The fallout from the Clop ransomware assaults on GoAnywhere platforms has turn into obvious this week, with the menace actors beginning to extort victims on their information leak website and corporations confirming breaches.

These assaults had been claimed by the Clop menace actors, a ransomware gang that traditionally encrypted units and stole information to extort victims into paying a ransom. Nevertheless, extra not too long ago, they’ve been specializing in information extortion as an alternative of encrypting.

Clop had beforehand claimed to have breached and stolen information from 130 organizations over ten days utilizing the GoAnywhere vulnerabilities.

This week, BleepingComputer was advised that Clop had begun extorting victims, emailing ransom calls for, and creating profiles for a lot of victims on their information leak website. At the moment, it isn’t recognized how a lot the menace actors are demanding to not publish information.

This has led to quite a few information breach disclosures from firms, together with Group Well being Methods (CHS), Hatch Financial institution, Rubrik, and Hitachi Vitality, with probably many extra to return.

Along with the Clop assaults, we realized extra about varied ransomware assaults, together with these on Essendant and the LA housing authority.

The opposite important information this week that can have an effect on ransomware and different cybercrime is the seizure of the ChipMixer platform, utilized by cybercriminals to launder ransom funds, stolen cryptocurrency, and income generated on darkish internet markets.

Lastly, some attention-grabbing stories had been launched on Trigona, LockBit 3.0, CatB, BianLian’s shift to pure information extortion, and extra!

Contributors and people who offered new ransomware info and tales this week embody @LawrenceAbrams, @Seifreed, @Ionut_Ilascu, @Ax_Sharma, @malwrhunterteam, @struppigel, @BleepinComputer, @serghei, @fwosar, @billtoulas, @demonslay335, @kaspersky, @pcrisk, @ReliaQuest, @BrettCallow, and @Unit42_Intel.

March eleventh 2023

Clop ransomware gang begins extorting GoAnywhere zero-day victims

The Clop ransomware gang has begun extorting firms whose information was stolen utilizing a zero-day vulnerability within the Fortra GoAnywhere MFT safe file-sharing resolution.

New STOP ransomware variants

Quietman7 noticed new STOP ransomware variants appending the .craa, .qazx, and .qapo extensions

March twelfth 2023

Medusa ransomware gang picks up steam because it targets firms worldwide

A ransomware operation often called Medusa has begun to select up steam in 2023, focusing on company victims worldwide with million-dollar ransom calls for.

Staples-owned Essendant dealing with multi-day “outage,” orders frozen

Essendant, a wholesale distributor of stationery and workplace provides, is experiencing a multi-day techniques “outage” stopping prospects and suppliers from putting and fulfilling on-line orders.

New STOP ransomware variant

Quietman7 noticed a brand new STOP ransomware variant that appends the .qarj extension.

March thirteenth 2023

LA housing authority discloses information breach after ransomware assault

The Housing Authority of the Metropolis of Los Angeles (HACLA) is warning of a “information safety occasion” after the LockBit ransomware gang focused the group and leaked information stolen within the assault.

New Dharma ransomware variants

PCrisk discovered new Dharma ransomware variants appending the .like and .j3rd extensions.

New Chaos ransomware variants

PCrisk discovered new Chaos ransomware variants appending the .nochi and .Cyber extensions.

CatB Ransomware | File Locker Sharpens Its Claws to Steal Knowledge with MSDTC Service DLL Hijacking

The CatB ransomware household, generally known as CatB99 or Baxtoy, was first noticed in late 2022, with campaigns being noticed steadily since November. The group’s actions have gained consideration because of their ongoing use of DLL hijacking through Microsoft Distributed Transaction Coordinator (MSDTC) to extract and launch ransomware payloads.

March 14th 2023

Rubrik confirms information theft in GoAnywhere zero-day assault

Cybersecurity firm Rubrik has confirmed that its information was stolen utilizing a zero-day vulnerability within the Fortra GoAnywhere safe file switch platform.

