[BreachExchange] Ragnar Locker teams up with Maze; Zorab ransomware imitates decryptor

Destry Winant destry at riskbasedsecurity.com
Wed Jun 10 10:24:52 EDT 2020


Shortly after the Maze ransomware gang teased that another threat
actor would be joining its newly formed cybercrime cartel, the group
has appeared to welcome the Ragnar Locker group into the fold.

Maze announced a new victim on its data dump website — in this case, a
marketing agency — but credited the Ragnar Locker group with actually
performing the attack. Additionally, an industry source told SC Media
that the Ragnar group has taken its own leak site offline. “Whether
this means they’ve permanently pulled the site and plan to distribute
all future leaks via Maze, I can’t say,” the source said.

Last week, it was reported that the actors behind the ransomware
LockBit teamed up with the Maze gang, publishing data it had stolen
from an architectural firm on Maze’s leak site. Maze confirmed that it
was planning to work with additional groups in the future so all
parties could mutually benefit.

Ragnar Locker recently made news for becoming what is believed to be
the first actor to exploit a virtual machine in order to disguise a
ransomware attack.

Other ransomware attacks cropped up as well.

Florence, Alabama hit by DopplePaymer ransomware

Mayor Steve Holt of Florence, Alabama reportedly told Krebs on
Security that his city was also hit by a DopplePaymer ransomware
attack and would pay a negotiated ransom of approximately $291,000 in

Security expert Brian Krebs reported that the attack struck Florence
on June 5, 12 days after he had informed city officials that an actor
had gained access to certain systems. (Krebs says was alerted to the
compromise through a tip from Hold Security.)

Krebs says the attack on the city — with a population of roughly
41,000 — was enabled via a DHL-themed phishing attack on an IT
manager. According to Krebs, the IT manager said the city attempted to
mitigate the compromise after it was alerted to the unauthorized
access, but it was too late.

New Zorab ransomware imitates STOP Djvu decryptor

BleepingComputer has reported that attackers are distributing a fake
STOP Djvu ransomware decryptor that is actually another malicious
encryptor program called Zorab.

STOP victims who download and run the false decryptor will actually
have their files doubly encrypted.

Last October, Emsisoft released a decryptor for STOP, and now it has
also released a decryptor for Zorab. To retrieve their files, Zorab
victims have to run both the Zorab and STOP decryptor, one after the
other. (However, this will only works for files encrypted by older
variants of STOP, Emsisoft notes.)

More information about the BreachExchange mailing list