Today's column brings you two weeks of information on the latest ransomware attacks and research after we skipped last week's article.

The big news over the past two weeks is the continued drama plaguing BlackCat/ALPHV after their infrastructure suddenly stopped working for almost five days. Multiple sources told BleepingComputer that this outage was related to a law enforcement operation, but BlackCat claims the outages were caused by a hardware/hosting issue.

However, BleepingComputer has learned that some of the BlackCat/ALPHV affiliates are not buying the explanation and have started to contact victims directly via email to perform negotiations outside of the ransomware operation's Tor negotiation sites.

It is unclear if that is because they are working on their final victims under this operation before they switch to another gang or if they feel the ALPHV operation has been compromised in some manner.

Whatever the reasons, the LockBit operation is taking advantage of the drama. The cybercrime gang has told BleepingComputer that they see this as a Christmas gift and have started recruiting ALPHV's affiliates.

In other news, we learned about numerous ransomware attacks over the past two weeks, including:

• Tipalti is investigating claims that BlackCat breached their systems and stole data. So far, there is no indication that this is true.
• Norton Healthcare disclosed a data breach after a May BlackCat ransomware attack.
• Toyota Financial Servers disclosed a data breach after Medusa leaked data.
• Kraft Heinz says they are investigating claims that the Snatch Team extortion group breached their systems.
• HTC Global Services confirmed they suffered a cyberattack after BlackCat leaked data.
• Navy contractor Austal USA confirms cyberattack after Hunters International leaks data.
• Sony says they are investigating the claims that Rhysida breached Insomniac Games.

Finally, law enforcement has had some confirmed actions this week, including arresting a money launderer linked to Hive ransomware and a Russian pleading guilty to running a crypto exchange used by ransomware gangs.

Contributors and those who provided new ransomware information and stories this week include: @malwrhunterteam, @demonslay335, @billtoulas, @fwosar, @Seifreed, @serghei, @BleepinComputer, @LawrenceAbrams, @Ionut_Ilascu, @ValeryMarchive, @BushidoToken, @azalsecurity, @SentinelOne, @g0njxa, @AlvieriD, @ShadowStackRE, @AShukuhi, @BrettCallow, @GossiTheDog, @vmiss33, @pcrisk, and @RESecurity.

December 3rd 2023

Linux version of Qilin ransomware focuses on VMware ESXi

A sample of the Qilin ransomware gang's VMware ESXi encryptor has been found and it could be one of the most advanced and customizable Linux encryptors seen to date.

December 4th 2023

Tipalti investigates claims of data stolen in ransomware attack

Tipalti says they are investigating claims that the ALPHV ransomware gang breached its network and stole 256 GB of data, including data for Roblox and Twitch.

New Phobos ransomware variant

PCrisk found a new Phobos ransomware variant that appends the .elpy and drops ransom notes named info.txt and info.hta.

RA World encryptor

PCrisk found the encryptor for the new RA World operation, which appends the .RAWLD extension and drops a ransom note named Data breach warning.txt.

New Xorist variant

PCrisk found a new Xorist variant that appends the .xro extension and drops a ransom note named HOW TO DECRYPT FILES.txt.

December 5th 2023

HTC Global Services confirms cyberattack after data leaked online

IT services and business consulting company HTC Global Services has confirmed that they suffered a cyberattack after the ALPHV ransomware gang began leaking screenshots of stolen data.

December 6th 2023

Qilin ESXi encryptor analysis

Qilin ransomware has built a highly configurable malware family that makes use of the local ESXi tooling to increase the success rate of encrypting and ransoming their victim.

Navy contractor Austal USA confirms cyberattack after data leak

Austal USA, a shipbuilding company and a contractor for the U.S. Department of Defense (DoD) and the Department of Homeland Security (DHS) confirmed that it suffered a cyberattack and is currently investigating the impact of the incident.

New STOP ransomware variants

PCRisk found new STOP ransomware variants that append the .nbwr and .nbzi extensions.

New Phobos ransomware variant

PCrisk found a new Phobos ransomware variant that appends the .GrafGrafel and drops ransom notes named info.txt and info.hta.

December 7th 2023

Russian pleads guilty to running crypto-exchange used by ransomware gangs

Russian national Anatoly Legkodymov pleaded guilty to operating the Bitzlato cryptocurrency exchange that helped ransomware gangs and other cybercriminals launder over $700 million.

December 8th 2023

ALPHV ransomware site outage rumored to be caused by law enforcement

A law enforcement operation is rumored to be behind an outage affecting ALPHV ransomware gang's websites over the last 30 hours.

Norton Healthcare discloses data breach after May ransomware attack

Kentucky health system Norton Healthcare has confirmed that a ransomware attack in May exposed personal information belonging to patients, employees, and dependents.

New HiddenTear variant

PCrisk found a new HiddenTear ransomware variant that appends the .funny extension and drops a ransom note named readme.txt.

December 11th 2023

Toyota warns customers of data breach exposing personal, financial info

Toyota Financial Services (TFS) is warning customers it suffered a data breach, stating that sensitive personal and financial data was exposed in the attack.

Cold storage giant Americold discloses data breach after April malware attack

Cold storage and logistics giant Americold has confirmed that over 129,000 employees and their dependents had their personal information stolen in an April attack, later claimed by Cactus ransomware.

New STOP ransomware variants

PCRisk found new STOP ransomware variants that append the .hhuy and .hhaz extensions.

December 12th 2023

Spider-Man 2 developer Insomniac Games hit by Rhysida ransomware attack

Ransomware operator Rhysida has posted limited data that appears to back up its claim that it has successfully hacked video game developer Insomniac Games.

December 13th 2023

LockBit ransomware now poaching BlackCat, NoEscape affiliates

The LockBit ransomware operation is now recruiting affiliates and developers from the BlackCat/ALPHV and NoEscape after recent disruptions and exit scams.

French police arrests Russian suspect linked to Hive ransomware

French authorities arrested a Russian national in Paris for allegedly helping the Hive ransomware gang with laundering their victims' ransom payments.

Technical analysis of Rhysida

ShadowStackRE has published a technical analysis of the Rhysida ransomware encryptor.

Mallox Resurrected | Ransomware Attacks Exploiting MS-SQL Continue to Burden Enterprises

In this post, we highlight recent Mallox activity, explain the group’s initial access methods and provide a high-level analysis of recent Mallox payloads to help defenders better understand and defend against this persistent threat.

December 14th 2023

Kraft Heinz investigates hack claims, says systems ‘operating normally’

Kraft Heinz has confirmed that their systems are operating normally and that there is no evidence they were breached after an extortion group listed them on a data leak site.

December 15th 2023

Exposing The Cyber-Extortion Trinity - BianLian, White Rabbit, And Mario Ransomware Gangs Spotted In A Joint Campaign

Based on a recent Digital Forensics & Incident Response (DFIR) engagement with a law enforcement agency (LEA) and one of the leading investment organizations in Singapore, Resecurity, Inc. (USA) has uncovered a meaningful link between three major ransomware groups. Resecurity’s HUNTER (HUMINT) unit spotted the BianLian, White Rabbit, and Mario ransomware gangs collaborating in a joint extortion campaign targeting publicly-traded financial services firms.

New STOP ransomware variants

PCRisk found new STOP ransomware variants that append the .ljuy and .ljaz extensions.

That's it for this week! Hope everyone has a nice weekend!