Not wanting to be outdone by last week’s influx of BlackCat related ransomware activity, the RaaS group known as BlackByte is back in the news after hitting the San Francisco 49ers and several US critical infrastructure sectors including government facilities, financial institutions and food & agriculture companies. Details are scant, but some reports state that the criminal group has been leveraging multiple Microsoft Exchange Server vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) chained together, aka ProxyShell, for initial access into the victim organizations. The FBI and US Secret Service released a joint advisory (PDF) that includes Indicators of Compromise (IoCs) from the attacks.
While BlackByte was dealt a blow last year when Trustwave researchers released a free decryptor tool due to poor implementation of AES, it’s clear that the group has “improved” their ransomware offering and is back in business.
Emil Frey, Europe’s largest car dealer with over $3.29 billion USD in sales in 2020, was hit by the notorious Hive ransomware group in January. Hive is best known for attacking at least 28 healthcare organizations in 2021.
It’s annual cyber threat report season, and one interesting takeaway from SonicWall’s 2022 Threat Report is an estimated 105% overall year-over-year increase in ransomware, and up 239% since 2019. If RaaS groups were VC-backed startups, clearly they would be on the path to IPO. While numbers like this are difficult to fully source, the growth rate of ransomware continues upward.
Lastly, SentinelOne researchers report that an Iran-aligned group has targeted VMware Horizon Log4J flaws to spread ransomware.