The Week in Ransomware – August 20th 2021

T-Mobile is Warning that a data breach has exposed the names, date of birth, Social Security number and driver’s license/ID information of more than 40 million current, former or prospective customers who applied for credit with the company. Get Secured Now with Norton 360


Ransomware gangs continue to attack schools, companies, and even hospitals worldwide with little sign of letting up. Below we have tracked some of the ransomware stories that we are following this week.

Stories of particular interest revolve around new features and tactics used by some of the ransomware operations.

After analyzing the Conti training material leaked earlier this month, we learned that they use a legitimate remote access software to retain persistence on a compromised network. We also learned that they prioritize searching for cyber insurance policies and financial documents after taking control of a network.

Another report illustrates how threat actors are tracking researchers on Twitter as a new ransomware gang known as LockFile uses the PetitPotam attack to take over Windows domains.

Some of the attacks we saw this week were against the Brazilian National Treasury, Memorial Health System, and Japanese insurer Tokio Marine.

Finally, there is some good news, as Emsisoft has released a SynAck ransomware decryptor after the master decryption keys were released by the threat actors earlier this month.

Contributors and those who provided new ransomware information and stories this week include: @malwareforme, @DanielGallagher, @jorntvdw, @Seifreed, @Ionut_Ilascu, @struppigel, @PolarToffee, @demonslay335, @VK_Intel, @BleepinComputer, @serghei, @malwrhunterteam, @FourOctets, @fwosar, @LawrenceAbrams, @symantec, @emsisoft, @AdvIntel, @IBMSecurity, and @fbgwls245.

August 14th 2021

New Karma ransomware

dnwls0719 found a a new Karma ransomware that appends the .KARMA extension and has a dedicated leak site.

Karma ransomware

August 16th 2021

Hive ransomware attacks Memorial Health System, steals patient data

In what appears to be an attack from the Hive ransomware gang, computers of the non-profit Memorial Health System have been encrypted, forcing staff to work with paper charts.

Colonial Pipeline reports data breach after May ransomware attack

Colonial Pipeline, the largest fuel pipeline in the United States, is sending notification letters to individuals affected by the data breach resulting from the DarkSide ransomware attack that hit its network in May.

August 17th 2021