The Week in Ransomware – November seventeenth 2023


Citrix

Ransomware gangs goal uncovered Citrix Netscaler units utilizing a publicly obtainable exploit to breach massive organizations, steal information, and encrypt recordsdata.

The menace actors exploit the Citrix Bleed vulnerability (CVE-2023-4966), which was disclosed final month and continues to be abused in assaults.

Safety researcher Kevin Beaumont, who has been monitoring the assaults, has discovered that many current victims additionally utilized weak Citrix Netscaler units on the time of the assault, permitting preliminary entry to the company community.

Some firms that not too long ago suffered a cyberattack and utilized weak Citrix Netscaler units embrace Toyota Monetary Companies, Industrial and Industrial Financial institution of China (ICBC), DP World, Allen & Overy, and Boeing.

DP World running Citrix server vulnerable to Citrix Bleed flaw
DP World operating Citrix server weak to Citrix Bleed flaw
Supply: Kevin Beaumont

Whereas it’s identified that associates for the LockBit and Medusa ransomware gangs are behind a few of these assaults, it’s possible extensively being exploited by different felony operations.

In different information, the BlackCat ransomware gang took the daring step of submitting an SEC criticism on certainly one of its victims for not disclosing they suffered a cyberattack.

The menace actors tried to get the corporate into bother for a brand new SEC rule that requires publicly traded firms to report cyberattacks inside 4 days if they’ve a fabric influence. Nevertheless, this rule doesn’t go into impact till December fifteenth, 2023.

Whereas many ransomware gangs have threatened to report cyberattacks to the SEC if a ransom was not paid, this may very well be the primary publicly disclosed use of the extortion technique.

We additionally realized extra about current assaults and techniques utilized by ransomware menace actors, that are highlighted under:

Contributors and people who supplied new ransomware info and tales this week embrace: @serghei, @demonslay335, @billtoulas, @fwosar, @Seifreed, @malwrhunterteam, @BleepinComputer, @Ionut_Ilascu, @LawrenceAbrams, @GossiTheDog, @BrettCallow, @PogoWasRight, @pcrisk, and @NCCGroupInfosec.

November thirteenth 2023

FBI: Royal ransomware requested 350 victims to pay $275 million

The FBI and CISA revealed in a joint advisory that the Royal ransomware gang has breached the networks of not less than 350 organizations worldwide since September 2022.

Don’t throw a hissy match; defend in opposition to Medusa

To not be confused with MedusaLocker, Medusa was first noticed in 2021, is a Ransomware-as-a-Service (RaaS) typically utilizing the double extortion methodology for financial achieve. In 2023 the teams’ exercise elevated with the launch of the ‘Medusa Weblog’. This platform serves as a instrument for leaking information belonging to victims.

Key Ransomware Indicator Up 56% 12 months-on-12 months: October Information

In October assaults fell by 15.12% from the prior month in accordance with the quantity of victims posted on ransomware leak websites, however remained excessive from a year-on-year perspective with a 54.67% improve over October 2022. Final month additionally marked the tenth consecutive with a YoY improve in ransomware victims posted to leak websites, and the eighth consecutive with a depend above 300.

New 1337 Ransomware

PCrisk discovered a brand new 1337 Ransomware that appends the .1337 extension and drops a ransom word named yourhope.txt.

November 14th 2023

LockBit ransomware exploits Citrix Bleed in assaults, 10K servers uncovered

The Lockbit ransomware assaults use publicly obtainable exploits for the Citrix Bleed vulnerability (CVE-2023-4966) to breach the methods of huge organizations, steal information, and encrypt recordsdata.

New GlobeImposter variant

PCrisk discovered a brand new GlobeImposter variant that appends the .Pig865qq extension.

November fifteenth 2023

Ransomware gang recordsdata SEC criticism over sufferer’s undisclosed breach

The ALPHV/BlackCat ransomware operation has taken extortion to a brand new stage by submitting a U.S. Securities and Trade Fee criticism in opposition to certainly one of their alleged victims for not complying with the four-day rule to reveal a cyberattack.

Toronto Public Library confirms information stolen in ransomware assault

The Toronto Public Library (TPL) confirmed that the non-public info of workers, prospects, volunteers, and donors was stolen from a compromised file server throughout an October ransomware assault.

FBI and CISA warn of opportunistic Rhysida ransomware assaults

The FBI and CISA warned at present of Rhysida ransomware gang’s opportunistic assaults concentrating on organizations throughout a number of trade sectors.

New ransomware variant

PCrisk discovered a brand new ransomware variant that appends the .shanova extension and drops a ransom word named read_it.txt.

November sixteenth 2023

FBI shares techniques of infamous Scattered Spider hacker collective

The Federal Bureau of Investigation and the Cybersecurity and Infrastructure Safety Company launched an advisory in regards to the evasive menace actor tracked as Scattered Spider, a loosely knit hacking collective that now collaborates with the ALPHV/BlackCat Russian ransomware operation.

Toyota confirms breach after Medusa ransomware threatens to leak information

Toyota Monetary Companies (TFS) has confirmed that it detected unauthorized entry on a few of its methods in Europe and Africa after Medusa ransomware claimed an assault on the corporate.

New STOP ransomware variants

PCrisk discovered new STOP ransomware variants that append the .eqza and .eqew extensions.

November seventeenth 2023

British Library: Ongoing outage brought on by ransomware assault

The British Library confirmed {that a} ransomware assault is behind a significant outage that’s nonetheless affecting companies throughout a number of areas.

Yamaha Motor confirms ransomware assault on Philippines subsidiary

Yamaha Motor’s Philippines motorbike manufacturing subsidiary was hit by a ransomware assault final month, ensuing within the theft and leak of some workers’ private info.

That is it for this week! Hope everybody has a pleasant weekend!



Leave a Reply

Your email address will not be published. Required fields are marked *

Back To Top