The Week in Ransomware – September 9th 2022 – Schools under fire

Ransomware gangs have been busy this week, launching attacks against NAS devices, one of the largest hotel groups, IHG, and LAUSD, the second largest school district in the USA.

On Saturday, the DeadBolt ransomware operation launched a new attack on QNAP devices using a zero-day vulnerability in Photo Station. That same day, QNAP released security updates to fix the vulnerability, urging customers to install the update and not expose their devices on the Internet.

On Monday, both InterContinental Hotels Group (IHG) and the Los Angeles Unified (LAUSD) school district were hit by ransomware attacks that disrupted the organizations’ technical operations.

For IHG, the attack disrupted their online reservation systems; for LAUSD, it impacted the school district’s IT systems.

However, even though the cyberattack impacted LAUSD’s technology infrastructure, the schools opened as usual for Los Angeles students.

Yesterday, the Vice Society ransomware gang said that it was behind the attack on LAUSD and claimed to have stolen 500GB of data.

The identity of the responsible ransomware gang came as no surprise, as the FBI, CISA, and MS-ISAC released an advisory on Monday warning that Vice Society is targeting school districts.

We also saw some new ransomware research released this week:

  • Ransomware gangs DDoS Cobalt Strike servers with Anti-Putin/Anti-Russia messages.
  • A Play ransomware analysis.
  • Analysis of a new version of BlackCat.
  • A Google report on how ex-Conti members are targeting Ukraine.
  • Info on a new Monti ransomware operation.

Contributors and those who provided new ransomware information and stories this week:

September 3rd 2022

PLAY Ransomware analysis

This is my analysis for PLAY Ransomware. I’ll be solely focusing on its anti-analysis and encryption features. There are a few other features such as DLL injection and networking that will not be covered in this analysis.

September 5th 2022

QNAP patches zero-day used in new Deadbolt ransomware attacks

QNAP is warning customers of ongoing DeadBolt ransomware attacks that started on Saturday by exploiting a zero-day vulnerability in Photo Station.

New STOP Ransomware variants

PCrisk discovered new STOP ransomware variants that append the .oopu, .oodt, and .oovb extensions.

September 6th 2022

InterContinental Hotels Group cyberattack disrupts booking systems

Leading hospitality company InterContinental Hotels Group PLC (also known as IHG Hotels & Resorts) says its information technology (IT) systems have been disrupted since yesterday after its network was breached.

Second largest U.S. school district LAUSD hit by ransomware

Los Angeles Unified (LAUSD), the second largest school district in the U.S., disclosed that a ransomware attack hit its Information Technology (IT) systems over the weekend.

FBI warns of Vice Society ransomware attacks on school districts

FBI, CISA, and MS-ISAC warned today of U.S. school districts being increasingly targeted by the Vice Society ransomware group, with more attacks expected after the start of the new school year.

TTPs Associated With a New Version of the BlackCat Ransomware

Our Digital Forensics and Incident Response (DFIR) team was engaged in investigating a ransomware infection. We were able to determine that the ransomware involved is a new version of the BlackCat ransomware, based on the fact that the malware added new command line parameters that were not documented before.

September 7th 2022

Google says former Conti ransomware members now attack Ukraine

Google says some former Conti cybercrime gang members, now part of a threat group tracked as UAC-0098, are targeting Ukrainian organizations and European non-governmental organizations (NGOs).

Ransomware gang’s Cobalt Strike servers DDoSed with anti-Russia messages

Someone is flooding Cobalt Strike servers operated by former members of the Conti ransomware gang with anti-Russian messages to disrupt their activity.

New STOP Ransomware variants

PCrisk discovered new STOP ransomware variants that append the .mmpu, .mmvb, and .mmdt extensions.

Bl00dy ransomware sample found

PCrisk found a sample of the new ‘Bl00dy Ransomware’, based on the Babuk ransomware family, that appends the .bl00dy extension and drops the How To Restore Your Files.txt ransom note.

Bl00dy ransomware was first reported on by DataBreaches.net after the threat actors targeted New York medical practices.

Conti vs. Monti: A Reinvention or Just a Simple Rebranding?

Though there is no iron-clad evidence of Conti rebranding as Monti, Conti’s source code was leaked publicly in March 2022. Consequently, it is possible that anybody could use the publicly available source code to create their own ransomware based on Conti. This could be the case with Monti from our analysis of the disassembled code. Monti’s entry point is very similar to Conti’s, as seen below. As such, Monti could be a rebrand of Conti or simply a new ransomware variant that has been developed using the leaked source code mentioned above.

September 8th 2022

Microsoft: Iranian hackers encrypt Windows systems using BitLocker

Microsoft says an Iranian state-sponsored threat group it tracks as DEV-0270 (aka Nemesis Kitten) has been abusing the BitLocker Windows feature in attacks to encrypt victims’ systems.

New Ballacks Ransomware

PCrisk found a new VoidCrypt variant calling itself ‘Ballacks Ransomware’ that appends the .ballacks extension and drops a ransom note named ReadthisforDecode.txt.

New DoyUk ransomware

PCrisk found the DoyUk Ransomware that appends the .doyuk extension and drops a ransom note named Restore Your Files.txt.

September 9th 2022

Vice Society claims LAUSD ransomware attack, theft of 500GB of data

The Vice Society gang has claimed the ransomware attack that hit Los Angeles Unified (LAUSD), the second largest school district in the United States, over the weekend.

New MLF ransomware

PCrisk found the new MLF ransomware that appends the .MLF extension.
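The new STOP, Bl00dy, Ballacks, DoyUk and MLF entries above each give a defender two cheap file-system indicators: the appended extension and, where reported, the ransom-note filename. The following Python triage helper is an added example, not code from the original roundup; it collects those indicators and flags matching paths, and the sample share paths in it are constructed.

```python
import os
from pathlib import PurePosixPath

# Indicators reported this week: appended extensions (compared case-insensitively,
# so the .MLF sample matches) and ransom-note filenames.
RANSOM_EXTENSIONS = {
    ".oopu", ".oodt", ".oovb", ".mmpu", ".mmvb", ".mmdt",  # STOP variants
    ".bl00dy",                                             # Bl00dy (Babuk-based)
    ".ballacks",                                           # Ballacks (VoidCrypt)
    ".doyuk",                                              # DoyUk
    ".mlf",                                                # MLF
}
RANSOM_NOTES = {
    "how to restore your files.txt",  # Bl00dy
    "readthisfordecode.txt",          # Ballacks
    "restore your files.txt",         # DoyUk
}

# Constructed sample listing from a hypothetical file share and workstation.
SAMPLE_PATHS = [
    "/srv/share/Q3 budget.xlsx.oopu",
    "/srv/share/How To Restore Your Files.txt",
    "/srv/share/photos/holiday.jpg",
    "/srv/share/invoice.pdf.MLF",
    "C:/Users/alice/Documents/ReadthisforDecode.txt",
    "/srv/share/notes.txt",
]


def classify_path(path):
    """Return ('note', filename), ('extension', ext) or None for one path."""
    name = PurePosixPath(path).name
    lower = name.lower()
    if lower in RANSOM_NOTES:           # exact filename match for ransom notes
        return ("note", name)
    suffix = PurePosixPath(lower).suffix  # only the last suffix: "a.xlsx.oopu" -> ".oopu"
    if suffix in RANSOM_EXTENSIONS:
        return ("extension", suffix)
    return None


def triage(paths):
    """Group hits by indicator so counts per indicator can drive an alert threshold."""
    hits = {}
    for p in paths:
        match = classify_path(p)
        if match:
            hits.setdefault(match[1], []).append(p)
    return hits


def scan_directory(root):
    """Walk a real directory tree and triage every file path found under it."""
    return triage(os.path.join(d, f) for d, _, files in os.walk(root) for f in files)
```

Run `triage(SAMPLE_PATHS)` to see the grouped hits; a single ransom note plus a burst of renamed files on one share is the pattern worth alerting on.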

That’s it for this week! Hope everyone has a nice weekend!
