The Week in Ransomware – March 18th 2022 – Targeting the auto industry

This week, the automotive industry has been under attack, with numerous companies exhibiting signs of breaches or ransomware activity.

It started with a ransomware attack on Denso, the world’s largest automotive components manufacturer, who was hit by the new Pandora ransomware operation. Pandora is believed to be a rebrand of the Root ransomware operation.

Dragos Inc. later reported increased Emotet activity targeting the automotive industry, which usually leads to Conti ransomware attacks.

BleepingComputer has also been tracking a ransomware attack this week against Snap-On, a manufacturer of tools for the transportation industry.

We first learned of the attack after one of their subsidiaries, Mitchell 1, suffered an outage of their automotive repair software that a source told us was caused by a ransomware attack.

Yesterday, Conti claimed responsibility for the attack on Snap-on.

Good news this week is the release of a decryptor for the Diavol ransomware, an operation run by the TrickBot Group.

Contributors and those who provided new ransomware information and stories this week include: @LawrenceAbrams, @Ionut_Ilascu, @DanielGallagher, @BleepinComputer, @Seifreed, @VK_Intel, @serghei, @demonslay335, @malwrhunterteam, @fwosar, @jorntvdw, @malwareforme, @FourOctets, @struppigel, @PolarToffee, @billtoulas, @S0ufi4n3, @Intel471Inc, @3xp0rtblog, @pancak3lullz, @Arkbird_SOLG, @LabsSentinel, @radvadva, @ESETresearch, @BrettCallow, @benoitsevens, @vladhiewsha, @pcrisk, @Arete_Advisors, @vxunderground, @f0wlsec, @herrcore, @DragosInc, @petrovic082, @sysopfb, and @emsisoft.

March 14th 2022

Automotive giant DENSO hit by new Pandora ransomware gang

Automotive parts manufacturer DENSO has confirmed that it suffered a cyberattack on March 10th after a new Pandora ransomware operation began leaking data allegedly stolen during the attack.

New CaddyWiper data wiping malware hits Ukrainian networks

Newly discovered data-destroying malware was observed earlier today in attacks targeting Ukrainian organizations and deleting data across systems on compromised networks.

New IceFire ransomware

MalwareHunterTeam found a new ransomware named IceFire that appends the .iFire extension and drops a ransom note named iFire-readme.txt.

New STOP ransomware variants

PCrisk found new STOP ransomware variants that append the .kqgs, .uigd, .xcbg, or .bpqd extensions.

New Acepy ransomware

Petrovic found the new Acepy ransomware that appends the .acepy extension to encrypted files.

March 15th 2022

Dozens of ransomware variants used in 722 attacks over 3 months

The ransomware space was very active in the last quarter of 2021, with threat analysts observing 722 distinct attacks deploying 34 different variants.

March 16th 2022

New Babuk ransomware variant

PCRisk found a new Babuk ransomware variant that appends the .chernobyl extension.

New STOP ransomware variant

PCrisk found a new STOP ransomware variant that appends the .vlff extension.

BlackCat ransomware releases new version

The BlackCat ransomware gang (aka ALPHV) has updated their ransomware executable to require the passcode used during encrypted to extract its config.

East Tennessee Children’s Hospital cybersecurity issue delays patient’s CT scan

Some lowlife conducted a cyberattack on a children’s hospital. While it has not been confirmed if this is a ransomware attack, it would not be surprising if it was.

Analysis of new BlackCat ransomware with encrypted config

There is a new BlackCat ransomware sample out and it the config is now protected using a command line supplied ACCCESS_TOKEN. The token is used to generate an AES key which is then used to decrypt the encrypted config.

Pandora Ransomware – The Box has been open for a while…

Today we are going to be looking at “Pandora Ransomware”, a novel Ransomware strain that has been monitored for a couple of days, e.g. by MalwareHunterTeam, but at first no sample was available.

March 17th 2022

Google exposes tactics of a Conti ransomware access broker

Google’s Threat Analysis Group has exposed the operations of a threat actor group dubbed “EXOTIC LILY,” an initial access broker linked to the Conti and Diavol ransomware operations.

More Conti leaks on hacking forums

As discovered by 3xp0rt, someone leaked more information about the Conti ransomware gang on the XSS forum. This leak contained URLs to the ransomware gang’s rocket chat servers and information about members.

New STOP ransomware variant

PCrisk found a new STOP ransomware variant that appends the .eyrv extension.

March 18th 2022

Free decryptor released for TrickBot gang’s Diavol ransomware

Cybersecurity firm Emsisoft has released a free decryption tool to help Diavol ransomware victims recover their files without paying a ransom.

Surtr Ransomware Pays Tribute to REvil

In February 2022, Arete investigated a Surtr ransomware incident where the ransomware author(s) paid tribute to the now defunct REvil (aka Sodinokibi) group by making a registry key change to the infected host.

Snap-on hit by Conti ransomware

The Snap-on company suffered a Conti ransomware attack that caused business disruption, including an over 4-day outage for the Mitchell1 automotive repair software, which is commonly used in repair shops.

That’s it for this week! Hope everyone has a nice weekend!