Ransomware continues to run rampant this week, with well-known organizations getting hit with massive ransomware attacks.
The biggest news this week is the Clop ransomware attack against Software AG, where the attackers are demanding a $23 million ransom.
This week, we also learned that a New Jersey hospital paid a 670K ransom and that the Springfield Public School district got hit with ransomware this week.
Get those RDP servers off the Internet, upgrade edge devices, and be careful of phishing emails. All are prime vectors used in ransomware attack.
Contributors and those who provided new ransomware information and stories this week include: @malwareforme, @FourOctets, @Seifreed, @serghei, @DanielGallagher, @LawrenceAbrams, @Ionut_Ilascu, @demonslay335, @VK_Intel, @jorntvdw, @struppigel, @malwrhunterteam, @PolarToffee, @fwosar, @BleepinComputer, @LabsSentinel, @JakubKroustek, @siri_urz, @MsftSecIntel, @CheckPointSW, @IBMSecurity, and @cyb3rops.
October 3rd 2020
New Jersey hospital paid ransomware gang $670K to prevent data leak
University Hospital New Jersey in Newark, New Jersey, paid a $670,000 ransomware demand this month to prevent the publishing of 240 GB of stolen data, including patient info.
New Dharma ransomware variant
Jakub Kroustek found a new Dharma ransomware variant that appends the .FLYU extension to encrypted files.
October 4th 2020
New ransomware vaccine kills programs wiping Windows shadow volumes
A new ransomware vaccine program has been created that terminates processes that try to delete volume shadow copies using Microsoft’s vssadmin.exe program,
October 5th 2020
New Babax variant with ransomware module
Karsten Hahn tweeted about a new Babax variant called Osno Stealer that includes a ransomware module that appends the .osnoed.
New MOSS STOP Djvu ransomware variant
Michael Gillespie found a new STOP Djvu ransomware variant that appends the .moss extension to encrypted files.
Customized version of Petya
Michael Gillespie found a new ransomware called EYECRY that is a customized version of the Petya ransomware/bootlocker.
New SantaCrypt Ransomware
xXToffeeXx found a new ransomware dubbed SantaCrypt that appends the .$anta and drops a ransom note named HOW_TO_RECOVER_MY_FILES.TXT.
October 6th 2020
Ransomware threat surge, Ryuk attacks about 20 orgs per week
Malware researchers monitoring ransomware threats noticed a sharp increase in these attacks over the past months compared to the first six months of 2020.
The FONIX RaaS | New Low-Key Threat with Unnecessary Complexities
FONIX Raas (Ransomware as a Service) is an offering that first came to attention in July of this year. It did not make much of a splash at the time, and even currently, we are only seeing small numbers of infections due to this ransomware family. However, RaaS that at first fly under the radar can quickly become rampant if defenders and security solutions remain unaware of them. Notably, FONIX varies somewhat from many other current RaaS offerings in that it employs four methods of encryption for each file and has an overly-complex post-infection engagement cycle. In this post, we dig a little deeper into these and other peculiarities of this new RaaS offering.
New Curator ransomware
Michael Gillespie is looking for a new ransomware that appends the extension .CURATOR and drops a ransom note named !=HOW_TO_DECRYPT_FILES=!.txt.
New WoodRat ransomware
S!Ri found a new ransomware that appends .woodrat to encrypted files.
October 7th 2020
New Cyber_Splitter Android ransomware found
MalwareHunterTeam found a new Android ransomware called CyberSplitter that appends the .Dcry extension to encrypted files.
October 8th 2020
Massachusetts school district shut down by ransomware attack
The Springfield Public Schools district in Massachusetts has become the victim of a ransomware attack that has caused the closure of schools while they investigate the cyberattack.
October 9th 2020
Ransomware gang now using critical Windows flaw in attacks
Microsoft is warning that cybercriminals have started to incorporate exploit code for the ZeroLogon vulnerability in their attacks. The alert comes after the company noticed ongoing attacks from cyber-espionage group MuddyWater (SeedWorm) in the second half of September.
Software AG IT giant hit with $23 million ransom by Clop ransomware
The Clop ransomware gang hit the network of German enterprise software giant Software AG last Saturday, asking for a ransom of $23 million after stealing employee information and company documents.
Largest cruise line operator Carnival confirms ransomware data theft
Carnival Corporation, the world’s largest cruise line operator, has confirmed that the personal information of customers, employees, and ship crews was stolen during an August ransomware attack.
New Dharma Ransomware variants
Jakub Kroustek found new Dharma ransomware variants that append the .gtsc or .dme extension to encrypted files.
New in-development ransomware
S!Ri found a new in-development ransomware that appends .en extension to encrypted files.
