A Menacing Duo – Ransomware and Emotet

Author: Jennifer Walker

Created: Tuesday, November 3, 2020 - 19:49

Categories: Cybersecurity, General Security and Resilience

Even before the WaterISAC advisory on Friday, members had plenty of reason to keep ransomware top of mind, including the significant increase in Emotet detections since the trojan’s reawakening this July. Between the CISA/MS-ISAC Ransomware Guide and the subsequent combined Alert (AA20-280A) noting the targeting of state and local governments with Emotet phishing emails, members have been kept equipped and apprised to address these perpetual menaces. And that was all before the ransomware scourge against healthcare organizations and the commensurate CISA/FBI/HHS Alert (AA20-302A) last week. Furthermore, recent data from HP and Bromium not only validates the surge in detected Emotet attacks, but also supports an increase in ransomware campaigns during Q3 of this year, as Emotet is often used as a downloader to install additional malware (e.g., QakBot, TrickBot), including human-operated ransomware. For more on recently observed Emotet activity, visit Infosecurity Magazine.

A-Maze-d and Confused

In related ransomware news… Remember GandCrab? The ransomware that seemingly “retired” in June 2019, but then reemerged under different names (REvil, Sodinokibi) with behavior even worse than its predecessor? It seems the group responsible for Maze ransomware is taking a page out of GandCrab’s book, although to what degree is unknown. Maze, the double extortion pioneers, have called it quits. While the group claims it has officially closed down its ransomware operation and will no longer be leaking new companies’ data on its site, Maze “affiliates” have reportedly moved to the new Egregor ransomware operator. Egregor, Maze, and another ransomware called Sekhmet are believed to be created from the same software. Egregor was the subject of a recent WaterISAC members-only advisory published on Friday. Only time will tell if this prominent and pioneering ransomware group will come back more disagreeable than before. For more on the Maze shutdown, visit BleepingComputer.
