Security News
This edition of the Week in Ransomware covers the last two weeks of news, as we could not cover it last week, and includes quite a bit of new information, including the return of the Avaddon ransomware gang. Last month, a new ransomware operation named NoEscape was launched that quickly began amassing a stream of new corporate victims.
As most local governments maintain a small IT staff, there is potential for shared passwords, reused credentials, and a lack of multi-factor authentication security, exposing vulnerabilities for a breach. The Play ransomware group claimed responsibility for breaching city services and posted about the hack on their group website.
Mallox ransomware activities in 2023 have witnessed a 174% increase when compared to the previous year, new findings from Palo Alto Networks Unit 42 reveal. "Mallox ransomware, like many other ransomware threat actors, follows the double extortion trend: stealing data before encrypting an organization's files, and then threatening to publish the stolen data on a leak site as leverage to convince victims to pay the ransom fee," security researchers Lior Rochberger and Shimi Cohen said in a new report shared with The Hacker News.
Two ransomware actors, ALPHV/BlackCat and Clop, have listed beauty company Estée Lauder on their data leak sites as a victim of separate attacks. In a Security Exchange Commission filing on Tuesday, The Estée Lauder Companies confirmed one of the attacks saying that the threat actor gained access to some of its systems and may have stolen data.
Two ransomware actors, ALPHV/BlackCat and Clop, have listed beauty company Estée Lauder on their data leak sites as a victim of separate attacks. In a Security Exchange Commission filing on Tuesday, The Estée Lauder Companies confirmed one of the attacks saying that the threat actor gained access to some of its systems and may have stolen data.
Hive is widely believed to be affiliated with the Conti ransomware group, joining a list of other groups associated with former Conti operators, including Royal, Black Basta, and Quantum. Hive, like other RaaS providers, wrote a ransomware encryptor, created a dark web domain, advertised their services to affiliates and forums, and then allowed users to purchase a license to configure a ransomware payload and receive extortion funds.
Cybersecurity vendor Sophos is being impersonated by a new ransomware-as-a-service called SophosEncrypt, with the threat actors using the company name for their operation. Discovered yesterday by MalwareHunterTeam, the ransomware was initially thought to be part of a red team exercise by Sophos.
A financially motivated cybercrime gang has been observed deploying BlackCat ransomware payloads on networks backdoored using a revamped Sardonic malware version. While their attacks' end goal revolves around stealing payment card data from Point-of-Sale systems, FIN8 has expanded from point-of-sale to ransomware attacks to maximize profits.
The financially motivated threat actor known as FIN8 has been observed using a "Revamped" version of a backdoor called Sardonic to deliver the BlackCat ransomware. Known to be active since at least 2016, the adversary was originally attributed to attacks targeting point-of-sale systems using malware such as PUNCHTRACK and BADHATCH. The group resurfaced after more than a year in March 2021 with an updated version of BADHATCH, following it up with a completely new bespoke implant called Sardonic, which was disclosed by Bitdefender in August 2021.
28-year-old Ashley Liles, a former IT employee, has been sentenced to over three years in prison for attempting to blackmail his employer during a ransomware attack. Liles, an IT security analyst at an Oxford-based company, exploited his position to intercept a ransomware payment following an attack suffered by his employer.