Review of incidents involving ransomware for the period from June 14 to June 20, 2022


Ransomware operators are constantly refining the ways they pressure victims into paying. Last week, for example, the BlackCat (ALPHV) extortion group adopted a new tactic: instead of simply publishing stolen data on its darknet leak site in the usual way, it began creating a separate website for each victim, where employees and customers of the affected organization can check whether their personal information (social security numbers, phone numbers, etc.) was among the stolen data.

Last week, BlackCat also claimed responsibility for a cyberattack on the University of Pisa. According to the attackers' demands, the university had to pay $4.5 million by June 16; the extortionists threatened to release confidential university data if the ransom was not paid on time.

Over the past week, PCrisk discovered several new ransomware variants, including STOP (appends the .bbii extension to encrypted files), Chaos (a build calling itself Ritzer Ransomware; appends the .ritzer extension), Phobos (appends the .LIZARD extension) and Sheeva (appends the .sheeva extension).

Specialists at Amigo-A identified a new version of the Venus ransomware that appends the .anigma extension to encrypted files.

Unit 42, the threat research division of Palo Alto Networks, reported an increase in activity of the Hello XD ransomware. Its operators have armed themselves with a new version of the malware that uses a more robust encryption scheme.

Africa's largest supermarket chain, Holdings, with almost three thousand stores in 12 countries, has fallen victim to ransomware. The RansomHouse group claimed responsibility for the attack last week, stating that it managed to steal 600 GB of files from Holdings.

The Glenn County Board of Education in California paid the operators of the Quantum ransomware $400 thousand for a key to restore its encrypted files and a promise not to publish the files stolen from it.

Judging by user reports and samples uploaded to the ID Ransomware platform, this week the ech0raix ransomware resumed attacks on vulnerable QNAP NAS devices. Although ech0raix can also attack Synology devices, so far only QNAP users have reported attacks. The manufacturer has not yet published any details, and the infection vector remains unknown. In previous campaigns, the ransomware compromised devices by brute-forcing credentials and by exploiting known vulnerabilities in the NAS firmware (CVE-2018-19943, CVE-2018-19949 and CVE-2018-19953).
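When an outbreak is suspected on a file share or NAS, the first triage question is the same one ID Ransomware answers from uploaded samples: which family does the encrypted-file extension point to, and how far has it spread? The script below is an added example written for this digest, not code from ID Ransomware, PCrisk or Amigo-A. It walks a directory tree, counts files per final extension, and reports any extension that matches one of the variants named above (.bbii, .ritzer, .LIZARD, .sheeva, .anigma) once it appears at least MIN_HITS times, so a single stray file is not mistaken for an outbreak. The threshold, the extension-to-family table and the sample share it builds in a temporary directory are all assumptions constructed for the example; since the extension a family appends changes from build to build, treat a match as a lead to confirm against the ransom note and a sample upload, not as a final identification.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extension-to-family mapping built only from the variants named in this
# digest (assumption: a later build of any of these families may differ).
FAMILY_BY_EXTENSION = {
    ".bbii": "STOP",
    ".ritzer": "Chaos (Ritzer)",
    ".LIZARD": "Phobos",
    ".sheeva": "Sheeva",
    ".anigma": "Venus",
}

# Minimum number of files sharing one extension before it is reported as an
# outbreak rather than a lone file (assumption; tune for the share in question).
MIN_HITS = 5


def scan_tree(root):
    """Walk root and count files per final extension, keeping the first path
    seen for each extension as a sample to pull for analysis."""
    counts = Counter()
    samples = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = Path(name).suffix  # final suffix only, e.g. ".docx.bbii" -> ".bbii"
            if not ext:
                continue
            counts[ext] += 1
            samples.setdefault(ext, os.path.join(dirpath, name))
    return counts, samples


def triage(root, min_hits=MIN_HITS):
    """Return (family, extension, count, sample_path) tuples for every known
    ransomware extension seen at least min_hits times under root, most
    widespread first."""
    counts, samples = scan_tree(root)
    hits = []
    for ext, n in counts.items():
        family = FAMILY_BY_EXTENSION.get(ext)
        if family and n >= min_hits:
            hits.append((family, ext, n, samples[ext]))
    hits.sort(key=lambda h: -h[2])
    return hits


def build_sample_share(base):
    """Constructed test data: clean files, a STOP-style outbreak of eight
    .bbii files, and one stray .ritzer file below the reporting threshold."""
    base = Path(base)
    (base / "docs").mkdir(parents=True, exist_ok=True)
    for i in range(8):
        (base / "docs" / f"report{i}.docx.bbii").write_bytes(b"\x00" * 16)
    (base / "notes.txt").write_text("clean file, untouched")
    (base / "odd.ritzer").write_text("single stray file, below threshold")
    return str(base)


def run_demo(min_hits=MIN_HITS):
    """Build the constructed share in a temp dir and return the triage hits."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample_share(tmp), min_hits=min_hits)


if __name__ == "__main__":
    for family, ext, n, sample in run_demo():
        print(f"{family:16} {ext:10} {n:5} files  e.g. {sample}")
```

Run it against a real share by replacing the constructed tree with the mount point (triage("/mnt/share")); lowering min_hits to 1 turns it into a plain inventory of every known extension present, which is useful when you are trying to catch an encryption run early rather than size up a finished one.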
