Lock with a bitcoin symbol in chains

We saw another ransomware operation shut down this week after first getting breached by law enforcement and then targeting critical infrastructure, putting them further in the spotlight of the US government.

What makes this strange is that this seems to be a common routine for the DarkSide, I mean BlackCat/ALPHV, ransomware operation which tends to hit critical infrastructure, and then realize it was a big mistake.

As it was, they were already being targeted by an international law enforcement operation, allowing the FBI to hack the gang's servers for months while collecting data, decryptors, and ultimately, seizing the domain of the data leak site.

While the Tor onion domain seizure was a game of tug of war between the FBI and BlackCat, instead of shutting down, the ransomware gang decided to continue operating and vowed to target US critical infrastructure in revenge.

Approximately two months later, one of their affiliates attacked UnitedHealth Group's Change Healthcare, a technology solutions company used by many pharmacies, doctor's offices, and hospitals for billing claims for healthcare and prescriptions.

This attack led to severe disruption in the US healthcare system, preventing pharmacies from accepting insurance and discount cards and, in some cases, causing patients to pay full price for medicine.

Similar to their attack on Colonial Pipeline as DarkSide, which led to them to shut down, their rebrand as BlackCat/ALPHV has now shut down after the Change Healthcare attack.

According to an affiliate, Optum, Change Healthcare's parent company and a subsidiary of UnitedHealth, paid a $22 million ransom to the ransomware operation to prevent the leaking of stolen data and to receive a file decryptor.

However, this affiliate says that BlackCat stole the ransom and did not transfer over a share of the payment, stating it was seized by the "feds."

In reality, BlackCat performed an exit scam where they stole the ransom, blamed law enforcement, and shut down, stating that they do not want to be in court again.

Unfortunately, it is only a matter of time before we see the ransomware operation rebrand under a new name to repeat this cycle.

In other news, the Stormous ransomware gang attacked the Duvel Belgian beer maker, which many consider critical infrastructure.

Finally, the Swiss government also warned that 65,000 of its documents were leaked as part of a Play ransomware attack on Xplain.

Contributors and those who provided new ransomware information and stories this week include @demonslay335, @Seifreed, @fwosar, @malwrhunterteam, @billtoulas, @BleepinComputer, @LawrenceAbrams, @serghei, @Ionut_Ilascu, @ddd1ms, @uuallan, @AShukuhi, @BrettCallow, @BushidoToken, @JBurnsKoven, @Jon__DiMaggio, @ValeryMarchive, @UK_Daniel_Card, @AlexMartin, @TalosSecurity, @CarlyPage_, and @pcrisk.

March 4th 2024

BlackCat ransomware turns off servers amid claim they stole $22 million ransom

The ALPHV/BlackCat ransomware gang has shut down its servers amid claims that they scammed the affiliate responsible for the attack on Optum, the operator of the Change Healthcare platform, of $22 million.

Should we ban ransom payments?

As cybercriminals continue to reap the financial rewards of their attacks, talk of a federal ban on ransom payments is getting louder.

New STOP ransomware variants

PCrisk found new STOP ransomware variants that append the .wisz and .wiaw extensions.

New SkyNet ransomware variant

PCrisk found a SkyNet variant that appends the .payuranson extension and drops a ransom note named SkynetData.txt.

March 5th 2024

BlackCat ransomware shuts down in exit scam, blames the "feds"

The BlackCat ransomware gang is pulling an exit scam, trying to shut down and run off with affiliates’ money by pretending the FBI seized their site and infrastructure.

GhostSec’s joint ransomware operation and evolution of their arsenal

Talos observed the GhostSec and Stormous ransomware groups operating together to conduct several double extortion attacks using the GhostLocker and StormousX ransomware programs against the victims in Cuba, Argentina, Poland, China, Lebanon, Israel, Uzbekistan, India, South Africa, Brazil, Morocco, Qatar, Turkiye, Egypt, Vietnam, Thailand and Indonesia according to our assessment of the disclosure messages posted by the group in their Telegram channels and Stormous ransomware data leak site.

New Makop ransomware variant

PCrisk found a Makop variant that appends the .reload extension and drops a ransom note named +README-WARNING+.txt.

March 6th 2024

Duvel says it has "more than enough" beer after ransomware attack

Duvel Moortgat Brewery was hit by a ransomware attack late last night, bringing to a halt the beer production in the company's bottling facilities.

Capita, company providing UK’s nuclear submarine training, confirms ‘cyber incident’

Capita, the United Kingdom’s largest outsourcing company, confirmed Monday that an IT outage which left staff locked out of their accounts on Friday was caused by “a cyber incident.”

New MedusaLocker ransomware variants

PCrisk found new MedusaLocker variants that append the .genesis15 and .duralock05 extensions and drop a ransom note named HOW_TO_BACK_FILES.html.

March 7th 2024

FBI: U.S. lost record $12.5 billion to online crime in 2023

FBI's Internet Crime Complaint Center (IC3) has released its 2023 Internet Crime Report, which recorded a 22% increase in reported losses compared to 2022, amounting to a record of $12.5 billion.

