The Week in Ransomware – October 14th 2022 – Bitcoin Trickery – BleepingComputer

This week's news is action-packed, with police tricking ransomware into releasing keys to victims calling ransomware operations liars.

The most interesting news this week is about the Dutch Police and Responders.NU working some trickery on the DeadBolt Ransomware operation that caused them to fork over 155 decryption keys for victims.

Other interesting research includes fake adult sites pushing data wipers, TTPs on Black Basta, info on a new Prestige Ransomware targeting Ukraine and Poland, and Magniber ransomware being installed via JavaScript files.

We also learned some information about some attacks that were made public recently.

Healthcare org CommonSpirit admitted this week that they suffered a ransomware attack. However, ADATA denies they suffered a recent attack by RansomHouse and says the data is being recirculated from a 2021 breach by RagnarLocker.

Contributors and those who provided new ransomware information and stories this week include: @struppigel, @VK_Intel, @serghei, @BleepinComputer, @billtoulas, @LawrenceAbrams, @malwareforme, @demonslay335, @FourOctets, @jorntvdw, @PolarToffee, @Ionut_Ilascu, @Seifreed, @fwosar, @malwrhunterteam, @DanielGallagher, @AuCyble, @UID_, @linuxct,@MsftSecIntel, @ahnlab, @Amermelsad, @TrendMicro, and @pcrisk.

Taiwanese chip maker ADATA denies claims of a RansomHouse cyberattack after the threat actors began posting stolen files on their data leak site.

Malicious adult websites push fake ransomware which, in reality, acts as a wiper that quietly tries to delete almost all of the data on your device.

PCrisk found a VoidCrypt variant that appends the .solo extension and drops a ransom note named unlock-info.txt.

PCrisk found a new Dharma variant that appends the .dkey extension to encrypted files.

Microsoft is investigating reports of a new zero-day bug abused to hack Exchange servers which were later used to launch Lockbit ransomware attacks.

For years, Bittrexs AML program and SAR reporting failures unnecessarily exposed the U.S. financial system to threat actors, said FinCEN Acting Director Himamauli Das. Bittrexs failures created exposure to high-risk counterparties including sanctioned jurisdictions, darknet markets, and ransomware attackers. Virtual asset service providers are on notice that they must implement robust risk-based compliance programs and meet their BSA reporting requirements. FinCEN will not hesitate to act when it identifies willful violations of the BSA.

As previously shared, upon discovering the ransomware attack, we took immediate steps to protect our systems, contain the incident, begin an investigation, and ensure continuity of care. Our facilities are following existing protocols for system outages, which includes taking certain systems offline, such as electronic health records. In addition, we are taking steps to mitigate the disruption and maintain continuity of care. To further assist and support our team in the investigation and response process, we engaged leading cybersecurity specialists and notified law enforcement.

We analyzed a QAKBOT-related case leading to a Brute Ratel C4 and Cobalt Strike payload that can be attributed to the threat actors behind the Black Basta ransomware.

PCrisk found new STOP ransomware variants that append the .powz and .pohj extensions.

A recent malicious campaign delivering Magniber ransomware has been targeting Windows home users with fake security updates.

PCrisk found a new Dharma variant that appends the .CYBER extension to encrypted files and drops a ransom note named CYBER.txt.

Microsoft says new Prestige ransomware is being used to target transportation and logistics organizations in Ukraine and Poland in ongoing attacks.

The Dutch National Police, in collaboration with cybersecurity firm Responders.NU, obtained 155 decryption keys from the DeadBolt ransomware gang by faking ransom payments.

In this report, we will provide our analysis of Ransom Cartel ransomware, as well as our assessment of the possible connections between REvil and Ransom Cartel ransomware.

For example, after the RCMP seized cryptocurency held by Canadian Sebastien Vachon-Desjardins, an affiliate of the Netwalker ransomware gang, it tried returning the funds to Canadian victims. Some organizations refused to acknowledge being hit, she said.

See the rest here:
The Week in Ransomware - October 14th 2022 - Bitcoin Trickery - BleepingComputer