Shortly after the Maze ransomware gang teased that another threat actor would be joining its newly formed cybercrime cartel, the group has appeared to welcome the Ragnar Locker group into the fold.

Maze announced a new victim on its data dump website — in this case, a marketing agency — but credited the Ragnar Locker group with actually performing the attack. Additionally, an industry source told SC Media that the Ragnar group has taken its own leak site offline. “Whether this means they’ve permanently pulled the site and plan to distribute all future leaks via Maze, I can’t say,” the source said.

Last week, it was reported that the actors behind the ransomware LockBit teamed up with the Maze gang, publishing data it had stolen from an architectural firm on Maze’s leak site. Maze confirmed that it was planning to work with additional groups in the future so all parties could mutually benefit.

Ragnar Locker recently made news for becoming what is believed to be the first actor to exploit a virtual machine in order to disguise a ransomware attack.

Other ransomware attacks cropped up as well.

Florence, Alabama hit by DopplePaymer ransomware

Mayor Steve Holt of Florence, Alabama reportedly told Krebs on Security that his city was also hit by a DopplePaymer ransomware attack and would pay a negotiated ransom of approximately $291,000 in bitcoin.

Security expert Brian Krebs reported that the attack struck Florence on June 5, 12 days after he had informed city officials that an actor had gained access to certain systems. (Krebs says was alerted to the compromise through a tip from Hold Security.)

Krebs says the attack on the city — with a population of roughly 41,000 — was enabled via a DHL-themed phishing attack on an IT manager. According to Krebs, the IT manager said the city attempted to mitigate the compromise after it was alerted to the unauthorized access, but it was too late.

New Zorab ransomware imitates STOP Djvu decryptor

BleepingComputer has reported that attackers are distributing a fake STOP Djvu ransomware decryptor that is actually another malicious encryptor program called Zorab.

STOP victims who download and run the false decryptor will actually have their files doubly encrypted.

Last October, Emsisoft released a decryptor for STOP, and now it has also released a decryptor for Zorab. To retrieve their files, Zorab victims have to run both the Zorab and STOP decryptor, one after the other. (However, this will only works for files encrypted by older variants of STOP, Emsisoft notes.)