Ransomware gangs have been busy this week, launching attacks against NAS devices, one of the largest hotel groups, IHG, and LAUSD, the second largest school district in the USA.
On Saturday, the DeadBolt ransomware operation launched a new attack on QNAP devices using a zero-day vulnerability in Photo Station. That same day, QNAP released security updates to fix the vulnerability, urging customers to install the update and not expose their devices on the Internet.
On Monday, both InterContinental Hotels Group (IHG) and the Los Angeles Unified (LAUSD) school district were hit by ransomware attacks that disrupted the organizations' technical operations.
For IHG, the attack disrupted their online reservation systems; for LAUSD, it impacted the school district's IT systems.
However, even though the cyberattack impacted LAUSD's technology infrastructure, the schools opened as usual for Los Angeles students.
Yesterday, the Vice Society ransomware gang told BleepingComputer that they were behind the attack on LAUSD and claimed to have stolen 500GB of data.
The responsible ransomware gang came as no surprise, as the FBI, CISA, and MS-ISAC released an advisory on Monday warning of Vice Society targeting school districts.
We also saw some new ransomware research released this week:
Contributors and those who provided new ransomware information and stories this week include: @malwareforme, @LawrenceAbrams, @FourOctets, @Ionut_Ilascu, @serghei, @billtoulas, @fwosar, @VK_Intel, @struppigel, @BleepinComputer, @malwrhunterteam, @Seifreed, @DanielGallagher, @demonslay335, @jorntvdw, @PolarToffee, @MsftSecIntel, @CISAgov, @FBI, @pmbureau, @AdvIntel, @pcrisk, @PogoWasRight, @cPeterr, @security_score, and @Intel471Inc.
September 3rd 2022
PLAY Ransomware analysis
This is my analysis for PLAY Ransomware. I'll only be focusing on its anti-analysis and encryption features. There are a few other features such as DLL injection and networking that won't be covered in this analysis.
September 5th 2022
QNAP patches zero-day used in new Deadbolt ransomware attacks
QNAP is warning customers of ongoing DeadBolt ransomware attacks that started on Saturday by exploiting a zero-day vulnerability in Photo Station.
New STOP Ransomware variants
PCrisk found new STOP ransomware variants that append the .oopu, .oodt, and .oovb extensions.
September 6th 2022
InterContinental Hotels Group cyberattack disrupts booking systems
Leading hospitality company InterContinental Hotels Group PLC (also known as IHG Hotels & Resorts) says its information technology (IT) systems have been disrupted since yesterday after its network was breached.
Second largest U.S. school district LAUSD hit by ransomware
Los Angeles Unified (LAUSD), the second largest school district in the U.S., disclosed that a ransomware attack hit its Information Technology (IT) systems over the weekend.
FBI warns of Vice Society ransomware attacks on school districts
FBI, CISA, and MS-ISAC warned today of U.S. school districts being increasingly targeted by the Vice Society ransomware group, with more attacks expected after the start of the new school year.
TTPs Associated With a New Version of the BlackCat Ransomware
Our Digital Forensics and Incident Response (DFIR) team was engaged in investigating a ransomware infection. We were able to determine that the ransomware involved is a new version of the BlackCat ransomware, based on the fact that the malware added new command line parameters that were not documented before.
September 7th 2022
Google says former Conti ransomware members now attack Ukraine
Google says some former Conti cybercrime gang members, now part of a threat group tracked as UAC-0098, are targeting Ukrainian organizations and European non-governmental organizations (NGOs).
Ransomware gang's Cobalt Strike servers DDoSed with anti-Russia messages
Someone is flooding Cobalt Strike servers operated by former members of the Conti ransomware gang with anti-Russian messages to disrupt their activity.
New STOP Ransomware variants
PCrisk found new STOP ransomware variants that append the .mmpu, .mmvb, and .mmdt extensions.
Bl00dy ransomware sample found
PCrisk found a sample of the new 'Bl00dy Ransomware', based on the Babuk ransomware family, that appends the .bl00dy extension and drops the How To Restore Your Files.txt ransom note.
Bl00dy ransomware was first reported on by DataBreaches.net after the threat actors targeted New York medical practices.
Conti vs. Monti: A Reinvention or Just a Simple Rebranding?
Although there is no iron-clad proof of Conti rebranding as Monti, Conti source was leaked publicly in March 2022. Consequently, it's possible that anyone could use the publicly available source code to create their own ransomware based on Conti. This could be the case with Monti from our analysis of the disassembled code. Monti's entry point is very similar to Conti's, as seen below. As such, Monti could be a rebrand of Conti or simply a new ransomware variant that has been developed using the leaked source code mentioned above.
September 8th 2022
Microsoft: Iranian hackers encrypt Windows systems using BitLocker
Microsoft says an Iranian state-sponsored threat group it tracks as DEV-0270 (aka Nemesis Kitten) has been abusing the BitLocker Windows feature in attacks to encrypt victims' systems.
New Ballacks Ransomware
PCrisk found a new VoidCrypt variant calling itself 'Ballacks Ransomware' that appends the .ballacks extension and drops a ransom note named ReadthisforDecode.txt.
New DoyUk ransomware
PCrisk found the DoyUk Ransomware that appends the .doyuk extension and drops a ransom note named Restore Your Files.txt.
September 9th 2022
Vice Society claims LAUSD ransomware attack, theft of 500GB of data
The Vice Society gang has claimed the ransomware attack that hit Los Angeles Unified (LAUSD), the second largest school district in the US, over the weekend.
New MLF ransomware
PCrisk found the new MLF ransomware that appends the .MLF extension.