The Week in Ransomware - December 22nd 2023 - BlackCat hacked. Earlier this month, the BlackCat/ALPHV ransomware operation suffered a five-day disruption to their Tor data leak and negotiation sites, rumored to be caused by a law enforcement action. The FBI revealed this week that they hacked the BlackCat/ALPHV ransomware operation, which raked in $300 million from over 1,000 victims. While quietly surveilling the ransomware gang, law enforcement retrieved decryption and Tor private keys. Law enforcement says that they were able to help decrypt 400 victims for free using the retrieved decryptors and used the Tor private keys to seize the URLs for the gang's data leak site and negotiation sites. However, as the threat actors and the FBI have the same keys, there has been a constant tug of war as they both "reseize" the URL. Some have seen this constant change in ownership of the URL as a failed operation by law enforcement. However, retrieving 400 decryption keys and likely more data from the hacked servers has significantly tarnished the ransomware operation's reputation. BleepingComputer has learned that this has caused some affiliates to contact victims directly via email, as they have lost trust in the ransomware gang's ability to secure the servers. Others are said to have moved to competing ransomware operations, such as LockBit. Now, LockBitSupp (the operator of LockBit) and the BlackCat operator have discussed creating a "cartel," to join forces against law enforcement. Previous "ransomware cartels" allegedly created by Maze didn't succeed in helping the ransomware operation, as Ukrainian police arrested gang members after they rebranded as Egregor. 
We also learned this week about new ransomware attacks or information about old ones, including:

Contributors and those who provided new ransomware information and stories this week include: @malwrhunterteam, @BleepinComputer, @demonslay335, @Seifreed, @billtoulas, @Ionut_Ilascu, @fwosar, @serghei, @LawrenceAbrams, @BrettCallow, @PRODAFT, @AShukuhi, @uuallan, @SophosXOps, @pcrisk, @3xp0rtblog, @oct0xor, @MorganDemboski, and @juanbrodersen.

December 18th 2023

Mortgage giant Mr. Cooper data breach affects 14.7 million people
Mr. Cooper is sending data breach notifications warning that a recent cyberattack has exposed the data of 14.7 million customers who have, or previously had, mortgages with the company.

FBI: Play ransomware breached 300 victims, including critical orgs
The Federal Bureau of Investigation (FBI) says the Play ransomware gang has breached roughly 300 organizations worldwide between June 2022 and October 2023, some of them critical infrastructure entities.

Vans and North Face owner VF Corp hit by ransomware attack
American global apparel and footwear giant VF Corporation, the owner of brands like Supreme, Vans, Timberland, and The North Face, has disclosed a security incident that caused operational disruptions.

The UBA suffered a ransomware cyberattack: teachers and students cannot access the systems
The University of Buenos Aires (UBA) suffered a ransomware cyberattack, a type of malicious program that encrypts the victim's files, makes them inaccessible, and demands ransom money in exchange. Since Thursday, servers in part of the educational institution have been compromised, which prevents teachers and students from managing grades, enrolling in summer courses, and more.

December 19th 2023

FBI disrupts Blackcat ransomware operation, creates decryption tool
The Department of Justice announced today that the FBI successfully breached the ALPHV ransomware operation's servers to monitor their activities and obtain decryption keys.

How the FBI seized BlackCat (ALPHV) ransomware's servers
An unsealed FBI search warrant revealed how law enforcement hijacked the ALPHV/BlackCat ransomware operation's websites and seized the associated URLs.

FBI: ALPHV ransomware raked in $300 million from over 1,000 victims
The ALPHV/BlackCat ransomware gang has made over $300 million in ransom payments from more than 1,000 victims worldwide as of September 2023, according to the Federal Bureau of Investigation (FBI).

Smoke and Mirrors: Understanding The Workings of Wazawaka
This research provides a comprehensive analysis of Wazawaka's background, affiliations, and tactics in the threat landscape associated with his activities. It includes information about Wazawaka's team and his close relations with other threat actors.

December 20th 2023

Healthcare software provider data breach impacts 2.7 million
ESO Solutions, a provider of software products for healthcare organizations and fire departments, disclosed that data belonging to 2.7 million patients has been compromised as a result of a ransomware attack.

Fake F5 BIG-IP zero-day warning emails push data wipers
The Israel National Cyber Directorate warns of phishing emails pretending to be F5 BIG-IP zero-day security updates that deploy Windows and Linux data wipers.

New BO Team ransomware
PCrisk found a new ransomware that appends the .bot extension and drops a ransom note named How To Restore Your Files.txt.

December 21st 2023

Akira, again: The ransomware that keeps on taking
Following our initial report on Akira ransomware, Sophos has responded to over a dozen incidents involving Akira impacting various sectors and regions. According to our dataset, Akira has primarily targeted organizations located in Europe, North America, and Australia, and operating in the government, manufacturing, technology, education, consulting, pharmaceuticals, and telecommunication sectors.

Windows CLFS and five exploits used by ransomware operators
Seeing a Win32k driver zero-day being used in attacks isn't really surprising these days, as the design issues with that component are well known and have been exploited time and time again. But we had never seen so many CLFS driver exploits being used in active attacks before, and then suddenly there are so many of them captured in just one year.

New Phobos ransomware variant
PCrisk found a new ransomware that appends a unique extension and drops ransom notes named info.txt and info.hta.

New Tprc ransomware
PCrisk found a new ransomware that appends the .tprc extension and drops a ransom note named !RESTORE!.txt.

December 22nd 2023

Nissan Australia cyberattack claimed by Akira ransomware gang
Japanese car maker Nissan is investigating a cyberattack that targeted its systems in Australia and New Zealand, which may have let hackers access personal information.

That's it for this week! Hope everyone has a nice weekend!

Daily Brief Summary

CYBERCRIME // FBI Strikes BlackCat Ransomware, Seizes URLs and Decrypts Data

The FBI successfully hacked the BlackCat/ALPHV ransomware operation, a group with over $300 million in ransom demands from more than 1,000 victims.

During the operation, the FBI secured decryption and Tor private keys, allowing them to help 400 victims decrypt their data free of charge.

Law enforcement has been battling the ransomware gang for control of their Tor URLs due to possession of the same private keys.

The disruption caused by the FBI's action has led to a loss of trust among BlackCat's affiliates, pushing them to seek new methods of contact with victims or join other gangs.

Despite setbacks, there are talks of a possible "cartel" formation between BlackCat and LockBit to unite against law enforcement efforts.

Other notable cyber incidents mentioned include significant data breaches at Mr. Cooper affecting 14.7 million people and ESO Solutions impacting 2.7 million patients, while several ransomware attacks have occurred across various organizations.