
The Week in Ransomware – February 10th 2023 – Clop’s Back

by Lawrence Abrams
February 10, 2023
From ongoing attacks targeting ESXi servers to sanctions on Conti/TrickBot members, it has been quite a busy week regarding ransomware.

The worldwide ESXiArgs ransomware attacks continued to plague VMware ESXi servers over the weekend and into the week. To aid admins in recovering their servers, CISA released a script that would recover virtual machines from flat files on encrypted servers.

However, a day later, a new version of the ESXiArgs ransomware was released that encrypts more data, preventing previously known recovery methods.

With ESXi such a juicy target for ransomware gangs, the Royal Ransomware group has also developed its own Linux encryptor to encrypt virtual machines.

We also had news from the U.S. government, which sanctioned seven TrickBot/Conti cybercrime organization members and released a report detailing how North Korean ransomware attacks are used to fund the DPRK’s operations.

After a long period of few victims and activity on their data leak site, the Clop ransomware gang (TA505) is back, claiming to be behind attacks using a zero-day vulnerability in GoAnywhere MFT.


The ransomware gang says they exploited the vulnerability to steal data from 130 companies, but we have been unable to verify this independently.

However, a report by Huntress Labs also indicates that Clop was likely involved in these attacks.

We also learned some news about various (likely) ransomware attacks, including LockBit finally claiming the attack on Royal Mail, an attack on Canada’s Indigo book stores, and A10 Networks confirming they suffered a data breach after a Play ransomware attack.

Contributors and those who provided new ransomware information and stories this week include @LawrenceAbrams, @malwrhunterteam, @billtoulas, @demonslay335, @struppigel, @PolarToffee, @fwosar, @BleepinComputer, @Ionut_Ilascu, @serghei, @Seifreed, @jfslowik, @CISAgov, @LabsSentinel, @BushidoToken, @ASEC_Analysis, @pcrisk, @ValeryMarchive, and @BrettCallow.

February 5th 2023

Linux version of Royal Ransomware targets VMware ESXi servers

Royal Ransomware is the latest ransomware operation to add support for encrypting Linux devices to its most recent malware variants, specifically targeting VMware ESXi virtual machines.

February 6th 2023

VMware warns admins to patch ESXi servers, disable OpenSLP service

VMware warned customers today to install the latest security updates and disable the OpenSLP service targeted in a large-scale campaign of ransomware attacks against Internet-exposed and vulnerable ESXi servers.

DarkSide Ransomware With Self-Propagating Feature in AD Environments

In order to evade analysis and sandbox detection, DarkSide ransomware only operates when the loader and data file are both present. The loader, named “msupdate64.exe”, reads the “config.ini” data file from the same path, which contains the encoded ransomware, and runs the ransomware in the memory of a normal process. The ransomware is structured to only operate when a specific argument matches. It then registers itself with the task scheduler and runs itself periodically.
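As an added example (not from the article or from ASEC’s report), the following Python correlates constructed endpoint events to flag the behaviour chain described above: an msupdate64.exe image reading a config.ini from its own directory and then registering a scheduled task. The event tuples, paths and task name are constructed for illustration and do not follow any real EDR schema.

```python
"""Toy detection over constructed endpoint telemetry for the DarkSide loader
chain described in the article: loader (msupdate64.exe) reads a co-located
config.ini, then registers a scheduled task. Event shape is constructed."""
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample events: (event_type, pid, image_path, target)
SAMPLE_EVENTS = [
    ("process_create", 4100, r"C:\Users\Public\msupdate64.exe", ""),
    ("file_read", 4100, r"C:\Users\Public\msupdate64.exe", r"C:\Users\Public\config.ini"),
    ("task_register", 4100, r"C:\Users\Public\msupdate64.exe", "UpdateCheck"),
    # Benign noise: a system process reading an unrelated config.ini
    ("process_create", 5200, r"C:\Windows\System32\svchost.exe", ""),
    ("file_read", 5200, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\config.ini"),
    # Same loader name, but config.ini is elsewhere and no task is registered
    ("process_create", 6300, r"C:\Temp\msupdate64.exe", ""),
    ("file_read", 6300, r"C:\Temp\msupdate64.exe", r"C:\Other\config.ini"),
]


def find_suspicious_loaders(events):
    """Return pids whose image is msupdate64.exe, that read a config.ini in the
    image's own directory, and that also registered a scheduled task."""
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev[1]].append(ev)

    hits = []
    for pid, evs in by_pid.items():
        image = PureWindowsPath(evs[0][2])
        if image.name.lower() != "msupdate64.exe":
            continue
        # PureWindowsPath compares case-insensitively, as Windows does
        read_colocated_ini = any(
            kind == "file_read"
            and PureWindowsPath(target).name.lower() == "config.ini"
            and PureWindowsPath(target).parent == image.parent
            for kind, _, _, target in evs
        )
        registered_task = any(kind == "task_register" for kind, *_ in evs)
        if read_colocated_ini and registered_task:
            hits.append(pid)
    return hits


if __name__ == "__main__":
    print("suspicious pids:", find_suspicious_loaders(SAMPLE_EVENTS))
```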

February 7th 2023

LockBit ransomware gang claims Royal Mail cyberattack

The LockBit ransomware operation has claimed the cyberattack on the UK’s leading mail delivery service Royal Mail, which forced the company to halt its international shipping services due to “severe service disruption.”

Clop ransomware flaw allowed Linux victims to recover files for months

The Clop ransomware gang is now also using a malware variant that explicitly targets Linux servers, but a flaw in the encryption scheme has allowed victims to quietly recover their files for free for months.

Russian man pleads guilty to laundering Ryuk ransomware money

Russian citizen Denis Mihaqlovic Dubnikov pleaded guilty on Tuesday to laundering money for the notorious Ryuk ransomware group for over three years.

CISA releases recovery script for ESXiArgs ransomware victims

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a script to recover VMware ESXi servers encrypted by the recent widespread ESXiArgs ransomware attacks.

New Chaos ransomware variant

PCrisk found a new Chaos ransomware variant that appends what appears to be random extensions (.1iyT6bav7VyWM5) and drops a ransom note named adrianov.txt.

February 8th 2023

New ESXiArgs ransomware version prevents VMware ESXi recovery

New ESXiArgs ransomware attacks are now encrypting more extensive amounts of data, making it much harder, if not impossible, to recover encrypted VMware ESXi virtual machines.

Investigating Intrusions From Intriguing Exploits

By investigating the event in question and pursuing root cause analysis (RCA), Huntress was able to link this intrusion to a recently-announced vulnerability as well as to a long-running post-exploitation framework linked to prominent ransomware groups.

February 9th 2023

Largest Canadian bookstore Indigo shuts down site after cyberattack

Indigo Books & Music, the largest bookstore chain in Canada, was struck by a cyberattack yesterday, causing the company to take its website offline and to accept only cash payments.

U.S. and U.K. sanction TrickBot and Conti ransomware operation members

The United States and the United Kingdom have sanctioned seven Russian individuals for their involvement in the TrickBot cybercrime group, whose malware was used to support attacks by the Conti and Ryuk ransomware operations.

New STOP ransomware variant

PCrisk found a new STOP ransomware variant that appends the .vvmm extension.

February 10th 2023

A10 Networks confirms data breach after Play ransomware attack

The California-based networking hardware manufacturer ‘A10 Networks’ has confirmed to BleepingComputer that the Play ransomware gang briefly gained access to its IT infrastructure and compromised data.

Clop ransomware claims to be behind GoAnywhere zero-day attacks

The Clop ransomware gang claims to be behind recent attacks that exploited a zero-day vulnerability in the GoAnywhere MFT secure file transfer tool, saying they stole data from over 130 organizations.

North Korean ransomware attacks on healthcare fund govt operations

A new cybersecurity advisory from the U.S. Cybersecurity & Infrastructure Security Agency (CISA) describes recently observed tactics, techniques, and procedures (TTPs) used in North Korean ransomware operations against public health and other critical infrastructure sectors.

New STOP ransomware variant

PCrisk found a new STOP ransomware variant that appends the .vvoo extension.

That’s it for this week! Hope everyone has a nice weekend!
