The Week in Ransomware - December 9th 2022 - Wide Impact
By Lawrence Abrams
December 9, 2022 07:02 PM
This week has been filled with research reports and news of significant attacks having a wide impact on many organizations.
Last week, Rackspace suffered a massive outage on their hosted Microsoft Exchange environment, preventing customers from accessing their email. On Tuesday, Rackspace finally confirmed everyone's fears that a ransomware attack caused the outage.
Rackspace has not provided any details on the attack, including the ransomware operation behind it and if the threat actors stole data.
However, today they began warning customers to be on the lookout for targeted phishing emails and to monitor their credit reports and banking account statements for suspicious activity. This warning could indicate that the ransomware operation likely stole data in the attack.
Another attack against a New Zealand MSP Mercury IT has also led to a series of outages for its customers, many of which are local governments in the country.
A ransomware attack on the André-Mignot teaching hospital in Paris has also led to significant disruption, causing some patients to be rerouted to other hospitals.
We also saw some interesting research by cybersecurity firms and the U.S. government this week:
The Cryptonite ransomware accidentally turned into a wiper.
A profile on the Vice Society ransomware operation and their targeting of schools.
The U.S. Department of Health and Human Services (HHS) began warning of Royal ransomware targeting healthcare.
Finally, Brian Krebs had a very interesting report on new tactics used by the Venus and Clop ransomware gangs to breach networks and convince victims to pay.
Contributors and those who provided new ransomware information and stories this week include: @struppigel, @PolarToffee, @Seifreed, @fwosar, @DanielGallagher, @BleepinComputer, @Ionut_Ilascu, @LawrenceAbrams, @jorntvdw, @demonslay335, @billtoulas, @FourOctets, @VK_Intel, @serghei, @malwrhunterteam, @malwareforme, @pcrisk, @Unit42_Intel, @Fortinet, @briankrebs, @morphisec, @smgoreli, and @Phylum_IO.
December 5th 2022
Ransomware attack forces French hospital to transfer patients
The André-Mignot teaching hospital in the suburbs of Paris had to shut down its phone and computer systems because of a ransomware attack that occurred on Saturday evening.
The Story of a Ransomware Turning into an Accidental Wiper
In the last issue of our Ransomware Roundup series, we discussed a publicly available open-source ransomware toolkit called Cryptonite. As part of that investigation, we also discovered a Cryptonite sample in the wild that never offers the decryption window, instead acting as a wiper. We recently saw an increase in ransomware intentionally turned into wiper malware, primarily as part of a political campaign. So in this post, we take a closer look at the Cryptonite wiper sample.
Ransomware attack on New Zealand MSP
There has been a cyber security incident involving a ransomware attack on Mercury IT. Mercury IT provides a wide range of IT services to customers across New Zealand.
New Puspa2 ransomware
PCrisk found a HiddenTear variant called Puspa2 that appends the .puspa2#mejukeni7sala029 extension and drops a ransom note named XXX_HELLO'S_READ_ME._txt.
New STOP ransomware variants
PCrisk found new STOP ransomware variants that append the .mppn or .mbtf extensions to encrypted files.
December 6th 2022
Rackspace confirms outage was caused by ransomware attack
Texas-based cloud computing provider Rackspace has confirmed today that a ransomware attack is behind an ongoing Hosted Exchange outage described as an "isolated disruption."
Vice Society: Profiling a Persistent Threat to the Education Sector
Vice Society is a ransomware gang that has been involved in high-profile activity against schools this year. Unlike many other ransomware groups such as LockBit that follow a typical ransomware-as-a-service (RaaS) model, Vice Society’s operations are different in that they’ve been known for using forks of pre-existing ransomware families in their attack chain that are sold on DarkWeb marketplaces. These include the HelloKitty (aka FiveHands) and Zeppelin strains of ransomware as opposed to Vice Society developing their own custom payload.
New Babuk Ransomware Found in Major Attack
During November, Morphisec identified a brand-new variant of Babuk ransomware while investigating a customer's prevention event. Babuk was first discovered at the beginning of 2021, when it began targeting businesses to steal and encrypt data in double-extortion attacks. Later in the year, a threat actor leaked the complete source code for Babuk on a Russian-speaking hacking forum.
New Obz ransomware
PCrisk found a new ransomware variant that appends the .OBZ extension and drops a ransom note named ReadMe.txt.
December 8th 2022
CommonSpirit Health ransomware attack exposed data of 623,000 patients
CommonSpirit Health has confirmed that threat actors accessed the personal data for 623,774 patients during an October ransomware attack.
US Health Dept warns of Royal Ransomware targeting healthcare
The U.S. Department of Health and Human Services (HHS) issued a new warning today for the country's healthcare organizations regarding ongoing attacks from a relatively new operation, the Royal ransomware gang.
New Ransom Payment Schemes Target Executives, Telemedicine
Ransomware groups are constantly devising new methods for infecting victims and convincing them to pay up, but a couple of strategies tested recently seem especially devious. The first centers on targeting healthcare organizations that offer consultations over the Internet and sending them booby-trapped medical records for the “patient.” The other involves carefully editing email inboxes of public company executives to make it appear that some were involved in insider trading.
Rackspace warns of phishing risks following ransomware attack
Cloud computing provider Rackspace warned customers on Thursday of increased risks of phishing attacks following a ransomware attack affecting its hosted Microsoft Exchange environment.
An Ongoing Attack Against Python and Javascript Developers
Overnight we saw a flurry of activity around typosquats of the popular requests package. In the malicious packages themselves the attacker has embedded the following:
To provide some context, Phylum found an NPM/PyPI campaign where Python packages were distributing Linux and Windows malware that pretended to be ransomware. After testing the ransomware, BleepingComputer has confirmed it does not actually encrypt anything and just drops a ransom note and changes the desktop wallpaper.
The actor behind this told BleepingComputer that they are just "playing" around and will not be adding encryption.
New MedusaLocker variant
PCrisk found a new MedusaLocker variant that appends the .allock[number] extension and drops a ransom note named how_to_back_files.html.
New VoidCrypt variant
PCrisk found a new VoidCrypt variant that appends the .Juli extension and drops a ransom note named unlock-info.txt.
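As an added example (not part of this roundup or of PCrisk's reports), a small Python triage helper that turns the extensions and ransom-note names reported in this week's entries into a filename check a responder can run over a share or backup listing. The family labels, the regexes, and the three-file threshold are my own assumptions; the Obz note name ReadMe.txt is left out on purpose because it is far too generic to count as evidence on its own.

```python
import os
import re
from collections import Counter

# Constructed patterns for the extensions reported this week (family -> regex).
# ".allock[number]" from the MedusaLocker entry is written as \.allock\d+ .
EXTENSION_PATTERNS = {
    "Puspa2 (HiddenTear)": re.compile(r"\.puspa2#mejukeni7sala029$"),
    "STOP": re.compile(r"\.(mppn|mbtf)$"),
    "Obz": re.compile(r"\.OBZ$"),
    "MedusaLocker": re.compile(r"\.allock\d+$"),
    "VoidCrypt": re.compile(r"\.Juli$"),
}
# Ransom-note filenames reported this week (note name -> family).
RANSOM_NOTES = {
    "XXX_HELLO'S_READ_ME._txt": "Puspa2 (HiddenTear)",
    "how_to_back_files.html": "MedusaLocker",
    "unlock-info.txt": "VoidCrypt",
}


def classify_name(filename):
    """Return (family, kind) for a bare filename, or None if nothing matches."""
    if filename in RANSOM_NOTES:
        return RANSOM_NOTES[filename], "note"
    for family, pattern in EXTENSION_PATTERNS.items():
        if pattern.search(filename):
            return family, "encrypted"
    return None


def summarize(paths, min_encrypted=3):
    """Count hits per family. A family is reported as 'likely' when its note
    was seen or at least min_encrypted files carry its extension (assumed
    threshold, chosen to damp single-file false positives)."""
    hits = Counter()
    notes = set()
    for path in paths:
        result = classify_name(os.path.basename(path))
        if result is None:
            continue
        family, kind = result
        if kind == "note":
            notes.add(family)
        else:
            hits[family] += 1
    likely = {f for f in set(hits) | notes if f in notes or hits[f] >= min_encrypted}
    return {"encrypted": dict(hits), "notes": sorted(notes), "likely": sorted(likely)}


def scan_tree(root, min_encrypted=3):
    """Walk a directory tree and summarize every filename found under it."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return summarize(paths, min_encrypted)
```

Run scan_tree() against a mounted share or a restored backup listing; a family that shows up under "likely" is worth pulling the matching files and note for a closer look, while a lone extension hit is usually noise.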
That's it for this week! Hope everyone has a nice weekend!