The Week in Ransomware – March 8th 2024


We saw another ransomware operation shut down this week after first getting breached by law enforcement and then targeting critical infrastructure, putting them further in the spotlight of the US government.

What makes this unusual is that this seems to be a common routine for the DarkSide, I mean BlackCat/ALPHV, ransomware operation, which tends to hit critical infrastructure and then realize it was a big mistake.

As it was, they were already being targeted by an international law enforcement operation, allowing the FBI to hack the gang’s servers for months while collecting data, decryptors, and ultimately, seizing the domain of the data leak site.

While the Tor onion domain seizure was a game of tug of war between the FBI and BlackCat, instead of shutting down, the ransomware gang decided to continue operating and vowed to target US critical infrastructure in revenge.

Approximately two months later, one of their affiliates attacked UnitedHealth Group’s Change Healthcare, a technology solutions company used by many pharmacies, doctor’s offices, and hospitals for billing claims for healthcare and prescriptions.

This attack led to severe disruption in the US healthcare system, preventing pharmacies from accepting insurance and discount cards and, in some cases, causing patients to pay full price for medication.

Similar to their attack on Colonial Pipeline as DarkSide, which led them to shut down, their rebrand as BlackCat/ALPHV has now shut down after the Change Healthcare attack.

According to an affiliate, Optum, Change Healthcare’s parent company and a subsidiary of UnitedHealth, paid a $22 million ransom to the ransomware operation to prevent the leaking of stolen data and to receive a file decryptor.

However, this affiliate says that BlackCat stole the ransom and did not transfer over a share of the payment, stating it was seized by the “feds.”

In reality, BlackCat conducted an exit scam where they stole the ransom, blamed law enforcement, and shut down, stating that they do not want to be in court again.

Unfortunately, it is only a matter of time before we see the ransomware operation rebrand under a new name to repeat this cycle.

In other news, the Stormous ransomware gang attacked the Duvel Belgian beer maker, which many consider critical infrastructure.

Finally, the Swiss government also warned that 65,000 of its documents were leaked as part of a Play ransomware attack on Xplain.

Contributors and those who provided new ransomware information and stories this week include: @demonslay335, @Seifreed, @fwosar, @malwrhunterteam, @billtoulas, @BleepinComputer, @LawrenceAbrams, @serghei, @Ionut_Ilascu, @ddd1ms, @uuallan, @AShukuhi, @BrettCallow, @BushidoToken, @JBurnsKoven, @Jon__DiMaggio, @ValeryMarchive, @UK_Daniel_Card, @AlexMartin, @TalosSecurity, @CarlyPage_, and @pcrisk.

March 4th 2024

BlackCat ransomware turns off servers amid claim they stole $22 million ransom

The ALPHV/BlackCat ransomware gang has shut down its servers amid claims that they scammed the affiliate responsible for the attack on Optum, the operator of the Change Healthcare platform, out of $22 million.

Should we ban ransom payments?

As cybercriminals continue to reap the financial rewards of their attacks, talk of a federal ban on ransom payments is getting louder.

New STOP ransomware variants

PCrisk found new STOP ransomware variants that append the .wisz and .wiaw extensions.

New SkyNet ransomware variant

PCrisk found a SkyNet variant that appends the .payuranson extension and drops a ransom note named SkynetData.txt.

March 5th 2024

BlackCat ransomware shuts down in exit scam, blames the “feds”

The BlackCat ransomware gang is pulling an exit scam, trying to shut down and run off with affiliates’ money by pretending the FBI seized their site and infrastructure.

GhostSec’s joint ransomware operation and evolution of their arsenal

Talos observed the GhostSec and Stormous ransomware groups operating together to conduct multiple double extortion attacks using the GhostLocker and StormousX ransomware programs against victims in Cuba, Argentina, Poland, China, Lebanon, Israel, Uzbekistan, India, South Africa, Brazil, Morocco, Qatar, Turkiye, Egypt, Vietnam, Thailand and Indonesia, according to our analysis of the disclosure messages posted by the group in their Telegram channels and on the Stormous ransomware data leak site.

New Makop ransomware variant

PCrisk found a Makop variant that appends the .reload extension and drops a ransom note named +README-WARNING+.txt.

March 6th 2024

Duvel says it has “more than enough” beer after ransomware attack

Duvel Moortgat Brewery was hit by a ransomware attack late last night, bringing beer production in the company’s bottling facilities to a halt.

Capita, company providing UK’s nuclear submarine training, confirms ‘cyber incident’

Capita, the UK’s largest outsourcing company, confirmed Monday that an IT outage which left staff locked out of their accounts on Friday was caused by “a cyber incident.”

New MedusaLocker ransomware variants

PCrisk found new MedusaLocker variants that append the .genesis15 and .duralock05 extensions and drop a ransom note named HOW_TO_BACK_FILES.html.

March 7th 2024

FBI: U.S. lost record $12.5 billion to online crime in 2023

The FBI’s Internet Crime Complaint Center (IC3) has released its 2023 Internet Crime Report, which recorded a 22% increase in reported losses compared to 2022, amounting to a record $12.5 billion.

Switzerland: Play ransomware leaked 65,000 government documents

The National Cyber Security Centre (NCSC) of Switzerland has released a report on its analysis of a data breach following a ransomware attack on Xplain, disclosing that the incident impacted thousands of sensitive Federal government files.

LockBit: How the franchise is trying to stage a comeback

Since the Cronos legal operation, the LockBit 3.0 mafia franchise has endeavored to convince everyone that business continues as if nothing had happened. Examination of its claims shows a very different reality.

March 8th 2024

UnitedHealth brings some Change Healthcare pharmacy services back online

Optum’s Change Healthcare has started to bring systems back online after suffering a crippling BlackCat ransomware attack last month that led to widespread disruption to the US healthcare system.

That’s it for this week! Hope everyone has a nice weekend!
