It’s been a great week when it comes to ransomware, with ransom paid, ransom returned, and a ransomware ring shut down.
The biggest news this week was that the FBI announced that it was able to recover most of the $4.4 million ransom payment paid by Colonial Pipeline. It is not entirely clear how they obtained the private key for the cryptocurrency wallet, but DarkSide is believed to have stored it on a seized server.
We also learned that JBS paid $11 million to the REvil ransomware operation to obtain a decryptor and prevent the leak of stolen files.
In some good news, the Avaddon ransomware operation shut down and released the decryption keys of nearly 3,000 victims to Bleeping Computer. With these, the cybersecurity company Emsisoft was able to launch a free decryptor.
Finally, this week it emerged that memory maker ADATA and food service provider Edward Don suffered from ransomware attacks.
Contributors and those who provided new information and stories about ransomware this week include: @Ionut_Ilascu, @demons335, @FourOctets, @Seifreed, @fwosar, @jorntvdw, @Sleepingcomputer, @struppigel, @malwrhunterteam, @PolarToffee, @serghei, @DanielGallagher, @LawrenceAbrams, @VK_Intel, @malwareforme, @jonallendc, @kevincollier, @Roberto_escuela, @KimZetter, @RakeshKrish12, @fbgwls245, @Jirehlov, @SecurityJoes, @Kangxiaopao, and @GrujaRS.
June 5, 2021
dnwls0719 found a new ransomware called BigLock that adds the .nermer extension and drops a ransom note called PROTECT_INFO.TXT.
June 6, 2021
New Evil Corp ransomware mimics the PayloadBin gang to evade US sanctions
The new PayloadBIN ransomware has been attributed to the Evil Corp cybercrime ring, which was rebranded to evade sanctions imposed by the US Department of Treasury’s Office of Foreign Assets Control (OFAC).
Jirehlov Solace found a new variant of Findnotefile ransomware that adds the .Red point extension.
Michael Gillespie is looking for a ransomware that adds the .ramsome.encrypt (rsw) .nat extension and drops a note called readme-instructions.txt. The ransomware converts the files into password-protected RAR archives.
June 7, 2021
US Recovers Most of Colonial Pipeline’s $4.4 Million Ransomware Payment
The US Department of Justice recovered most of the $4.4 million ransom payment paid by Colonial Pipeline to the DarkSide ransomware operation.
Japanese multinational conglomerate Fujifilm said it has refused to pay a ransom demand to the cyber gang that attacked its network in Japan last week and is instead relying on backups to restore operations.
June 8, 2021
Computer Memory Maker ADATA Hit By Ragnar Locker Ransomware
Leading Taiwan-based memory and storage manufacturer ADATA says a ransomware attack forced it to shut down systems after its network was attacked in late May.
Rakesh Krishnan found a new RaaS called HimalayA advertised on the dark web.
June 9, 2021
Security Joes found a .NET Ryuk copycat that can be customized with a ransomware generator.
June 10, 2021
JBS paid $11 million to REvil ransomware after $22.5 million was first demanded
JBS, the world’s largest beef producer, has confirmed that it paid an $11 million ransom after the REvil ransomware operation initially demanded $22.5 million.
CD Projekt: data stolen in ransomware attack now circulating online
CD Projekt is warning today that internal data stolen during its February ransomware attack is circulating on the Internet.
Food Service Provider Edward Don Affected by Ransomware Attack
Food service provider Edward Don has suffered a ransomware attack that has caused the company to shut down parts of the network to prevent the spread of the attack.
Michael Gillespie found a new Vice Society ransomware that adds the .v-society extension when encrypting Linux machines. It seems to be a derivative of HelloKitty.
Xiaopao found a new variant of Anubis ransomware that adds the Chupacabras extension.
June 11, 2021
Avaddon ransomware shuts down and releases decryption keys
The Avaddon ransomware gang has shut down the operation and handed over their victims’ decryption keys to BleepingComputer.com.
One of the most frequently encountered ransomware-as-a-service (RaaS) families, known alternatively as Sodinokibi or REvil, is as conventional a ransomware as we have seen: its routines, settings and behavior are what we expect of a mature family that is, obviously, widely used in the criminal underground.
When the Teamsters were hit by a ransomware attack over Labor Day weekend in 2019, the hackers demanded a seven-figure payment.
An interview with the CEO of Coveware, which negotiates payments on behalf of ransomware victims.
That’s it for this week! Hope everyone has a nice weekend!