We noticed one other ransomware operation shut down this week after first getting breached by regulation enforcement after which focusing on important infrastructure, placing them additional within the highlight of the US authorities.
What makes this unusual is that this appears to be a typical routine for the DarkSide, I imply BlackCat/ALPHV, ransomware operation which tends to hit important infrastructure, after which understand it was a giant mistake.
Because it was, they had been already being focused by a global regulation enforcement operation, permitting the FBI to hack the gang’s servers for months whereas accumulating knowledge, decryptors, and in the end, seizing the area of the info leak web site.
Whereas the Tor onion area seizure was a sport of tug of struggle between the FBI and BlackCat, as a substitute of shutting down, the ransomware gang determined to proceed working and vowed to focus on US important infrastructure in revenge.
Roughly two months later, one in every of their associates attacked UnitedHealth Group’s Change Healthcare, a know-how options firm utilized by many pharmacies, physician’s workplaces, and hospitals for billing claims for healthcare and prescriptions.
This assault led to extreme disruption within the US healthcare system, stopping pharmacies from accepting insurance coverage and low cost playing cards and, in some instances, inflicting sufferers to pay full value for medication.
Just like their assault on Colonial Pipeline as DarkSide, which led to them to shut down, their rebrand as BlackCat/ALPHV has now shut down after the Change Healthcare assault.
In accordance with an affiliate, Optum, Change Healthcare’s mum or dad firm and a subsidiary of UnitedHealth, paid a $22 million ransom to the ransomware operation to stop the leaking of stolen knowledge and to obtain a file decryptor.
Nevertheless, this affiliate says that BlackCat stole the ransom and didn’t switch over a share of the fee, stating it was seized by the “feds.”
In actuality, BlackCat carried out an exit rip-off the place they stole the ransom, blamed regulation enforcement, and shut down, stating that they don’t wish to be in courtroom once more.
Sadly, it is just a matter of time earlier than we see the ransomware operation rebrand below a brand new title to repeat this cycle.
In different information, the Stormous ransomware gang attacked the Duvel Belgian beer maker, which many think about important infrastructure.
Lastly, the Swiss authorities additionally warned that 65,000 of its paperwork had been leaked as a part of a Play ransomware assault on Xplain.
Contributors and people who supplied new ransomware info and tales this week embrace @demonslay335, @Seifreed, @fwosar, @malwrhunterteam, @billtoulas, @BleepinComputer, @LawrenceAbrams, @serghei, @Ionut_Ilascu, @ddd1ms, @uuallan, @AShukuhi, @BrettCallow, @BushidoToken, @JBurnsKoven, @Jon__DiMaggio, @ValeryMarchive, @UK_Daniel_Card, @AlexMartin, @TalosSecurity, @CarlyPage_, and @pcrisk.
March 4th 2024
BlackCat ransomware turns off servers amid declare they stole $22 million ransom
The ALPHV/BlackCat ransomware gang has shut down its servers amid claims that they scammed the affiliate chargeable for the assault on Optum, the operator of the Change Healthcare platform, of $22 million.
Ought to we ban ransom funds?
As cybercriminals proceed to reap the monetary rewards of their assaults, speak of a federal ban on ransom funds is getting louder.
New STOP ransomware variants
PCrisk discovered new STOP ransomware variants that append the .wisz and .wiaw extensions.
New SkyNet ransomware variant
PCrisk discovered a SkyNet variant that appends the .payuranson extension and drops a ransom word named SkynetData.txt.
March fifth 2024
BlackCat ransomware shuts down in exit rip-off, blames the “feds”
The BlackCat ransomware gang is pulling an exit rip-off, making an attempt to close down and run off with associates’ cash by pretending the FBI seized their web site and infrastructure.
GhostSec’s joint ransomware operation and evolution of their arsenal
Talos noticed the GhostSec and Stormous ransomware teams working collectively to conduct a number of double extortion assaults utilizing the GhostLocker and StormousX ransomware applications in opposition to the victims in Cuba, Argentina, Poland, China, Lebanon, Israel, Uzbekistan, India, South Africa, Brazil, Morocco, Qatar, Turkiye, Egypt, Vietnam, Thailand and Indonesia in line with our evaluation of the disclosure messages posted by the group of their Telegram channels and Stormous ransomware knowledge leak web site.
New Makop ransomware variant
PCrisk discovered a Makop variant that appends the .reload extension and drops a ransom word named +README-WARNING+.txt.
March sixth 2024
Duvel says it has “greater than sufficient” beer after ransomware assault
Duvel Moortgat Brewery was hit by a ransomware assault late final night time, bringing to a halt the beer manufacturing within the firm’s bottling services.
Capita, firm offering UK’s nuclear submarine coaching, confirms ‘cyber incident’
Capita, the UK’s largest outsourcing firm, confirmed Monday that an IT outage which left employees locked out of their accounts on Friday was attributable to “a cyber incident.”
New MedusaLocker ransomware variants
PCrisk discovered new MedusaLocker variants that append the .genesis15 and .duralock05 extensions and drop a ransom word named HOW_TO_BACK_FILES.html.
