While the week started slowly, it turned into a massive ransomware mess, with attacks dealing a heavy blow to companies running VMware ESXi servers.
The attacks began Friday morning, with threat actors targeting unpatched VMware ESXi servers with a new ransomware variant dubbed ESXiArgs.
What makes this attack so devastating is that many companies run much of their server infrastructure on VMware ESXi, so encrypting a single host can encrypt multiple servers at once.
The good news is that some admins have been able to recover their servers by rebuilding disks from flat files, but others have reported being unable to do so because those files were also encrypted.
We also saw new research released this week, with Microsoft warning that over 100 threat actors are deploying ransomware, and LockBit deciding to create a new decryptor based on Conti.
Lastly, REsecurity released a report on the new Nevada ransomware-as-a-service recruiting and gearing up for future attacks.
Finally, we learned more about ransomware attacks conducted this week and in the past, including:
Contributors and those who provided new ransomware information and stories this week include @PolarToffee, @serghei, @fwosar, @BleepinComputer, @LawrenceAbrams, @Seifreed, @Ionut_Ilascu, @malwrhunterteam, @struppigel, @demonslay335, @billtoulas, @vxunderground, @GeeksCyber, @PRODAFT, @brkalbyrk7, @RESecurity, @MsftSecIntel, @1ZRR4H, @pcrisk, @BrettCallow, @ahnlab, @jgreigj, and @k7computing.
January 30th 2023
PCrisk found a new Makop variant that appends the .ZFX extension and drops a ransom note named +README-WARNING+.txt.
January 31st 2023
Microsoft revealed today that its security teams are tracking more than 100 ransomware gangs and over 50 unique ransomware families that were actively used until the end of last year.
PCrisk found a new ransomware that appends the .masons extension and drops a ransom note named six62ix.txt.
PCrisk found a new Chaos ransomware variant that appends the .Script extension and drops a ransom note named read_it.txt.
February 1st 2023
The LockBit ransomware gang has again started using encryptors based on other operations, this time switching to one based on the leaked source code for the Conti ransomware.
A relatively new ransomware operation called Nevada appears to be developing its capabilities quickly, as security researchers have noticed improved functionality in the locker targeting Windows and VMware ESXi systems.
Arnold Clark, self-described as Europe's largest independent car retailer, is notifying some customers that their personal information was stolen in a December 23 cyberattack claimed by the Play ransomware group.
Through internal monitoring, the ASEC analysis team recently discovered the distribution of the TZW ransomware, which encrypts files before adding the "TZW" file extension to the original extension.
Schools in Tucson, Arizona, and Nantucket, Massachusetts, are dealing with cyberattacks as U.S. schools continue to face a barrage of threats in the first weeks of 2023.
PCrisk found a new ransomware variant that appends the .honkai extension and drops a ransom note named #DECRYPT MY FILES#.html.
PCrisk found a new ransomware variant that appends the .sunjn extension and drops a ransom note named Dectryption-guide.txt.
February 2nd 2023
The LockBit ransomware gang has claimed responsibility for the cyberattack on ION Group, a UK-based software company whose products are used by financial institutions, banks, and corporations for trading, investment management, and market analytics.
Recently we came across a tweet shared by petikvx. The tweet was about a ransomware family whose group name resembled WARLOCK DARK ARMY. The similarities with Chaos ransomware seem to end with the attacker group's name. Upon analyzing the ransomware from the tweet, we suspect the two to be very different groups based solely on their malware's attributes.
February 3rd 2023
Tallahassee Memorial HealthCare (TMH) has taken its IT systems offline and suspended non-emergency procedures following a late Thursday cyberattack.
Admins, hosting providers, and the French Computer Emergency Response Team (CERT-FR) warn that attackers are actively targeting VMware ESXi servers unpatched against a two-year-old remote code execution vulnerability to deploy ransomware.
PCrisk found a new DoDo ransomware variant that appends the .dodov2 extension and drops a ransom note named dodov2_readit.txt.
That's it for this week! Hope everyone has a nice weekend!