Warnings on emerging ransomware threats; critical HP printer updates issued
Posted by: GuidePoint Security
Published 12/9/21, 9:30am
What you need to know
In recent cybersecurity news headlines, businesses are being warned of two emerging ransomware threats—Sabbath and Yanluowang—targeting organizations operating in the fields of education, healthcare, natural resources, finance, manufacturing, IT services, consulting, and engineering. In addition, the information technology company Hewlett-Packard (HP) has issued patches to address vulnerabilities found in approximately 150 different printer models.
- An unholy threat: ransomware operators dubbed ‘Sabbath’ targeting critical US infrastructure
- Warnings about ransomware strain called Yanluowang
- Updates to address critical printer vulnerabilities issued by HP
Cybersecurity news final thoughts: The ransomware revolving door
Ransomware operators love the name-and-affiliate shell game, pivoting between the ransomware family they deploy and the name they go by. In the last year there were countless news reports of gangs that shut down (some voluntarily, others by force), re-emerged, changed names, or switched affiliate programs.
Examples include the shutdown and demise of the REvil ransomware affiliate operation, the supposed shutdown of DarkSide ransomware, and the creation of a new DarkSide affiliate program named BlackMatter. Add to that the constant stream of new ransomware strains and of affiliate groups flipping between ransomware-as-a-service (RaaS) operations, as with the emerging Yanluowang strain, which is being delivered by threat actors previously connected to the Thieflock ransomware.
Ransomware gangs have a history of reinventing themselves when the need arises; in this business, necessity is the mother of reinvention rather than invention. Hermes became Ryuk, which became Conti. BitPaymer became DoppelPaymer, which became Grief; all three are linked to the 'Evil Corp' gang, which is also associated with the Dridex banking trojan and the WastedLocker ransomware. And Cerber became GandCrab, which eventually became REvil/Sodinokibi. Gangs also 'disappear' when law enforcement turns up the heat, or when they want to revamp or redesign their malware to improve distribution, infection rates, or profitability. Affiliates do the same, flipping between RaaS services when another ransomware strain appears more lucrative.
Ransomware gangs have also been known to rebrand themselves or their products to evade sanctions, as in the case of Evil Corp. Once the U.S. Treasury's Office of Foreign Assets Control (OFAC) sanctioned the group, any business paying a ransom to Evil Corp risked hefty civil penalties, so Evil Corp (of Dridex, Locky, and BitPaymer notoriety) simply went under the radar for a while and re-emerged with several new strains of ransomware, including WastedLocker and PayloadBIN.
Security researchers who immerse themselves in the ransomware underground spend extensive time tracking these gangs' tactics, techniques, and procedures (TTPs) to identify ransomware strains and their origins, and to work out how to minimize (or even prevent) an attack.
This hard work can pay off, as evidenced by the recent arrests, indictments, and seizure of funds tied to REvil/Sodinokibi affiliate operators.
Despite law enforcement's best efforts, though, businesses are extremely unlikely to see an end to the ransomware blight anytime soon. The important thing to remember is that a ransomware threat by any other name still reeks of villainy. Whatever name they go by, ransomware operators cannot be trusted, and no business should engage with them believing that these criminals will act in good faith and honor any agreement. Therefore, to further ransomware research and help identify attackers, every ransomware victim should report the attack to law enforcement and work with a ransomware incident response team.