In early June 2020, the Maze gang teamed up with other crypto-malware actors to extort non-paying victims using its shared data leaks platform. Maze wasn’t the only strain that made news. Those behind the REvil family also attracted the security community’s attention when it began auctioning off data stolen by their creation. Additionally, security researchers discovered two new crypto-malware groups: Kupidon and Avaddon.

Top Story: Maze’s New Extortion Cartel

On June 3, digital security intelligence firm KeLa informed Bleeping Computer that the Maze ransomware gang had added information stolen from an architectural firm to its “Maze News” data leak site. This data dump wasn’t the first time Maze had publicly posted the stolen data of a victim who had refused to meet a ransom demand, but it was the first time Maze’s actors had used their site to publish the information stolen by a different ransomware group. Indeed, the information had come from a successful attack conducted by the LockBit Ransomware-as-a-Service (RaaS) platform.

Bleeping Computer contacted the Maze operators for clarification. In their response, the ransomware actors revealed they had partnered with LockBit to share their experience and data leaks platform. They also disclosed that another ransomware group would be joining their cartel in the coming days and that other gangs had shared their desire to join in the future.

Sure enough, Bleeping Computer learned of a “Maze News” posting pertaining to the Ragnar Locker ransomware strain just days later.

Also in Ransomware News

  • Victim Data Auctioned Off by REvil Ransomware Group: In the beginning of June, KrebsonSecurity learned that the malicious actors responsible for distributing REvil ransomware had posted an update on their “Happy Blog” dark web data leak site. The post announced that the digital attackers would begin auctioning off three databases and more than 22,000 files which they had stolen from an agricultural company. In their update, REvil’s handlers announced that the minimum deposit was $5,000 and that the bidding for the entire collection of stolen data would start at $50,000.
  • New Kupidon and Avaddon Ransomware Strains Discovered: On June 5, Bleeping Computer reported on a security researcher’s discovery of a new ransomware strain back in the beginning of May. The crypto-malware threat, detected as “Kupidon,” targeted both users and corporations at the time of discovery. After performing its encryption routine, the ransomware instructed the victim in its ransom note to visit a Tor site that contained an image of cupid and an email address for receiving payment instructions. News of Kupidon came just days before the computer self-help site learned about an attack campaign in which malspam emails containing a smily or winky face had leveraged a malicious JavaScript downloader to infect victims with samples of the new Avaddon ransomware family.
  • Decryption Tool Released for Tycoon Ransomware: The BlackBerry Research and Intelligence Team uncovered Tycoon, a multi-platform ransomware written in Java. The researchers found that malicious actors were using a trojanized java runtime environment (JRE) along with an obscure java image format to target Windows and Linux machines operated by SMBs in the education and software industries. Over the course of their analysis, the researchers found that Tycoon had reused a common RSA private key and subsequently wondered whether victims could recover their data encrypted by earlier versions of the ransomware for free. Emsisoft confirmed this to be the case when it released its updated RedRum decryption software (The earliest version of Tycoon had a .redrum file extension, per Dark Reading.).
  • QNAP Storage Devices Targeted by eChoraix Ransomware: At the beginning of June, ID-Ransomware documented a surge of reports from eChoraix victims seeking help to recover their data. A closer look revealed that the malicious actors who perpetrated those attacks gained access to QNAP storage devices by abusing vulnerabilities or by brute-forcing weak passwords. Upon gaining access, the ransomware then ran its decryption routine before dropping a ransom demand in which it asked victims to hand over a ransom fee of $500.
  • Thanos RaaS Tool Connected to Hakbit: According to Recorded Future, Insikt Group discovered Thanos Ransomware-as-a-Service (RaaS) for sale on an exploit forum while investigating the weaponization of RIPlace technique. In the process of analyzing the new ransomware, Insikt Group found that Thanos shared similar code with Hakbit, among other commonalities. These connections led Insikt Group to conclude that malicious actors had constructed Hakbit using the Thanos ransomware builder.

How to Defend Against Ransomware

Security professionals can help their organizations defend against a ransomware infection by ensuring they have access to the latest threat intelligence. These information feeds will give them the necessary data they need to stay on top of the latest crypto-malware attacks and techniques. Infosec personnel should also leverage an endpoint management tool to monitor their endpoints for suspicious activity that could be indicative of a ransomware infection.

More from News

The White House on Quantum Encryption and IoT Labels

A recent White House Fact Sheet outlined the current and future U.S. cybersecurity priorities. While most of the topics covered were in line with expectations, others drew more attention. The emphasis on critical infrastructure protection is clearly a top national priority. However, the plan is to create a labeling system for IoT devices, identifying the ones with the highest cybersecurity standards. Few expected that news. The topic of quantum-resistant encryption reveals that such concerns may become a reality sooner than…

Malware-as-a-Service Flaunts Its Tally of Users and Victims

As time passes, the security landscape keeps getting stranger and scarier. How long did the “not if, but when” mentality towards cyberattacks last — a few years, maybe? Now, security pros think in terms of how often will their organization be attacked and at what cost. Or they consider how the difference between legitimate Software-as-a-Service (SaaS) brands and Malware-as-a-Service (MaaS) gangs keeps getting blurrier. MaaS operators provide web-based services, slick UX, tiered subscriptions, newsletters and Telegram channels that keep users…

New Survey Shows Burnout May Lead to Attrition

For many organizations and the cybersecurity industry as a whole, improving retention and reducing the skills gap is a top priority. Mimecast’s The State of Ransomware Readiness 2022: Reducing the Personal and Business Cost points to another growing concern — burnout that leads to attrition. Without skilled employees, organizations cannot protect their data and infrastructure from increasing cybersecurity attacks. According to Mimecast’s report, 77% of cybersecurity leaders say the number of cyberattacks against their company has increased or stayed the…

Alleged FBI Database Breach Exposes Agents and InfraGard

Recently the feds suffered a big hack, not once, but twice. First, the FBI-run InfraGard program suffered a breach. InfraGard aims to strengthen partnerships with the private sector to share information about cyber and physical threats. That organization experienced a major breach in early December, according to a KrebsOnSecurity report. Allegedly, the InfraGard database — containing contact information of over 80,000 members — appeared up for sale on a cyber crime forum. Also, the hackers have reportedly been communicating with…