The LockBit ransomware operation has again taken center stage in the ransomware news, as we learned yesterday they were behind the attack on Royal Mail.
Royal Mail is the UK’s largest mail delivery service and is considered a critical infrastructure in the country, with the disruption of its services having a significant impact on the country’s economy and supply chain.
On Wednesday, Royal Mail suffered a cyberattack that led to the halting of international shipping services.
Yesterday, we learned that this disruption was caused by a LockBit ransomware attack that encrypted the computers used to print customs dockets required for international shipping.
With LockBit having grown to be the largest ransomware operation, it also appears to have become very unwieldy, with affiliates targeting critical infrastructure and children’s hospitals, even though it’s against the gang’s policies.
LockBit ultimately released a free decryptor for the SickKids children’s hospital but it is unclear if they will do so for Royal Mail as well.
We also learned this week that the Vice Society Ransomware operation attacked and leaked the data for Fire Rescue Victoria, a large fire and rescue service in Australia.
New research on ransomware was also disclosed, or discovered, with various reports listed below:
CISA now requires federal agencies to patch the OWASSRF flaw by the end of January due to its active exploitation by both the Cuba and Play ransomware operations.
Contributors and those who provided new ransomware information and stories this week include: @DanielGallagher, @PolarToffee, @Seifreed, @billtoulas, @malwareforme,ย @struppigel, @demonslay335, @Ionut_Ilascu, @FourOctets, @malwrhunterteam, @BleepinComputer, @LawrenceAbrams, @fwosar, @serghei, @pcrisk, @MsftSecIntel, @BrettCallow, @UK_Daniel_Card, @SRMInform, @TGesches, @rapid7, @uuallan, @AShukuhi, and @BushidoToken.
January 9th 2023
New Dharma Ransomware variant
PCrisk found a new Dharma ransomware variant that appends the .mao extension.
New STOP Ransomware variant
PCrisk found a new Dharma ransomware variant that appends the .zoqw and drops a ransom note named _readme.txt.
New VoidCrypt Ransomware variant
PCrisk found a new VoidCrypt ransomware variant that appends the .RYKCRYPT and drops a ransom note named unlock-info.txt.
New Xorist ransomware variant
PCrisk found a new Xorist ransomware variant that appends the .KoRyA and drops a ransom note named HOW TO DECRYPT FILES.txt.
January 10th 2023
Lorenz ransomware gang plants backdoors to use months later
Security researchers are warning that patching critical vulnerabilities allowing access to the network is insufficient to defend against ransomware attacks.
CISA orders agencies to patch Exchange bug abused by ransomware gang
The Cybersecurity and Infrastructure Security Agency (CISA) has added two more security vulnerabilities to its catalog of exploited bugs today.
New STOP Ransomware variant
PCrisk found a new Dharma ransomware variant that appends the .zouu and drops a ransom note named _readme.txt.
January 11th 2023
Royal Mail halts international services after cyberattack
The Royal Mail, UK’s leading mail delivery service, has stopped its international shipping services due to “severe service disruption” caused by what it described as a “cyber incident.”
Increasing The Sting of HIVE Ransomware
How malicious actors evade detection and disable defenses for more destructive HIVE Ransomware attacks.
January 12th 2023
Vice Society ransomware claims attack on Australian firefighting service
Australia’s Fire Rescue Victoria has disclosed a data breach caused by a December cyberattack that is now claimed by the Vice Society ransomware gang.
Microsoft: Cuba ransomware hacking Exchange servers via OWASSRF flaw
Microsoft says Cuba ransomware threat actors are hacking Microsoft Exchange servers unpatched against a critical server-side request forgery (SSRF) vulnerability also exploited in Play ransomware attacks.
Royal Mail cyberattack linked to LockBit ransomware operation
A cyberattack on Royal Mail, UK’s largest mail delivery service, has been linked to the LockBit ransomware operation.
