BleepingComputer reports that at least one group of actors is behind a wave of emails to U.S. companies falsely claiming to have stolen their data and demanding a ransom.
Messages to enterprises reportedly began appearing as early as March 16; in them the actors impersonated known ransomware groups, including the Silent Ransom Group (also known as Luna Moth) and the Surtr ransomware group. In one instance, a group calling itself Midnight, or the Midnight Group, sent a message to a former senior financial planner at a certain company, claiming to have breached the company's systems and stolen 600 GB of "essential data."
Risk consulting firm Kroll's managed detection and response division also reported in March that organizations began receiving similar emails on March 23 under the name of the Silent Ransom Group, threatening distributed denial-of-service attacks if the demands were not met. Meanwhile, incident response company Arete reported that Midnight impersonated Surtr and SRG while targeting previous ransomware attack victims. Because the claims in these campaigns were false, a recipient's first step is to check any alleged intrusion against its own logs and endpoint telemetry rather than treat the email itself as evidence.
Malicious QR code messages have also been increasingly used against the education sector: Office 365 was used to send more than 15,000 such messages to education entities, according to a Microsoft Threat Intelligence report.
While DumpForums claimed to have infiltrated the company's corporate GitLab server, mail server, and software management services, Dr. Web emphasized that the incident had not resulted in any customer data compromise.
Misconfigured Magento or OpenCart instances may have been targeted to facilitate the deployment of Mongolian Skimmer, which registers its capture routine through several different event-handling methods for broad browser compatibility while concealing its malicious activity behind heavy use of Unicode characters.