The Week in Ransomware – February 3rd 2023 – Ending with a mess

While the week started slowly, it turned into a big ransomware mess, with attacks striking a big blow at businesses running VMware ESXi servers.

The attacks started Friday morning, with threat actors targeting unpatched VMware ESXi servers with a new ransomware variant dubbed ESXiArgs.

The attacks were fast and widespread, with admins worldwide soon reporting that they were encrypted in this new campaign.

What makes this attack so devastating is that many companies operate much of their server infrastructure on VMware ESXi, allowing the encryption of one device to encrypt multiple servers simultaneously.

The good news is that some admins have been able to recover their servers by rebuilding disks from flat files, but some have reported being unable to do so as those files were also encrypted.

We also saw new research released this week, with Microsoft warning that over a hundred threat actors deploying ransomware and LockBit deciding to create a new decryptor based on Conti.

Finally, REsecurity released a report on the new Nevada ransomware-as-a-service recruiting and gearing up for future attacks.

Finally, we learned more about ransomware attacks conducted this week and in the past, including:

  • Tallahassee Memorial HealthCare (TMH)¬†suffered a suspected ransomware attack.
  • Schools in Tucson, Arizona, and Nantucket, Massachusetts¬†suffered cyberattacks, with one confirmed to be a Royal ransomware attack.
  • Arnold Clark¬†confirmed data was stolen¬†in a December ransomware attack.
  • A ransomware¬†attack on the ION Group¬†disrupted the derivatives trading market.

January 30th 2023

New Makop variant

PCrisk found a new Makop variant that appends the .ZFX extension and drops a ransom note named +README-WARNING+.txt.

January 31st 2023

Microsoft: Over 100 threat actors deploy ransomware in attacks

Microsoft revealed today that its security teams are tracking more than 100 ransomware gangs and over 50 unique ransomware families that were actively used until the end of last year.

New Masons ransomware

PCrisk found a new ransomware that appends the .masons extension and drops a ransom note named six62ix.txt.

New Chaos ransomware variant

PCrisk found a new Chaos ransomware variant that appends the .Script extension and drops a ransom note named read_it.txt.

February 1st 2023

LockBit ransomware goes ‘Green,’ uses new Conti-based encryptor

The LockBit ransomware gang has again started using encryptors based on other operations, this time switching to one based on the leaked source code for the Conti ransomware.

New Nevada Ransomware targets Windows and VMware ESXi systems

A relatively new ransomware operation known as Nevada seems to grow its capabilities quickly as security researchers noticed improved functionality for the locker targeting Windows and VMware ESXi systems.

Arnold Clark customer data stolen in attack claimed by Play ransomware

Arnold Clark, self-described as Europe’s largest independent car retailer, is notifying some customers that their personal information was stolen in a December 23 cyberattack claimed by the Play ransomware group.

TZW Ransomware Being Distributed in Korea

Through internal monitoring, the ASEC analysis team recently discovered the distribution of the TZW ransomware, which encrypts files before adding the ‚ÄúTZW‚ÄĚ file extension to the original extension.

K-12 schools in Tucson, Nantucket respond to cyberattacks

Schools in Tucson, Arizona, and Nantucket, Massachusetts, are dealing with cyberattacks as U.S. schools continue to face a barrage of threats in the first weeks of 2023.

New Honkai ransomware variant

PCrisk found a new ransomware variant that appends the .honkai and drops a ransom note named #DECRYPT MY FILES#.html.

New VoidCrypt ransomware variant

PCrisk found a new ransomware variant that appends the .sunjn extension and drops a ransom note named Dectryption-guide.txt.

February 2nd 2023

Ransomware attack on ION Group impacts derivatives trading market

The LockBit ransomware gang has claimed responsibility for the cyberattack on ION Group, a UK-based software company whose products are used by financial institutions, banks, and corporations for trading, investment management, and market analytics.

Ransomed by Warlock Dark Army ‚ÄúOFFICIALS‚ÄĚ

Recently we came across a tweet shared by petikvx. The tweet was on a ransomware family that had the group name similar to the WARLOCK DARK ARMY. The similarities with Chaos ransomware seem to end with the attacker group’s name. Upon analyzing the ransomware from the tweet we suspect both to be very different groups just based on their malware’s attributes.

February 3rd 2023

Florida hospital takes IT systems offline after cyberattack

Tallahassee Memorial HealthCare (TMH) has taken its IT systems offline and suspended non-emergency procedures following a late Thursday cyberattack.

Massive ESXiArgs ransomware attack targets VMware ESXi servers worldwide

Admins, hosting providers, and the French Computer Emergency Response Team (CERT-FR) warn that attackers actively target VMware ESXi servers unpatched against a two-year-old remote code execution vulnerability to deploy ransomware.

New DoDo ransomware

PCrisk found a new DoDo ransomware variant that appends the .dodov2 extension and drops a ransom note named dodov2_readit.txt.

That’s it for this week! Hope everyone has a nice weekend!

Leave a Comment

Your email address will not be published. Required fields are marked *