Ransomware attacks targeting VMware ESXi and other virtual machine platforms are wreaking havoc among the enterprise, causing widespread disruption and loss of services.
Panera’s massive IT outage last month that took down internal systems, the website, mobile apps, and phones was caused by a ransomware attack encrypting the company’s virtual machines.
While the company has been able to restore servers from backups, it took almost a week for their systems to be restored.
Similarly, Omni Hotels suffered a massive outage, which took down the company’s reservation system, phones, and door lock system. The outage was so severe that guests had to contact a hotel employee to be let into their rooms, as key cards did not work.
Omni Hotels confirmed a few days later that they suffered a cyberattack, with BleepingComputer learning that it was once again a ransomware attack encrypting the company’s virtual machines. BleepingComputer has been told that Omni is restoring from backups as well.
This week, Chilean hosting provider IxMetro Powerhost also disclosed a ransomware attack where the threat actors encrypted the hosting company’s VMware ESXi servers. These servers powered customers’ virtual private servers (VPS), also bringing their websites down.
Unfortunately, they were not as lucky as Panera and Omni Hotels, as the threat actors also encrypted the company’s backups. The threat actors behind this attack, known as SEXi, demanded two bitcoins per customer to receive a decryptor.
While virtual machine platforms, like VMware ESXi, make it much easier for enterprises to manage resources and servers, they have also become a very tempting target for ransomware gangs.
As a company’s servers are now centrally located as virtual machines, threat actors can simply encrypt a single VMware server to cause massive disruption to a company’s operations.
Admins must tighten security on their virtual machine platforms by applying the latest security updates to VM software and the host operating systems, using administrative credentials different from those of the Windows domain, and applying tighter access controls.
Today, the Chilean government’s CSIRT issued an advisory warning businesses to upgrade VMware software to the latest versions and offered advice on securing servers.
While attackers targeting virtual machines are nothing new, this week’s attacks continue to show that they are critical IT systems that must be properly secured to prevent disastrous outages.
Contributors and those who provided new ransomware information and stories this week include: @fwosar, @LawrenceAbrams, @billtoulas, @BleepinComputer, @serghei, @Ionut_Ilascu, @Seifreed, @malwrhunterteam, @demonslay335, @1ZRR4H, @BushidoToken, @pcrisk, @JakubKroustek, @AJVicens, @TrendMicro, @AlexMartin, @jgreigj, @TheDFIRReport, @SonicWall, and @CSIRTGOB.
April 1st 2024
Yacht retailer MarineMax discloses data breach after cyberattack
MarineMax, self-described as one of the world’s largest recreational boat and yacht retailers, says attackers stole employee and customer data after breaching its systems in a March cyberattack.
From OneNote to RansomNote: An Ice Cold Intrusion
This intrusion began in late February of 2023 and lasted through late March of 2023. The threat actor initially gained access through a phishing campaign, in which they distributed emails containing malicious OneNote attachments. During this period, OneNote files had surged in popularity among initial access brokers. This rise was primarily due to their capability to circumvent email attachment blocking rules and evade detection by existing security mechanisms.
April 2nd 2024
Omni Hotels experiencing nationwide IT outage since Friday
Omni Hotels & Resorts has been experiencing a chain-wide outage that brought down its IT systems on Friday, impacting reservation, hotel room door lock, and point-of-sale (POS) systems.
New GlobeImposter variant
PCrisk found a new GlobeImposter variant that appends the .schrodingercat extension and drops a ransom note named how_to_back_files.html.
April 3rd 2024
Jackson County in state of emergency after ransomware attack
Jackson County, Missouri, is in a state of emergency after a ransomware attack took down some county services on Tuesday.
Hosting firm’s VMware ESXi servers hit by new SEXi ransomware
Chilean data center and hosting provider IxMetro Powerhost has suffered a cyberattack at the hands of a new ransomware gang known as SEXi, which encrypted the company’s VMware ESXi servers and backups.
Omni Hotels confirms cyberattack behind ongoing IT outage
Omni Hotels & Resorts has confirmed a cyberattack caused a nationwide IT outage that is still affecting its locations.
Unveiling the Fallout: Operation Cronos’ Impact on LockBit Following Landmark Disruption
Our new article provides key highlights and takeaways from Operation Cronos’ disruption of LockBit’s operations, as well as telemetry details on how LockBit actors operated post-disruption.
Chaos Ransomware Operator Gives Up Decryption Tool for Free
The SonicWall CaptureLabs threat research team have recently been tracking ransomware created using the Chaos ransomware builder. The builder appeared in June 2021 and has been used by many operators to infect victims and demand payment for file retrieval. The sample we analyzed led us to a conversation with the operator, who freely gave up the decryptor program.
New STOP ransomware variants
PCrisk found new STOP ransomware variants that append the .uazq and .uajs extensions.
April 4th 2024
Leicester City Council confirms ransomware attack after confidential documents leaked
Leicester City Council in England has confirmed that last month’s cyber incident was a ransomware attack after being made aware that the criminals behind the incident had uploaded stolen documents to their dark web extortion site.
New ‘Unkno’ ransomware
PCrisk found a new ransomware based off the leaked Babuk source code that appends the .unkno extension and drops a ransom note named RESTORE_YOUR_FILES.txt.
New Chaos ransomware variant
PCrisk found a new Chaos ransomware variant that drops a LEIA-ME.txt ransom note and appends a random extension.
‘An attack on the reputation of Palau’: officials question who was really behind ransomware incident
They quickly discovered two separate ransom notes: one on a sheet of paper in the printer from the LockBit ransomware gang and one in a README text file placed alongside Palau’s encrypted documents from the DragonForce ransomware gang.
April 5th 2024
Panera Bread week-long IT outage caused by ransomware attack
Panera Bread’s recent week-long outage was caused by a ransomware attack, according to people familiar with the matter and emails seen by BleepingComputer.
ALPHV steps up laundering of Change Healthcare ransom payments
Six weeks after executing an attack that crippled parts of the U.S. health care system, the cybercrime gang linked to the incident has picked up the pace of laundering the proceeds of an alleged ransom payment, even as the hackers implicated in the breach continue to maintain a low profile.
New Makop variant
PCrisk found a new Makop variant that appends the .datah extension.
New ransomware variant
PCrisk found a new Python ransomware that appends the .rincrypt extension and drops a ransom note named READ THIS.txt.
New STOP ransomware variant
Jakub Kroustek found a new STOP ransomware variant that appends the .kaaa extension.
New Dharma ransomware variant
Jakub Kroustek found a new Dharma variant that appends the .hunt extension.