Scrape Timestamp (UTC): 2024-01-12 22:09:40.144
The Week in Ransomware - January 12th 2024 - Targeting homeowners' data

Mortgage lenders and related companies are becoming popular targets of ransomware gangs, with four companies in this sector recently attacked.

This week, we learned that mortgage lender loanDepot suffered a cyberattack, which the company later confirmed was ransomware. This comes on the heels of similar attacks against mortgage giant Mr. Cooper, which led to the exposure of data for 14 million people, and attacks on title insurance companies, including First American Financial and Fidelity National Financial.

As these companies obtain a large amount of sensitive information from their customers, they become attractive targets for ransomware gangs to conduct double-extortion attacks.

Other attacks we learned about this week include the Toronto Zoo, a Black Hunt ransomware attack on Tigo Business, and LockBit claiming to be behind the attack on the Capital Health hospital network.

Finland is also warning of Akira ransomware increasingly targeting companies in the country and wiping backups.

Cybersecurity researchers are back from the holidays, sharing new research on a BlackBasta affiliate's use of PikaBot, Microsoft SQL servers being targeted by the Mimic ransomware, and threat actors impersonating security researchers to offer victims a chance to hack back at ransomware gangs.

For some good news, a Dutch police operation with Cisco Talos led to the arrest of a ransomware operator and the retrieval of decryption keys. The key was added to Avast's decryptor, allowing victims of the Tortilla ransomware (based on Babuk) to recover their files for free.

Contributors and those who provided new ransomware information and stories this week include: @LawrenceAbrams, @malwrhunterteam, @fwosar, @BleepinComputer, @serghei, @demonslay335, @Ionut_Ilascu, @Seifreed, @billtoulas, @AWNetworks, @Securonix, @TalosSecurity, @criptoboi, @pcrisk, @TrendMicro, and @Unit42_Intel.
January 7th 2024

Mortgage firm loanDepot cyberattack impacts IT systems, payment portal
U.S. mortgage lender loanDepot has suffered a cyberattack that caused the company to take IT systems offline, preventing online payments against loans.

January 8th 2024

Capital Health attack claimed by LockBit ransomware, risk of data leak
The LockBit ransomware operation has claimed responsibility for a November 2023 cyberattack on the Capital Health hospital network and threatens to leak stolen data and negotiation chats by tomorrow.

Toronto Zoo: Ransomware attack had no impact on animal wellbeing
Toronto Zoo, the largest zoo in Canada, says that a ransomware attack that hit its systems early Friday had no impact on the animals, its website, or its day-to-day operations.

US mortgage lender loanDepot confirms ransomware attack
Leading U.S. mortgage lender loanDepot confirmed today that a cyber incident disclosed over the weekend was a ransomware attack that led to data encryption.

New Phobos ransomware variant
PCrisk found a new Phobos variant that appends the .jopanaxye extension and drops ransom notes named info.txt and info.hta.

New STOP ransomware variants
PCrisk found new STOP ransomware variants that append the .cdwe and .cdaz extensions.

New Makops variant
PCrisk found a new Makops variant that appends the .SOG extension and drops a ransom note named +README-WARNING+.txt.

New Abyss ransomware
PCrisk found a new ransomware that appends the .abyss extension and drops a ransom note named WhatHappened.txt.

January 9th 2024

Paraguay warns of Black Hunt ransomware attacks after Tigo Business breach
The Paraguay military is warning of Black Hunt ransomware attacks after Tigo Business suffered a cyberattack last week impacting cloud and hosting services in the company's business division.

Decryptor for Babuk ransomware variant released after hacker arrested
Researchers from Cisco Talos working with the Dutch police obtained a decryption tool for the Tortilla variant of Babuk ransomware and shared intelligence that led to the arrest of the ransomware's operator.

Hackers target Microsoft SQL servers in Mimic ransomware attacks
A group of financially motivated Turkish hackers targets Microsoft SQL (MSSQL) servers worldwide to encrypt the victims' files with Mimic (N3ww4v3) ransomware.

Ransomware victims targeted by fake hack-back offers
Some organizations victimized by the Royal and Akira ransomware gangs have been targeted by a threat actor posing as a security researcher who promised to hack back the original attacker and delete stolen victim data.

Black Basta-Affiliated Water Curupira's Pikabot Spam Campaign
A threat actor we track under the intrusion set Water Curupira (known to employ the Black Basta ransomware) has been actively using Pikabot, a loader malware with similarities to Qakbot, in spam campaigns throughout 2023.

New Phobos variant
PCrisk found a new Phobos variant that appends the .2700 extension and drops a ransom note named +README-WARNING+.txt.

January 10th 2024

Fidelity National Financial: Hackers stole data of 1.3 million people
Fidelity National Financial (FNF) has confirmed that a November cyberattack (claimed by the BlackCat ransomware gang) has exposed the data of 1.3 million customers.

January 11th 2024

Finland warns of Akira ransomware wiping NAS and tape backup devices
The Finnish National Cybersecurity Center (NCSC-FI) is warning of increased Akira ransomware activity in December, targeting companies in the country and wiping backups.

Medusa Ransomware Turning Your Files into Stone
Unit 42 Threat Intelligence analysts have noticed an escalation in Medusa ransomware activities and a shift in tactics toward extortion, characterized by the introduction in early 2023 of their dedicated leak site called the Medusa Blog. Medusa threat actors use this site to disclose sensitive data from victims unwilling to comply with their ransom demands.

New Phobos variant
PCrisk found a new Phobos variant that appends the .mango extension and drops a ransom note named +README-WARNING+.txt.

New STOP ransomware variants
PCrisk found new STOP ransomware variants that append the .cdtt and .cdpo extensions.

New Ping ransomware
PCrisk found a new ransomware that appends the .pings extension and drops a ransom note named FILE RECOVERY.txt.

January 12th 2024

New Dharma variant
PCrisk found a new Dharma ransomware variant that appends the .AeR extension and drops ransom notes named info.txt and info.hta.

New Xorist variant
PCrisk found a new Xorist variant that appends the .CoV extension and drops a ransom note named HOW TO DECRYPT FILES.txt.

That's it for this week! Hope everyone has a nice weekend!
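The PCrisk entries above each give two file-system indicators: the extension appended to encrypted files and the name of the ransom note dropped. The following triage script is an added example (not code from BleepingComputer or PCrisk) that walks a directory tree, tallies those indicators per family, and ranks the likely family; the sample tree it scans is constructed inline, and the filename pattern `name.ext.id[...].[mail].ext` assumed for Phobos-style renaming is an assumption of the example, not taken from the page.

```python
import os
import tempfile
from collections import defaultdict

# Indicators reported by PCrisk in this week's roundup: appended extension -> (family, ransom note names).
VARIANTS = {
    ".jopanaxye": ("Phobos", {"info.txt", "info.hta"}),
    ".2700": ("Phobos", {"+README-WARNING+.txt"}),
    ".mango": ("Phobos", {"+README-WARNING+.txt"}),
    ".cdwe": ("STOP", set()), ".cdaz": ("STOP", set()),
    ".cdtt": ("STOP", set()), ".cdpo": ("STOP", set()),
    ".SOG": ("Makops", {"+README-WARNING+.txt"}),
    ".abyss": ("Abyss", {"WhatHappened.txt"}),
    ".pings": ("Ping", {"FILE RECOVERY.txt"}),
    ".AeR": ("Dharma", {"info.txt", "info.hta"}),
    ".CoV": ("Xorist", {"HOW TO DECRYPT FILES.txt"}),
}
# Reverse index: note name -> families that drop it (several families share the same note name).
NOTE_TO_FAMILIES = defaultdict(set)
for _fam, _notes in VARIANTS.values():
    for _n in _notes:
        NOTE_TO_FAMILIES[_n].add(_fam)

def triage(root):
    """Walk `root`; per family, count encrypted-file extensions and collect ransom note paths."""
    hits = defaultdict(lambda: {"encrypted": 0, "notes": set()})
    for dirpath, _, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1]  # only the final suffix identifies the variant
            if ext in VARIANTS:
                hits[VARIANTS[ext][0]]["encrypted"] += 1
            for fam in NOTE_TO_FAMILIES.get(name, ()):  # a shared note counts for each candidate
                hits[fam]["notes"].add(os.path.join(dirpath, name))
    return dict(hits)

def rank_families(hits):
    """Most likely family first: encrypted-file evidence outweighs a (possibly shared) note name."""
    return sorted(hits, key=lambda f: (hits[f]["encrypted"], len(hits[f]["notes"])), reverse=True)

def run_demo():
    """Constructed sample tree (not a real incident): two .mango files, one shared note, one benign file."""
    root = tempfile.mkdtemp()
    for rel in ("report.docx.id[1A2B].[mail@example.invalid].mango",
                "sub/budget.xlsx.mango", "sub/+README-WARNING+.txt", "notes.txt"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    hits = triage(root)
    return hits, rank_families(hits)

if __name__ == "__main__":
    print(run_demo())
```

In the sample, +README-WARNING+.txt alone would match both Phobos and Makops; the .mango extension on the encrypted files is what tips the ranking to Phobos.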
Daily Brief Summary
LoanDepot suffered a ransomware attack, disrupting IT systems and online payment capabilities.
Mr. Cooper's cyber incident exposed data pertaining to 14 million individuals; First American Financial and Fidelity National Financial also faced ransomware attacks.
The Toronto Zoo faced a ransomware attack without adverse effects on animal welfare or daily operations.
The LockBit ransomware operation claimed responsibility for an attack on the Capital Health hospital network and threatened to leak stolen data.
Finland's NCSC-FI warns that Akira ransomware is increasingly targeting Finnish companies and wiping NAS and tape backups.
A joint effort by Dutch police and Cisco Talos resulted in the arrest of a ransomware operator and the retrieval of decryption keys for Tortilla, a Babuk ransomware variant.
Cybersecurity researchers highlighted new ransomware variants and a trend of cybercriminals impersonating security researchers who offer to hack back ransomware gangs on victims' behalf.