Ransomware that cares, TLD concerns and the “Sangria Tempest” cyberthreat

Welcome to Changelog for 5/21/23, published by Synack! Nathaniel Mott here with a recap of what happened in cyber this week. Programming note: Changelog will not publish next week as we observe Memorial Day in the U.S.


The payload

What if ransomware could be used for good? That reads like a contrarian #slatepitch, but it’s the question a group of cybercriminals is looking to answer.

CyberScoop reported on Thursday that an “unnamed group that is at least publicly claiming to be driven by anti-capitalist sentiment and its own brand of cyber benevolence” has “attacked nearly 200 organizations in less than two months.” But instead of demanding a traditional ransom, the group has reportedly told victims to donate to a charity.

This isn’t the first time ransomware has been used to extort something other than cryptocurrency from victims. The so-called GoodWill ransomware popped up in 2022 with a series of demands—distributing blankets to unhoused people, taking poor children to a chain restaurant and paying off someone’s medical bills—rather than an attempt to make some money.

BleepingComputer reported that this group, which it dubs “MalasLocker,” has primarily targeted organizations running Zimbra software. Unfortunately, it’s not clear if organizations that capitulate to the group’s demands by donating to charity have actually received the encryption keys needed to restore their systems. That makes all the difference in deciding if this group is a modern Robin Hood and his Ransomware Gang or just a bunch of bad actors. And for victims, ransomwaring is not caring: It can never be fun.

The week, compiled

It’s never a good sign when infosec Twitter can’t stop talking about domain names. Usually this happens when infrastructure tied to a particular threat actor is revealed, or when folks discuss the ease with which adversaries can set up lookalike domains such as “fac3book.com” and the like.

This week it was because Google made a series of new top-level domains (TLDs) available to the public. These TLDs—identified by the characters that appear after the dot in a URL, so “security” in “readme.security,” for example—include “dad,” “phd” and “foo.” Those are fine. Experts say the new “zip” and “mov” TLDs, on the other hand, are cause for concern.

The fear is that attackers will be able to use the “zip” TLD in particular to conduct phishing attacks. Not everyone is convinced this will prove to be a problem, especially if organizations block the “zip” TLD entirely, but it’s not hard to imagine someone nefarious at least attempting to take advantage of the newly blurred line between file extension and TLD.

Here are some of the other stories that caught my eye last week:

Reuters: Montana has banned TikTok. New legislation that prohibits Apple and Google from offering the app in their marketplaces was passed on Wednesday, and provided it survives the inevitable barrage of complaints and court challenges, it will go into effect in 2024. State lawmakers cited intelligence gathering concerns stemming from TikTok’s ownership by Chinese company ByteDance.

TechCrunch: Capita, an outsourcing company that was hacked in April and discovered earlier this month to have left 655GB of data openly accessible to anyone with an internet connection, has reportedly started informing its customers that their data may have been compromised as well.

Microsoft: FIN7—a cybercriminal group that Microsoft tracks as Sangria Tempest yet somehow continues to be known by Mandiant’s humdrum “FIN[X]” naming system—has been spotted deploying its first ransomware since late 2021. Microsoft said on Twitter that “the group was observed deploying the Clop ransomware in opportunistic attacks in April 2023.”

A message from Synack

Dive deep into the top software flaws of 2022 in Synack’s inaugural State of Vulnerabilities report. Researchers on the elite Synack Red Team uncovered a record 14,800 exploitable vulnerabilities across Synack targets last year, ranging from authentication failures to SQL injections. The report shares insights into the root causes of these security gaps. Learn how Synack finds the vulnerabilities that matter and check out the full report here.

Flash memory

Friday marked the 25th anniversary of L0pht’s famous 1998 testimony before the U.S. Senate regarding the security problems found in practically everything else related to computing. (L0pht member Joe Grand shared a video of the testimony on YouTube in 2011; it’s worth the watch. And check out README editor-in-chief Blake Sobczak’s podcast interview with former L0pht member Space Rogue while you’re at it.)

Decipher’s oral history of L0pht—which the outlet described as “a small, loosely connected group of hackers that would help shape the future of the hacker scene and go on to define the security industry as we know it today”—includes an installment devoted to this Senate testimony. It’s named after the boldest claim made during the testimony: that a single member of L0pht could take down the internet in 30 minutes or less.

This could have been a wake-up call. The Washington Post argued in 2015 that it wasn’t. “What happened instead was a tragedy of missed opportunity,” the Post wrote, “and 17 years later the world is still paying the price in rampant insecurity.” Now, eight years after the publication of that article, we’re still struggling to learn the lessons we should’ve learned 25 years ago. Maybe things’ll be different in another 25.

Local files

The Guardian: The Philadelphia Inquirer was targeted by a ransomware attack this week in what The Guardian described as “the worst disruption to the Inquirer in decades.” The paper said this attack wouldn’t stop it from covering Philadelphia’s mayoral primary election on Tuesday, however, and has been able to continue publishing news stories online.

The Record: The Oklahoma Institute of Allergy Asthma and Immunology announced earlier this month that it had closed two clinics “due to a cybersecurity event,” The Record reported, which was later clarified to mean the organization was “locked out of everything” required to operate.


I didn’t play tee-ball as a kid, so I didn’t know what to expect when my four-and-a-half-year-old son joined a local team a few weeks ago. Now that I’ve seen a few practices and a couple of games, I have the answer: chaos.

Some kids want to hit the ball as hard as they can, run to first base and make their way “home” as quickly as possible. Others have proven to be more interested in chewing on their gloves, picking dandelions or chatting with their friends. Nobody is keeping score; I suspect that nobody could.

Eventually these kids will have to decide if they want to move on to little league or if their experience with America’s pastime stops with tee-ball. But I think there’s something pure about the fun they’re having right now, even if half of them couldn’t care less about actually playing the game.

Have a little fun. Embrace the chaos. You just might like it.

That’s all for now — please send any feedback to nmott@synack.com or bsobczak@synack.com. See you in June!