Article Details
Scrape Timestamp (UTC): 2023-09-29 21:53:48.323
Original Article Text
The Week in Ransomware - September 29th 2023 - Dark Angels

This week has been a busy ransomware week, with ransomware attacks having a massive impact on organizations and the fallout of the MOVEit breaches continuing to be disclosed.

BleepingComputer also exclusively broke the story that building and automation giant Johnson Controls International suffered a Dark Angels ransomware attack, with the threat actors claiming to have stolen 27 TB of data from 25 file servers. The attack reportedly began in the company's Asia offices, from which the threat actors spread to the rest of the corporate network. During this time, the attackers claim to have stolen DWG files, engineering documents, databases, confidential documents, and client contracts. Soon after BleepingComputer broke the news, Johnson Controls submitted a Form 8-K filing with the SEC, confirming that it had suffered a cyberattack.

We also continue to see the effects of Clop's massive MOVEit data-theft attacks, with the National Student Clearinghouse warning of a data breach that impacted 890 schools and the BORN Ontario child registry breach impacting 3.4 million people, including patients at the Hospital for Sick Children (SickKids).

Cybersecurity firms, journalists, and law enforcement also released interesting reports this week:

Contributors and those who provided new ransomware information and stories this week include @serghei, @Ionut_Ilascu, @BleepinComputer, @fwosar, @Seifreed, @demonslay335, @billtoulas, @LawrenceAbrams, @malwrhunterteam, @MalGamy12, @billseagull, @coveware, @GroupIB_TI, @briankrebs, @pcrisk, @FBI, @jgreigj, and @DrWeb_antivirus.

September 23rd 2023

National Student Clearinghouse data breach impacts 890 schools
U.S. educational nonprofit National Student Clearinghouse (NSC) has disclosed a data breach affecting 890 schools using its services across the United States.
September 25th 2023

BORN Ontario child registry data breach affects 3.4 million people
The Better Outcomes Registry & Network (BORN), a healthcare organization funded by the government of Ontario, has announced that it is among the victims of Clop ransomware's MOVEit hacking spree.

Megazord: a ransomware written in Rust
Technical writeup on Akira's new PowerRanges variant, internally called Megazord. Megazord is a new variant of Akira ransomware. Akira appeared in March 2023, and a Linux version appeared in June. Akira encrypts files with a combination of RSA and AES. Megazord differs from the earlier variant in that it is written in Rust and encrypts with a combination of curve25519 elliptic-curve asymmetric encryption and the Sosemanuk stream cipher. Encrypted files are given the .powerranges extension, and a ransom note is dropped in each folder.

New STOP ransomware variants
PCrisk found new STOP ransomware variants that append the .azhi, .azqt, and .azop extensions.

New Phobos ransomware variant
PCrisk found a new Phobos ransomware variant that appends the .deep extension.

September 26th 2023

SickKids impacted by BORN Ontario data breach that hit 3.4 million
The Hospital for Sick Children, more commonly known as SickKids, is among the healthcare providers impacted by the recent breach at BORN Ontario.

ShadowSyndicate hackers linked to multiple ransomware ops, 85 servers
Security researchers have identified infrastructure belonging to a threat actor now tracked as ShadowSyndicate, who likely deployed seven different ransomware families in attacks over the past year.

Hackers actively exploiting Openfire flaw to encrypt servers
Hackers are actively exploiting a high-severity vulnerability in Openfire messaging servers to encrypt servers with ransomware and deploy cryptominers.
New Night Crow ransomware
PCrisk found a new ransomware named Night Crow that appends the .NIGHT_CROW extension and drops a ransom note named NIGHT_CROW_RECOVERY.txt.

Kettering logistics firm enters administration with 730 jobs lost
A logistics and training firm targeted by a "significant" cyber attack has entered administration.

September 27th 2023

Building automation giant Johnson Controls hit by ransomware attack
Johnson Controls International has suffered what is described as a massive ransomware attack that encrypted many of the company's devices, including VMware ESXi servers, impacting the operations of the company and its subsidiaries.

'Snatch' Ransom Group Exposes Visitor IP Addresses
The victim shaming site operated by the Snatch ransomware group is leaking data about its true online location and internal operations, as well as the Internet addresses of its visitors, KrebsOnSecurity has found. The leaked data suggest that Snatch is one of several ransomware groups using paid ads on Google.com to trick people into installing malware disguised as popular free software, such as Microsoft Teams, Adobe Reader, Mozilla Thunderbird, and Discord.

New Dharma variant
PCrisk found a new Dharma variant that appends the .DOOK extension.

New Xorist variant
PCrisk found a new Xorist variant that appends the .Got extension.

New STOP ransomware variants
PCrisk found new STOP ransomware variants that append the .mzhi, .mzop, and .mzqt extensions.

September 28th 2023

FBI: Dual ransomware attack victims now get hit within 48 hours
The FBI has warned about a new trend in ransomware attacks where multiple strains are deployed on victims' networks to encrypt systems in under two days.

New Medusa variant
PCrisk found a new Medusa variant that appends the .meduza24 extension.
September 29th 2023

Large Michigan healthcare provider confirms ransomware attack
One of the largest healthcare systems in Michigan confirmed that it is dealing with a ransomware attack after a notorious hacker gang boasted about the incident.

New Electronic ransomware
PCrisk found a new ransomware variant that appends the .ELCTRONIC extension and drops a ransom note named README ELECTRONIC.txt.

That's it for this week! Hope everyone has a nice weekend!
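The roundup above lists a dozen new file extensions and two ransom-note filenames. The script below is an added example (not code from BleepingComputer, PCrisk, or any of the reports cited) that sweeps a directory tree for exactly those indicators, tallies hits per family, and reports when more than one family is present, which is the dual-deployment pattern the FBI warning describes. The family-to-indicator map is transcribed from this week's entries; the sample file tree is constructed in a temp directory so the script runs offline, and the family labels for each extension are taken from the entry that reported it.

```python
"""Indicator sweep for the extensions and ransom-note names in this week's roundup.

Added example; the indicator map is transcribed from the entries above and the
sample tree is constructed here for demonstration.
"""
import os
import tempfile
from collections import defaultdict

# Extension -> family, as reported this week (lower-cased for case-insensitive matching).
EXTENSION_FAMILY = {
    ".powerranges": "Akira/Megazord",
    ".azhi": "STOP", ".azqt": "STOP", ".azop": "STOP",
    ".mzhi": "STOP", ".mzop": "STOP", ".mzqt": "STOP",
    ".deep": "Phobos",
    ".night_crow": "Night Crow",
    ".dook": "Dharma",
    ".got": "Xorist",
    ".meduza24": "Medusa",
    ".elctronic": "Electronic",
}

# Ransom-note filename -> family (lower-cased).
NOTE_FAMILY = {
    "night_crow_recovery.txt": "Night Crow",
    "readme electronic.txt": "Electronic",
}


def classify(path):
    """Return (family, indicator kind) for one path, or None if nothing matches."""
    name = os.path.basename(path).lower()
    if name in NOTE_FAMILY:
        return NOTE_FAMILY[name], "ransom note"
    # Only the final extension matters: 'report.docx.deep' -> '.deep'.
    ext = os.path.splitext(name)[1]
    if ext in EXTENSION_FAMILY:
        return EXTENSION_FAMILY[ext], "encrypted file"
    return None


def sweep(root):
    """Walk root and tally indicators by family.

    Returns {family: {"encrypted file": n, "ransom note": m}} with absent kinds omitted.
    """
    hits = defaultdict(lambda: defaultdict(int))
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            match = classify(os.path.join(dirpath, fname))
            if match:
                family, kind = match
                hits[family][kind] += 1
    return {fam: dict(kinds) for fam, kinds in hits.items()}


def families_present(root):
    """Sorted family names seen under root; more than one is the dual-deployment pattern."""
    return sorted(sweep(root))


def build_sample_tree():
    """Constructed sample share: a Night Crow hit set plus one Phobos-extension file."""
    root = tempfile.mkdtemp(prefix="ioc_sweep_")
    layout = {
        "finance/q3.xlsx.NIGHT_CROW": b"",
        "finance/NIGHT_CROW_RECOVERY.txt": b"your files are encrypted",
        "eng/plan.dwg.deep": b"",
        "eng/notes.txt": b"clean",
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    print(sweep(sample_root))
    found = families_present(sample_root)
    if len(found) > 1:
        print("more than one family present:", found)
```

Point it at a mounted share or a forensic image rather than the sample tree to use it for real. Two of the extensions (.deep and .Got) are short, ordinary-looking strings, so a hit on an extension alone is a lead for triage, not a verdict; the ransom-note match or a cluster of same-extension files in one directory is the stronger signal.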
Daily Brief Summary
The building and automation company, Johnson Controls International, was targeted by a ransomware attack from Dark Angels group, resulting in the alleged theft of 27 TB of data from 25 different file servers.
The effects of recent Clop ransomware attacks continue with the National Student Clearinghouse reporting a data breach impacting 890 educational institutions, and BORN Ontario child registry disclosing a breach impacting approximately 3.4 million individuals.
The Hospital for Sick Children, also known as SickKids, was affected by the BORN Ontario security breach.
A large Michigan health service provider confirmed that it faced a ransomware attack.
The FBI has noted an escalation in ransomware attacks, with victims increasingly facing multiple strains deployed on their networks in less than two days.
Reports cite a range of new ransomware variants discovered by cybersecurity researchers.
Security researchers have identified infrastructure belonging to a threat actor, ShadowSyndicate, linked to multiple ransomware deployments over the past year.
The Snatch ransomware group has been found to be leaking data about its location and operations, as well as IP addresses of its site visitors.