There were not a lot of new variants released this week, but we did have some attacks on high-profile victims.
This past weekend it came to light that IT service giant Cognizant suffered a Maze Ransomware attack. Strangely, while Cognizant is stating it was Maze, the ransomware operators are denying it.
DoppelPaymer also started to leak data for the City of Torrance in California, which was attacked on March 1st.
Other than that, we have seen a few new variants released this week and the unfortunate continued targeting of hospitals by ransomware operators.
Contributors and those who provided new ransomware information and stories this week include: @malwareforme, @malwrhunterteam, @fwosar, @LawrenceAbrams, @jorntvdw, @BleepinComputer, @Seifreed, @PolarToffee, @DanielGallagher, @serghei, @demonslay335, @Ionut_Ilascu, @VK_Intel, @FourOctets, @struppigel, @LibraAnalysis, @TalosSecurity, @emsisoft, @albertzsigovits, @SophosLabs, and @GrujaRS.
April 18th 2020
Hackers have deployed ransomware on the systems of U.S. hospitals and government entities using stolen Active Directory credentials months after exploiting a known remote code execution (RCE) vulnerability in their Pulse Secure VPN servers.
Information technologies services giant Cognizant suffered a cyber attack Friday night allegedly by the operators of the Maze Ransomware, BleepingComputer has learned.
MalwareHunterTeam found a fake SMBGhost exploit that is actually ransomware that appends the .sepsys extension to encrypted files.
April 20th 2020
In 2019, 966 government agencies, educational establishments and healthcare providers in the US were impacted by ransomware. While the early indicators were that the 2020 numbers would be similar to 2019’s or perhaps even worse, that has proved not to be the case. A total of 89 organizations were impacted by ransomware in Q1, however, as the COVID-19 crisis worsened, the number of successful attacks reduced considerably and is now at a level not seen in several years.
Michael Gillespie found a new variant of the STOP Djvu Ransomware that appends the .lezp extension to encrypted files.
April 21st 2020
The City of Torrance of the Los Angeles metropolitan area, California, has allegedly been attacked by the DoppelPaymer Ransomware, having unencrypted data stolen and devices encrypted.
A fake WiFi hacking program is being used to distribute a new Coronavirus-themed malware that tries to lock you out of Windows while making some very annoying sounds.
April 23rd 2020
MedusaLocker is a ransomware family that has been observed being deployed since its discovery in 2019. Since its introduction to the threat landscape, there have been several variants observed. However, most of the functionality remains consistent. The most notable differences are changes to the file extension used for encrypted files and the look and feel of the ransom note that is left on systems following the encryption process.
GrujaRS found a new Phobos Ransomware variant that appends the .iso extension to encrypted files.
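Three items in this week's list name only the extension a family appends to encrypted files (.sepsys for the fake SMBGhost exploit, .lezp for the STOP Djvu variant, .iso for the Phobos variant). The following is an added example, not code from the article or from any of the researchers cited: a small check that flags file names carrying one of those stacked extensions, treating .iso specially because it is also a legitimate disc-image extension. The sample file names are constructed.

```python
"""Flag file names that carry an extension appended by the ransomware families
named in this week's roundup. Sample listing below is constructed."""
import os

# Extensions taken from the roundup text; which families use them is an
# assumption drawn only from the items above, not a full indicator list.
RANSOM_EXTENSIONS = {".sepsys", ".lezp", ".iso"}

# .iso is a normal disc-image extension, so it is only suspicious when it is
# stacked on top of another real extension (e.g. contract.pdf.iso).
AMBIGUOUS_EXTENSIONS = {".iso"}


def _looks_like_extension(ext: str) -> bool:
    """True for .docx/.mp3-style suffixes, False for version fragments like .04."""
    body = ext[1:]
    return 1 <= len(body) <= 5 and body.isalnum() and not body.isdigit()


def suspicious_name(name: str) -> bool:
    """Return True if `name` looks like a file renamed by one of these families."""
    base, last = os.path.splitext(name.lower())
    if last not in RANSOM_EXTENSIONS:
        return False
    if last in AMBIGUOUS_EXTENSIONS:
        _, inner = os.path.splitext(base)   # plain disk.iso stays unflagged
        return _looks_like_extension(inner)
    return True


def scan_names(names):
    """Return the subset of `names` worth raising for investigation."""
    return [n for n in names if suspicious_name(n)]


# Constructed sample listing: two legitimate files mixed with renamed ones
SAMPLE = [
    "quarterly.xlsx.lezp", "photo.jpg.sepsys", "ubuntu-20.04.iso",
    "contract.pdf.iso", "notes.txt", "readme.sepsys",
]

if __name__ == "__main__":
    for hit in scan_names(SAMPLE):
        print("flagged:", hit)
```

The same shape of check fits a file-server audit log or a backup manifest; the point is that a known-bad extension is only meaningful once a legitimate one is excluded.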
April 24th 2020
A leading supplier of video delivery software solutions is reportedly the latest victim of the Sodinokibi Ransomware, whose operators have posted images of data they claim to have stolen from the company during a cyberattack.
Ransomware operators are always on the lookout for a way to take their ransomware to the next level. That’s particularly true of the gang behind LockBit. Following the lead of the Maze and REvil ransomware crime rings, LockBit’s operators are now threatening to leak the data of their victims in order to extort payment. And the ransomware itself also includes a number of technical improvements that show LockBit’s developers are climbing the ransomware learning curve—and have developed an interesting technique to circumvent Windows’ User Account Control (UAC).