Earlier this month, the BlackCat/ALPHV ransomware operation suffered a five-day disruption to their Tor data leak and negotiation sites, rumored to be caused by a law enforcement action.
The FBI revealed this week that they hacked the BlackCat/ALPHV ransomware operation, which raked in $300 million from over 1,000 victims. While quietly surveilling the ransomware gang, law enforcement retrieved decryption and Tor private keys.
Law enforcement says that they were able to help decrypt 400 victims for free using the retrieved decryptors and used the Tor private keys to seize the URLs for the gang’s data leak site and negotiation sites.
However, as the threat actors and the FBI have the same keys, there has been a constant tug of war as they both “reseize” the URL.
Some have seen this constant change in ownership of the URL as a failed operation by law enforcement. However, retrieving 400 decryption keys and likely more data from the hacked servers has significantly tarnished the ransomware operation’s reputation.
BleepingComputer has learned that this has caused some affiliates to contact victims directly via email, as they have lost trust in the ransomware gang’s ability to secure the servers. Others are said to have moved to competing ransomware operations, such as LockBit.
Now, LockBitSupp (the operator of LockBit) and the BlackCat operator have discussed creating a “cartel,” to join forces against law enforcement.
We also learned this week about new ransomware attacks or information about old ones, including:
Contributors and those who provided new ransomware information and stories this week include: @malwrhunterteam, @BleepinComputer, @demonslay335, @Seifreed, @billtoulas, @Ionut_Ilascu, @fwosar, @serghei, @LawrenceAbrams, @BrettCallow, @PRODAFT, @AShukuhi, @uuallan, @SophosXOps, @pcrisk, @3xp0rtblog, @oct0xor, @MorganDemboski, and @juanbrodersen.
December 18th 2023
Mr. Cooper is sending data breach notifications warning that a recent cyberattack has exposed the data of 14.7 million customers who have, or previously had, mortgages with the company.
The Federal Bureau of Investigation (FBI) says the Play ransomware gang has breached roughly 300 organizations worldwide between June 2022 and October 2023, some of them critical infrastructure entities.
American global apparel and footwear giant VF Corporation, the owner of brands like Supreme, Vans, Timberland, and The North Face, has disclosed a security incident that caused operational disruptions
The University of Buenos Aires (UBA) suffered a ransomware cyberattack , a type of malicious program that encrypts the victim’s files, makes them inaccessible and demands a ransom money in exchange. Since Thursday, servers in part of the educational institution have been compromised and this prevents teachers and students from managing grades, enrolling in summer courses and more.
December 19th 2023
The Department of Justice announced today that the FBI successfully breached the ALPHV ransomware operation’s servers to monitor their activities and obtain decryption keys.
An unsealed FBI search warrant revealed how law enforcement hijacked the ALPHV/BlackCat ransomware operations websites and seized the associated URLs.
The ALPHV/BlackCat ransomware gang has made over $300 million in ransom payments from more than 1,000 victims worldwide as of September 2023, according to the Federal Bureau of Investigation (FBI).
This research provides a comprehensive analysis of Wazawaka’s background, affiliations, and tactics in the threat landscape associated with his activities. It includes information about Wazawaka’s team and his close relations with other threat actors.
December 20th 2023
ESO Solutions, a provider of software products for healthcare organizations and fire departments, disclosed that data belonging to 2.7 million patients has been compromised as a result of a ransomware attack.
The Israel National Cyber Directorate warns of phishing emails pretending to be F5 BIG-IP zero-day security updates that deploy Windows and Linux data wipers.
PCrisk found a new ransomware that appends the .bot extension and drops a ransom note named How To Restore Your Files.txt.
December 21st 2023
Following our initial report on Akira ransomware, Sophos has responded to over a dozen incidents involving Akira impacting various sectors and regions. According to our dataset, Akira has primarily targeted organizations located in Europe, North America, and Australia, and operating in the government, manufacturing, technology, education, consulting, pharmaceuticals, and telecommunication sectors.
Seeing a Win32k driver zero-day being used in attacks isn’t really surprising these days, as the design issues with that component are well known and have been exploited time and time again. But we had never seen so many CLFS driver exploits being used in active attacks before, and then suddenly there are so many of them captured in just one year.
PCrisk found a new ransomware that appends a unique extension and drops ransom notes named info.txt and info.hta.
PCrisk found a new ransomware that appends the .tprc extension and drops a ransom note named !RESTORE!.txt.
December 22nd 2023
Japanese car maker Nissan is investigating a cyberattack that targeted its systems in Australia and New Zealand, which may have let hackers access personal information.
That’s it for this week! Hope everyone has a nice weekend!