The Week in Ransomware – January 21st 2022 – Arrests, Wipers, and More

Ransomware sign

It has been quite a busy week with ransomware, with law enforcement making arrests, data-wiping attacks, and the return of the Qlocker ransomware.

This week’s biggest news is Russia’s arrest of fourteen suspected members of the REvil ransomware operation. In addition, a senior Biden administration official said that one of the fourteen suspects is responsible for the Colonial Pipeline ransomware attack.

Europol also conducted a law enforcement operation against VPNLab, a platform commonly used by ransomware gangs. Law enforcement operatives seized 15 servers used by the service and took down its main site, making the platform no longer available.

While it was a good week for law enforcement, sadly, new attacks were discovered.

Microsoft disclosed attacks on Ukrainian organizations using data-wiping malware disguised as ransomware. This malware is named “WhisperGate,” and has been attributed by Ukrainian officials as being conducted by, or at the behest, of the Russian government.

For consumers and small businesses, we saw the unfortunate return of Qlocker, notorious ransomware that encrypted thousands of QNAP NAS devices last year.

Finally, in research released by security companies we learned that White Rabbit ransomware is linked to FIN8 hackers, new analysis of the BlackCat/ArchV and Avaddon ransomware operations, and the FBI linking Diavol to the TrickBot Group.

Contributors and those who provided new ransomware information and stories this week include: @serghei, @VK_Intel, @billtoulas, @struppigel, @Ionut_Ilascu, @malwareforme, @jorntvdw, @Seifreed, @FourOctets, @PolarToffee, @DanielGallagher, @malwrhunterteam, @fwosar, @LawrenceAbrams, @BleepinComputer, @demonslay335, @fbgwls245, @Amigo_A_,@JakubKroustek, @pcrisk, @TrendMicro, @LabsSentinel, @MsftSecIntel, @Mandiant, and @GrujaRS.

January 15th 2022

Qlocker ransomware returns to target QNAP NAS devices worldwide

Threat actors behind the Qlocker ransomware are once again targeting Internet-exposed QNAP Network Attached Storage (NAS) devices worldwide.

Russia charges 8 suspected REvil ransomware gang members

Eight members of the REvil ransomware operation that have been detained by Russian officers are currently facing criminal charges for their illegal activity.

January 16th 2022

Microsoft: Fake ransomware targets Ukraine in data-wiping attacks

Microsoft is warning of destructive data-wiping malware disguised as ransomware being used in attacks against multiple organizations in Ukraine.

January 17th 2022

New STOP ransomware variants

PCrisk found two new STOP ransomware variants that append the .vfgj and .fhkf extensions.

New Chaos Ransomware variant

dnwls0719 found a new Chaos ransomware variant that appends the .AZ extension.

January 18th 2022

New White Rabbit ransomware linked to FIN8 hacking group

A new ransomware family called ‘White Rabbit’ appeared in the wild recently, and according to recent research findings, could be a side-operation of the FIN8 hacking group.

Fashion giant Moncler confirms data breach after ransomware attack

Italian luxury fashion giant Moncler confirmed that they suffered a data breach after files were stolen by the AlphV/BlackCat ransomware operation in December and published today on the dark web.

Europol shuts down VPN service used by ransomware groups

Law enforcement authorities from 10 countries took down, a VPN service provider used by ransomware operators and malware actors.

BlackCat Ransomware | Highly-Configurable, Rust-Driven RaaS On The Prowl For Victims

BlackCat (aka AlphaVM, AlphaV) is a newly established RaaS (Ransomware as a Service) with payloads written in Rust. While BlackCat is not the first ransomware written in the Rust language, it joins a small (yet growing) sliver of the malware landscape making use of this popular cross-platform language.

New Dharma Ransomware variant

dnwls0719 found a new Dharma ransomware variant that appends the .MTX extension.

January 19th 2022

Marketing giant RRD confirms data theft in Conti ransomware attack

RR Donnelly has confirmed that threat actors stole data in a December cyberattack, confirmed by BleepingComputer to be a Conti ransomware attack.

One Source to Rule Them All: Chasing AVADDON Ransomware

This blog post explores activity, similarities and overlaps between multiple ransomware families related to AVADDON ransomware, serving as a case study to understand how ransomware operators think and continue to turn a profit in a constantly evolving cybercrime ecosystem.

New Dharma ransomware variant

PCrisk found a new Dharma ransomware variant that appends the .cip extension.

January 20th 2022

FBI links Diavol ransomware to the TrickBot cybercrime group

The FBI has formally linked the Diavol ransomware operation to the TrickBot Group, the malware developers behind the notorious TrickBot banking trojan.

New STOP Ransomware variant

Jakub Kroustek found a new STOP ransomware variant that appends the .maak extension.

New Trap ransomware discovered

Amigo-A spotted the new Trap ransomware that appends the .trap extension and drops a ransom note named RESTORE.txt.

New Makop ransomware variant

GrujaRS found a new Makop ransomware variant that appends the .factfull extension.

January 21st 2022

New Phobos ransomware variant

PCrisk found a new Phobos ransomware variant that appends the .ELBOW extension.

That’s it for this week! Hope everyone has a nice weekend!