The Week in Ransomware — September 9th 2022 — Schools under fire

Ransomware gangs have been busy this week, launching attacks against NAS devices, one of the largest hotel groups, IHG, and LAUSD, the second largest school district in the USA.

On Saturday, the DeadBolt ransomware operation launched a new attack on QNAP devices using a zero-day vulnerability in Photo Station. That same day, QNAP released security updates to fix the vulnerability, urging customers to install the update and not expose their devices on the Internet.

On Monday, both InterContinental Hotels Group (IHG) and Los Angeles Unified (LAUSD) school district were hit by ransomware attacks that disrupted the organizations’ technical operations.

For IHG, the attack disrupted their online reservation systems; for LAUSD, it impacted the school district’s IT systems.

However, even though the cyberattack impacted LAUSD’s technology infrastructure, the schools opened as usual for Los Angeles students.

Yesterday, the Vice Society ransomware gang told BleepingComputer that they were behind the attack on LAUSD and claimed to have stolen 500GB of data.

The identity of the responsible gang came as no surprise, as the FBI, CISA, and MS-ISAC had released an advisory on Monday warning that Vice Society is targeting school districts.

We also saw some new ransomware research released this week:

Contributors and those who provided new ransomware information and stories this week include: @malwareforme, @LawrenceAbrams, @FourOctets, @Ionut_Ilascu, @serghei, @billtoulas, @fwosar, @VK_Intel, @struppigel, @BleepinComputer, @malwrhunterteam, @Seifreed, @DanielGallagher, @demonslay335, @jorntvdw, @PolarToffee, @MsftSecIntel, @CISAgov, @FBI, @pmbureau, @AdvIntel, @pcrisk, @PogoWasRight, @cPeterr, @security_score, and @Intel471Inc.

This is my analysis for PLAY Ransomware. I’ll be solely focusing on its anti-analysis and encryption features. There are a few other features such as DLL injection and networking that will not be covered in this analysis.

QNAP is warning customers of ongoing DeadBolt ransomware attacks that started on Saturday by exploiting a zero-day vulnerability in Photo Station.

PCrisk discovered new STOP ransomware variants that append the .oopu, .oodt, and .oovb extensions.

Leading hospitality company InterContinental Hotels Group PLC (also known as IHG Hotels & Resorts) says its information technology (IT) systems have been disrupted since yesterday after its network was breached.

Los Angeles Unified (LAUSD), the second largest school district in the U.S., disclosed that a ransomware attack hit its Information Technology (IT) systems over the weekend.

FBI, CISA, and MS-ISAC warned today of U.S. school districts being increasingly targeted by the Vice Society ransomware group, with more attacks expected after the start of the new school year.

Our Digital Forensics and Incident Response (DFIR) team was engaged in investigating a ransomware infection. We were able to determine that the ransomware involved is a new version of the BlackCat ransomware, based on the fact that the malware added new command line parameters that were not documented before.

Google says some former Conti cybercrime gang members, now part of a threat group tracked as UAC-0098, are targeting Ukrainian organizations and European non-governmental organizations (NGOs).

Someone is flooding Cobalt Strike servers operated by former members of the Conti ransomware gang with anti-Russian messages to disrupt their activity.

PCrisk discovered new STOP ransomware variants that append the .mmpu, .mmvb, and .mmdt extensions.

PCrisk found a sample of the new ‘Bl00dy Ransomware’, based on the Babuk ransomware family, that appends the .bl00dy extension and drops a ransom note named How To Restore Your Files.txt.

Bl00dy ransomware was first reported on after the threat actors targeted New York medical practices.

Though there is no iron-clad evidence of Conti rebranding as Monti, Conti source code was leaked publicly in March 2022. Consequently, it is possible that anybody could use the publicly available source code to create their own ransomware based on Conti. This could be the case with Monti from our analysis of the disassembled code. Monti’s entry point is very similar to Conti’s, as seen below. As such, Monti could be a rebrand of Conti or simply a new ransomware variant that has been developed using the leaked source code mentioned above.

Microsoft says an Iranian state-sponsored threat group it tracks as DEV-0270 (aka Nemesis Kitten) has been abusing the BitLocker Windows feature in attacks to encrypt victims’ systems.

PCrisk found a new VoidCrypt variant calling itself ‘Ballacks Ransomware’ that appends the .ballacks extension and drops a ransom note named ReadthisforDecode.txt.

PCrisk found the DoyUk Ransomware that appends the .doyuk extension and drops a ransom note named Restore Your Files.txt.

The Vice Society gang has claimed the ransomware attack that hit Los Angeles Unified (LAUSD), the second largest school district in the United States, over the weekend.

PCrisk found the new MLF ransomware that appends the .MLF extension.
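The extensions and ransom-note names reported in this roundup (.oopu, .oodt, .oovb, .mmpu, .mmvb, .mmdt, .bl00dy, .ballacks, .doyuk, .MLF and the three note file names) are the kind of indicator a responder wants to sweep a file share for right away. The script below is an added example, not part of the BleepingComputer article or PCrisk's work: it turns those indicators into a small triage scan. The file listing is constructed for the demo, the "family" labels follow the article text, and the rules for matching (only the final suffix counts, a single extension hit is not enough on its own) are the example's own assumptions, not anything the article states.

```python
"""Added example: triage a file listing against the ransomware indicators
named in the roundup (extensions and ransom-note file names).

Indicator table: taken from the article text. Sample listing: constructed.
Matching rules are this example's assumptions, not the article's.
"""
import re
from collections import Counter

# Appended extension -> family, as reported in the roundup. Compared lower-case.
EXTENSION_IOCS = {
    ".oopu": "STOP", ".oodt": "STOP", ".oovb": "STOP",
    ".mmpu": "STOP", ".mmvb": "STOP", ".mmdt": "STOP",
    ".bl00dy": "Bl00dy (Babuk-based)",
    ".ballacks": "Ballacks (VoidCrypt variant)",
    ".doyuk": "DoyUk",
    ".mlf": "MLF",
}

# Ransom-note file name -> family, as reported in the roundup. Compared lower-case.
NOTE_IOCS = {
    "how to restore your files.txt": "Bl00dy (Babuk-based)",
    "readthisfordecode.txt": "Ballacks (VoidCrypt variant)",
    "restore your files.txt": "DoyUk",
}

# Constructed sample listing (Windows and POSIX paths mixed on purpose).
SAMPLE_LISTING = [
    r"C:\Users\kim\Documents\budget.xlsx.oopu",
    r"C:\Users\kim\Documents\photos\IMG_0012.jpg.oopu",
    r"C:\Users\kim\Documents\notes.txt",
    "/srv/share/contracts/msa.pdf.bl00dy",
    "/srv/share/contracts/How To Restore Your Files.txt",
    "/srv/share/README.md",
    "/data/export/q3.csv.MLF",
]


def classify_path(path):
    """Return (family, indicator_kind) for a path, or None if it matches nothing.

    Assumption: only the final suffix is the ransomware extension, so
    'report.docx.oopu' matches on '.oopu', while 'report.docx' does not match.
    """
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    lower = name.lower()
    if lower in NOTE_IOCS:
        return NOTE_IOCS[lower], "ransom_note"
    m = re.search(r"(\.[^./]+)$", lower)
    if m and m.group(1) in EXTENSION_IOCS:
        return EXTENSION_IOCS[m.group(1)], "extension"
    return None


def scan(paths):
    """Scan a listing; return (per-family hit counts, list of (path, family, kind))."""
    hits = []
    for p in paths:
        result = classify_path(p)
        if result:
            hits.append((p, result[0], result[1]))
    families = Counter(family for _, family, _ in hits)
    return families, hits


def active_families(hits, min_encrypted=2):
    """Families worth escalating: a ransom note was found, or at least
    `min_encrypted` files carry the family's extension. A lone extension hit
    is treated as a possible false positive (an unrelated file suffix)."""
    ext_counts = Counter(f for _, f, kind in hits if kind == "extension")
    noted = {f for _, f, kind in hits if kind == "ransom_note"}
    return sorted(noted | {f for f, n in ext_counts.items() if n >= min_encrypted})


if __name__ == "__main__":
    counts, found = scan(SAMPLE_LISTING)
    for path, family, kind in found:
        print(f"{kind:11s} {family:30s} {path}")
    print("escalate:", active_families(found))
```

Run it against a real listing by feeding `scan()` the output of `find` or `Get-ChildItem -Recurse` instead of `SAMPLE_LISTING`; the extension table is the part to keep current as new variants are reported.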

Source: bleepingcomputer

Chala Dandessa Debela