For the most part, it has been a quiet week on the ransomware front, with a few new reports, product developments, and attacks revealed.
Mandiant revealed this week that an Iranian threat actor is behind ransomware attacks on the Albanian government, likely in retaliation for an upcoming Iranian opposition group’s conference.
Microsoft also announced this week that new Windows 11 builds in the Beta Channel had improved Microsoft Defender for Endpoint ransomware attack blocking capabilities.
This week we also saw an interesting research paper and Twitter thread on cyber insurance policies that are worthwhile reads.
Finally, we learned about ransomware attacks this week, including ones on the Spanish National Research Council (CSIC), Semikron (hit by LV ransomware), the German Chambers of Industry and Commerce, and Creos Luxembourg.
Contributors and those who provided new ransomware information and stories this week include: @billtoulas, @malwrhunterteam, @DanielGallagher, @FourOctets, @struppigel, @VK_Intel, @Ionut_Ilascu, @demonslay335, @BleepinComputer, @Seifreed, @PolarToffee, @malwareforme, @jorntvdw, @fwosar, @LawrenceAbrams, @serghei, @secuninja, @pcrisk, @siri_urz, @Dschwarcz, @Balgan, and @Mandiant.
August 1st 2022
BlackCat ransomware claims attack on European gas pipeline
The ALPHV ransomware gang, aka BlackCat, claimed responsibility for a cyberattack against Creos Luxembourg S.A. last week, a natural gas pipeline and electricity network operator in the central European country.
New Phobos ransomware variant
PCrisk found a new Phobos ransomware variant that appends the .FILE extension and drops a ransom note named info.hta and info.txt.
New Hydrox ransomware
PCrisk found a new Phobos ransomware variant that appends the .hydrox extension and drops a ransom note named Hydrox Ransomware.txt.
New Chaos ransomware variant
PCrisk found a new Chaos-based ‘Root’ ransomware that appends the .Root extension and drops a ransom note named read_it.txt.
New Payt Ransomware
PCrisk found the new Payt ransomware that appends the .Payt extension and drops a ransom note named ReadthisforDecode.txt.
August 2nd 2022
Semiconductor manufacturer Semikron hit by LV ransomware attack
German power electronics manufacturer Semikron has disclosed that it was hit by a ransomware attack that partially encrypted the company’s network.
Microsoft Defender now better at blocking ransomware on Windows 11
Microsoft has released new Windows 11 builds to the Beta Channel with improved Microsoft Defender for Endpoint ransomware attack blocking capabilities.
How Privilege Undermines Cybersecurity
In recent years, cyberattacks have cost firms countless billions of dollars, undermined consumer privacy, distorted world geopolitics, and even resulted in death and bodily harm. Rapidly accelerating cyberattacks have not, however, been bad news for many lawyers. To the contrary, lawyers that specialize in coordinating all elements of victims’ incident response efforts are increasingly in demand. Lawyers’ dominant role in cyber-incident response is driven predominantly by their purported capacity to ensure that information produced during the breach-response process remains confidential, particularly in any subsequent lawsuit.
August 3rd 2022
Spanish research agency still recovering after ransomware attack
The Spanish National Research Council (CSIC) last month was hit by a ransomware attack that is now attributed to Russian hackers.
A must-read Twitter thread on cyber insurance
A about cyber insurance, and some myth-busting on some topics that I read this week. Full disclosure: I work for a cyberinsurance provider and will only talk about how WE are doing things, we too agree that it could be done better and decided to do it. 1/N
— Tiago Henriques (@Balgan) August 4, 2022
New MedusaLocker ransomware variant
PCrisk found a new STOP ransomware variant that appends the .Readnet7 extension and drops a ransom note named HOW_TO_RECOVER_DATA.html.
New HiCrypt ransomware
S!Ri found a new ransomware that appends the .hicrypt extension to encrypted files.
August 4th 2022
German Chambers of Industry and Commerce hit by ‘massive’ cyberattack
The Association of German Chambers of Industry and Commerce (DIHK) was forced to shut down all of its IT systems and switch off digital services, telephones, and email servers, in response to a cyberattack.
Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations
Mandiant identified the ROADSWEEP ransomware family and a Telegram persona which targeted the Albanian government in a politically motivated disruptive operation ahead of an Iranian opposition organization’s conference in late July 2022.
New STOP ransomware variant
PCrisk found a new STOP ransomware variant that appends the .vvyu extension.
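The variant notes above each give two of the cheapest triage indicators a responder has: the extension appended to encrypted files and the name of the dropped ransom note. The following script is an added example (not code from BleepingComputer, PCrisk or any of the contributors named on this page) that collects this week's reported indicators into one table and runs them over a directory listing. The listing itself is constructed for the example; the family labels, extensions and note names are taken as reported above. It generalizes the per-variant notes into a single matcher that groups hits by family, so a responder can see at a glance which reported variant a set of files resembles.

```python
# Triage helper: match file names from a directory listing against the
# extensions and ransom-note names reported for this week's new variants.
# Added example; indicator values are as reported on this page, the sample
# listing below is constructed.
from collections import defaultdict

INDICATORS = {
    # family label: appended extension, ransom note file names (as reported)
    "Phobos (.FILE)":           {"ext": ".FILE",     "notes": {"info.hta", "info.txt"}},
    "Hydrox":                   {"ext": ".hydrox",   "notes": {"Hydrox Ransomware.txt"}},
    "Chaos 'Root'":             {"ext": ".Root",     "notes": {"read_it.txt"}},
    "Payt":                     {"ext": ".Payt",     "notes": {"ReadthisforDecode.txt"}},
    "MedusaLocker (.Readnet7)": {"ext": ".Readnet7", "notes": {"HOW_TO_RECOVER_DATA.html"}},
    "HiCrypt":                  {"ext": ".hicrypt",  "notes": set()},   # no note name reported
    "STOP (.vvyu)":             {"ext": ".vvyu",     "notes": set()},   # no note name reported
}

# Constructed sample listing (Windows-style paths, as a collected listing might contain).
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.FILE",
    r"C:\Users\alice\Documents\info.hta",
    r"C:\Users\alice\Documents\info.txt",
    r"D:\shares\finance\q2.pdf.Readnet7",
    r"D:\shares\finance\HOW_TO_RECOVER_DATA.html",
    r"C:\Users\bob\Pictures\holiday.jpg",
    r"C:\Users\bob\Pictures\holiday.jpg.vvyu",
    r"C:\Users\bob\Desktop\read_it.txt",
]


def _basename(path):
    """Last path component, accepting both '\\' and '/' separators
    so Windows listings can be processed on any host."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def classify_path(path):
    """Return the list of families whose appended extension or ransom-note
    name matches this file name. Matching is case-insensitive because the
    reported casing of extensions is not always preserved in listings."""
    name = _basename(path).lower()
    hits = []
    for family, ioc in INDICATORS.items():
        notes = {n.lower() for n in ioc["notes"]}
        if name.endswith(ioc["ext"].lower()) or name in notes:
            hits.append(family)
    return hits


def scan_listing(paths):
    """Group every matching path by family.
    Returns {family: sorted list of matching paths}; families with no hits are omitted."""
    found = defaultdict(list)
    for p in paths:
        for family in classify_path(p):
            found[family].append(p)
    return {fam: sorted(v) for fam, v in found.items()}


def summarize(paths):
    """Return {family: number of matching paths} for a quick overview."""
    return {fam: len(v) for fam, v in scan_listing(paths).items()}


if __name__ == "__main__":
    for family, matches in scan_listing(SAMPLE_LISTING).items():
        print(family)
        for m in matches:
            print("   ", m)
```

An extension or note-name match is a triage signal, not an identification: short extensions such as .FILE or .Root also occur on legitimate files, so a hit should be confirmed against the file contents and the ransom-note text before any attribution is recorded. The table is deliberately a plain dictionary so new entries from later weekly reports can be appended without touching the matching code.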