The Week in Ransomware – January 28th 2022 – Get NAS devices off the Internet

It’s been a busy week with ransomware attacks tied to political protests, new attacks on NAS devices, amazing research released about tactics, REvil’s history, and more.

This week’s biggest news is about a new ransomware operation called DeadBolt encrypted QNAP devices worldwide, illustrating how threat actors can still earn a lot of money by targeting consumers and small businesses.

The attacks started on January 25th and have since encrypted over 4,300 QNAP NAS devices where they demand 0.03 bitcoins, worth approximately $1,100, for a decryption key.

Unfortunately, many victims have reported paying, leading this attack to be very successful for the threat actors.

Other attacks this week include a Conti attack on Apple and Tesla contractor Delta and an attack on Belarusian Railway in protest of Russia using Belarusian Railway’s rail transport network to move military units and equipment into the country.

Other interesting stories this week are ransomware gangs calling people whose data was stolen, an increase in attempts to recruit insiders, the analysis of LockBit’s ESXI encryptor, and a fantastic report detailing the history of REvil.

Contributors and those who provided new ransomware information and stories this week include: @PolarToffee, @Ionut_Ilascu, @demonslay335, @BleepinComputer, @VK_Intel, @malwareforme, @struppigel, @fwosar, @FourOctets, @billtoulas, @Seifreed, @malwrhunterteam, @jorntvdw, @DanielGallagher, @LawrenceAbrams, @serghei, @kevincollier, @Jon__DiMaggio, @UseAnalyst1, @fbgwls245, @JakubKroustek, @pcrisk, @TrendMicro, @Hitachi_ID, @emsisoft, @BushidoToken, @SteveD3, @SttyK, @CuratedIntel, and @vinopaljiri.

January 22nd 2022

New Paradise ransomware variant

dnwls0719 found a new Paradise .NET variant that appends the .iskaluz extension to encrypted files.

January 24th 2022

Ransomware gangs increase efforts to enlist insiders for attacks

A recent survey of 100 large (over 5,000 employees) North American IT firms shows that ransomware actors are making greater effort to recruit insiders in targeted firms to aid in attacks.

Hackers say they encrypted Belarusian Railway servers in protest

A group of hackers (known as Belarusian Cyber-Partisans) claim they breached and encrypted servers belonging to the Belarusian Railway, Belarus’s national state-owned railway company.

New STOP Ransomware variant

Jakub Kroustek found a new STOP ransomware variant that appends the .qqqw extension.

January 25th 2022

New DeadBolt ransomware targets QNAP devices, asks 50 BTC for master key

A new DeadBolt ransomware group is encrypting QNAP NAS devices worldwide using what they claim is a zero-day vulnerability in the device’s software.

Ransomware hackers’ new tactic: Calling you directly

Wayne didn’t know his son’s school district had been hacked — its files stolen and computers locked up and held for ransom — until last fall when the hackers started emailing him directly with garbled threats.

Hacktivist group shares details related to Belarusian Railways hack

The Belarusian Cyber Partisans have shared documents related to another hack, and explained that Curated Intel member, SttyK, would “understand some of the methods used.”

New ransomware appends ‘exploit’

dnwls0719 found a new ransomware appending the .exploit extension to encrypted files.

January 26th 2022

QNAP warns of new DeadBolt ransomware encrypting NAS devices

QNAP is warning customers again to secure their Internet-exposed Network Attached Storage (NAS) devices to defend against ongoing and widespread attacks targeting their data with the new DeadBolt ransomware strain.

Linux version of LockBit ransomware targets VMware ESXi servers

LockBit is the latest ransomware gang whose Linux encryptor has been discovered to be focusing on the encryption of VMware ESXi virtual machines.

New Babuk knockoff ransomware variant

dnwls0719 found a new Babuk knockoff appending the .king extension to encrypted files.

January 27th 2022

Taiwanese Apple and Tesla contractor hit by Conti ransomware

Delta Electronics, a Taiwanese electronics company and a provider for Apple, Tesla, HP, and Dell, disclosed that it was the victim of a cyberattack discovered on Friday morning.

A history of REvil

In our previous research we investigated a ransom cartel, and then we conducted a study on ransomware gangs and their links to Russian intelligence organizations. Now, we are conducting a use case into one of the world’s most notorious ransomware gangs, REvil. This particular case is fascinating because the gang has existed for several years, conducted many high-profile attacks, inspired several spin-off gangs, and in the end, caused major turmoil among partnering hackers who supported them.

New MedusaLocker variant

dnwls0719 found a new MeduaLocker ransomware variant that appends the .farattack extension to encrypted files.

January 28th 2022

QNAP force-installs update after DeadBolt ransomware hits 3,600 devices

QNAP force-updated customer’s Network Attached Storage (NAS) devices with firmware containing the latest security updates to protect against the DeadBolt ransomware, which has already encrypted over 3,600 devices.

Emsisoft releases a decryption tool for DeadBolt

Emsisoft has released a decryption tool for DeadBolt, but users will still need to obtain a decryption key by paying the ransom.

New STOP ransomware variants

PCrisk found two new STOP ransomware variants that append the .qqqe or .yoqs extensions.

Thanos builder used to create new ransomware

Jirí Vinopal found a new ransomware that was created by the Thanos builder that appends the .NARUMI extension.

That’s it for this week! Hope everyone has a nice weekend!