Hello, world!

Welcome to this double issue of the Ransomware Roundup! You will find two weeks worth of ransomware news and analysis in this double issue.

Ransomware in the News

Jupiter, Florida has a hard time. Again.

Jupiter (@townofjupiter) is a small town 87 miles north of Miami with a population of 55,156 at the 2010 Census. On April 1, The Palm Beach Post reported on a successful ransomware attack against the IT systems in Jupiter. Social media posts from the town suggest that they were aware of and working around the incident as early as March 30th (when Jupiter posted on their Facebook account that this incident was impacting their ability to process refunds for a summer camp cancelled due to coronavirus).

The town notified citizens of the incident in an Instagram post, a Twitter thread and with this announcement on their home page that that since been removed.

About

Was the ransom paid?: Unknown

Ransom Amount: Unknown

Entry Vector: Unknown

So much for the truce

Earlier in the COVID-19 response, several groups of ransomware operators indicated that they would refrain from attacking healthcare-related organizations during the global health pandemic. On one hand, ransomware operators would do well not to do anything especially egregious at this moment in order to avoid provoking a significant and well-resourced response. On the other hand, organizations should not always assume a rational actor and should not let these assertions lull them into a false sense of security. Following the coverage of these promises came news of a successful ransomware attack against a health provider by Maze, one of the operators who asserted activity against “all kinds of medical organizations” would cease “until the stabilization of the situation with virus” (Abrams 2020).

The victim in this case is Hammersmith Medicines Research, (@hmrlondon) online at hmrlondon.com.

Some of the data exfiltrated during the attack was posted on Maze’s website. After news of the incident broke widely, the data was removed.

About

Was the ransom paid?: No

Ransom Amount: Unknown

Entry Vector: Unknown

Ransomware Round-Up

• Stolen data of company that refused REvil ransom payment now on sale
• Medical and military contractor Kimchuk hit by data-stealing ransomware
• Cyber insurer Chubb had data stolen in Maze ransomware attack
• More Ransomware Gangs Join Data-Leaking Cult
• Maze Ransomware Leaked Files of Online Sports Betting Company BetUS
• FBI turns to insurers to grasp the full reach of ransomware
• Microsoft works with healthcare organizations to protect from popular ransomware during COVID-19 crisis: Here’s what to do
• Ransomware strikes biotech firm researching possible COVID-19 treatments - attributed to REvil/Sodinokibi
  

/etc

Getting up to speed with REvil/Sodinokibi

Several of this week’s stories refer to REvil/Sodinokibi making this a great time to collect and revisit some of the best write-ups on this particular ransomware strain. Here is a quick list of some of the best available resources on REvil/Sodinikibi as of this writing:

• Sodinokibi ransomware exploits WebLogic Server vulnerability - Cisco Talos team provides one of the earliest write-ups of Sodinokibi.
• Cybereason Noctornus - good technical analysis
• A connection between the Sodinokibi and GandCrab ransomware families? - Tesorion provides further data to bolster the connection between GandCrab and Sodinokibi.

• CB TAU Threat Intelligence Notification: Sodinokibi Ransomware - Carbon Black has a good, brief walkthrough and links to related IOCs on GitHub. Carbon Black’s Threat Analysis Unit hosts hashes, domains and Yara rules specifically focused on Sodinokibi.

  • IOCs_2019_Q3_Sodinokibi-Hashes.csv
  • IOCs_2019_Q3_Sodinokibi-Domains.csv
  • sodinokibi_ransomware_2019_Q3.yara

The ransomware attack on Travelex at the tail end of 2019 is attributed to REvil/Sodinokibi. This strain of ransomware has made its presence felt strongly especially considering that it is only been on the public radar for less than a year.

SEC Filings are interesting

The Form 8-K that 10x Genomics (NASDAQ: TXG) filed on April 1, 2020 contained news of the ransomware attack that it faced in March. This is a form that companies must file with the Securities and Exchange Commission when there is news that shreholders should know about; more info at the SEC website.

Ransomware Incident Response Playbook

Counteractive has a set of templates for incident response plans available on GitHub. Their ransomware playbook has many TODO items but is quite good.

Follow-Up

In the last issue, we discussed a French-language alert about Mespinoza/Pysa alert from CERT-FR. The English version of the report is now available as a PDF.

FIN

Stay safe.

Wash your hands.

Be kind to one another.