Arctic Wolf has observed a significant increase in the number of malicious files delivered and opened via OneNote email attachments. Unlike malicious Word and Excel files, infected OneNote files do not require the security prompt asking the end-user to allow macros, thus increasing the chances of unknowingly running the malicious executable.

The annual State CIO Top 10 priorities list issued by the National Association of State Chief Information Officers shows that while the technology initiatives remain relatively unchanged, there is a slight shuffle around priorities. Cybersecurity continues to take the number one spot and will likely be the case for years to come, given the increase in ransomware attacks across industries and organizations of all sizes.

Our annual Ransomware Report shares the latest trends and developments of the most active threat groups, and their victims to help businesses better protect themselves.

Early Friday morning, February 3, 2023, Arctic Wolf Labs began monitoring a new ransomware campaign targeting public-facing ESXi servers. The campaign has grown exponentially over the weekend, with approximately 3,000 victims worldwide as of early-Monday morning. Based on reporting from OVH, the threat actors behind this campaign are likely leveraging a nearly two year old heap overflow vulnerability (CVE-2021-21974) in VMware ESXi’s OpenSLP service.

Ransomware is one of the most painful threats to organizations worldwide. As this industry keeps on growing both in number of groups and improved technology, every now and then global authorities are able to get their hands on individuals and important data that can mitigate and prevent this threat. This week, the FBI was able to take down the notorious Hive Ransomware group’s Onion Site.

Over the weekend, a relatively new ransomware group named Nevada Ransomware initiated a first massive campaign, targeting any ESXi machine that is exposed to the internet. The group seemed to compromise hundreds of servers over the weekend and caused major damage. Although the scale of this campaign is one of the biggest we have seen, it might already have a solution.

Hive has been seized by law enforcement, but were likely to still see these initial access methods and tactics used across other threat actor groups.

Cybersecurity is a complex term, it’s become all-encompassing and constantly evolving to include new and emerging technologies, attacks, actors, and a myriad of other points. What this means for organizations large, medium, and small is that each must have a cybersecurity plan in place. An interesting point, however, is despite the mindshare cybersecurity now enjoys, the industry itself is still in its relative infancy.

Redline infostealer gathers information and steals high value data from an infected machine. The Redline infostealer is considered one of the most dangerous malware currently being used in the wild and has been used in countless trojanized software, applications, games and cracked software. In addition to data exfiltration, Redline also has the capability to connect to a command and control (C2) server to download, upload files as well as perform remote commands.