May 18, 2024


It's the Technology

Monsters Inc, Stingless Bees, and BlackFog makes the threats clear. This Week in Ransomware – Sunday December 4, 2022

Monsters Inc, Stingless Bees, and BlackFog makes the threats clear. This Week in Ransomware – Sunday December 4, 2022

We know that monsters aren’t real, but they’re still a threat

Software company ESET has detected a new ransomware variant named RansomBoggs in organizations in Ukraine.

The ransom note that accompanies the attack claims to be written by James P. Sullivan, the main character in the movie Monsters Inc. Other references to the movie are also reported to be in the code.

RansomBoggs note (ESET)

ESET points out that this new variant shares many similarities with previous attacks by a group known as Sandworm. It uses a PowerShell script to distribute .NET ransomware.

Sandworm is reportedly a group of elite state-sponsored Russian hackers, active for decades, with a reputation for attacking infrastructure and control systems.

Security blog Bleeping Computer stated that they are “believed to be part of Unit 74455 of the Russian GRU’s Main Center for Special Technologies.”

The group has been linked to earlier attacks on Ukraine infrastructure with the KillDisk wiper as well as the NotPetya ransomware. The U.S. Department of Justice charged six members of the group for activities related to the NotPetya ransomware attack, as well as attacks on the 2018 Winter Games and the 2017 elections in France.

It also doesn’t float like a butterfly

A new ransomware group has emerged which has been named Trigona, after a family of stingless bees. The group has adopted a logo which features a person in a cyber bee costume.

Source:  Malware Hunter Team tweet

While the group has been active for some time, it has recently launched a new Tor site where it accepts Monero for ransom payments. Monero bills itself as a secure, private and untraceable currency.

Lawrence Abrams from security blog Bleeping Computer has done some deeper analysis on Trigona.

BlackFog issues a list of ransomware attacks with a number of Canadian attacks

Security firm BlackFog issued its State of Ransomware in 2022 report, with a month-by-month review of some of the major attacks from the past year. The list is drawn from attacks around the world, and is a rather depressing year in review. A number of prominent Canadian organizations made the list, including Sobeys, the Ontario Secondary School Teacher’s Federation, the Montreal Tourism Agency, Bell Technical Services, the John Diefenbaker International Airport, and more.

The list is worth looking at, if only to gain a clear picture of the sheer range of organizations that have been affected by ransomware. Statistics and mapping are one way to view the problem, but going month by month through the lists of companies brings the problem into stunning clarity.