The Week in Ransomware – May 20th 2022 – Another One Bites the Dust
Ransomware attacks continue to slow down, likely due to the invasion of Ukraine, instability in the region, and subsequent worldwide sanctions against Russia.
This does not mean, though, that there has been no ransomware activity.
This week’s biggest news is the Conti ransomware gang beginning to shut down their operation, with internal infrastructure taken offline and team leaders/members told that the brand is ending.
While the ‘Conti’ brand may be shut down, cybersecurity firm Advanced Intel says that the cybercrime syndicate will continue to operate, with members joining other ransomware operations or the Conti leadership taking over smaller operations.
By splintering into smaller ‘cells,’ it is believed that Conti will be able to evade law enforcement more easily and simply switch between different ransomware operations’ encryptors. While this may mean less revenue for the syndicate, it creates greater mobility for the overall operation.
Other news this week includes a Venezuelan doctor being charged with creating the Thanos and Jigsaw ransomware families, QNAP warning customers that a new DeadBolt campaign is targeting NAS devices, and a report that ransomware gangs are increasingly using vulnerabilities for initial access.
Finally, publishing giant Nikkei disclosed that its Singapore branch suffered a ransomware attack.
Contributors and those who provided new ransomware information and stories this week include: @PolarToffee, @malwrhunterteam, @struppigel, @FourOctets, @LawrenceAbrams, @DanielGallagher, @Seifreed, @Ionut_Ilascu, @VK_Intel, @BleepinComputer, @jorntvdw, @demonslay335, @billtoulas, @fwosar, @serghei, @malwareforme, @y_advintel, @AdvIntel, @vxunderground, @douglasmun, @GroupIB_GIB, @PRODAFT, @kateconger, @pcrisk, @Amigo_A_, and @Fortinet
May 16th 2022
The US Department of Justice today said that Moises Luis Zagala Gonzalez (Zagala), a 55-year-old cardiologist with French and Venezuelan citizenship residing in Ciudad Bolivar, Venezuela, created and rented Jigsaw and Thanos ransomware to cybercriminals.
The PRODAFT Threat Intelligence (PTI) team has assembled this report to provide in-depth knowledge about Wizard Spider.
PCrisk found a new EarthGrass ransomware that appends the .34r7hGr455 extension and drops a ransom note named Read ME (Decryptor).txt.
May 17th 2022
A Russian hacking cartel carried out an extraordinary cyberattack against the government of Costa Rica, crippling tax collection and export systems for more than a month so far and forcing the country to declare a state of emergency.
Conti accuses LockBit and AlphV of stealing from affiliates
FortiGuard Labs recently came across a variant of the Chaos ransomware that appears to side with Russia. This blog explains the vicious consequences that the Chaos variant delivers to a compromised machine.
PCrisk found a new STOP ransomware variant that appends the .dfwe extension.
May 18th 2022
After suffering a ransomware attack by the Hive operation, the Bank of Zambia made it clear that they were not going to pay by posting a picture of male genitalia and telling the hackers to s… (well, you can use your imagination).
PCrisk found a new STOP ransomware variant that appends the .fdcv extension.
PCrisk found the new CryptBit ransomware that appends the .cryptbit extension and drops the CryptBIT-restore-files.txt ransom note.
May 19th 2022
Security researchers are warning that external remote access services remain the main vector for ransomware gangs to breach company networks, but there is a notable uptick in the exploitation of vulnerabilities.
Taiwan-based network-attached storage (NAS) maker QNAP warned customers on Thursday to secure their devices against attacks pushing DeadBolt ransomware payloads.
Publishing giant Nikkei disclosed that the group’s headquarters in Singapore was hit by a ransomware attack almost one week ago, on May 13, 2022.
The notorious Conti ransomware gang has officially shut down their operation, with infrastructure taken offline and team leaders told that the brand is no more.
PCrisk found a new STOP ransomware variant that appends the .fefg extension.
May 20th 2022
On May 19, 2022, the admin panel of the Conti ransomware gang’s official website, Conti News, was shut down. The negotiations service site was also down, while the rest of the infrastructure, from chatrooms to messengers and from servers to proxy hosts, was going through a massive reset.
PCrisk found a ransomware named ZareuS that appends the .ZareuS extension and drops a ransom note named HELP_DECRYPT_YOUR_FILES.txt.
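The appended extensions and ransom-note filenames reported in this week's PCrisk items are the kind of indicator a file-server sweep can key on. The script below is an added example, not code from BleepingComputer, PCrisk or any of the gangs mentioned: it classifies paths against those indicators, counts encrypted files per directory, and raises an alert for any directory holding a ransom note or three or more encrypted files. The sample paths, the three-file threshold and the case-insensitive matching are assumptions made for the example, not facts from the page.

```python
"""Sweep file paths for this week's ransomware indicators.

Added example for this digest; not BleepingComputer or PCrisk code.
"""
import os
from collections import Counter
from pathlib import PurePath

# Extensions quoted from the items above (lower-cased; matching is
# case-insensitive, which is an assumption of this example).
ENCRYPTED_EXTENSIONS = {
    ".34r7hgr455": "EarthGrass",
    ".dfwe": "STOP",
    ".fdcv": "STOP",
    ".fefg": "STOP",
    ".cryptbit": "CryptBit",
    ".zareus": "ZareuS",
}

# Ransom-note filenames quoted from the items above (lower-cased).
RANSOM_NOTES = {
    "read me (decryptor).txt": "EarthGrass",
    "cryptbit-restore-files.txt": "CryptBit",
    "help_decrypt_your_files.txt": "ZareuS",
}


def classify(path):
    """Return (family, kind) when a path matches an indicator, else None.

    kind is 'note' for a ransom note and 'encrypted' for a file whose
    last extension is one the families above append.
    """
    p = PurePath(path)
    name = p.name.lower()
    if name in RANSOM_NOTES:
        return RANSOM_NOTES[name], "note"
    family = ENCRYPTED_EXTENSIONS.get(p.suffix.lower())
    if family is not None:
        return family, "encrypted"
    return None


def scan(paths, alert_threshold=3):
    """Classify every path and summarise the hits.

    Returns a dict with the matched paths ('hits'), a per-family count
    ('per_family') and the directories that warrant an alert ('alerts'):
    any directory holding a ransom note, or at least alert_threshold
    encrypted files. The threshold is an assumed tuning value.
    """
    hits = []
    per_family = Counter()
    encrypted_per_dir = Counter()
    note_dirs = set()
    for path in paths:
        result = classify(path)
        if result is None:
            continue
        family, kind = result
        hits.append((path, family, kind))
        per_family[family] += 1
        parent = str(PurePath(path).parent)
        if kind == "encrypted":
            encrypted_per_dir[parent] += 1
        else:
            note_dirs.add(parent)
    candidates = set(encrypted_per_dir) | note_dirs
    alerts = sorted(
        d for d in candidates
        if d in note_dirs or encrypted_per_dir[d] >= alert_threshold
    )
    return {"hits": hits, "per_family": dict(per_family), "alerts": alerts}


def walk(root):
    """Yield every file path below root, for running scan() on a real share."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for filename in filenames:
            yield os.path.join(dirpath, filename)


# Constructed sample paths standing in for a walked file share.
SAMPLE_PATHS = [
    "/srv/share/finance/q1-report.xlsx.dfwe",
    "/srv/share/finance/budget.xlsx.dfwe",
    "/srv/share/finance/forecast.docx.dfwe",
    "/srv/share/hr/contract.pdf.ZareuS",
    "/srv/share/hr/HELP_DECRYPT_YOUR_FILES.txt",
    "/srv/share/eng/CryptBIT-restore-files.txt",
    "/srv/share/eng/design.vsdx",
    "/srv/share/eng/notes.txt",
]

if __name__ == "__main__":
    report = scan(SAMPLE_PATHS)
    for path, family, kind in report["hits"]:
        print(f"{kind:9} {family:10} {path}")
    print("per family:", report["per_family"])
    print("alert directories:", report["alerts"])
```

On a real share, replace SAMPLE_PATHS with walk("/srv/share"). Matching on the final suffix alone is deliberate: STOP-style families append their extension to the original name, so the original type is still visible one suffix earlier, and a ransom note is matched by name before its .txt suffix is ever considered.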