The Week in Ransomware – December 1st 2023 – Police hits affiliates

December 1, 2023 at 05:13PM

An international crackdown in Ukraine led to the arrest of a ransomware group responsible for attacks across 71 countries and linked to significant financial losses. Coordinated raids and arrests targeted affiliates of various ransomware strains. The operation saw contributions from multiple nations, including Norway, which suggests connections to prior high-profile cyberattacks. Meanwhile, ransomware continues to surge globally, with recent incidents affecting multiple sectors, as researchers uncover the lucrative earnings of infamous ransomware gangs.

Key Takeaways from Meeting Notes:

1. International Operation Against Ransomware:
– A law enforcement operation in Ukraine has dismantled an affiliate group linked to ransomware attacks in 71 countries.
– Police arrested five individuals, including the alleged leader, on November 21st, during coordinated raids.
– Affiliates were associated with ransomware strains such as LockerGoga, MegaCortex, HIVE, and Dharma.
– Norway’s involvement suggests the group may be linked to the Norsk Hydro attack involving LockerGoga.
– A threat actor on the XSS forum denied the group’s involvement in the Norsk Hydro attack.

2. Recent Ransomware Attacks:
– The developer of the game Ethyrial: Echoes of Yore suffered an attack that resulted in the loss of 17,000 player accounts.
– Ardent Health Services was hit by a ransomware attack affecting 30 hospitals in the U.S.
– Slovenian power company HSE experienced a ransomware attack, with claims of no disruption to power production.
– DP World confirmed data theft in a cyberattack but stated no ransomware or encryption was involved.

3. Ransomware Statistics and Details:
– The Black Basta group has collected at least $100 million in ransoms from over 90 victims since April 2022.
– The Cactus ransomware has been exploiting Qlik Sense vulnerabilities for network breaches.
– New variants of Chaos, STOP, Phobos, MedusaLocker, and Dharma ransomware were reported, each using different appended file extensions and ransom notes.

4. Contributors:
– Acknowledgment of various cybersecurity experts and entities providing insights and information on ransomware activities: @malwrhunterteam, @Ionut_Ilascu, @LawrenceAbrams, @billtoulas, @serghei, @Seifreed, @BleepinComputer, @demonslay335, @fwosar, @pcrisk, @CorvusInsurance, @elliptic, @AWNetworks, @ShadowStackRE, @ddd1ms, @3xp0rtblog, and @BrettCallow.

5. Additional Notes:
– Henry Schein, an American healthcare company, was re-encrypted by BlackCat/ALPHV following a failure to pay a ransom.
– The LostTrust ransomware bears similarities to MetaEncryptor, suggesting it might be a derivative.
– Arrests were made by international law enforcement in cooperation with Europol and Eurojust.
– Qilin ransomware claimed responsibility for an attack on Yanfeng Automotive Interiors.

Remember to continue monitoring these trends and threats as the situation evolves and new information emerges. Have a good weekend.
