For the most part, this week has been relatively quiet regarding ransomware attacks and research — that is, until the FBI announced the disruption of the Hive ransomware operation.
Hive ransomware launched in June 2021 and quickly became one of the most active and prominent ransomware operations.
Launched as a Ransomware-as-a-Service, the Hive operators were responsible for developing the ransomware and maintaining the data leak and negotiation sites, while affiliates were recruited to conduct attacks and deploy the encryptors.
As part of this arrangement, the operators kept 20% of all ransom payments, and the affiliates earned the rest.
Yesterday, an international law enforcement operation seized the Tor websites for the Hive ransomware operation and disclosed that they had secretly hacked the organization’s servers in July 2022.
For the past six months, the police have monitored their communications, intercepted decryption keys, and helped victims with free decryptors.
While no arrests were made, this was a massive blow to a prominent player in this cybercrime space, and the operation prevented $100 million in ransom payments.
BleepingComputer also reported this week on Google advertisements being abused by ransomware access brokers for initial access to corporate networks.
This same access broker previously partnered with the Royal Ransomware gang for attacks.
Be careful out there: when searching for software, click the developer's legitimate link in the organic search results rather than a Google ad.
Contributors and those who provided new ransomware information and stories this week include: @PolarToffee, @demonslay335, @LawrenceAbrams, @malwrhunterteam, @BleepinComputer, @Ionut_Ilascu, @Seifreed, @serghei, @struppigel, @billtoulas, @fwosar, @TrendMicro, @pcrisk, @1ZRR4H, @wdormann, and @ffforward.
January 23rd 2023
New Dharma ransomware variants
PCrisk found new Dharma ransomware variants that append the .nlb and .r0n extensions to encrypted files.
New Stop ransomware variant
PCrisk found a new STOP ransomware variant that appends the .mztu extension.
New VoidCrypt ransomware variant
PCrisk found a new VoidCrypt ransomware variant that appends the .MrWhite extension and drops a ransom note named Dectryption-guide.txt.
January 24th 2023
Ransomware access brokers use Google ads to breach your network
A threat actor tracked as DEV-0569 uses Google Ads in widespread, ongoing advertising campaigns to distribute malware, steal victims’ passwords, and ultimately breach networks for ransomware attacks.
Vice Society Ransomware Group Targets Manufacturing Companies
Most reports have the threat actor focusing its efforts on the education and healthcare industries. However, through Trend Micro’s telemetry data, we have evidence that the group is also targeting the manufacturing sector, which means that they have the capability and desire to penetrate different industries — most likely accomplished via the purchasing of compromised credentials from underground channels.
New MedusaLocker ransomware variant
PCrisk found a new MedusaLocker ransomware variant that appends the .filesencrypted extension.
January 26th 2023
Hive ransomware disrupted after FBI hacks gang’s systems
The Hive ransomware operation’s Tor payment and data leak sites were seized as part of an international law enforcement operation after the FBI infiltrated the gang’s infrastructure last July.
New Mimic ransomware abuses ‘Everything’ Windows search tool
Security researchers discovered a new ransomware strain they named Mimic that leverages the APIs of the ‘Everything’ file search tool for Windows to look for files targeted for encryption.
US offers $10M bounty for Hive ransomware links to foreign governments
The U.S. Department of State today offered up to $10 million for information that could help link the Hive ransomware group (or other threat actors) with foreign governments.
New Phobos ransomware variant
PCrisk found a new Phobos variant that appends the .unknown extension.
January 27th 2023
New SickFile ransomware
PCrisk found a new ransomware variant that appends the .sickfile extension and drops a ransom note named how_to_back_files.html.
New Mallox ransomware variant
PCrisk found a new Mallox variant that appends the .bitenc extension.
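The new-variant items in this roundup (Dharma, STOP, VoidCrypt, MedusaLocker, Phobos, SickFile and Mallox) each boil down to a file extension or ransom-note name. The following added example, written for this page and not code from BleepingComputer or PCrisk, turns those reported markers into a small triage scanner that a responder could run against a suspect share: it walks a directory, tallies files carrying the reported extensions per family, and treats a ransom note as strong evidence while a handful of renamed files is only weak evidence. The indicator table comes from the items above; the scanner logic, the `MIN_HITS` threshold and the sample file listing are assumptions constructed for the example. Note that a generic-looking extension such as `.unknown` will produce false positives on its own, which is why the threshold exists.

```python
"""Triage scanner for the ransomware file markers reported in this week's roundup.

The extension and ransom-note tables below are taken from the roundup items;
the scanning logic, the MIN_HITS threshold and the sample listing are an
added example, not code from the article or from the researchers it cites.
"""
import os
from collections import Counter
from pathlib import Path

# Extension -> family, as reported by PCrisk this week (lower-cased for matching).
EXTENSION_FAMILIES = {
    ".nlb": "Dharma",
    ".r0n": "Dharma",
    ".mztu": "STOP",
    ".mrwhite": "VoidCrypt",
    ".filesencrypted": "MedusaLocker",
    ".unknown": "Phobos",
    ".sickfile": "SickFile",
    ".bitenc": "Mallox",
}

# Ransom-note file names reported this week -> family.
RANSOM_NOTES = {
    "dectryption-guide.txt": "VoidCrypt",
    "how_to_back_files.html": "SickFile",
}

# A single file with a generic-looking extension such as ".unknown" is weak
# evidence; require this many renamed files before calling a family "likely".
MIN_HITS = 3  # assumed threshold for the example, not from the article


def classify_names(names):
    """Return (Counter of family -> renamed-file count, list of (family, note name))."""
    hits = Counter()
    notes = []
    for name in names:
        lower = name.lower()
        if lower in RANSOM_NOTES:
            notes.append((RANSOM_NOTES[lower], name))
            continue
        # Path.suffix gives the last extension, so "budget.xlsx.nlb" -> ".nlb".
        family = EXTENSION_FAMILIES.get(Path(lower).suffix)
        if family:
            hits[family] += 1
    return hits, notes


def scan_tree(root):
    """Walk a directory tree and classify every file name found under it."""
    names = []
    for _dirpath, _dirnames, filenames in os.walk(root):
        names.extend(filenames)
    return classify_names(names)


def assess(hits, notes):
    """Map each family seen to 'likely' or 'weak' based on notes and file counts."""
    note_families = {family for family, _name in notes}
    verdicts = {}
    for family in set(hits) | note_families:
        # A ransom note alone is strong evidence; otherwise need MIN_HITS renamed files.
        if family in note_families or hits[family] >= MIN_HITS:
            verdicts[family] = "likely"
        else:
            verdicts[family] = "weak"
    return verdicts


# Constructed sample listing (not from a real incident) used by the demo below.
SAMPLE_NAMES = [
    "budget.xlsx.nlb", "notes.docx.nlb", "photo.jpg.r0n",   # three Dharma-style renames
    "archive.zip.unknown",                                   # one Phobos-style rename
    "Dectryption-guide.txt", "report.pdf.MrWhite",           # VoidCrypt note plus one rename
    "readme.txt", "app.exe",                                 # untouched files
]

if __name__ == "__main__":
    hits, notes = classify_names(SAMPLE_NAMES)
    for family, verdict in sorted(assess(hits, notes).items()):
        note_count = sum(1 for fam, _name in notes if fam == family)
        print(f"{family}: {verdict} ({hits[family]} renamed files, {note_count} ransom notes)")
```

Run it as a script to see the verdicts for the constructed listing, or call `scan_tree("/path/to/share")` from a console against a suspect directory. The split between `classify_names` and `scan_tree` keeps the matching logic testable without touching a filesystem, and feeding it a file listing exported from a backup catalogue or EDR console works just as well as walking a live tree.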