The Week in Ransomware – February 18th 2022 – Mergers & Acquisitions
The big news this week is that the Conti ransomware gang has recruited the core developers and managers of the TrickBot group, the developers of the notorious TrickBot malware.
This recruitment drive now allows the Conti ransomware gang to focus on developing further stealthy malware, such as BazarBackdoor, while letting the TrickBot malware slowly wane away due to its easy detection by antivirus software.
With this “merger,” Conti has evolved into an actual cybercrime syndicate with different groups focusing on developing malware for each leg of a ransomware attack, ranging from initial access to encrypting.
This week’s other news is the FBI disclosing that BlackByte breached US critical infrastructure, and a new report by Chainalysis gives us a better glimpse of the ransomware payment ecosystem.
New ransomware attacks we learned about this week include BlackByte’s attack on the San Francisco 49ers, Mizuno getting hit by ransomware, and BlackCat confirming they were behind the attack on Swissport.
Contributors and those who provided new ransomware information and stories this week include: @BleepinComputer, @fwosar, @Ionut_Ilascu, @DanielGallagher, @PolarToffee, @LawrenceAbrams, @FourOctets, @Seifreed, @serghei, @malwareforme, @VK_Intel, @jorntvdw, @malwrhunterteam, @demonslay335, @struppigel, @JakubKroustek, @Ax_Sharma, @S2W_Official, @pcrisk, @chainalysis, @briankrebs, and @Amigo_A_.
February 13th 2022
NFL’s San Francisco 49ers hit by Blackbyte ransomware attack
The NFL’s San Francisco 49ers team is recovering from a cyberattack by the BlackByte ransomware gang, which claims to have stolen data from the American football organization.
New STOP Ransomware variants
Jakub Kroustek found new STOP Ransomware variants that append the .qnty and .iips extensions.
New Dharma Ransomware variant
Jakub Kroustek found a new Dharma Ransomware variant that appends the .kl extension.
New Sojusz ransomware
Amigo-A found a new ransomware named Sojusz that appends the .sojusz extension.
February 14th 2022
Sports brand Mizuno hit with ransomware attack delaying orders
Sports equipment and sportswear brand Mizuno is affected by phone outages and order delays after being hit by ransomware, BleepingComputer has learned from sources familiar with the attack.
FBI: BlackByte ransomware breached US critical infrastructure
The US Federal Bureau of Investigation (FBI) revealed that the BlackByte ransomware group has breached the networks of at least three organizations from US critical infrastructure sectors in the last three months.
Russian Cybercriminals Drive Significant Ransomware and Cryptocurrency-based Money Laundering Activity
In this section, we’ll delve into two intertwined areas of Russia’s crypto crime ecosystem that, together, have serious implications for cybersecurity, compliance, and national security: ransomware and money laundering.
Wazawaka Goes Waka Waka
This post concerns itself with the other half of Wazawaka’s identities not mentioned in the first story, such as how Wazawaka also ran the Babuk ransomware affiliate program, and later became “Orange,” the founder of the ransomware-focused Dark Web forum known as “RAMP.”
New D3adCrypt ransomware
Amigo-A found a new ransomware dubbed D3adCrypt that appends the .d3ad extension and drops ransom notes named d3ad_Help.txt and d3ad_Help.hta.
February 15th 2022
BlackCat (ALPHV) claims Swissport ransomware attack, leaks data
The BlackCat ransomware group, aka ALPHV, has claimed responsibility for the recent cyber attack on Swissport that caused flight delays and service disruptions.
New LockDown ransomware variant
Karsten Hahn spotted a new variant of the LockDown ransomware that appends the .cantopen extension.
February 16th 2022
The Chainalysis 2022 Crypto Crime Report
Sure enough, we updated our ransomware numbers a few times throughout 2021, reflecting new payments we hadn’t identified previously. As of January 2022, we’ve now identified just over $692 million in 2020 ransomware payments — nearly double the amount we initially identified at the time of writing last year’s report.
February 17th 2022
Tracking SugarLocker ransomware & operator
As a result of hunting for the SugarLocker ransomware, it is presumed that the operator has been producing SugarLocker ransomware since at least early 2021. It seems that the ransomware has actually been distributed since the second half of last year, but no attack cases have been confirmed so far. They do not operate a data leak site, and it seems that the ransomware name has been changed recently, so it does not appear to be active yet.
New STOP Ransomware variants
PCrisk found new STOP Ransomware variants that append the .ckae and .eucy extensions.
A Method for Decrypting Data Infected with Hive Ransomware
Among the many types of malicious codes, ransomware poses a major threat. Ransomware encrypts data and demands a ransom in exchange for decryption. As data recovery is impossible if the encryption key is not obtained, some companies suffer from considerable damage, such as the payment of huge amounts of money or the loss of important data. In this paper, we analyzed Hive ransomware, which appeared in June 2021. Hive ransomware has caused immense harm, leading the FBI to issue an alert about it. To minimize the damage caused by Hive Ransomware and to help victims recover their files, we analyzed Hive Ransomware and studied recovery methods. By analyzing the encryption process of Hive ransomware, we confirmed that vulnerabilities exist by using their own encryption algorithm. We have recovered the master key for generating the file encryption key partially, to enable the decryption of data encrypted by Hive ransomware. We recovered 95% of the master key without the attacker’s RSA private key and decrypted the actual infected data. To the best of our knowledge, this is the first successful attempt at decrypting Hive ransomware. It is expected that our method can be used to reduce the damage caused by Hive ransomware.
While a very interesting read on decrypting ransomware, Michael Gillespie says that it may not be a practical method to decrypt files encrypted by Hive.
February 18th 2022
Conti ransomware gang takes over TrickBot malware operation
After four years of activity and numerous takedown attempts, the death knell of TrickBot has sounded as its top members move under new management, the Conti ransomware syndicate, who plan to replace it with the stealthier BazarBackdoor malware.
New MonaLisa ransomware
Amigo-A found a new ransomware dubbed MonaLisa that appends the .barrel or .nekochan extensions and drops ransom notes named info.txt or info.hta.