While the week started slowly, it turned into a big ransomware mess, with attacks striking a big blow at businesses running VMware ESXi servers.
The attacks started Friday morning, with threat actors targeting unpatched VMware ESXi servers with a new ransomware variant dubbed ESXiArgs.
The attacks were fast and widespread, with admins worldwide soon reporting that they were encrypted in this new campaign.
What makes this attack so devastating is that many companies operate much of their server infrastructure on VMware ESXi, allowing the encryption of one device to encrypt multiple servers simultaneously.
The good news is that some admins have been able to recover their servers by rebuilding disks from flat files, but some have reported being unable to do so as those files were also encrypted.
We also saw new research released this week, with Microsoft warning that over a hundred threat actors deploying ransomware and LockBit deciding to create a new decryptor based on Conti.
Finally, REsecurity released a report on the new Nevada ransomware-as-a-service recruiting and gearing up for future attacks.
Finally, we learned more about ransomware attacks conducted this week and in the past, including:
- Tallahassee Memorial HealthCare (TMH) suffered a suspected ransomware attack.
- Schools in Tucson, Arizona, and Nantucket, Massachusetts suffered cyberattacks, with one confirmed to be a Royal ransomware attack.
- Arnold Clark confirmed data was stolen in a December ransomware attack.
- A ransomware attack on the ION Group disrupted the derivatives trading market.
January 30th 2023
PCrisk found a new Makop variant that appends the .ZFX extension and drops a ransom note named +README-WARNING+.txt.
January 31st 2023
Microsoft revealed today that its security teams are tracking more than 100 ransomware gangs and over 50 unique ransomware families that were actively used until the end of last year.
PCrisk found a new ransomware that appends the .masons extension and drops a ransom note named six62ix.txt.
PCrisk found a new Chaos ransomware variant that appends the .Script extension and drops a ransom note named read_it.txt.
February 1st 2023
The LockBit ransomware gang has again started using encryptors based on other operations, this time switching to one based on the leaked source code for the Conti ransomware.
A relatively new ransomware operation known as Nevada seems to grow its capabilities quickly as security researchers noticed improved functionality for the locker targeting Windows and VMware ESXi systems.
Arnold Clark, self-described as Europe’s largest independent car retailer, is notifying some customers that their personal information was stolen in a December 23 cyberattack claimed by the Play ransomware group.
Through internal monitoring, the ASEC analysis team recently discovered the distribution of the TZW ransomware, which encrypts files before adding the “TZW” file extension to the original extension.
Schools in Tucson, Arizona, and Nantucket, Massachusetts, are dealing with cyberattacks as U.S. schools continue to face a barrage of threats in the first weeks of 2023.
PCrisk found a new ransomware variant that appends the .honkai and drops a ransom note named #DECRYPT MY FILES#.html.
PCrisk found a new ransomware variant that appends the .sunjn extension and drops a ransom note named Dectryption-guide.txt.
February 2nd 2023
The LockBit ransomware gang has claimed responsibility for the cyberattack on ION Group, a UK-based software company whose products are used by financial institutions, banks, and corporations for trading, investment management, and market analytics.
Recently we came across a tweet shared by petikvx. The tweet was on a ransomware family that had the group name similar to the WARLOCK DARK ARMY. The similarities with Chaos ransomware seem to end with the attacker group’s name. Upon analyzing the ransomware from the tweet we suspect both to be very different groups just based on their malware’s attributes.
February 3rd 2023
Tallahassee Memorial HealthCare (TMH) has taken its IT systems offline and suspended non-emergency procedures following a late Thursday cyberattack.
Admins, hosting providers, and the French Computer Emergency Response Team (CERT-FR) warn that attackers actively target VMware ESXi servers unpatched against a two-year-old remote code execution vulnerability to deploy ransomware.
PCrisk found a new DoDo ransomware variant that appends the .dodov2 extension and drops a ransom note named dodov2_readit.txt.