March seventh 2024
FBI: U.S. misplaced document $12.5 billion to on-line crime in 2023
FBI’s Web Crime Criticism Heart (IC3) has launched its 2023 Web Crime Report, which recorded a 22% improve in reported losses in comparison with 2022, amounting to a document of $12.5 billion.
Switzerland: Play ransomware leaked 65,000 authorities paperwork
The Nationwide Cyber Safety Centre (NCSC) of Switzerland has launched a report on its evaluation of a knowledge breach following a ransomware assault on Xplain, disclosing that the incident impacted 1000’s of delicate Federal authorities recordsdata.
LockBit: How the franchise is making an attempt to stage a comeback
Because the Cronos authorized operation, the LockBit 3.0 mafia franchise has endeavored to persuade that enterprise continues as if nothing had occurred. Examination of his claims reveals a really completely different actuality.
March eighth 2024
UnitedHealth brings some Change Healthcare pharmacy companies again on-line
Optum’s Change Healthcare has began to carry techniques again on-line after struggling a crippling BlackCat ransomware assault final month that led to widespread disruption to the US healthcare system.
That is it for this week! Hope everybody has a pleasant weekend!
Contributors and people who supplied new ransomware info and tales this week embrace: @demonslay335, @Seifreed, @fwosar, @malwrhunterteam, @billtoulas, @BleepinComputer, @LawrenceAbrams, @serghei, @Ionut_Ilascu, @ddd1ms, @uuallan, @AShukuhi, @BrettCallow, @BushidoToken, @JBurnsKoven, @Jon__DiMaggio, @ValeryMarchive, @UK_Daniel_Card, @AlexMartin, @TalosSecurity, @CarlyPage_, and @pcrisk
March 4th 2024
BlackCat ransomware turns off servers amid declare they stole $22 million ransom
The ALPHV/BlackCat ransomware gang has shut down its servers amid claims that they scammed the affiliate chargeable for the assault on Optum, the operator of the Change Healthcare platform, of $22 million.
Ought to we ban ransom funds?
As cybercriminals proceed to reap the monetary rewards of their assaults, speak of a federal ban on ransom funds is getting louder.
New STOP ransomware variants
PCrisk discovered new STOP ransomware variants that append the .wisz and .wiaw extensions.
New SkyNet ransomware variant
PCrisk discovered a SkyNet variant that appends the .payuranson extension and drops a ransom word named SkynetData.txt.
March fifth 2024
BlackCat ransomware shuts down in exit rip-off, blames the “feds”
The BlackCat ransomware gang is pulling an exit rip-off, making an attempt to close down and run off with associates’ cash by pretending the FBI seized their web site and infrastructure.
GhostSec’s joint ransomware operation and evolution of their arsenal
Talos noticed the GhostSec and Stormous ransomware teams working collectively to conduct a number of double extortion assaults utilizing the GhostLocker and StormousX ransomware applications in opposition to the victims in Cuba, Argentina, Poland, China, Lebanon, Israel, Uzbekistan, India, South Africa, Brazil, Morocco, Qatar, Turkiye, Egypt, Vietnam, Thailand and Indonesia in line with our evaluation of the disclosure messages posted by the group of their Telegram channels and Stormous ransomware knowledge leak web site.
New Makop ransomware variant
PCrisk discovered a Makop variant that appends the .reload extension and drops a ransom word named +README-WARNING+.txt.
March sixth 2024
Duvel says it has “greater than sufficient” beer after ransomware assault
Duvel Moortgat Brewery was hit by a ransomware assault late final night time, bringing to a halt the beer manufacturing within the firm’s bottling services.
Capita, firm offering UK’s nuclear submarine coaching, confirms ‘cyber incident’
Capita, the UK’s largest outsourcing firm, confirmed Monday that an IT outage which left employees locked out of their accounts on Friday was attributable to “a cyber incident.”
New MedusaLocker ransomware variants
PCrisk discovered new MedusaLocker variants that append the .genesis15 and .duralock05 extensions and drop a ransom word named HOW_TO_BACK_FILES.html.
March seventh 2024
FBI: U.S. misplaced document $12.5 billion to on-line crime in 2023
FBI’s Web Crime Criticism Heart (IC3) has launched its 2023 Web Crime Report, which recorded a 22% improve in reported losses in comparison with 2022, amounting to a document of $12.5 billion.
Switzerland: Play ransomware leaked 65,000 authorities paperwork
The Nationwide Cyber Safety Centre (NCSC) of Switzerland has launched a report on its evaluation of a knowledge breach following a ransomware assault on Xplain, disclosing that the incident impacted 1000’s of delicate Federal authorities recordsdata.
LockBit: How the franchise is making an attempt to stage a comeback
Because the Cronos authorized operation, the LockBit 3.0 mafia franchise has endeavored to persuade that enterprise continues as if nothing had occurred. Examination of his claims reveals a really completely different actuality.
March eighth 2024
UnitedHealth brings some Change Healthcare pharmacy companies again on-line
Optum’s Change Healthcare has began to carry techniques again on-line after struggling a crippling BlackCat ransomware assault final month that led to widespread disruption to the US healthcare system.
That is it for this week! Hope everybody has a pleasant weekend!