Security News

In recent years, ransomware groups have evolved their tactics to not only encrypt data but also exfiltrate it, giving them a second lever for extortion (the "double extortion" model). The rise of data extortion ransomware has coincided with a dramatic increase in both the number of active groups and the number of attacks against organizations.

The threat actors behind the Monti ransomware have resurfaced after a two-month break with a new Linux version of the encryptor in its attacks targeting government and legal sectors. Monti emerged in June 2022, weeks after the Conti ransomware group shut down its operations, deliberately imitating the tactics and tools associated with the latter, including its leaked source code.

A recent Truman State University ransomware attack caused several days of shutdowns and the engagement of external security teams. In Pennsylvania, the Penncrest school district found itself the target of a ransomware attack leading to multiple days of no internet access and disruption of school routines, impacting local families.

Comprehensive security plans and programs must focus on defense, but also on answering these key questions: "How will the organization respond to a ransomware attack?" and "At what point will the option of paying the ransom be on the table?" The more ransoms organizations pay, the more profitable ransomware attacks become for cybercriminals.

In the DOJ's blunt words, "Grabowski remains a fugitive." As you probably know, ransomware criminals typically use anonymous dark web hosts as points of contact when "negotiating" their blackmail payoffs.

The Monti ransomware gang has returned, after a two-month break from publishing victims on its data leak site, using a new Linux locker to target VMware ESXi servers as well as legal and government organizations. Researchers at Trend Micro analyzing Monti's new encryption tool found that it has "significant deviations from its other Linux-based predecessors."

The Knight ransomware is being distributed in an ongoing spam campaign that pretends to be TripAdvisor complaints. Knight ransomware is a recent rebrand of the Cyclop Ransomware-as-a-Service, which switched its name at the end of July 2023.

While some ransomware operations claim not to target hospitals, one relatively new ransomware gang named Rhysida doesn't seem to care. We also saw further ransomware reports covering TargetCompany, code leaks affecting the RaaS ecosystem, and a new threat actor using a customized version of Yashma ransomware.

A bulletproof hosting provider is a hosting company that turns a blind eye to reports of criminal activity or the hosting of copyrighted material on their servers. Cybercriminals prefer these types of hosting providers over traditional companies, as they can launch cybercrime campaigns without fear that they will be shut down after malicious activity is reported.

The Rhysida ransomware operation is making a name for itself after a wave of attacks on healthcare organizations has forced government agencies and cybersecurity companies to pay closer attention to its operations. While some ransomware operations claim not to intentionally target healthcare organizations and even provide free decryption keys if done by mistake, Rhysida does not appear to follow the same policy.