The Week in Ransomware - November 13th 2020 - Extortion gone wild
By Lawrence Abrams (https://www.bleepingcomputer.com/author/lawrence-abrams/), BleepingComputer, November 14, 2020 12:42 AM
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-13th-2020-extortion-gone-wild/

There were not many known large ransomware attacks this week, but we have seen ransomware operations evolving their tactics to extort their victims further.

The largest attack this week was against Taiwanese laptop maker Compal, which was hit by DoppelPaymer. The threat actors are demanding $17 million for a decryptor and a promise not to leak the stolen files.

Ransomware operations also adopted new tactics this week to pressure their victims into paying. After their attack on Campari, Ragnar Locker hacked a Facebook advertiser's account to run Facebook ads promoting the attack and threatening to release more data. The strategy is to apply as much public pressure on the victim as possible in the hope that it forces a payment.

Another new tactic, announced by DarkSide, is a plan to create a fault-tolerant distributed storage service based out of Iran or other "unrecognized republics." The goal is to use this storage as a platform for leaking victims' data for six months; because it is distributed, if one server is shut down by law enforcement, the remaining servers can continue to serve the data.

Otherwise, this week has been mostly new variants of existing ransomware families.
Contributors and those who provided new ransomware information and stories this week include: @serghei, @malwrhunterteam, @jorntvdw, @PolarToffee, @VK_Intel, @Ionut_Ilascu, @demonslay335, @LawrenceAbrams, @struppigel, @FourOctets, @malwareforme, @Seifreed, @DanielGallagher, @fwosar, @BleepinComputer, @LukasZobal, @siri_urz, @JAMESWT_MHT, @Unit42_Intel, @briankrebs, @Kangxiaopao, @MsftSecIntel, @campuscodi, @Intel_by_KELA, and @IntelAdvanced.

November 7th 2020

How Ryuk Ransomware operators made $34 million from one victim
https://www.bleepingcomputer.com/news/security/how-ryuk-ransomware-operators-made-34-million-from-one-victim/
One hacker group that is targeting high-revenue companies with Ryuk ransomware received $34 million from one victim in exchange for the decryption key that unlocked their computers.

When Threat Actors Fly Under the Radar: Vatet, PyXie and Defray777
https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
While researching these malware families, we found that there were several consistencies between Vatet, PyXie and Defray777 that strongly suggest that all three malware families were created, and are currently maintained by, the same financially motivated threat group.
November 8th 2020

November 9th 2020

Fake Microsoft Teams updates lead to Cobalt Strike deployment
https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/
Ransomware operators are using malicious fake ads for Microsoft Teams updates to infect systems with backdoors that deploy Cobalt Strike to compromise the rest of the network.

New STOP ransomware variant
https://twitter.com/demonslay335/status/1325917312382345218
Michael Gillespie found a new STOP ransomware variant that appends the .agho extension to encrypted files.

New Dusk 2 ransomware variant
https://twitter.com/LukasZobal/status/1325829412735115264
Lukáš Zobal found a new Dusk 2 ransomware variant that appends the .DUSK extension to encrypted files and drops a ransom note named README.txt.
Laptop maker Compal hit by ransomware, $17 million demanded
https://www.bleepingcomputer.com/news/security/laptop-maker-compal-hit-by-ransomware-17-million-demanded/
Taiwanese laptop maker Compal Electronics suffered a DoppelPaymer ransomware attack over the weekend, with the attackers demanding an almost $17 million ransom.

November 10th 2020

New HowAreYou Ransomware
https://twitter.com/siri_urz/status/1326069410851905536?s=20
S!ri found a new ransomware that appends the .howareyou extension to encrypted files.

New AgeLocker ransomware variant
https://twitter.com/JAMESWT_MHT/status/1326143452720062473
JAMESWT found a new AgeLocker ELF ransomware variant that targets QNAP devices and adds the .kmd suffix to encrypted files.

November 11th 2020

Recent ransomware wave targeting Israel linked to Iranian threat actors
https://www.zdnet.com/article/recent-ransomware-wave-targeting-israel-linked-to-iranian-threat-actors/
Two recent ransomware waves that targeted Israeli companies have been traced back to Iranian threat actors.

New Devos Ransomware
https://twitter.com/Kangxiaopao/status/1326465915714613248
xiaopao found a new ransomware that appends the .devos extension. This is a different family from Phobos, which has also used the .devos extension, so the extension alone is not enough to identify which family encrypted the files.

Ransomware gang hacks Facebook account to run extortion ads
https://www.bleepingcomputer.com/news/security/ransomware-gang-hacks-facebook-account-to-run-extortion-ads/
A ransomware group has now started to run Facebook advertisements to pressure victims to pay a ransom.
November 12th 2020

Steelcase furniture giant down for 2 weeks after ransomware attack
https://www.bleepingcomputer.com/news/security/steelcase-furniture-giant-down-for-2-weeks-after-ransomware-attack/
Office furniture giant Steelcase says that no information was stolen during a Ryuk ransomware attack that forced them to shut down global operations for roughly two weeks.

November 13th 2020

DarkSide ransomware is creating a secure data leak service in Iran
https://www.bleepingcomputer.com/news/security/darkside-ransomware-is-creating-a-secure-data-leak-service-in-iran/
The DarkSide ransomware operation claims it is creating a distributed storage system in Iran to store and leak data stolen from victims. To show they mean business, the gang has deposited $320 thousand on a hacker forum.

CRAT wants to plunder your endpoints
https://blog.talosintelligence.com/2020/11/crat-and-plugins.html
Cisco Talos has recently discovered a new version of the CRAT malware family. This version consists of multiple RAT capabilities, additional plugins and a variety of detection-evasion techniques. In the past, CRAT has been attributed to the Lazarus Group, the malicious threat actors behind multiple cyber campaigns, including attacks against the entertainment sector.

New STOP ransomware variant
https://twitter.com/demonslay335/status/1327310592869359617?s=20
Michael Gillespie found a new STOP ransomware variant that appends the .vvoa extension to encrypted files.

LV ransomware group appears to be using REvil software
https://twitter.com/demonslay335/status/1327276362395250690?s=20
Michael Gillespie found a ransomware group known as "LV" utilizing REvil software.

That's it for this week! Hope everyone has a nice weekend!
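The per-day entries above give the file extensions (.agho, .vvoa, .DUSK, .howareyou, .kmd, .devos) and, for Dusk 2, the README.txt ransom note that this week's new variants leave behind. As an added example, not BleepingComputer's code and not anything taken from the operators' tooling, the script below walks a directory tree and tallies files by reported extension, treats .devos as ambiguous because the roundup notes both Devos and Phobos have used it, and only reports README.txt when it sits in the same directory as .DUSK files, since that filename alone is far too common to alert on. The family labels, the function names `classify` and `scan_tree`, and the constructed sample tree are assumptions made for this example.

```python
"""
Triage helper for this week's reported ransomware extensions.

Added example, not BleepingComputer's code. It walks a directory tree and
tallies files carrying the extensions reported this week, then checks for the
co-located ransom note where the roundup names one. Family labels, the sample
tree and the "ambiguous" handling for .devos are assumptions for the example.
"""
import os
import tempfile
from collections import Counter, defaultdict

# Extension -> family, as reported in this week's roundup. Matching is
# case-insensitive because Dusk 2 uses an upper-case ".DUSK" suffix.
EXTENSION_FAMILIES = {
    ".agho": "STOP",
    ".vvoa": "STOP",
    ".dusk": "Dusk 2",
    ".howareyou": "HowAreYou",
    ".kmd": "AgeLocker (QNAP ELF variant)",
    ".devos": "Devos or Phobos (shared extension; confirm via ransom note)",
}

# Ransom note filenames the roundup mentions. README.txt by itself is far too
# common to alert on, so it only counts when encrypted files sit beside it.
RANSOM_NOTES = {"Dusk 2": "README.txt"}


def classify(filename):
    """Return the family label for a filename, or None if nothing matches.

    Ransomware typically appends its marker after the original extension
    (report.docx.agho), so only the final suffix is examined.
    """
    ext = os.path.splitext(filename)[1].lower()
    return EXTENSION_FAMILIES.get(ext)


def scan_tree(root):
    """Walk `root` and return ({family: count}, [(dir, family, note), ...]).

    The second element lists directories where a reported ransom note sits
    next to encrypted files of the same family.
    """
    counts = Counter()
    hits_by_dir = defaultdict(set)
    notes = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            family = classify(name)
            if family:
                counts[family] += 1
                hits_by_dir[dirpath].add(family)
        for family, note in RANSOM_NOTES.items():
            if note in filenames and family in hits_by_dir[dirpath]:
                notes.append((dirpath, family, note))
    return dict(counts), notes


def build_sample_tree():
    """Create a constructed (not real) directory layout for demonstration."""
    root = tempfile.mkdtemp(prefix="ransom-triage-")
    layout = {
        "finance": ["q3.xlsx.agho", "notes.txt"],
        "shares/nas": ["backup.tar.kmd", "photo.jpg.kmd"],
        "hr": ["payroll.docx.DUSK", "README.txt"],
        "legal": ["contract.pdf.devos"],
        "clean": ["README.txt", "todo.txt"],  # a README with no encrypted files
    }
    for sub, files in layout.items():
        d = os.path.join(root, sub)
        os.makedirs(d, exist_ok=True)
        for f in files:
            with open(os.path.join(d, f), "w") as fh:
                fh.write("constructed sample\n")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    counts, notes = scan_tree(sample)
    for family, n in sorted(counts.items()):
        print(f"{n:4d}  {family}")
    for dirpath, family, note in notes:
        print(f"ransom note {note} for {family} in {dirpath}")
```

Point `scan_tree` at a file share or mounted forensic image to get a per-family count and the directories where a reported ransom note sits beside encrypted files; the README.txt under `clean/` in the sample is deliberately not reported. Extension matching is triage, not attribution: the .devos entry in particular should be settled by reading the ransom note itself.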
Lawrence Abrams is the owner and Editor in Chief of BleepingComputer.com. Lawrence's area of expertise includes Windows, malware removal, and computer forensics. Lawrence Abrams is a co-author of the Winternals Defragmentation, Recovery, and Administration Field Guide and the technical editor for Rootkits for Dummies.