A disgruntled Conti affiliate has leaked the gang’s training material when conducting attacks, including information about one of the ransomware’s operators.

New Dharma ransomware variant

Jakub Kroustek found a new Dharma ransomware variant that appends the .CLEAN extension.

New SALMA ransomware

Amigo-A found a new ransomware that appends the .salma extension and drops a ransom note named read_me.txt.

August 6th 2021

Computer hardware giant GIGABYTE hit by RansomEXX ransomware

Taiwanese motherboard maker has been hit by the RansomEXX ransomware gang, who threaten to publish 112GB of stolen data unless a ransom is paid

It’s alive! The story behind the BlackMatter ransomware strain

Summer 2021 brought hot weather, but also hot news from the world of ransomware. In late May, DoppelPaymer used a marketing trick and renamed its new ransomware Grief (Pay OR Grief). Moreover, in June-July the hacker groups DarkSide and REvil disappeared from the radars after the notorious attacks against Colonial Pipeline and Kaseya, respectively. By the end of July, a new player called BlackMatter had entered the ransomware market. Is BlackMatter really new on the scene, however?

New Xorist ransomware variant

PCrisk found a new Xorist ransomware variant that appends the .divinity extension and drops a ransom note named HOW TO DECRYPT FILES.txt.

That’s it for this week! Hope everyone has a nice weekend!