The Week in Ransomware – May 20th 2022 – Another One Bites the Dust
Ransomware attacks continue to slow down, likely due to the invasion of Ukraine, instability in the region, and subsequent worldwide sanctions against Russia.
This does not mean, though, that there has been no ransomware activity.
This week’s biggest news is the Conti ransomware gang beginning to shut down their operation, with internal infrastructure taken offline and team leaders/members told that the brand is ending.
While the ‘Conti’ brand may be shut down, cybersecurity firm Advanced Intel says that the cybercrime syndicate will continue to operate, with members joining other ransomware operations or the Conti leadership taking over smaller operations.
By splintering into smaller ‘cells,’ it is believed that Conti will be able to evade law enforcement more easily and simply switch between different ransomware operations’ encryptors. While this may mean less revenue for the syndicate, it creates greater mobility for the overall operation.
What this means for the Costa Rican government, which was severely impacted by a recent Conti attack, is unclear.
Other news this week includes the charging of a Venezuelan doctor for creating the Thanos and Jigsaw ransomware families, QNAP warning customers that a new DeadBolt campaign is targeting NAS devices, and a report that ransomware gangs are increasingly using vulnerabilities for initial access.
Finally, publishing giant Nikkei disclosed that its Singapore branch suffered a ransomware attack.
Contributors and those who provided new ransomware information and stories this week include: @PolarToffee, @malwrhunterteam, @struppigel, @FourOctets, @LawrenceAbrams, @DanielGallagher, @Seifreed, @Ionut_Ilascu, @VK_Intel, @BleepinComputer, @jorntvdw, @demonslay335, @billtoulas, @fwosar, @serghei, @malwareforme, @y_advintel, @AdvIntel, @vxunderground, @douglasmun, @GroupIB_GIB, @PRODAFT, @kateconger, @pcrisk, @Amigo_A_, and @Fortinet
May 16th 2022
US links Thanos and Jigsaw ransomware to 55-year-old doctor
The US Department of Justice today said that Moises Luis Zagala Gonzalez (Zagala), a 55-year-old cardiologist with French and Venezuelan citizenship residing in Ciudad Bolivar, Venezuela, created and rented Jigsaw and Thanos ransomware to cybercriminals.
[WS] Wizard Spider Group In-Depth Analysis
The PRODAFT Threat Intelligence (PTI) team has assembled this report to provide in-depth knowledge about Wizard Spider.
New EarthGrass ransomware
PCrisk found a new EarthGrass ransomware that appends the .34r7hGr455 extension and drops a ransom note named Read ME (Decryptor).txt.
May 17th 2022
Russian Hacking Cartel Attacks Costa Rican Government Agencies
A Russian hacking cartel carried out an extraordinary cyberattack against the government of Costa Rica, crippling tax collection and export systems for more than a month so far and forcing the country to declare a state of emergency.
Conti accuses LockBit and AlphV of stealing from affiliates
Chaos Ransomware Variant Sides with Russia
In this vein, FortiGuard Labs recently came across a variant of the Chaos ransomware that appears to side with Russia. This blog explains the vicious consequences that the Chaos variant delivers to a compromised machine.
New STOP ransomware variant
PCrisk found a new STOP ransomware variant that appends the .dfwe extension.
May 18th 2022
National bank hit by ransomware trolls hackers with dick pics
After suffering a ransomware attack by the Hive operation, the Bank of Zambia made it clear that they were not going to pay by posting a picture of male genitalia and telling the hackers to s… (well, you can use your imagination).
New STOP ransomware variant
PCrisk found a new STOP ransomware variant that appends the .fdcv extension.
New CryptBit ransomware
PCrisk found the new CryptBit ransomware that appends the .cryptbit extension and drops the CryptBIT-restore-files.txt ransom note.
May 19th 2022
Ransomware gangs rely more on weaponizing vulnerabilities
Security researchers are warning that external remote access services continue to be the main vector for ransomware gangs to breach company networks, but there’s a notable uptick in exploiting vulnerabilities.
QNAP alerts NAS customers of new DeadBolt ransomware attacks
Taiwan-based network-attached storage (NAS) maker QNAP warned customers on Thursday to secure their devices against attacks pushing DeadBolt ransomware payloads.
Media giant Nikkei’s Asian unit hit by ransomware attack
Publishing giant Nikkei disclosed that the group’s headquarters in Singapore was hit by a ransomware attack almost one week ago, on May 13, 2022.
Conti ransomware shuts down operation, rebrands into smaller units
The notorious Conti ransomware gang has officially shut down their operation, with infrastructure taken offline and team leaders told that the brand is no more.
New STOP ransomware variant
PCrisk found a new STOP ransomware variant that appends the .fefg extension.
May 20th 2022
DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape
On May 19, 2022, the admin panel of the Conti ransomware gang’s official website, Conti News, was shut down. The negotiations service site was also down, while the rest of the infrastructure, from chatrooms to messengers and from servers to proxy hosts, was going through a massive reset.
New ZareuS ransomware variant
PCrisk found a ransomware named ZareuS that appends the .ZareuS extension and drops a ransom note named HELP_DECRYPT_YOUR_FILES.txt.