The Week in Ransomware - May 17th 2024 - Mailbombing is back

Email attack

This week was pretty quiet on the ransomware front, with most of the attention on the seizure of the BreachForums data theft forum.

However, that does not mean there was nothing of interest released this week about ransomware.

A report by CISA said that the Black Basta ransomware oepration has breached over 500 organizations worlwide since the group launched in April 2022.

After the Conti suffered a massive data breach, the ransomware operation shut down and its members splintered into different groups or launched their own ransomware operations.

One of those operations is Black Basta, which is believed to be composed of prior Conti members who operate it as a private group rather than as public ransomware-as-a-service.

It is widely believed that CISA released this report after news of massive disruption at Ascension Healthcare was caused by a Black Basta ransomware attack.

In other news, the relatively new Inc Ransomware was attempting to sell its source code for $300,000. However, it is unclear whether the group was selling older, unused code or shutting down the operation.

Ransomware phishing attacks also took front stage this week, with the Phorpiex botnet sending millions of emails that led to LockBit Black ransomware attacks, with the encryptor believed to have been created using LockBit's leaked source code.

BlackBasta was also found mailbombing employees in targeted organizations by subscribing their email addresses to various subscription services. They then contacted the target as IT support from their company to conduct a social engineering attack that let them gain access to the victim's computer.

Finally, Australian electronic prescription provider MediSecure shut down its IT systems and phones after suffering a 'large-scale' ransomware data breach.

Contributors and those who provided new ransomware information and stories this week include: @serghei, @BleepinComputer, @billtoulas, @fwosar, @demonslay335, @Ionut_Ilascu, @Seifreed, @LawrenceAbrams, @malwrhunterteam, @rapid7, @MsftSecIntel, @3xp0rtblog, @Intel_by_KELA, @NJCybersecurity, @proofpoint, @troyhunt, @CISAgov, @FBI, @AhnLab_SecuInfo, @briankrebs, @NCSC, @sekoia_io, @JakubKroustek, and @pcrisk.

May 11th 2024

CISA: Black Basta ransomware breached over 500 orgs worldwide

CISA and the FBI said today that Black Basta ransomware affiliates breached over 500 organizations between April 2022 and May 2024.

May 12th 2024

Largest non-bank lender in Australia warns of a data breach

Firstmac Limited is warning customers that it suffered a data breach a day after the new Embargo cyber-extortion group leaked over 500GB of data allegedly stolen from the firm.

New STOP ransomware variant

Jakub Kroustek found a new STOP ransomware variant that appends the .paaa extension.

May 13th 2024

Botnet sent millions of emails in LockBit Black ransomware campaign

Since April, millions of phishing emails have been sent through the Phorpiex botnet to conduct a large-scale LockBit Black ransomware campaign.

INC ransomware source code selling on hacking forums for $300,000

A cybercriminal using the name "salfetka" claims to be selling the source code of INC Ransom, a ransomware-as-a-service (RaaS) operation launched in August 2023.

Mallox affiliate leverages PureCrypter in MS-SQL exploitation campaigns

Recently, our team observed an incident involving our MS-SQL (Microsoft SQL) honeypot. It was targeted by an intrusion set leveraging brute-force tactics, aiming to deploy the Mallox ransomware via PureCrypter through several MS-SQL exploitation techniques.

How Did Authorities Identify the Alleged Lockbit Boss?

Last week, the United States joined the U.K. and Australia in sanctioning and charging a Russian man named Dmitry Yuryevich Khoroshev as the leader of the infamous LockBit ransomware group. LockBit’s leader “LockBitSupp” claims the feds named the wrong guy, saying the charges don’t explain how they connected him to Khoroshev. This post examines the activities of Khoroshev’s many alter egos on the cybercrime forums, and tracks the career of a gifted malware author who has written and sold malicious code for the past 14 years.

Malware Distributed as Copyright Violation-Related Materials (Beast Ransomware, Vidar Infostealer)

The distribution of a new malware strain has been identified based on a recent copyright infringement warning, and it will be covered here.

New STOP ransomware variant

Jakub Kroustek found a new STOP ransomware variant that appends the .vehu extension.

New STOP ransomware variant

PCrisk found a new STOP ransomware variant that appends the .vepi extension.

New ransomware variant

PCrisk found a new STOP ransomware variant that appends the .capibara extension and drops a ransom note named READ_ME_USER.txt.

May 14th 2024

Cyber insurance industry unites to bear down on ransom payments

Joint guidance from the NCSC with the Association of British Insurers (ABI), British Insurance Brokers’ Association (BIBA) and International Underwriting Association (IUA) aims to help organisations faced with ransomware demands minimise disruption and the cost of an incident.

Guidance for organisations considering payment in ransomware incidents

This guidance has been jointly developed by the insurance industry bodies ABI, BIBA, IUA and the NCSC. It is for organisations experiencing a ransomware attack and the partner organisations supporting them.

May 15th 2024

Nissan North America data breach impacts over 53,000 employees

Nissan North America (Nissan) suffered a data breach last year when a threat actor targeted the company's external VPN and shut down systems to receive a ransom.

Windows Quick Assist abused in Black Basta ransomware attacks

?Financially motivated cybercriminals abuse the Windows Quick Assist feature in social engineering attacks to deploy Black Basta ransomware payloads on victims' networks.

Tornado Cash cryptomixer dev gets 64 months for laundering $2 billion

Alexey Pertsev, one of the main developers of the Tornado Cash cryptocurrency tumbler has been sentenced to 64 months in prison for his part in helping launder more than $2 billion worth of cryptocurrency.

May 16th 2024

MediSecure e-script firm hit by ‘large-scale’ ransomware data breach

Electronic prescription provider MediSecure in Australia has shut down its website and phone lines following a ransomware attack believed to originate from a third-party vendor.

That's it for this week! Hope everyone has a nice weekend!