The Week in Ransomware – April 24th 2020

There was not a lot of new variants released this week, but we did have some attacks on high profile victims.

This past weekend it came to light that IT service giant Cognizant suffered a Maze Ransomware attack. Strangely, while Cognizant is stating it was Maze, the ransomware operators are denying it.

DoppelPaymer also started to leak data for the City of Torrance in California who was attacked on March 1st.

Other than that, we have seen a few new variants released this week and the unfortunate continued targeting of hospitals by ransomware operators.

Contributors and those who provided new ransomware information and stories this week include: @malwareforme, @malwrhunterteam, @fwosar, @LawrenceAbrams, @jorntvdw, @BleepinComputer, @Seifreed, @PolarToffee, @DanielGallagher, @serghei, @demonslay335, @Ionut_Ilascu, @VK_Intel, @FourOctets, @struppigel, @LibraAnalysis, @TalosSecurity, @emsisoft, @albertzsigovits, @SophosLabs, and @GrujaRS.

April 18th 2020

US govt: Hacker used stolen AD credentials to ransom hospitals

Hackers have deployed ransomware on the systems of U.S. hospitals and government entities using stolen Active Directory credentials months after exploiting a known remote code execution (RCE) vulnerability in their Pulse Secure VPN servers.

IT services giant Cognizant suffers Maze Ransomware cyber attack

Information technologies services giant Cognizant suffered a cyber attack Friday night allegedly by the operators of the Maze Ransomware, BleepingComputer has learned.

Fake SMBGhost exploit installs ransomware

MalwareHunterTeam found a fake SMBGhost exploit that is actually ransomware that appends the .sepsys extension to encrypted files.

April 20th 2020

The State of Ransomware in the US: Report and Statistics for Q1 2020

In 2019, 966 government agencies, educational establishments and healthcare providers in the US were impacted by ransomware. While the early indicators were that the 2020 numbers would be similar to 2019’s or perhaps even worse, that has proved not to be the case. A total of 89 organizations were impacted by ransomware in Q1, however, as the COVID-19 crisis worsened, the number of successful attacks reduced considerably and is now at a level not seen in several years.

New Lezp STOP Ransomware variant

Michael Gillespie found a new variant of the STOP Djvu Ransomware that appends the .lezp extension to encrypted files.

April 21st 2020

DoppelPaymer Ransomware hits Los Angeles County city, leaks files

The City of Torrance of the Los Angeles metropolitan area, California, has allegedly been attacked by the DoppelPaymer Ransomware, having unencrypted data stolen and devices encrypted.

New Coronavirus screenlocker malware is extremely annoying

A fake WiFi hacking program is being used to distribute a new Coronavirus-themed malware that tries to lock you out of Windows while making some very annoying sounds.

April 23rd 2020

Threat Spotlight: MedusaLocker

MedusaLocker is a ransomware family that has been observed being deployed since its discovery in 2019. Since its introduction to the threat landscape, there have been several variants observed. However, most of the functionality remains consistent. The most notable differences are changes to the file extension used for encrypted files and the look and feel of the ransom note that is left on systems following the encryption process.

New ISO Phobos ransomware variant

GrujaRS found a new Phobos Ransomware variant that appends the .iso extension to encrypted files.

April 24th 2020

SeaChange video platform allegedly hit by Sodinokibi ransomware

A leading supplier of video delivery software solutions is reportedly the latest victim of the Sodinokibi Ransomware, who has posted images of data they claim to have stolen from the company during a cyberattack.

LockBit ransomware borrows tricks to keep up with REvil and Maze

Ransomware operators are always on the lookout for a way to take their ransomware to the next level. That’s particularly true of the gang behind LockBit. Following the lead of the Maze and REvil ransomware crime rings, LockBit’s operators are now threatening to leak the data of their victims in order to extort payment. And the ransomware itself also includes a number of technical improvements that show LockBit’s developers are climbing the ransomware learning curve—and have developed an interesting technique to circumvent Windows’ User Account Control (UAC).

That's it for this week! Hope everyone has a nice weekend!

Comments are closed.