
Last Week in Ransomware: Week of July 19th


This past week hasn’t seen quite as much activity as others, likely due to the new ransomware task force created in the US and the mysterious disappearance of REvil and other gangs.

The REvil ransomware gang’s online presence experienced a thorough overnight takedown; this included clearnet as well as darknet websites. It’s currently unclear who’s responsible, but given how orderly it was, there are two distinct possibilities: either a nation-state agency, such as a US or Russian one, took them out, or the group itself decided there was too much attention on its attacks and scuttled its own ship. While the group’s “unknown” representative didn’t make an announcement, the latter option seems the most likely. Odds are they’ll keep their heads down for a while developing new attacks, then rebrand the group in a few months.

But everything’s not sunshine and rainbows for some victims of the REvil ransomware attack. When the sites went down, they took with them any chance of decrypting victims’ files, and at least one victim is now struggling to decrypt. It’s also an important reminder to patch vulnerabilities before someone else comes along and tries to emulate what REvil was able to achieve.

Why would REvil scrap their own websites? Well, in a slightly surprising move, the US government took definitive action against ransomware groups. First, it launched a task force to combat cybersecurity threats, primarily by tracking cryptocurrency transactions on the blockchain. Only time will tell how much it can actually achieve while playing a mostly reactionary role. Second, the US is offering a $10 million ransom for operations conducted by foreign governments. The casual observer might think the $10 million ransom is aimed squarely at Russia, and while that might be the case, it also seems that China wants in on the game as well. And lastly, the US published a ransomware website to inform the public and companies how best to protect themselves.

Not to be left out, Interpol also urged police worldwide to work together against the ransomware pandemic.

In similar but unrelated news, Sodinokibi websites and infrastructure are mysteriously offline.

Additionally, SonicWall warns of a ‘critical’ ransomware risk to end-of-life (EOL) SMA 100 VPN appliances.

And to round out the news for the week, in a surprise to no one, a recent survey found that 25% of ransomware attacks started through phishing.

Ransomware Research

VMware ESXi isn’t quite as safe as it used to be: a new version of the HelloKitty ransomware has been discovered targeting Linux virtual machines.

There’s also a brand new report out on Mespinoza ransomware, along with a new group called AvosLocker, which may or may not be related to DoppelPaymer.

And in this week’s round of new ransomware variants, we have a few contestants:

Phobos is now using .LOWPRICE

STOP Djvu is using .wwka and .gujd

New Dharma variants are using .OFF, .pause, and .PcS
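The extensions listed above are the kind of indicator that is cheap to turn into a file-event detection. The following Python is an added example, not code from the original post or from Varonis: it scans constructed sample file-creation events (not real telemetry) for the extensions named this week and maps each hit back to its family. The one design point worth noting is the heuristic that the original extension must still be present before the appended one (for example `report.pdf.OFF`), since these families append their extension rather than replace it; a lone `.pause` file is treated as benign to keep short, common words from producing false positives.

```python
import re
from collections import Counter

# Extensions named in this week's roundup, mapped to the family using them.
# Lower-cased so matching is case-insensitive (.LOWPRICE, .PcS, .OFF vary in case).
NEW_EXTENSIONS = {
    ".lowprice": "Phobos",
    ".wwka": "STOP Djvu",
    ".gujd": "STOP Djvu",
    ".off": "Dharma",
    ".pause": "Dharma",
    ".pcs": "Dharma",
}

# Constructed sample of file-creation events ("<timestamp> <path>"); not real data.
SAMPLE_EVENTS = """\
2021-07-19T10:01:02Z C:\\Users\\alice\\Documents\\budget.xlsx
2021-07-19T10:01:03Z C:\\Users\\alice\\Documents\\budget.xlsx.id[ABCD1234].[contact@example.invalid].LOWPRICE
2021-07-19T10:01:03Z C:\\Users\\alice\\Documents\\notes.docx.wwka
2021-07-19T10:01:04Z C:\\Users\\alice\\Pictures\\holiday.jpg.gujd
2021-07-19T10:01:05Z C:\\Users\\bob\\Desktop\\report.pdf.OFF
2021-07-19T10:01:05Z C:\\Users\\bob\\Desktop\\on.pause
2021-07-19T10:01:06Z C:\\Users\\bob\\Desktop\\readme.txt
"""

LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<path>.+)$")


def classify_path(path):
    """Return the family name when the final extension is a known ransomware
    extension AND an earlier extension is still present in the name
    (ransomware appends its extension); otherwise return None."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    stem, dot, ext = name.rpartition(".")
    if not dot:
        return None
    family = NEW_EXTENSIONS.get("." + ext.lower())
    if family is None or "." not in stem:
        # Either an unknown extension, or a single-extension file such as
        # "on.pause", which we deliberately do not flag.
        return None
    return family


def scan_events(text):
    """Parse event lines and return (timestamp, path, family) for each hit."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than fail the whole scan
        family = classify_path(m.group("path"))
        if family:
            hits.append((m.group("ts"), m.group("path"), family))
    return hits


def summarize(hits):
    """Count hits per family, useful as the body of an alert."""
    return Counter(family for _, _, family in hits)


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for ts, path, family in found:
        print(f"{ts} {family:10s} {path}")
    print(summarize(found))
```

In a real deployment the event source would be EDR or file-server audit telemetry rather than an embedded string, and a burst of hits from one host within a short window is a stronger signal than any single file name.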

Upcoming Security Conferences

Ransomware Live 2021 ( July 29 – 31)

This is the largest conference focused exclusively on the ransomware threat. It offers a great opportunity to grow your security knowledge and find new and innovative ways to protect your company.

BLACK HAT USA 2021 (July 31 – Aug 5)

Black Hat is one of the largest annual security conferences. It’s the corporate version of DEF CON and, as such, a great opportunity to get face time with security professionals such as the Varonis team. Be sure to stop by our booth!

Michael Raymond

Michael Raymond is a security researcher and video producer for the Null Byte and SecurityFWD YouTube Channels.
