The Week in Ransomware – May 13th 2022 – A National Emergency
While ransomware attacks have slowed during Russia’s invasion of Ukraine and the subsequent sanctions, the malware threat continues to affect organizations worldwide.
This can be seen with Costa Rica declaring a national emergency after suffering a massive IT systems outage caused by a Conti ransomware attack in April.
These outages are impacting public services, including requiring people to pay taxes at banks rather than online.
This declaration comes soon after the US government offered a $15 million reward for the location and identification of Conti ransomware members.
Secureworks also analyzed the new REvil ransomware samples, confirming previous reports that the ransomware gang has returned. With the threat actors having both the REvil source code and Tor private keys, it is clear that the operation has returned in some manner.
Other news this week includes a technical analysis of Black Basta with the Conti gang denying they are involved in the new operation.
Contributors and those who provided new ransomware information and stories this week include: @jorntvdw, @Ionut_Ilascu, @Seifreed, @billtoulas, @PolarToffee, @VK_Intel, @fwosar, @malwareforme, @malwrhunterteam, @DanielGallagher, @demonslay335, @BleepinComputer, @serghei, @LawrenceAbrams, @struppigel, @FourOctets, @TrendMicro, @kaspersky, @Secureworks, @BrettCallow, @bofheaded, @pcrisk, @ValeryMarchive, @kevincollier, @andrewselsky, @Amigo_A_, and @petrovic082.
May 7th 2022
The US Department of State is offering up to $15 million for information that helps identify and locate leadership and co-conspirators of the infamous Conti ransomware gang.
Petrovic found a new ransomware that appends the .kekpop extension and drops a ransom note named ReadMe.html.
May 9th 2022
The Costa Rican President Rodrigo Chaves has declared a national emergency following cyber attacks from the Conti ransomware group on multiple government bodies.
Secureworks® Counter Threat Unit™ (CTU) researchers analyzed REvil ransomware samples that were uploaded to the VirusTotal analysis service after the GOLD SOUTHFIELD threat group’s infrastructure resumed activity in April 2022. The infrastructure had been shuttered since October 2021. Analysis of these samples indicates that the developer has access to REvil’s source code, reinforcing the likelihood that the threat group has reemerged. The identification of multiple samples containing different modifications and the lack of an official new version indicate that REvil is under active development.
Black Basta, a new ransomware gang, has swiftly risen to prominence in recent weeks after it caused massive breaches to organizations in a short span of time.
Lincoln College, a liberal-arts school from rural Illinois, says it will close its doors later this month, 157 years since its founding and following a brutal hit on its finances from the COVID-19 pandemic and a recent ransomware attack.
PCrisk found a new variant of Jcrypt called TitanCrypt that appends the .titancrypt extension and drops a ransom note named ___RECOVER__FILES__.titancrypt.txt.
PCrisk found a ransomware that is appending the .japan extension to encrypted files and drops a ransom note named how to decrypt.txt.
May 10th 2022
PCrisk found a new Xoris variant appending the .WanaCray2023+ extension and dropping a ransom note named HOW TO DECRYPT FILES.txt.
A week before Oregon’s primary election, the secretary of state’s office is moving to protect the integrity of its online system where campaign finance records are published after a web hosting provider was hit by a ransomware attack.
May 11th 2022
Ahead of the Anti-Ransomware Day, we summarized the tendencies that characterize the ransomware landscape in 2022. This year, ransomware is no less active than before: cybercriminals continue to threaten nationwide retailers and enterprises, old variants of malware return while new ones develop. Watching and assessing these tendencies not only provides us with threat intelligence to fight cybercrime today, but also helps us deduce what trends we may see in the months to come and prepare for them better.
Conti denies involvement in new Black Basta gang
Conti continues to threaten the government of Peru and also states that they are not associated with the new Black Basta operation.
New BlueSky ransomware
Dreamer discovered a new ransomware operation named BlueSky.
May 12th 2022
Links between Conti and the FSB have come to light. The cybercriminal SME has been very aggressive against Costa Rica and Peru, while Latin America appears to be particularly affected. Fifteen countries in the region have spoken out against the invasion of Ukraine.
PCrisk found new STOP ransomware variants that append the .kruu, .ifla, and .byya extensions.
May 13th 2022
PCrisk found a new STOP ransomware variant that appends the .errz extension.
Amigo-A found a new TxLocker ransomware that appends the .txlck extension and drops a ransom note named f1x_instructions.txt.
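The extensions and ransom note names reported above are the kind of indicators a defender can sweep a file listing for. The script below is an added example, not code from BleepingComputer or any of the researchers credited here; it collects the extensions and note names named in this roundup, groups hits per directory, and only raises an alert when several files in one directory carry a known extension or a note file sits next to renamed files, so a lone generic name such as ReadMe.html does not fire on its own. The family labels, the alert threshold and the sample listing are all constructed for the example.

```python
"""Sweep a file listing for the ransomware indicators named in this week's roundup."""
from collections import Counter

# Appended extensions reported this week, mapped to an informal family label (labels are
# the example's own shorthand, not an official naming).
RANSOM_EXTENSIONS = {
    ".kekpop": "unnamed (Petrovic)",
    ".titancrypt": "TitanCrypt (Jcrypt variant)",
    ".japan": "unnamed (PCrisk)",
    ".wanacray2023+": "Xoris variant",
    ".kruu": "STOP",
    ".ifla": "STOP",
    ".byya": "STOP",
    ".errz": "STOP",
    ".txlck": "TxLocker",
}

# Ransom note file names reported this week (compared case-insensitively).
RANSOM_NOTES = {
    "readme.html": "unnamed (Petrovic)",
    "___recover__files__.titancrypt.txt": "TitanCrypt (Jcrypt variant)",
    "how to decrypt.txt": "unnamed (PCrisk)",
    "how to decrypt files.txt": "Xoris variant",
    "f1x_instructions.txt": "TxLocker",
}

# Constructed sample listing (e.g. the output of a file inventory job); not real data.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.kruu",
    r"C:\Users\alice\Documents\report.docx.kruu",
    r"C:\Users\alice\Documents\photo.jpg.kruu",
    r"C:\Users\alice\Documents\notes.txt",
    r"D:\share\invoice.pdf.txlck",
    r"D:\share\f1x_instructions.txt",
    r"D:\share\README.md",
    r"D:\projects\ReadMe.html",          # generic note name, no renamed files: no alert
    r"E:\backup\archive.zip.WanaCray2023+",  # single renamed file, no note: recorded, no alert
]


def split_path(path):
    """Normalise separators and split into (directory, file name)."""
    norm = path.replace("\\", "/")
    directory, _, name = norm.rpartition("/")
    return directory, name


def classify_path(path):
    """Return ("note", family), ("extension", family) or None for one path."""
    _, name = split_path(path)
    lower = name.lower()
    if lower in RANSOM_NOTES:          # exact note-name match is checked first
        return ("note", RANSOM_NOTES[lower])
    for ext, family in RANSOM_EXTENSIONS.items():
        if lower.endswith(ext):
            return ("extension", family)
    return None


def scan(paths):
    """Group hits per directory: count of renamed files, families seen, notes present."""
    summary = {}
    for path in paths:
        hit = classify_path(path)
        if hit is None:
            continue
        directory, name = split_path(path)
        entry = summary.setdefault(
            directory, {"encrypted": 0, "families": Counter(), "notes": []}
        )
        kind, family = hit
        if kind == "extension":
            entry["encrypted"] += 1
            entry["families"][family] += 1
        else:
            entry["notes"].append(name)
    return summary


def alerts(summary, min_encrypted=3):
    """Alert when a directory holds many renamed files, or a note beside renamed files.

    A note file on its own is not enough: names like ReadMe.html are common in
    legitimate software, so they only count as corroboration.
    """
    out = []
    for directory, entry in summary.items():
        if entry["encrypted"] >= min_encrypted:
            out.append((directory, f"{entry['encrypted']} files with ransomware "
                                   f"extensions {dict(entry['families'])}"))
        elif entry["encrypted"] and entry["notes"]:
            out.append((directory, f"ransom note {entry['notes']} next to "
                                   f"{entry['encrypted']} renamed file(s)"))
    return out


if __name__ == "__main__":
    for directory, reason in alerts(scan(SAMPLE_LISTING)):
        print(f"ALERT {directory}: {reason}")
```

In practice the listing would come from a file inventory or EDR telemetry rather than a literal, and the indicator tables would be refreshed as new variants are reported; the two-signal rule (many renamed files, or note plus renamed files) is what keeps a generic note name from producing noise.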