Ransomware Week – May 13, 2022

While ransomware attacks slowed during Russia’s invasion of Ukraine and subsequent sanctions, the threat of malware continues to affect organizations around the world.

This can be seen with Costa Rica declaring a national emergency after suffering a massive computer systems outage caused by a Conti Ransomware attack in April.

These outages disrupt public services; for example, people have had to pay their taxes in person at banks rather than online.

The declaration comes shortly after the US government offered a $15 million reward for information that helps locate and identify Conti ransomware members.

Secureworks also analyzed the new REvil ransomware samples, confirming previous reports that the ransomware gang has returned. With the threat actors holding both the REvil source code and the Tor private keys, it's clear that the operation has somehow resumed.

Other news this week includes a technical analysis of Black Basta, with the Conti gang denying any involvement in the new operation.

Contributors and those who provided new ransomware information and stories this week include: @jorntvdw, @Ionut_Ilascu, @Seifreed, @billtoulas, @PolarToffee, @VK_Intel, @fwosar, @malwareforme, @malwhunterteam, @DanielGallagher, @demonslay335, @BleepinComputer, @serghei, @LawrenceAbrams, @struppigel, @FourBytes, @TrendMicro, @kaspersky, @Secureworks, @BrettCallow, @bofheaded, @pcrisk, @ValeryMarchive, @kevincollier, @andrewselsky, @Amigo_A_ and @petrovic082.

May 7, 2022

US offers $15 million reward for information on Conti ransomware gang

The US State Department is offering up to $15 million for information that helps identify and locate the leaders and co-conspirators of the infamous Conti ransomware gang.

New Kekpop ransomware

Petrović found a new ransomware that adds the .kekpop extension and drops a ransom note named Readme.html.

May 9, 2022

Costa Rica declares national emergency after Conti ransomware attacks

Costa Rican President Rodrigo Chaves has declared a national emergency following cyberattacks by ransomware group Conti against several government agencies.

REvil Development Builds Confidence About Reemerging GOLD SOUTHFIELD

Secureworks® Counter Threat Unit™ (CTU) researchers analyzed REvil ransomware samples that were uploaded to the VirusTotal scanning service after the GOLD SOUTHFIELD threat group infrastructure resumed activity in April 2022. The infrastructure had been shut down since October 2021. Analysis of these samples indicates that the developer has access to REvil's source code, increasing the likelihood that the threat group has reappeared. The identification of several samples containing different modifications, and the absence of a new official version, indicate that REvil is under active development.

Review of Black Basta Ransomware infection routine

Black Basta, a new ransomware gang, has risen to prominence rapidly in recent weeks after causing massive breaches to organizations in a short period of time.

Lincoln College closes after 157 years due to ransomware attack

Lincoln College, a liberal arts school in rural Illinois, announced it would close later this month, 157 years after its founding and following a severe hit to its finances from the pandemic of COVID-19 and a recent ransomware attack.

New TitanCrypt ransomware

PCrisk found a new variant of Jcrypt called TitanCrypt, which adds the .titancrypt extension and drops a ransom note named ___RECOVER__FILES__.titancrypt.txt.

New “Japan” ransomware variant

PCrisk has found ransomware that adds the .Japan extension to encrypted files and drops a ransom note named how to decrypt.txt.

May 10, 2022

New Xorist variant

PCrisk found a new Xorist variant that adds the .WanaCray2023+ extension and drops a ransom note named HOW TO DECRYPTE .txt FILES.

Hackers Strike Web Hosting Provider Linked to Oregon Elections

A week before the Oregon primary election, the secretary of state’s office is taking steps to protect the integrity of its online system where campaign finance records are posted after a web hosting provider was hit by a ransomware attack.

May 11, 2022

New ransomware trends in 2022

Ahead of Anti-Ransomware Day, we've summarized the trends shaping the ransomware landscape in 2022. This year, ransomware is no less active than before: cybercriminals continue to threaten retailers and businesses nationwide, old malware variants return while new ones develop. Observing and evaluating these trends not only provides us with threat information for combating cybercrime today, but also helps us infer what trends we might see in the coming months and better prepare for them.

Conti denies any involvement in the new Black Basta gang

Conti continues to threaten the Peruvian government and also states that it is not associated with the new Black Basta operation.

Conti message

New BlueSky ransomware

Dreamer discovered a new ransomware operation named BlueSky.

BlueSky Tor website

May 12, 2022

Ransomware: Has Moscow given free rein to its cybercriminals in Latin America?

Links between Conti and the FSB have been revealed. The cybercriminal outfit has been very aggressive against Costa Rica and Peru, and Latin America as a whole seems particularly affected. Fifteen countries in the region have come out against the invasion of Ukraine.

New STOP ransomware variants

PCrisk has found new STOP ransomware variants that add the .kruu, .ifla and .byya extensions.

May 13, 2022

New variant of STOP ransomware

PCrisk has found a new STOP ransomware variant that adds the .errz extension.

New TxLocker ransomware

Amigo-A found a new TxLocker ransomware that adds the .txlck extension and drops a ransom note named f1x_instructions.txt.

That's all for this week! I hope everyone is having a good weekend!

About Matthew Berkey
