The Week in Ransomware - September 11th 2020 - A barrage of attacks
by Lawrence Abrams
This week has been filled with brutal ransomware attacks that targeted large organizations worldwide with million-dollar ransoms.
In what could be the first known case of ransomware affecting a country's official operations, the Argentinian immigration office suffered a ransomware attack that halted border crossings into and out of the country.
We also reported attacks against large entities such as Newcastle University, Pakistan's largest private electricity provider K-Electric, Equinix, and SoftServe.
If this week has shown us anything, it is that all organizations must become familiar with the Netwalker ransomware operators' tactics and how they attack organizations.
Netwalker is responsible for three out of four of the large attacks this week. The amount of ransom payments they are generating indicates that their attacks have historically been successful.
Contributors and those who provided new ransomware information and stories this week include @BleepinComputer, @VK_Intel, @Seifreed, @FourOctets, @serghei, @struppigel, @LawrenceAbrams, @jorntvdw, @malwareforme, @demonslay335, @malwrhunterteam, @DanielGallagher, @fwosar, @Ionut_Ilascu, @PolarToffee, @GroupIB_GIB, @Kangxiaopao, @campuscodi, @siri_urz, @joakimkennedy, @CORE561, @fuscator
September 5th 2020
New Xorist variant
Onyx Mods found a new Xorist variant that appends the .emilisub extension.
September 6th 2020
Netwalker ransomware hits Argentinian government, demands $4 million
Argentina's official immigration agency, Dirección Nacional de Migraciones, suffered a Netwalker ransomware attack that temporarily halted border crossing into and out of the country.
September 7th 2020
DoppelPaymer ransomware hits Newcastle University, leaks data
UK research university Newcastle University says that it will take several weeks to get IT services back online after DoppelPaymer ransomware operators breached its network and took systems offline on the morning of August 30th.
New ThunderX Ransomware
S!Ri found a new ransomware called ThunderX that appends the .tx_locked extension.

New golang BlackRose ransomware
Joakim Kennedy found a new in-development ransomware called BlackRose.

September 8th 2020
Ransomware delays first day of school for Hartford, Connecticut
The Hartford School District in Connecticut has postponed their first day of school as they struggle with getting classroom and transportation systems restored and running after a Labor Day holiday weekend ransomware attack.
Netwalker ransomware hits Pakistan's largest private power utility
K-Electric, the sole electricity provider for Karachi, Pakistan, has suffered a Netwalker ransomware attack that led to the disruption of billing and online services.
New Matrix ransomware variant
Michael Gillespie found a new variant of the Matrix Ransomware that appends the .J91D extension and drops a ransom note named J91D_README.rtf.
New Xorist variant
Michael Gillespie found a new Xorist Ransomware variant that appends the .hnx911 extension.
New Matrix ransomware variant
Michael Gillespie found a new variant of the Matrix Ransomware that appends the .S996 extension and drops a ransom note named S996_INFO.rtf.
New MedusaLocker variant
Michael Gillespie found a new MedusaLocker Ransomware variant that appends the .networkmaze extension.
New OGDO STOP variant
Michael Gillespie found a new STOP Ransomware variant that appends the .ogdo extension.
Thailand hospital hit with ransomware
Saraburi Hospital was attacked by ransomware and is unable to access data on the system, which is affecting patient services. Anyone who has advice and can provide assistance, please tell the doctor in this link.
September 9th 2020
Leading US video delivery provider confirms ransomware attack
SeaChange International, a US-based leading supplier of video delivery software solutions, has confirmed a ransomware attack that disrupted its operations during the first quarter of 2020.
New Flamingo Ransomware
Michael Gillespie found a new ransomware that appends the .FLAMINGO extension and drops a ransom note named #READ ME.TXT.
New Dharma Ransomware variant
Xiaopao found new Dharma Ransomware variants that append the .blm and .eur extensions.
September 10th 2020
ProLock ransomware increases payment demand and victim count
Using standard tactics, the operators of ProLock ransomware were able to deploy a large number of attacks over the past six months, averaging close to one target every day.
Equinix data center giant hit by Netwalker Ransomware, $4.5M ransom
Data center and colocation giant Equinix has been hit with a Netwalker ransomware attack where threat actors are demanding $4.5 million for a decryptor and to prevent the release of stolen data.
SoftServe hit by ransomware, Windows customization tool exploited
Ukrainian software developer and IT services provider SoftServe suffered a ransomware attack on September 1st that may have led to the theft of customers' source code.
Ransomware accounted for 41% of all cyber insurance claims in H1 2020
Ransomware incidents have accounted for 41% of cyber insurance claims filed in the first half of 2020, according to a report published today by Coalition, one of the largest providers of cyber insurance services in North America.
September 11th 2020
Development Bank of Seychelles hit by ransomware attack
The Development Bank of Seychelles (DBS) was hit by ransomware according to a press statement published earlier today by the Central Bank of Seychelles (CBS).
Karachi police office computer system hacked, ransom demanded
Hackers hacked the computer system data of the Karachi Police Office (KPO) Media Cell and demanded a ransom of 9 980. The data of the Media Cell is 700 GB. Cybercrime officers arrived at the scene, seized the data system and launched an investigation.
New Consciousness Ransomware
MalwareHunterTeam found the new Consciousness Ransomware that appends the .Consciousness extension and drops a ransom note named Consciousness Ransomware Text Message.txt. Michael Gillespie said this is basically a wiper as it does not save the keys properly for encrypted files.
New BLM Dharma variant
Onyx Mods found a new Dharma Ransomware variant that appends the .blm extension.