New Phobos ransomware variant

PCrick noticed a brand new Phobos ransomware variant that appends the .BACKJOHN extension.

New VoidCrypt ransomware variant

PCrick noticed a brand new VoidCrypt ransomware variant that appends the .youhau extension and dropping a ransom identify named Dectryption-guide.txt.

Microsoft fixes Home windows zero-day exploited in ransomware assaults

Microsoft has patched one other zero-day bug utilized by attackers to avoid the Home windows SmartScreen cloud-based anti-malware service and deploy Magniber ransomware payloads with out elevating any purple flags.

March fifteenth 2023

ChipMixer platform seized for laundering ransomware funds, drug gross sales

A world legislation enforcement operation has seized the cryptocurrency mixing service ‘ChipMixer’ which is alleged for use by hackers, ransomware gangs, and scammers to launder their proceeds.

FBI: Ransomware hit 860 vital infrastructure orgs in 2022

The Federal Bureau of Investigation (FBI) revealed in its 2022 Web Crime Report that ransomware gangs breached the networks of no less than 860 vital infrastructure organizations final yr.

LockBit ransomware claims Essendant assault, firm says “community outage”

LockBit ransomware has claimed a cyber assault on Essendant, a wholesale distributer of workplace merchandise after a “important” and ongoing outage knocked the corporate’s operations offline.

New Xorist ransomware variant

PCrick noticed a brand new Xorist ransomware variant appending the .DrWeb and dropping ransomnotes named ??? ???????????? ?????.txt.

QBot: Laying the Foundations for Black Basta Ransomware Exercise

Towards the latter half of This autumn 2022, ReliaQuest found a safety incident unfolding in a buyer’s setting. A menace actor gained preliminary community entry, quickly escalated their privileges, and moved laterally, shortly establishing a foothold in 77 minutes.

March sixteenth 2023

Conti-based ransomware ‘MeowCorp’ will get free decryptor

A decryption device for a modified model of the Conti ransomware might assist lots of of victims get better their recordsdata without spending a dime.

BianLian ransomware gang shifts focus to pure information extortion

The BianLian ransomware group has shifted its focus from encrypting its victims’ recordsdata to solely exfiltrating information discovered on compromised networks and utilizing them for extortion.

New STOP ransomware variants

Quietman7 noticed new STOP ransomware variants appending the .darz and .dapo extensions

New Merlin ransomware

PCrisk discovered a brand new ransomware variant that appends the .Merlin extension and drops a ransom be aware named Merlin_Recover.txt.

New Phobos ransomware variant

PCrick noticed a brand new Phobos ransomware variant that appends the .usr extension.

#StopRansomware: LockBit 3.0

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Safety Company (CISA), and the Multi-State Data Sharing & Evaluation Heart (MS-ISAC) are releasing this joint CSA to disseminate recognized LockBit 3.0 ransomware IOCs and TTPs recognized by means of FBI investigations as not too long ago as March 2023.

Bee-Ware of Trigona, An Rising Ransomware Pressure

Trigona ransomware is a comparatively new pressure that safety researchers first found in late October 2022. By analyzing Trigona ransomware binaries and ransom notes obtained from VirusTotal, in addition to info from Unit 42 incident response, we decided that Trigona was very lively throughout December 2022, with no less than 15 potential victims being compromised. Affected organizations are within the manufacturing, finance, building, agriculture, advertising and excessive expertise industries.

March seventeenth 2023

New STOP ransomware variant

PCrick noticed a brand new STOP ransomware variant that appends the .dazx extension.

Hitachi Vitality confirms information breach after Clop GoAnywhere assaults

Hitachi Vitality confirmed it suffered an information breach after the Clop ransomware gang stole information utilizing a zero-day GoAnyway zero-day vulnerability.

That is it for this week! Hope everybody has a pleasant weekend!