This week comes with reports on a hospital ransomware attack that led to the death of a baby and new efforts by governments worldwide to combat ransomware.
This week, the biggest news is President Biden announcing a partnership between the USA and thirty other countries to disrupt global ransomware attacks.
A heartbreaking report by the Wall Street Journal about a ransomware attack leading to the death of a baby also illustrates how dangerous these attacks can be for health care.
There was also some interesting news about how Conti targets Veeam backups, how the RansomExx ransomware can incorrectly encrypt Linux files, and the reemergence of the ransomware group known as Apostle.
Ransomware attacks this week include JVCKenwood, Hawaii Payroll Services, and Lufkin ISD.
Contributors and those who provided new ransomware information and stories this week include: @serghei, @DanielGallagher, @malwrhunterteam, @struppigel, @BleepinComputer, @LawrenceAbrams, @demonslay335, @PolarToffee, @Seifreed, @VK_Intel, @Ionut_Ilascu, @malwareforme, @fwosar, @jorntvdw, @FourOctets, @pancak3lullz, @ProferoSec, @GelosSnake, @barnhartguy, @kpoulsen, @bobmcmillan, @_melaevans, @y_advintel, @AdvIntel, @LabsSentinel, @pcrisk, and @fbgwls245.
September 27th 2021
Michael Gillespie found a new ransomware that is targeting CIS countries, appends the .bugs extension to encrypted files, and drops ransom notes named “1ВАЖЛИВА ІНФОРМАЦІЯ!!!.txt” and “2ВАЖЛИВА ІНФОРМАЦІЯ!!!.txt”.
PCRisk found a new STOP ransomware variant that appends the .rigd extension to encrypted files.
PCRisk found a new STOP ransomware variant that appends the .nomad extension to encrypted files.
September 28th 2021
Thousands Affected by Ransomware Attack on Hawaii Company
In February, the company Hawaii Payroll Services suffered a ransomware attack. The company believes the attack was carried out by a criminal who somehow compromised a client’s account.
Lufkin ISD hit by ransomware attack
The hack was discovered Saturday, but according to Sheila Adams at Lufkin ISD, the program they had in place to stop the attack worked because it shut down the system; that is how they knew of the attack.
September 29th 2021
Trucking giant Forward Air reports ransomware data breach
Trucking giant Forward Air has disclosed a data breach after a ransomware attack that allowed threat actors to access employees’ personal information.
Backup “Removal” Solutions – From Conti Ransomware With Love
Conti’s “backup removal solutions” begin at the team development level. While selecting network intruders for their divisions, also known as “teams”, Conti is particularly clear that experience related to backup identification, localization, and deactivation is among their top priorities for a successful pentester. This backup focus, implemented within the partnership-building process, enables Conti to assemble teams equipped with knowledge and skills aimed at backup removal.
dnwls0719 found a new ransomware that appends the .soli extension to encrypted files and drops a ransom note named _READ_ME_PLEASE.txt.
PCRisk found a new STOP ransomware variant that appends the .chld extension to encrypted files.
PCRisk found a new STOP ransomware variant that appends the .MOON extension to encrypted files.
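The file extensions and ransom-note names listed in this week’s entries are the kind of indicator a responder would want to sweep a file share for. The script below is an added example, not code from this roundup or from any of the researchers it cites: it takes a listing of file paths and reports, per directory, the indicator extensions (.bugs, .rigd, .nomad, .soli, .chld, .MOON) and ransom-note names from the entries above. The paths in SAMPLE_LISTING are constructed, and the per-directory threshold that keeps a single stray file from raising an alert is an assumption, not anything the entries state.

```python
from collections import Counter, defaultdict
from pathlib import PurePosixPath
from typing import Dict, Iterable

# Indicators taken from this week's entries, keyed by the family the roundup
# attributes them to. Extensions are stored lower-case and matched
# case-insensitively (the entries list .MOON in upper case).
EXTENSION_INDICATORS = {
    ".bugs": "unnamed CIS-targeting ransomware (.bugs)",
    ".rigd": "STOP",
    ".nomad": "STOP",
    ".soli": "unnamed ransomware (.soli)",
    ".chld": "STOP",
    ".moon": "STOP",
}
NOTE_INDICATORS = {
    "1ВАЖЛИВА ІНФОРМАЦІЯ!!!.txt": "unnamed CIS-targeting ransomware (.bugs)",
    "2ВАЖЛИВА ІНФОРМАЦІЯ!!!.txt": "unnamed CIS-targeting ransomware (.bugs)",
    "_READ_ME_PLEASE.txt": "unnamed ransomware (.soli)",
}

# Assumption: one file with an odd extension is noise, a directory full of
# them is the signature of mass encryption. A ransom note always reports.
MIN_HITS_PER_DIR = 3


def scan_paths(paths: Iterable[str]) -> Dict[str, dict]:
    """Return {directory: finding} for directories that hold a ransom note
    or at least MIN_HITS_PER_DIR files with the same indicator extension."""
    ext_counts = defaultdict(Counter)   # dir -> Counter of indicator extensions
    notes = defaultdict(list)           # dir -> ransom-note file names seen

    for raw in paths:
        p = PurePosixPath(raw)
        d = str(p.parent)
        if p.name in NOTE_INDICATORS:
            notes[d].append(p.name)
        elif p.suffix.lower() in EXTENSION_INDICATORS:
            ext_counts[d][p.suffix.lower()] += 1

    findings = {}
    for d in sorted(set(ext_counts) | set(notes)):
        strong = {e: n for e, n in ext_counts[d].items() if n >= MIN_HITS_PER_DIR}
        # If a note is present, every indicator extension in that directory
        # is relevant context, even below the threshold.
        reported = dict(ext_counts[d]) if notes[d] else strong
        if not reported and not notes[d]:
            continue  # isolated stray extension: stay quiet
        families = {EXTENSION_INDICATORS[e] for e in reported}
        families |= {NOTE_INDICATORS[n] for n in notes[d]}
        findings[d] = {
            "extensions": reported,
            "ransom_notes": sorted(notes[d]),
            "families": sorted(families),
        }
    return findings


# Constructed sample listing (not real data): one STOP-encrypted share, one
# home directory with the CIS-targeting notes, one stray file below threshold.
SAMPLE_LISTING = [
    "/srv/share/finance/q3.xlsx.rigd",
    "/srv/share/finance/q2.xlsx.rigd",
    "/srv/share/finance/budget.docx.rigd",
    "/srv/share/finance/readme.txt",
    "/home/olena/docs/report.pdf.bugs",
    "/home/olena/docs/1ВАЖЛИВА ІНФОРМАЦІЯ!!!.txt",
    "/home/olena/docs/2ВАЖЛИВА ІНФОРМАЦІЯ!!!.txt",
    "/var/tmp/scratch/test.bugs",
    "/opt/data/photos/img1.jpg.MOON",
    "/opt/data/photos/img2.jpg.MOON",
    "/opt/data/photos/img3.jpg.MOON",
]

if __name__ == "__main__":
    for directory, finding in scan_paths(SAMPLE_LISTING).items():
        print(directory, finding)
```

In practice the listing would come from `find` output or a backup catalogue rather than a hard-coded list; matching on the note name is the higher-confidence signal, while the extension threshold exists only to keep a single unrelated file from paging anyone.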
September 30th 2021
RansomEXX ransomware Linux encryptor may damage victims’ files
Cybersecurity firm Profero has discovered that the RansomExx gang does not correctly lock Linux files during encryption, leading to potentially corrupted files.
JVCKenwood hit by Conti ransomware claiming theft of 1.5TB data
JVCKenwood has suffered a Conti ransomware attack where the threat actors claim to have stolen 1.7 TB of data and are demanding a $7 million ransom.
New Version Of Apostle Ransomware Reemerges In Targeted Attack On Higher Education
SentinelLabs has been tracking the activity of Agrius, a suspected Iranian threat actor operating in the Middle East, throughout 2020 and 2021 following a set of destructive attacks starting December 2020. Since we last reported on this threat actor in May 2020, Agrius lowered its profile and was not observed conducting destructive activity. This changed recently as the threat actor likely initiated a ransomware attack on the Israeli university Bar-Ilan utilizing the group’s custom Apostle ransomware.
US Congress asks FBI to explain delay in helping Kaseya attack victims
The House Committee on Oversight and Reform has requested a briefing to understand the rationale behind the FBI’s decision to delay providing the victims of the Kaseya REvil ransomware with a universal decryption key for three weeks.
A Hospital Hit by Hackers, a Baby in Distress: The Case of the First Alleged Ransomware Death
When Teiranni Kidd walked into Springhill Medical Center on July 16, 2019, to have her baby, she had no idea the Alabama hospital was deep in the midst of a ransomware attack.