The Week in Ransomware - December 2nd 2022 - Disrupting Health Care



This week's big news was the Colombia health system being severely disrupted by a ransomware attack on Keralty, one of the country's largest healthcare providers.


Patients have had to wait upwards of twelve hours to receive care, with reports of people fainting due to the lack of medical attention.


The Keralty attack was conducted by the RansomHouse ransomware operation, which claims to have stolen 3TB of data during the attack.


This week's other news includes an uptick in attacks by the rebranded Trigona Ransomware operation and reports of a new data wiper named CryWiper targeting local government agencies in Russia.


Zscaler also put out an excellent technical analysis of Black Basta, and the FBI disclosed that the Cuba ransomware earned $60 million from over 100 victims.


Contributors and those who provided new ransomware information and stories this week include: @BleepinComputer, @LawrenceAbrams, @FourOctets, @demonslay335, @struppigel, @PolarToffee, @serghei, @fwosar, @DanielGallagher, @jorntvdw, @billtoulas, @Seifreed, @VK_Intel, @malwareforme, @malwrhunterteam, @Ionut_Ilascu, @kaspersky, @xfalexx, @hyperconectado, @kennethdee, @pcrisk, @pushecx, and @BrettCallow.


November 26th 2022


Ransomware gang targets Belgian municipality, hits police instead


The Ragnar Locker ransomware gang has published stolen data from what they thought was the municipality of Zwijndrecht, but turned out to be stolen from Zwijndrecht police, a local police unit in Antwerp, Belgium.


November 28th 2022


New Dharma ransomware variants


PCrisk found new Dharma ransomware variants that append the .just or .CRASH extension to encrypted files.


New Xorist ransomware variants


PCrisk found new Xorist ransomware variants that append the .ety or .lUUUUUUUUU extensions to encrypted files.


New Chaos ransomware variant


PCrisk found a new Chaos ransomware variant that appends the .NULL extension and drops a ransom note named read_it.txt.


November 29th 2022


Trigona ransomware spotted in increasing attacks worldwide


A previously unnamed ransomware operation has rebranded as 'Trigona,' launching a new Tor negotiation site where it accepts Monero as ransom payment.


November 30th 2022


Keralty ransomware attack impacts Colombia's health care system


The Keralty multinational healthcare organization suffered a RansomHouse ransomware attack on Sunday, disrupting the websites and operations of the company and its subsidiaries.


New STOP ransomware variants


PCrisk found new STOP ransomware variants that append the .uyro and .uyit extensions.


New MedusaLocker ransomware variant


PCrisk found a new MedusaLocker variant that appends the .cipher extension and drops a ransom note named !-Recovery_Instructions-!.html.


New DATAF Locker ransomware


PCrisk found a new DATAF Locker ransomware that appends the .dataf extension and drops a ransom note named How To Restore Your Files.txt.
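The file extensions and ransom note names in the PCrisk entries above (Dharma, Xorist, Chaos, STOP, MedusaLocker and DATAF Locker) are the artifacts a responder sees first on a hit file share. The following Python script is an added example, not code from BleepingComputer or PCrisk: it classifies a file listing against those indicators and only flags a family once several renamed files or a ransom note turn up, since a single ".cipher" or ".null" file can be a legitimate one. The sample paths are constructed.

```python
import os
from collections import Counter
from pathlib import PurePath

# Indicators from this week's PCrisk entries (final extension -> family); names like
# "file.docx.id-XXXX.[mail].just" are common, so only the last suffix is compared.
EXTENSIONS = {
    ".just": "Dharma", ".crash": "Dharma", ".ety": "Xorist", ".luuuuuuuuu": "Xorist",
    ".null": "Chaos", ".uyro": "STOP", ".uyit": "STOP", ".cipher": "MedusaLocker",
    ".dataf": "DATAF Locker",
}
# Ransom note file names from the same entries, compared case-insensitively.
RANSOM_NOTES = {
    "read_it.txt": "Chaos",
    "!-recovery_instructions-!.html": "MedusaLocker",
    "how to restore your files.txt": "DATAF Locker",
}

def classify(paths, min_hits=5):
    """Return (renamed files per family, ransom notes found, sorted suspected families).
    A lone hit may be a legitimate file (".cipher" is an ordinary extension), so a family
    is suspected only if >= min_hits files carry its extension or a note is present."""
    ext_hits = Counter()
    note_hits = []
    for path in paths:
        name = PurePath(path).name.lower()
        if name in RANSOM_NOTES:
            note_hits.append((path, RANSOM_NOTES[name]))
            continue
        family = EXTENSIONS.get(PurePath(name).suffix)
        if family:
            ext_hits[family] += 1
    suspected = {fam for fam, n in ext_hits.items() if n >= min_hits}
    suspected.update(fam for _path, fam in note_hits)
    return ext_hits, note_hits, sorted(suspected)

def scan_tree(root, min_hits=5):
    """Walk a directory tree (e.g. a mounted share) and classify every file in it."""
    paths = (os.path.join(d, f) for d, _sub, files in os.walk(root) for f in files)
    return classify(paths, min_hits)

# Constructed sample listing (not real victim data) for a stand-alone run.
SAMPLE = [
    "C:/Users/a/Documents/report.docx.id-1A2B3C4D.[mail@example.invalid].just",
    "C:/Users/a/Documents/budget.xlsx.id-1A2B3C4D.[mail@example.invalid].just",
    "C:/Users/a/Pictures/holiday.jpg.cipher",
    "C:/Users/a/Pictures/!-Recovery_Instructions-!.html",
    "C:/Users/a/Desktop/read_it.txt",
]
```

Run `scan_tree("/mnt/share")` against a mounted volume to triage it; lower `min_hits` on a small directory, raise it on a large one.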


December 1st 2022


FBI: Cuba ransomware raked in $60 million from over 100 victims


The FBI and CISA revealed in a new joint security advisory that the Cuba ransomware gang raked in over $60 million in ransoms as of August 2022 after breaching more than 100 victims worldwide.


Back in Black... Basta


Zscaler ThreatLabz has been tracking prominent ransomware families and their tactics, techniques and procedures (TTPs) including the BlackBasta ransomware family. On November 16, 2022, ThreatLabz identified new samples of the BlackBasta ransomware that had significantly lower antivirus detection rates. The latest BlackBasta code has numerous differences compared to the original BlackBasta ransomware.


December 2nd 2022


New CryWiper malware wipes data in attack against Russian org


A previously undocumented data wiper named CryWiper is masquerading as ransomware, extorting victims to pay for a decrypter, but in reality, it just destroys data beyond recovery.


Seattle-area debt collector allegedly compromised data of 3.7 million people


A Lynnwood, Washington-based debt-collection company has been sued for compromising the names and Social Security information of more than 3.7 million individuals in a data breach in April 2021.


That's it for this week! Hope everyone has a nice weekend!