The Week in Ransomware – September 10th 2021 – REvil returns

This week marked the return of the notorious REvil ransomware group, who disappeared in July after conducting a massive attack using a Kaseya zero-day vulnerability.

Their July attack affected over 1,500 businesses and drew the full attention of international law enforcement and the White House, who demanded that Russia do something about these attacks.

Soon after, REvil shut down all of its servers and mysteriously disappeared.

That is until this week when REvil’s servers started back up, and a new sample of their ransomware was spotted on VirusTotal.

It is still too soon to tell if the ransomware gang is fully operational, but we will likely see new attacks shortly.

In other news, a report was released this week outlining what a ransomware gang’s ideal target is for attacks, and the Ragnar Locker gang threatened to automatically release stolen data if victims contact negotiators or law enforcement.

Contributors and those who provided new ransomware information and stories this week include: @BleepinComputer, @malwareforme, @malwrhunterteam, @VK_Intel, @fwosar, @serghei, @struppigel, @LawrenceAbrams, @PolarToffee, @FourOctets, @Seifreed, @jorntvdw, @DanielGallagher, @demonslay335, @Ionut_Ilascu, @AdvIntel, @y_advintel, @McAfee_Business, @Glacius_, @Intel471Inc, @PogoWasRight, @ddd1ms, @JakubKroustek, @Libranalysis, @John_Fokker, @cPeterr, @fbgwls245, and @pcrisk.

September 5th 2021

BlackMatter Ransomware v2.0

This is my analysis for the BlackMatter Ransomware version 2.0.

September 6th 2021

Ransomware gangs target companies using these criteria

Ransomware gangs increasingly purchase access to a victim’s network on dark web marketplaces and from other threat actors. Analyzing their want ads makes it possible to get an inside look at the types of companies ransomware operations are targeting for attacks.

September 7th 2021

REvil ransomware’s servers mysteriously come back online

The dark web servers for the REvil ransomware operation have suddenly turned back on after an almost two-month absence. It is unclear if this marks their ransomware gang’s return or the servers being turned on by law enforcement.

Ransomware gang threatens to leak data if victim contacts FBI, police

The Ragnar Locker ransomware group is warning that they will leak stolen data from victims that contact law enforcement authorities, like the FBI.

September 8th 2021

Groove VS Babuk; Groove Ransom Manifesto & RAMP Underground Platform Secret Inner Workings

On September 7, 2021, a representative of the newly-formed Groove ransomware syndicate decided to share their insights and their perspective on the inner aspects of the ransomware business.

Howard University shuts down network after ransomware attack

The private Howard University in Washington disclosed that it suffered a ransomware attack late last week and is currently working to restore affected systems.

How Groove Gang is Shaking up the Ransomware-as-a-Service Market to Empower Affiliates

McAfee Enterprise ATR believes, with high confidence, that the Groove gang is associated with the Babuk gang, either as a former affiliate or subgroup. These cybercriminals are happy to put aside previous Ransomware-as-a-Service hierarchies to focus on the ill-gotten gains to be made from controlling victim’s networks, rather than the previous approach which prioritized control of the ransomware itself.

September 9th 2021

First new REvil sample spotted on VirusTotal

Jakub Kroustek found the first new REvil sample uploaded to VirusTotal since they disappeared and now have come back alive.

September 10th 2021

All of Desert Wells Family Medicine patients’ electronic health records were corrupted and unrecoverable from ransomware attack

On August 30, HHS added Queen Creek Medical Center d/b/a Desert Wells Family Medicine in Arizona to its public breach tool. The entity had reported that 35,000 patients were impacted by a breach involving a hack of the network.

New Chaos Ransomware variant

dnwls0719 found a new Chaos ransomware variant that appends the .CRYPTEDPAY extension.

New Dharma Ransomware variant

PCrisk found a new Dharma ransowmare variant that appends the .RME extension.

That’s it for this week! Hope everyone has a nice weekend!