
With the US providing military aid to Ukraine and its sanctions damaging the Russian economy, the US government disclosed this week that there is intelligence that Russia is preparing for potential cyberattacks against US interests.

As part of this disclosure, the White House released a cybersecurity checklist that all organizations should read and apply to their networks to help defend against attacks.

This warning comes as the FBI discloses that Avoslocker ransomware has been targeting US critical infrastructure, and that ransomware in general targeted 649 critical infrastructure organizations in 2021.

Law enforcement has not been standing still, with an Estonian ransomware operator sentenced to 66 months in prison and two indictments against four Russian government employees for attacks on critical infrastructure in the past.

The Conti Leaks Twitter account continues to leak data from the Conti ransomware operation, this week leaking new source code from January 2021 for the ransomware’s encryptors and decryptors.

This week’s other big cyber news is about the Lapsus$ extortion gang attacks. While they are not ransomware, they are an extortion gang that was widely covered by the media this week, so they deserve some mention in today’s article.

Lapsus$ is a data extortion gang responsible for recent cyberattacks on many well-known companies, including Microsoft, Samsung, NVIDIA, Okta, Mercado Libre, Ubisoft, and Vodafone.

After their most recent disclosure of the attack on Okta, the UK police have stated that they arrested seven people for suspected ties to the extortion gang.

Contributors and those who provided new ransomware information and stories this week include: @LawrenceAbrams, @serghei, @PolarToffee, @jorntvdw, @Seifreed, @VK_Intel, @fwosar, @DanielGallagher, @malwrhunterteam, @demonslay335, @malwareforme, @FourOctets, @billtoulas, @struppigel, @Ionut_Ilascu, @BleepinComputer, @splunk, @ContiLeaks, @Tesorion_NL, @coveware, @pcrisk, @vxunderground, @cPeterr, @Secureworks, and @_CERT_UA.

March 19th 2022

FBI: Avoslocker ransomware targets US critical infrastructure

The Federal Bureau of Investigation (FBI) warns of AvosLocker ransomware being used in attacks targeting multiple US critical infrastructure sectors.

LockBit Ransomware v2.0 analysis

Check out my analysis of LockBit ransomware v2.0 where I analyze all of its functionalities in IDA!

March 20th 2022

More Conti ransomware source code leaked on Twitter out of revenge

A Ukrainian security researcher has leaked newer malware source code from the Conti ransomware operation in revenge for the cybercriminals siding with Russia on the invasion of Ukraine.

March 21st 2022

Lorenz ransomware rebound: corruption and irrecoverable files

In early March 2022 we came across a new variant of the Lorenz ransomware. The sample we analyzed dates back to March 2, 2022. Files encrypted by this variant are different from the previous one. This blog contains our findings on the new variant. Furthermore, we explain a serious bug in the ransomware that makes the attacker unable to recover any encrypted files. Finally, we announce that decryption is still possible without paying the ransom, or to be more specific, only possible without paying the ransom.

New STOP Ransomware variants

PCrisk found new STOP ransomware variants that append the .mmuz, .hfgd, and .rguy extensions.

March 22nd 2022

Top Russian meat producer hit with Windows BitLocker encryption attack

Moscow-based meat producer and distributor Miratorg Agribusiness Holding has suffered a major cyberattack that encrypted its IT systems, according to a report from Rosselkhoznadzor – the Russian federal veterinary and phytosanitary supervision service.

Greece’s public postal service offline due to ransomware attack

ELTA, the state-owned provider of postal services in Greece, has disclosed a ransomware incident detected on Sunday that is still keeping most of the organization's services offline.

White House shares checklist to counter Russian cyberattacks

The White House is urging U.S. organizations to shore up their cybersecurity defenses after new intelligence suggests that Russia is preparing to conduct cyberattacks in the near future.

FBI Releases the Internet Crime Complaint Center 2021 Internet Crime Report

The 2021 Internet Crime Report (pdf) includes information from 847,376 complaints of suspected internet crime—a 7% increase from 2020—and reported losses exceeding $6.9 billion. State-specific statistics have also been released and can be found within the 2021 Internet Crime Report and in the accompanying 2021 State Reports.

Cyberattack on Ukrainian enterprises using the DoubleZero destructor program

On March 17, 2022, the Ukrainian government computer emergency response team (CERT-UA) discovered several ZIP archives, one of which was called “Virus … extremely dangerous !!!. Zip”. Each of the archives contains an obfuscated .NET program. As a result of the analysis, the identified programs are classified as DoubleZero, a malicious destructor (wiper) program developed using the C# programming language.

New STOP Ransomware variants

PCrisk found new STOP ransomware variants that append the .kkia and .ssoi extensions.

March 23rd 2022

Ten notorious ransomware strains put to the encryption speed test

Researchers have conducted a technical experiment, testing ten ransomware variants to determine how fast they encrypt files and to evaluate how feasible it would be to respond to their attacks in time.

FBI: Ransomware hit 649 critical infrastructure orgs in 2021

The Federal Bureau of Investigation (FBI) says ransomware gangs have breached the networks of at least 649 organizations from multiple US critical infrastructure sectors last year, according to the Internet Crime Complaint Center (IC3) 2021 Internet Crime Report.

New STOP Ransomware variant

PCrisk found a new STOP ransomware variant that appends the .pphg extension.

GOLD ULRICK Leaks Reveal Organizational Structure and Relationships

Since February 27, 2022, the Twitter @ContiLeaks account and other online personas have been leaking communications containing details about threat actors and their operations. The leaks include more than 160,000 messages exchanged among nearly 500 threat actors between January 2020 and March 2022. The messages reveal close relationships among multiple threat groups and details about the GOLD ULRICK and GOLD BLACKBURN threat groups’ operations. Leaked source code and tool repositories offer unprecedented insights into previously unknown threat actors.

March 24th 2022

March 25th 2022

Estonian ransomware operator sentenced to 66 months in prison

Maksim Berezan, an Estonian man linked to multimillion-dollar ransomware attacks, was sentenced on Friday to 66 months in prison for his involvement in online fraud schemes.

How the Russian/Ukraine war may lead to an explosion in Ransomware attacks

While these risks are very real, the socio-economic shock to the Russian economy as a result of sanctions presents a far larger long-term risk, and has us at Coveware much more worried. The severity of the sanctions that continue to pile up has created an environment that could lead to an explosion in the volume of people that turn to ransomware as a means to support themselves.

New STOP Ransomware variant

PCrisk found a new STOP ransomware variant that appends the .wdlo extension.

LockBit operation puts a bounty on his own head

The LockBit operator known as ‘LockBitSupp’ has put a bounty of $1 million on his own head, payable to anyone who can locate him.

That’s it for this week! Hope everyone has a nice weekend!

Source: www.bleepingcomputer.com