Hello, world!
Welcome back to the Ransomware Roundup! Ransomware has been impacted by the novel coronavirus but like most of us, ransomware actors are adhering to the sage advice:
- Improvise
- Adapt
- Overcome
Ransomware in the News
Jamaica National Group
On March 20, 2020, Jamaica National Group, a financial services company in Jamaica, announced a ransomware attack it experienced last week. The Statement on JN Group System Challenges is on their blog but lacks any further detail about the nature of the attack or the ransom. Their comments with a customer on Instagram indicate that customer-facing systems are still being repaired with no timeline available.
About
Was the ransom paid?: Unknown
Ransom Amount: Unknown
Entry Vector: Unknown
Finastra
On March 21st, Finastra (@FinastraFS) revealed that it believed it fell victim to a ransomware attack. Finastra asserts on their Website that they are the third-larges financial services company in the world. The company’s statement, which has been updated, is here. Brian Krebs has the story.
About
Was the ransom paid?: Unknown
Ransom Amount: Unknown
Entry Vector: Unknown
Ransomware actors respond to COVID-19
This week, ransomware attackers and defenders communicated updates to how they will behave in light of the uncertainty due to COVID-19. One one hand, BleepingComputer contacted various ransomware operators. They assert that the operators of DoppelPaymer and Maze responded with notes confirming that they will modify or curtail their activity during this time. The notes in the article linked above are worth a read.
Should these assertions turn out to be false or should a health care organization fall victim to a less nobel ransomware operator, BleepingComputer also reports that Emsisoft and Coveware are providing pro bono ransomware related services to healthcare providers.
An update to The Register’s coverage of this news suggests that Maze’s operators hit a medical research company in violation of the “no ransomware against healthcare organizations during a global pandemic” promise.
FireEye Report
This week, FireEye released a report They Come in the Night: Ransomware Deployment Trends about trends in ransomware deployments.
Both [BleepingComputer]() and [ZDNet]() provide insights from the report.
Updates: CovidLock
4865083501
That is the hardcoded decryption key for CovidLock, the ransomware we discussed in last week’s issue, as provided by DomainTools in their technical update this week.
Ransomware Round-Up
- New Nefilim Ransomware Threatens to Release Victims’ Data
- Ransomware Gangs to Stop Attacking Health Orgs During Pandemic
- France warns of new ransomware gang targeting local governments
Police investigate ransomware attack at Jamaica National
/etc
CERT-FR alert on Mespinoza/Pysa
The French CERT issued an alert about the operators of ransomware dubbed Mespinoza/Pysa. As of this writing, the alert is only available in French as a PDF. I put a Google Translated version of the English text here. ZDNet has a good summary and analysis of the alert.
List of Coronavirus-related malware
Lukas Stefanko is maintaining a public list of known Coronavirus-related Android malware. While this is not exclusively ransomware, it includes ransomware and may be of interest to Ransomware Roundup readers.
FIN
Stay safe.
Wash your hands. Regularly. For at least twenty seconds.
Be kind to one another.