Switzerland: Play ransomware leaked 65,000 government documents

The National Cyber Security Centre (NCSC) of Switzerland has released a report on its analysis of a data breach following a ransomware attack on Xplain, disclosing that the incident impacted thousands of sensitive Federal government files.

LockBit: How the franchise is trying to stage a comeback

Since the Cronos legal operation, the LockBit 3.0 mafia franchise has endeavored to convince that business continues as if nothing had happened. Examination of his claims shows a very different reality.

March 8th 2024

UnitedHealth brings some Change Healthcare pharmacy services back online

Optum's Change Healthcare has started to bring systems back online after suffering a crippling BlackCat ransomware attack last month that led to widespread disruption to the US healthcare system.

That's it for this week! Hope everyone has a nice weekend!

 

Contributors and those who provided new ransomware information and stories this week include: @demonslay335, @Seifreed, @fwosar, @malwrhunterteam, @billtoulas, @BleepinComputer, @LawrenceAbrams, @serghei, @Ionut_Ilascu, @ddd1ms, @uuallan, @AShukuhi, @BrettCallow, @BushidoToken, @JBurnsKoven, @Jon__DiMaggio, @ValeryMarchive, @UK_Daniel_Card, @AlexMartin, @TalosSecurity, @CarlyPage_, and @pcrisk

March 4th 2024

BlackCat ransomware turns off servers amid claim they stole $22 million ransom

The ALPHV/BlackCat ransomware gang has shut down its servers amid claims that they scammed the affiliate responsible for the attack on Optum, the operator of the Change Healthcare platform, of $22 million.

Should we ban ransom payments?

As cybercriminals continue to reap the financial rewards of their attacks, talk of a federal ban on ransom payments is getting louder.

New STOP ransomware variants

PCrisk found new STOP ransomware variants that append the .wisz and .wiaw extensions.

New SkyNet ransomware variant

PCrisk found a SkyNet variant that appends the .payuranson extension and drops a ransom note named SkynetData.txt.

March 5th 2024

BlackCat ransomware shuts down in exit scam, blames the "feds"

The BlackCat ransomware gang is pulling an exit scam, trying to shut down and run off with affiliates’ money by pretending the FBI seized their site and infrastructure.

GhostSec’s joint ransomware operation and evolution of their arsenal

Talos observed the GhostSec and Stormous ransomware groups operating together to conduct several double extortion attacks using the GhostLocker and StormousX ransomware programs against the victims in Cuba, Argentina, Poland, China, Lebanon, Israel, Uzbekistan, India, South Africa, Brazil, Morocco, Qatar, Turkiye, Egypt, Vietnam, Thailand and Indonesia according to our assessment of the disclosure messages posted by the group in their Telegram channels and Stormous ransomware data leak site.

New Makop ransomware variant

PCrisk found a Makop variant that appends the .reload extension and drops a ransom note named +README-WARNING+.txt.

March 6th 2024

Duvel says it has "more than enough" beer after ransomware attack

Duvel Moortgat Brewery was hit by a ransomware attack late last night, bringing to a halt the beer production in the company's bottling facilities.

Capita, company providing UK’s nuclear submarine training, confirms ‘cyber incident’

Capita, the United Kingdom’s largest outsourcing company, confirmed Monday that an IT outage which left staff locked out of their accounts on Friday was caused by “a cyber incident.”

New MedusaLocker ransomware variants

PCrisk found new MedusaLocker variants that append the .genesis15 and .duralock05 extensions and drop a ransom note named HOW_TO_BACK_FILES.html.

March 7th 2024

FBI: U.S. lost record $12.5 billion to online crime in 2023

FBI's Internet Crime Complaint Center (IC3) has released its 2023 Internet Crime Report, which recorded a 22% increase in reported losses compared to 2022, amounting to a record of $12.5 billion.

Switzerland: Play ransomware leaked 65,000 government documents

The National Cyber Security Centre (NCSC) of Switzerland has released a report on its analysis of a data breach following a ransomware attack on Xplain, disclosing that the incident impacted thousands of sensitive Federal government files.

LockBit: How the franchise is trying to stage a comeback

Since the Cronos legal operation, the LockBit 3.0 mafia franchise has endeavored to convince that business continues as if nothing had happened. Examination of his claims shows a very different reality.

March 8th 2024

UnitedHealth brings some Change Healthcare pharmacy services back online

Optum's Change Healthcare has started to bring systems back online after suffering a crippling BlackCat ransomware attack last month that led to widespread disruption to the US healthcare system.

That's it for this week! Hope everyone has a nice weekend!

Related Articles:

Prudential Financial now says 2.5 million impacted by data breach

Change Healthcare lists the medical data stolen in ransomware attack

The Week in Ransomware - May 17th 2024 - Mailbombing is back

The Week in Ransomware - May 10th 2024 - Chipping away at LockBit

Patelco shuts down banking systems following ransomware attack