KillSec and Yurei execute successful ransomware attacks
Ransomware gangs continue to evolve, with some reemerging stronger than ever. The BlackCat ransomware gang, for instance, ceased operations in March 2024 following an exit scam, while LockBit quickly revived itself after law enforcement actions. Groups like LockBit have shown resilience, with LockBit evolving into LockBit 5.0, which features faster encryption, enhanced evasion techniques, and a revamped affiliate program. Recent articles highlight both established and emerging ransomware groups, including the resurgence of Petya in a new strain.
On September 8, the KillSec ransomware group targeted MedicSolution, a Brazilian healthcare software provider, threatening to leak 34 GB of sensitive data, including over 94,000 files containing lab results and patient records. The breach stemmed from insecure AWS S3 buckets, with exposure potentially lasting several months.
Meanwhile, the newcomer Yurei ransomware group claimed its first victim on September 5, attacking MidCity Marketing, a food manufacturing company in Sri Lanka, and subsequently targeting victims in India and Nigeria. Yurei’s operators, likely based in Morocco, utilised a modified version of the open-source Prince-Ransomware, making detection more challenging.
Additionally, researchers at ESET discovered HybridPetya, sophisticated malware that combines NotPetya’s destructive capabilities with Petya’s recoverable encryption. It is capable of bypassing UEFI Secure Boot protections and poses a persistent threat even after system reinstallation.