The Week in Ransomware – February 4th 2022 – Critical Infrastructure

Fuel empty

Critical infrastructure suffered ransomware attacks, with threat actors targeting an oil petrol distributor and oil terminals in major ports in different attacks.

Earlier this week, German petrol distributor Oiltanking suffered a ransomware attack allegedly by the new ALPHV/BlackCat ransomware operation.

Soon after, oil terminals in major ports disclosed that they too suffered ransomware attacks. However, officials do not believe the attacks are linked.

If critical infrastructure was not bad enough, the Conti ransomware gang attacked British snacks giant KP Snacks, causing disruptions in the supply chain.

The UK’s HHS released a summary of the findings from the attack on Ireland’s HSE and said that 80% of the IT systems were encrypted during the attack.

Finally, RecordedFuture conducted an interview with the ALPHV ransomware gang, which provides some interesting insights into their new operation.

Contributors and those who provided new ransomware information and stories this week include: @jorntvdw, @demonslay335, @PolarToffee, @malwrhunterteam, @struppigel, @serghei, @billtoulas, @Ionut_Ilascu, @FourOctets, @malwareforme, @VK_Intel, @LawrenceAbrams, @fwosar, @DanielGallagher, @BleepinComputer, @Seifreed, @cybereason, @Ax_Sharma, @Walmarttech, @JakubKroustek, @Amigo_A_, @mattburgess1, @fbgwls245, @pcrisk, @ddd1ms, @AdamJanofsky, and @BrettCallow.

January 31st 2022

QNAP: DeadBolt ransomware exploits a bug patched in December

Taiwan-based network-attached storage (NAS) maker QNAP urges customers to enable firmware auto-updating on their devices to defend against active attacks.

New Phobos Ransomware variant

PCrisk found a Phobos ransomware variant that appends the .makop extension. Makop is the name of a different ransomware operation.

February 1st 2022

German petrol supply firm Oiltanking paralyzed by cyber attack

Oiltanking GmbH, a German petrol distributor who supplies Shell gas stations in the country, has fallen victim to a cyberattack that severely impacted its operations.

Cyberspies linked to Memento ransomware use new PowerShell malware

An Iranian state-backed hacking group tracked as APT35 (aka Phosphorus or Charming Kitten) is now deploying a new backdoor called PowerLess and developed using PowerShell.

Inside Trickbot, Russia’s Notorious Ransomware Gang

Internal messages WIRED has viewed shed new light on the operators of one of the world’s biggest botnets.

New STOP Ransomware variant

Amigo-A found a new STOP ransomware variant that appends the .bbbw extension.

February 2nd 2022

KP Snacks giant hit by Conti ransomware, deliveries disrupted

KP Snacks, a major producer of popular British snacks has been hit by the Conti ransomware group affecting distribution to leading supermarkets.

Business services provider Morley discloses ransomware incident

Morley Companies Inc. disclosed a data breach after suffering a ransomware attack on August 1st, 2021, allowing threat actors to steal data before encrypting files.

New STOP Ransomware variants

Jakub Kroustek found two new STOP ransomware variants that append the .bbbr or .bbbe extensions.

New STOP ransomware variant

PCRisk found a new STOP ransomware variant that appends the .maiv extension.

New ransomware requires YouTube subscriptions

MalwareHunterTeam found a new ransomware that requires you to subscribe to a YouTube channel to decrypt your files. Seems more like a joke.

Ghost Cyber Team

February 3rd 2022

New STOP ransomware variant

PCRisk found a new STOP ransomware variant that appends the .qqqr extension.

European oil port terminals hit by cyberattack

Major oil terminals in some of Western Europe’s biggest ports have fallen victim to a cyberattack at a time when energy prices are already soaring, sources confirmed on Thursday.

String of cyberattacks on European oil and chemical sectors likely not coordinated, officials say

The attacks targeted organizations in Belgium, the Netherlands, and Germany, including some of the largest ports in the region. Cybersecurity officials from those countries on Thursday said they do not have reason to believe that the attacks are linked to one another.

February 4th 2022

Swissport ransomware attack delays flights, disrupts operations

Aviation services company Swissport International has disclosed a ransomware attack that has impacted its IT infrastructure and services, causing flights to suffer delays.

HHS: Conti ransomware encrypted 80% of Ireland’s HSE IT systems

A threat brief published by the US Department of Health and Human Services (HHS) on Thursday paints a grim picture of how Ireland’s health service, the HSE, was overwhelmed and had 80% of its systems encrypted during last year’s Conti ransomware attack.

A look at the new Sugar ransomware demanding low ransoms

A new Sugar Ransomware operation actively targets individual computers, rather than corporate networks, with low ransom demands.

An ALPHV (BlackCat) representative discusses the group’s plans for a ransomware ‘meta-universe’

A representative from the group, which has also been called BlackCat in some reports, agreed to talk to Recorded Future analyst Dmitry Smilyanets about the group’s background, intentions, and plans for the future. The interview was conducted in Russian via TOX messaging, and was translated to English with the help of a linguist from Recorded Future’s Insikt Group. It has been lightly edited for clarity.

New SG1995 Ransomware

dnwls0719 found a new ransomware that appends the .SG1995 extension.

Spiderman

That’s it for this week! Hope everyone has a nice weekend!