Hello, world!

Ransomware in the News

Tired: Nemty | Wired: Nefilim

ZDNet reported on the Nemty crew shutting down after less than a year on the scene.

READ Nemty ransomware operation shuts down public RaaS

The availability of decrypters for versions of Nemty made this news unsurprising. The attackers appear to be a dedicated crew, now out with a new, related strain of ransomware dubbed Nefilim.

Coverage

Maze hits IT services company Cognizant Technology Solutions

BleepingComputer broke the news of a ransomware attack against Cognizant. This attack has been attributed to Maze.

Cognizant acknowledged the incident both on Twitter and in a security incident update on their website.

Gambling company to set aside $30 million to deal with cyber-attack fallout

We have spoken previously about interesting SEC filings. ZDNet has a write-up on another interesting one. View the 8-K directly on the SEC website.

Ransomware Round-Up

/etc

Survey of Email Address Providers in Ransomware Notes

Prior to looking more closely, I guessed that the majority of contact email addresses in ransomware notes are provided by ProtonMail or Tutanota. This is unsurprising given that these are the top results in a query for free encrypted email:

ProtonMail, TutaNota

I decided to take a quick look to test this assessment. Here is what I did:

Collect the ransomware notes published by Michael Gillespie on his Pastebin page

View the pastes here: Demonslay335’s Pastebin

I used a Python tool I wrote called Pastebin Bisque to download the pastes.

Assemble Yara rules to detect common email providers

I assembled a set of Yara rules that detect email addresses by email service provider. That repository is accessible here on GitLab.

Run the rules against the pastes

Run the rules and examine the results! Many of the ransomware notes reviewed include email addresses provided by Protonmail or Tutanota:

 99 ProtonMail
 49 Tutanota
 16 Yandex
 10 Mailru
  2 Msgsafe
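A plain-Python equivalent of the "run the rules and count" step above, added here as an example; it is not the author's Pastebin Bisque tool or the GitLab Yara rules. The provider-to-domain mapping and the sample notes are constructed for illustration, and, like a Yara rule hit, each provider is counted at most once per note.

```python
import re
from collections import Counter

# Assumed provider -> domain mapping (an assumption for this example;
# extend it the same way the Yara rules on the page enumerate domains).
PROVIDER_DOMAINS = {
    "ProtonMail": {"protonmail.com", "protonmail.ch", "pm.me"},
    "Tutanota":   {"tutanota.com", "tutanota.de", "tutamail.com", "tuta.io"},
    "Yandex":     {"yandex.com", "yandex.ru", "ya.ru"},
    "Mailru":     {"mail.ru", "bk.ru", "list.ru", "inbox.ru"},
    "Msgsafe":    {"msgsafe.io"},
}
DOMAIN_TO_PROVIDER = {d: p for p, ds in PROVIDER_DOMAINS.items() for d in ds}

# Captures the domain part of anything that looks like an email address.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def providers_in_note(note: str) -> set:
    """Set of providers whose addresses appear in one note.
    Unknown domains are bucketed as "Other" so coverage gaps are visible."""
    found = set()
    for m in EMAIL_RE.finditer(note):
        domain = m.group(1).lower().rstrip(".")
        found.add(DOMAIN_TO_PROVIDER.get(domain, "Other"))
    return found


def tally_providers(notes) -> Counter:
    """Per provider, how many notes contain at least one of its addresses."""
    tally = Counter()
    for note in notes:
        tally.update(providers_in_note(note))
    return tally


# Constructed sample notes (not real ransom notes) so the script runs offline.
SAMPLE_NOTES = [
    "Your files are encrypted. Contact help_restore@protonmail.com or backup_restore@tutanota.com.",
    "To get the decryptor write to: support2020@PROTONMAIL.CH",
    "Write us: recovery@yandex.ru (reserve: recovery2@mail.ru)",
    "Email: unlock@msgsafe.io. Do not rename files.",
    "Contact: decrypt@example.com",
    "No email here, only a TOR address: http://example.onion",
]

if __name__ == "__main__":
    for provider, count in tally_providers(SAMPLE_NOTES).most_common():
        print(f"{count:4d} {provider}")
```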

FIN

Be well.