Hello, world!

Welcome back to the Ransomware Roundup! Ransomware has been impacted by the novel coronavirus but like most of us, ransomware actors are adhering to the sage advice:

• Improvise
• Adapt
• Overcome

Ransomware in the News

Jamaica National Group

On March 20, 2020, Jamaica National Group, a financial services company in Jamaica, announced a ransomware attack it experienced last week. The Statement on JN Group System Challenges is on their blog but lacks any further detail about the nature of the attack or the ransom. Their comments with a customer on Instagram indicate that customer-facing systems are still being repaired with no timeline available.

About

Was the ransom paid?: Unknown

Ransom Amount: Unknown

Entry Vector: Unknown

Finastra

On March 21st, Finastra (@FinastraFS) revealed that it believed it fell victim to a ransomware attack. Finastra asserts on their Website that they are the third-larges financial services company in the world. The company’s statement, which has been updated, is here. Brian Krebs has the story.

About

Was the ransom paid?: Unknown

Ransom Amount: Unknown

Entry Vector: Unknown

Ransomware actors respond to COVID-19

This week, ransomware attackers and defenders communicated updates to how they will behave in light of the uncertainty due to COVID-19. One one hand, BleepingComputer contacted various ransomware operators. They assert that the operators of DoppelPaymer and Maze responded with notes confirming that they will modify or curtail their activity during this time. The notes in the article linked above are worth a read.

Should these assertions turn out to be false or should a health care organization fall victim to a less nobel ransomware operator, BleepingComputer also reports that Emsisoft and Coveware are providing pro bono ransomware related services to healthcare providers.

An update to The Register’s coverage of this news suggests that Maze’s operators hit a medical research company in violation of the “no ransomware against healthcare organizations during a global pandemic” promise.

FireEye Report

This week, FireEye released a report They Come in the Night: Ransomware Deployment Trends about trends in ransomware deployments.

Both [BleepingComputer]() and [ZDNet]() provide insights from the report.

Updates: CovidLock

4865083501

That is the hardcoded decryption key for CovidLock, the ransomware we discussed in last week’s issue, as provided by DomainTools in their technical update this week.

Ransomware Round-Up

• New Nefilim Ransomware Threatens to Release Victims’ Data
• Ransomware Gangs to Stop Attacking Health Orgs During Pandemic
• France warns of new ransomware gang targeting local governments

• Police investigate ransomware attack at Jamaica National

  /etc

  CERT-FR alert on Mespinoza/Pysa

  The French CERT issued an alert about the operators of ransomware dubbed Mespinoza/Pysa. As of this writing, the alert is only available in French as a PDF. I put a Google Translated version of the English text here. ZDNet has a good summary and analysis of the alert.

  List of Coronavirus-related malware

  Lukas Stefanko is maintaining a public list of known Coronavirus-related Android malware. While this is not exclusively ransomware, it includes ransomware and may be of interest to Ransomware Roundup readers.

FIN

Stay safe.

Wash your hands. Regularly. For at least twenty seconds.

Be kind to one another.