, The Week in Ransomware – October 9th 2020 – Giant ransoms

Ransomware continues to run rampant this week, with well-known organizations getting hit with massive ransomware attacks.

The biggest news this week is the Clop ransomware attack against Software AG, where the attackers are demanding a $23 million ransom.

This week, we also learned that a New Jersey hospital paid a 670K ransom and that the Springfield Public School district got hit with ransomware this week.

Get those RDP servers off the Internet, upgrade edge devices, and be careful of phishing emails. All are prime vectors used in ransomware attack.

Contributors and those who provided new ransomware information and stories this week include: @malwareforme, @FourOctets, @Seifreed, @serghei, @DanielGallagher, @LawrenceAbrams, @Ionut_Ilascu, @demonslay335, @VK_Intel, @jorntvdw, @struppigel, @malwrhunterteam, @PolarToffee, @fwosar, @BleepinComputer, @LabsSentinel, @JakubKroustek, @siri_urz, @MsftSecIntel, @CheckPointSW, @IBMSecurity, and @cyb3rops.

October 3rd 2020

New Jersey hospital paid ransomware gang $670K to prevent data leak

University Hospital New Jersey in Newark, New Jersey, paid a $670,000 ransomware demand this month to prevent the publishing of 240 GB of stolen data, including patient info.

New Dharma ransomware variant

Jakub Kroustek found a new Dharma ransomware variant that appends the .FLYU extension to encrypted files.

October 4th 2020

New ransomware vaccine kills programs wiping Windows shadow volumes

A new ransomware vaccine program has been created that terminates processes that try to delete volume shadow copies using Microsoft’s vssadmin.exe program,

October 5th 2020

New Babax variant with ransomware module

Karsten Hahn tweeted about a new Babax variant called Osno Stealer that includes a ransomware module that appends the .osnoed.

, The Week in Ransomware – October 9th 2020 – Giant ransoms

New MOSS STOP Djvu ransomware variant

Michael Gillespie found a new STOP Djvu ransomware variant that appends the .moss extension to encrypted files.

Customized version of Petya

Michael Gillespie found a new ransomware called EYECRY that is a customized version of the Petya ransomware/bootlocker.

, The Week in Ransomware – October 9th 2020 – Giant ransoms

New SantaCrypt Ransomware

xXToffeeXx found a new ransomware dubbed SantaCrypt that appends the .$anta and drops a ransom note named HOW_TO_RECOVER_MY_FILES.TXT.

October 6th 2020

Ransomware threat surge, Ryuk attacks about 20 orgs per week

Malware researchers monitoring ransomware threats noticed a sharp increase in these attacks over the past months compared to the first six months of 2020.

The FONIX RaaS | New Low-Key Threat with Unnecessary Complexities

FONIX Raas (Ransomware as a Service) is an offering that first came to attention in July of this year. It did not make much of a splash at the time, and even currently, we are only seeing small numbers of infections due to this ransomware family. However, RaaS that at first fly under the radar can quickly become rampant if defenders and security solutions remain unaware of them. Notably, FONIX varies somewhat from many other current RaaS offerings in that it employs four methods of encryption for each file and has an overly-complex post-infection engagement cycle. In this post, we dig a little deeper into these and other peculiarities of this new RaaS offering.

New Curator ransomware

Michael Gillespie is looking for a new ransomware that appends the extension .CURATOR and drops a ransom note named !=HOW_TO_DECRYPT_FILES=!.txt.

New WoodRat ransomware

S!Ri found a new ransomware that appends .woodrat to encrypted files.

, The Week in Ransomware – October 9th 2020 – Giant ransoms

October 7th 2020

New Cyber_Splitter Android ransomware found

MalwareHunterTeam found a new Android ransomware called CyberSplitter that appends the .Dcry extension to encrypted files.

, The Week in Ransomware – October 9th 2020 – Giant ransoms

October 8th 2020

Massachusetts school district shut down by ransomware attack

The Springfield Public Schools district in Massachusetts has become the victim of a ransomware attack that has caused the closure of schools while they investigate the cyberattack.

October 9th 2020

Ransomware gang now using critical Windows flaw in attacks

Microsoft is warning that cybercriminals have started to incorporate exploit code for the ZeroLogon vulnerability in their attacks. The alert comes after the company noticed ongoing attacks from cyber-espionage group MuddyWater (SeedWorm) in the second half of September.

Software AG IT giant hit with $23 million ransom by Clop ransomware

The Clop ransomware gang hit the network of German enterprise software giant Software AG last Saturday, asking for a ransom of $23 million after stealing employee information and company documents.

Largest cruise line operator Carnival confirms ransomware data theft

Carnival Corporation, the world’s largest cruise line operator, has confirmed that the personal information of customers, employees, and ship crews was stolen during an August ransomware attack.

New Dharma Ransomware variants

Jakub Kroustek found new Dharma ransomware variants that append the .gtsc or .dme extension to encrypted files.

New in-development ransomware

S!Ri found a new in-development ransomware that appends .en extension to encrypted files.

That’s it for this week! Hope everyone has a nice weekend!