This week in ransomware – Friday, July 15, 2022

Will they call the next one Frazier?

“Lilith” is the name of one of the new varieties of ransomware identified in a recent report by security firm Cyble in a blog entitled New Ransomware Groups on the Rise. Lilith was, for trivia buffs, in Judaic mythology the first wife of Adam who was supplanted by Eve and went on to become an evil spirit. The name is probably more familiar to fans of the 1990’s hit series “Frazier.

“Lilith is another in the family of so called “double extortion” varieties – it first steals data, then encrypts it on the victim machine and demands a ransom for the decryption key. The ransom note is contained in a file called Restore_Your_Files.txt. Victims are given three days to negotiate the price for the decryption software. If the ransom is not paid by this deadline, the cyber crooks threaten to begin leaking the data.

Less creatively named, but equally or even more dangerous, is another ransomware variety named in the report. RedAlert or N13V encrypts virtual files and virtual disks. It targets Windows and Linux VMWare ESXi servers.

RedAlert is operated manually. The threat actors first do a complete takeover of the system and then perform functions such as stopping all virtual machines before executing the attack, ensuring that all files are encrypted.

RedAlert only accepts ransom payments in Monero, which makes it somewhat unique among ransomware groups. According to Wikipedia, “Monero is a decentralized cryptocurrency… with privacy-enhancing technologies that obfuscate transactions to achieve anonymity and fungibility. Observers cannot decipher addresses trading Monero, transaction amounts, address balances, or transaction histories.”

AlphV/BackCat – The cat comes back with a vengeance

The BlackCat ransomware gang (aka AlphV) has resumed operations. Most recently it claimed it has breached Japanese gaming company Bandai Namco and stolen corporate data.

Bandai Namco publishes popular video games such as Elden Ring, Dark Souls, Pac-Man, Tekken, Gundam, Soulcalibur, and more. The company has confirmed that they had suffered a cyberattack.

The AlphV/BlackCat ransomware group started operations in November 2021, and is widely assumed to be a rebrand of the DarkSide/BlackMatter gang. DarkSide/BlackMatter gained world-wide attention when it attacked Colonial Pipelines.

While the attack on Colonial catapulted the gang to international fame, it also drew the full weight of global law enforcement. Following that, the gang stayed quiet for brief period, only to resume life as AlphV/Black Cat.

It then rocketed back to again become one of the top ransomware threats globally, and by April the FBI published a warning that BlackCat had breached over 60 entities worldwide.

Out with a bang – and a free decryptor

The threat actor behind ransomware AstraLocker announced this week that they are shutting down and plan to shift to cryptomining. As they were exiting, the did provide a zip file with a free decryptor for anyone compromised by their ransomware.

The group left with this quote, still tongue in cheek (or so we hope):

“It was fun, and fun things always end sometime. I’m closing the operation, decryptors are in zip files, clean. I will come back,” AstraLocker’s developer told us. “I’m done with ransomware for now. I’m going in cryptojaking lol.”