A new ransomware family called Colossus has snagged at least one victim in the United States as of last week, according to security researchers at ZeroFox.
Targeting Windows systems, the Colossus ransomware was used in an attack on an automotive group of dealerships based in the U.S., with its operators threatening to leak 200 GB of stolen data.
The cybercriminals, who demanded $400,000 in exchange for the decryption key, directed the victim to contact them via a “support page” hosted on a custom domain.
ZeroFox’s security researchers note that the Colossus operators appear to be familiar with existing ransomware-as-a-service (RaaS) groups and might even be directly associated with one of them.
The operators registered the domain for the support portal on September 19, via Tucows, and are using dnspod as their DNS provider.
ZeroFox hasn’t observed dark web chatter related to a Colossus ransomware product or affiliate program, but that doesn’t mean the operation isn’t associated with other RaaS groups.
In fact, the Colossus ransom note is similar to samples from EpsilonRed/BlackCocaine and REvil/Sodinokibi, suggesting the use of a similar builder. The cybercrime group also “follows a pattern of ransomware groups disappearing and reappearing with a rebranded name and similar toolsets,” the researchers note.
While a public Colossus-specific leak site doesn’t exist yet, one might emerge in the coming weeks to leak data from victims unwilling to pay the ransom.