While ransomware attacks slowed during Russia’s invasion of Ukraine and subsequent sanctions, the threat of malware continues to affect organizations around the world.
This can be seen with Costa Rica declaring a national emergency after suffering a massive computer systems outage caused by a Conti Ransomware attack in April.
These outages affect public services, including forcing people to pay taxes in person at banks rather than online.
This statement comes shortly after the US government offered a $15 million reward for locating and identifying Conti ransomware members.
Secureworks also analyzed the new REvil ransomware samples, confirming previous reports that the ransomware gang has returned. With the threat actors having both the REvil source code and the Tor private keys, it is clear that the operation has somehow resumed.
Other news this week includes a technical analysis of Black Basta, with the Conti gang denying involvement in the new operation.
Contributors and those who provided new ransomware information and stories this week include: @jorntvdw, @Ionut_Ilascu, @Seifreed, @billtoulas, @PolarToffee, @VK_Intel, @fwosar, @malwareforme, @malwhunterteam, @DanielGallagher, @demonslay335, @BleepinComputer, @serghei, @LawrenceAbrams, @struppigel, @FourBytes, @TrendMicro, @kaspersky, @Secureworks, @BrettCallow, @bofheaded, @pcrisk, @ValeryMarchive, @kevincollier, @andrewselsky, @Amigo_A_ and @petrovic082.
May 7, 2022
US offers $15 million reward for information on Conti ransomware gang
The US State Department is offering up to $15 million for information that helps identify and locate the leaders and co-conspirators of the infamous Conti ransomware gang.
New Kekpop ransomware
Petrović found a new ransomware that adds the .kekpop extension and drops a ransom note named Readme.html.
May 9, 2022
Costa Rica declares national emergency after Conti ransomware attacks
Costa Rican President Rodrigo Chaves has declared a national emergency following cyberattacks by ransomware group Conti against several government agencies.
REvil Development Builds Confidence About Reemerging GOLD SOUTHFIELD
Secureworks® Counter Threat Unit™ (CTU) researchers analyzed REvil ransomware samples that were uploaded to the VirusTotal scanning service after the GOLD SOUTHFIELD threat group infrastructure resumed activity in April 2022. The infrastructure had been shut down since October 2021. Analysis of these samples indicates that the developer has access to REvil’s source code, increasing the likelihood that the threat group has reappeared. The identification of several samples containing different modifications and the absence of a new official version indicate that REvil is under active development.
Review of Black Basta Ransomware infection routine
Black Basta, a new ransomware gang, has risen to prominence rapidly in recent weeks after causing massive breaches to organizations in a short period of time.
Lincoln College closes after 157 years due to ransomware attack
Lincoln College, a liberal arts school in rural Illinois, announced it would close later this month, 157 years after its founding, following a severe hit to its finances from the COVID-19 pandemic and a recent ransomware attack.
New TitanCrypt ransomware
PCrisk found a new variant of Jcrypt called TitanCrypt, which adds the .titancrypt extension and drops a ransom note named ___RECOVER__FILES__.titancrypt.txt.
New “Japan” ransomware variant
PCrisk has found ransomware that adds the .Japan extension to encrypted files and drops a ransom note named how to decrypt.txt.
May 10, 2022
New Xorist variant
PCrisk found a new Xorist variant that adds the .WanaCray2023+ extension and drops a ransom note named HOW TO DECRYPTE .txt FILES.
Hackers Strike Web Hosting Provider Linked to Oregon Elections
A week before the Oregon primary election, the secretary of state’s office is taking steps to protect the integrity of its online system where campaign finance records are posted after a web hosting provider was hit by a ransomware attack.
May 11, 2022
New ransomware trends in 2022
Ahead of Anti-Ransomware Day, we’ve summarized the trends shaping the ransomware landscape in 2022. This year, ransomware is no less active than before: cybercriminals continue to threaten retailers and businesses nationwide, old malware variants return while new ones develop. Observing and evaluating these trends not only provides us with threat information for combating cybercrime today, but also helps us infer what trends we might see in the coming months and better prepare for them.
Conti denies any involvement in the new Black Basta gang
Conti continues to threaten the Peruvian government and also states that it is not associated with the new Black Basta operation.
New BlueSky ransomware
Dreamer discovered a new ransomware operation named BlueSky.

May 12, 2022
Ransomware: Has Moscow given free rein to its cybercriminals in Latin America?
Links between Conti and the FSB have been revealed. The cybercriminal enterprise has been very aggressive against Costa Rica and Peru, and Latin America seems particularly affected. Fifteen countries in the region have come out against the invasion of Ukraine.
New STOP ransomware variants
PCrisk has found new STOP ransomware variants that add the .kruu, .ifla and .byya extensions.
May 13, 2022
New variant of STOP ransomware
PCrisk has found a new STOP ransomware variant that adds the .errz extension.
New TxLocker ransomware
Amigo-A found a new TxLocker ransomware that adds the .txlck extension and drops a ransom note named f1x_instructions.txt.
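The new-variant entries above (Kekpop, TitanCrypt, Japan, the Xorist variant, the STOP variants and TxLocker) each give two file-system indicators: the extension appended to encrypted files and the ransom-note filename. The script below is an added example, not code from the original article or from any of the researchers credited; it turns those indicators into a directory scan that a responder could run over a file share or a mounted disk image. The family names, confidence labels and the sample directory layout are assumptions constructed for the demonstration; only the extensions and note names come from the page.

```python
"""Scan a directory tree for the ransomware file indicators listed in this digest.

Added illustration, not part of the original article. The extension and
ransom-note names are the ones reported on the page; the directory layout in
build_sample_tree() is constructed sample data, not real victim data.
"""
import os
import tempfile
from collections import defaultdict
from pathlib import Path

# Extensions the page reports being appended to encrypted files -> family label.
# Keys are lower-case because matching below is case-insensitive.
ENCRYPTED_EXTENSIONS = {
    ".kekpop": "Kekpop",
    ".titancrypt": "TitanCrypt",
    ".japan": "Japan",
    ".wanacray2023+": "Xorist",
    ".kruu": "STOP",
    ".ifla": "STOP",
    ".byya": "STOP",
    ".errz": "STOP",
    ".txlck": "TxLocker",
}

# Ransom-note filenames the page reports -> family label. Readme.html is a
# common benign filename, so on its own it is treated as a weak signal.
RANSOM_NOTES = {
    "readme.html": "Kekpop",
    "___recover__files__.titancrypt.txt": "TitanCrypt",
    "how to decrypt.txt": "Japan",
    "how to decrypte .txt files": "Xorist",
    "f1x_instructions.txt": "TxLocker",
}
WEAK_NOTE_NAMES = {"readme.html"}


def classify(filename):
    """Return (family, kind) for one filename, or None if nothing matches."""
    lower = filename.lower()
    if lower in RANSOM_NOTES:
        return RANSOM_NOTES[lower], "note"
    for ext, family in ENCRYPTED_EXTENSIONS.items():
        # The extension is appended after the original one (report.docx.kruu),
        # so only the trailing suffix is compared, not Path.suffix alone.
        if lower.endswith(ext) and len(lower) > len(ext):
            return family, "encrypted"
    return None


def scan_tree(root):
    """Walk root and return a list of (path, family, kind) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            hit = classify(name)
            if hit:
                findings.append((os.path.join(dirpath, name), hit[0], hit[1]))
    return findings


def summarize(findings):
    """Aggregate findings per family and attach a confidence label (assumed scheme):
    high   - encrypted files were seen (with or without a note)
    medium - a distinctive note name was seen but no encrypted files
    low    - only a generic note name (e.g. Readme.html) was seen
    """
    counts = defaultdict(lambda: {"encrypted": 0, "note": 0, "weak_note": 0})
    for path, family, kind in findings:
        if kind == "note" and os.path.basename(path).lower() in WEAK_NOTE_NAMES:
            counts[family]["weak_note"] += 1
        else:
            counts[family][kind] += 1
    summary = {}
    for family, c in counts.items():
        conf = "high" if c["encrypted"] else ("medium" if c["note"] else "low")
        summary[family] = {**c, "confidence": conf}
    return summary


def build_sample_tree(root):
    """Constructed sample layout for a dry run; not real victim data."""
    root = Path(root)
    layout = [
        "finance/q1.xlsx.kruu",          # STOP-encrypted files
        "finance/q2.xlsx.kruu",
        "hr/contracts.pdf.txlck",        # TxLocker-encrypted file plus its note
        "hr/f1x_instructions.txt",
        "web/Readme.html",               # generic name: weak signal only
        "web/index.html",                # benign, must not be flagged
        "backup/archive.tar.Japan",      # mixed-case extension
    ]
    for rel in layout:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"")
    return root


def demo():
    """Build the sample tree in a temp dir, scan it and return the summary."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return summarize(scan_tree(tmp))


if __name__ == "__main__":
    for family, info in sorted(demo().items()):
        print(f"{family}: {info}")
```

Run it as `python scan_indicators.py` for the dry run, or call `scan_tree("/mnt/share")` directly on a real path. Extension matches are the stronger signal because the original file extension is preserved in front of the appended one; the confidence scheme exists so that a lone Readme.html on a web server does not raise a Kekpop alert by itself.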