{
	"id": "3220332b-2668-4c83-89ef-0c31a4a3137d",
	"created_at": "2026-04-06T00:16:56.133452Z",
	"updated_at": "2026-04-10T13:12:05.879021Z",
	"deleted_at": null,
	"sha1_hash": "ee32e2a27f6d43d917cfea58e1907af78fcdf9b5",
	"title": "The Week in Ransomware - November 13th 2020 - Extortion gone wild",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3979354,
	"plain_text": "The Week in Ransomware - November 13th 2020 - Extortion gone wild\r\nBy Lawrence Abrams\r\nPublished: 2020-11-14 · Archived: 2026-04-05 13:20:15 UTC\r\nThere were not many known large ransomware attacks this week, but we have seen ransomware operations evolving their tactics to extort their victims further.\r\nThe largest attack this week was against Taiwanese laptop maker Compal, who was hit by DoppelPaymer. The threat actors are demanding $17 million to receive a decryptor and not to leak stolen files.\r\nRansomware operations have also begun new tactics this week to pressure their victims into paying a ransom.\r\nhttps://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-13th-2020-extortion-gone-wild/\r\nPage 1 of 6\n\nAfter their attack on Campari, Ragnar Locker hacked a Facebook advertiser's account to run Facebook ads promoting their attack and threatening to release more data. Their strategy is to apply as much pressure as they can on the victim through public awareness in the hopes it will force them to pay the ransom.\r\nAnother new tactic announced by DarkSide is their plan to create a fault-tolerant distributed storage service based out of Iran or other \"unrecognized republics.\" Their goal is to use this storage as a platform to leak victims' data for six months, and due to its distributed nature, if one server is shut down by law enforcement, the other servers will still be able to leak the data.\r\nOtherwise, this week has been mostly new variants of existing ransomware families.\r\nContributors and those who provided new ransomware information and stories this week include: @serghei, @malwrhunterteam, @jorntvdw, @PolarToffee, @VK_Intel, @Ionut_Ilascu, @demonslay335, @LawrenceAbrams, @struppigel, @FourOctets, @malwareforme, @Seifreed, @DanielGallagher, @fwosar, @BleepinComputer, @LukasZobal, @siri_urz, @JAMESWT_MHT, @Unit42_Intel, @briankrebs, @Kangxiaopao, @MsftSecIntel, @campuscodi, @Intel_by_KELA, and @IntelAdvanced.\r\nNovember 7th 2020\r\nHow Ryuk Ransomware operators made $34 million from one victim\r\nOne hacker group that is targeting high-revenue companies with Ryuk ransomware received $34 million from one victim in exchange for the decryption key that unlocked their computers.\r\nWhen Threat Actors Fly Under the Radar: Vatet, PyXie and Defray777\r\nWhile researching these malware families, we found that there were several consistencies between Vatet, PyXie and Defray777 that strongly suggest that all three malware families were created, and are currently maintained by, the same financially motivated threat group.\r\nNovember 8th 2020\r\nNovember 9th 2020\r\nFake Microsoft Teams updates lead to Cobalt Strike deployment\r\nRansomware operators are using malicious fake ads for Microsoft Teams updates to infect systems with backdoors that deploy Cobalt Strike to compromise the rest of the network.\r\nNew STOP ransomware variant\r\nMichael Gillespie found a new STOP ransomware variant that appends the .agho extension to encrypted files.\r\nNew Dusk 2 ransomware variant\r\nLukáš Zobal found the new Dusk 2 ransomware variant that appends the .DUSK extension to encrypted files and drops a ransom note named README.txt.\r\nLaptop maker Compal hit by ransomware, $17 million demanded\r\nTaiwanese laptop maker Compal Electronics suffered a DoppelPaymer ransomware attack over the weekend, with the attackers demanding an almost $17 million ransom.\r\nNovember 10th 2020\r\nNew HowAreYou Ransomware\r\nS!ri found a new ransomware that appends the .howareyou extension to encrypted files.\r\nNew AgeLocker ransomware variant\r\nJAMESWT found a new AgeLocker ELF ransomware (targets QNAP devices) that adds the .kmd suffix to encrypted files.\r\nNovember 11th 2020\r\nRecent ransomware wave targeting Israel linked to Iranian threat actors\r\nTwo recent ransomware waves that targeted Israeli companies have been traced back to Iranian threat actors.\r\nNew Devos Ransomware\r\nxiaopao found a new ransomware that appends the .devos extension. This is different from Phobos, which also utilized this extension.\r\nRansomware gang hacks Facebook account to run extortion ads\r\nA ransomware group has now started to run Facebook advertisements to pressure victims to pay a ransom.\r\nNovember 12th 2020\r\nSteelcase furniture giant down for 2 weeks after ransomware attack\r\nOffice furniture giant Steelcase says that no information was stolen during a Ryuk ransomware attack that forced them to shut down global operations for roughly two weeks.\r\nNovember 13th 2020\r\nDarkSide ransomware is creating a secure data leak service in Iran\r\nThe DarkSide Ransomware operation claims they are creating a distributed storage system in Iran to store and leak data stolen from victims. To show they mean business, the ransomware gang has deposited $320 thousand on a hacker forum.\r\nCRAT wants to plunder your endpoints\r\nCisco Talos has recently discovered a new version of the CRAT malware family. This version consists of multiple RAT capabilities, additional plugins and a variety of detection-evasion techniques. In the past, CRAT has been attributed to the Lazarus Group, the malicious threat actors behind multiple cyber campaigns, including attacks against the entertainment sector.\r\nNew STOP ransomware variant\r\nMichael Gillespie found a new STOP ransomware variant that appends the .vvoa extension to encrypted files.\r\nLV Ransomware group appears to be using REvil software\r\nMichael Gillespie found a ransomware group known as \"LV\" utilizing REvil software.\r\nThat's it for this week! Hope everyone has a nice weekend!\r\nSource: https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-13th-2020-extortion-gone-wild/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-13th-2020-extortion-gone-wild/"
	],
	"report_names": [
		"the-week-in-ransomware-november-13th-2020-extortion-gone-wild"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434616,
	"ts_updated_at": 1775826725,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ee32e2a27f6d43d917cfea58e1907af78fcdf9b5.pdf",
		"text": "https://archive.orkl.eu/ee32e2a27f6d43d917cfea58e1907af78fcdf9b5.txt",
		"img": "https://archive.orkl.eu/ee32e2a27f6d43d917cfea58e1907af78fcdf9b5.jpg"
	}
}