The Week in Ransomware – May 6th 2022 – An Evolving Landscape
Ransomware operations continue to evolve, with new groups appearing and others quietly shutting down their operations or rebranding as new groups.
This was seen this week, with Advanced Intel CEO Vitali Kremez disclosing yesterday that the Conti brand, not the organization itself, was shutting down. However, this does not mean that the threat actors themselves are retiring.
This week, we also received confirmation that REvil, or at least some of its members, have relaunched the operation after a sample of their encryptor was found.
In research-related news, a security researcher discovered DLL hijacking vulnerabilities in ransomware samples and released DLLs that can be used to terminate the encryptors before they begin encrypting files.
Other research released this week came from Trellix, which reported that various ransomware operations are linked to North Korean government hacking groups, including the notorious Lazarus gang.
Attacks we saw this week include using fake Windows 10 updates to distribute Magniber ransomware and an attack on AGCO, a US agricultural machinery maker.
Contributors and those who provided new ransomware information and stories this week include: @malwrhunterteam, @Seifreed, @DanielGallagher, @LawrenceAbrams, @malwareforme, @jorntvdw, @BleepinComputer, @demonslay335, @PolarToffee, @fwosar, @billtoulas, @FourOctets, @struppigel, @VK_Intel, @serghei, @Ionut_Ilascu, @Trellix, @malvuln, @JakubKroustek, @R3MRUM, @pcrisk, @Amigo_A_, @Intel471Inc, @ValeryMarchive, and @blackfogprivacy.
April 30th 2022
Fake Windows 10 updates are being used to distribute the Magniber ransomware in a massive campaign that started earlier this month.
May 1st 2022
The notorious REvil ransomware operation has returned amidst rising tensions between Russia and the USA, with new infrastructure and a modified encryptor allowing for more targeted attacks.
May 2nd 2022
PCrisk found new STOP ransomware variants that append the .mmob, .hhjk, and .ttii extensions.
May 3rd 2022
Several ransomware strains have been linked to APT38, a North Korean-sponsored hacking group known for its focus on targeting and stealing funds from financial institutions worldwide.
Analyzing malware strains from these ransomware gangs, a security researcher named hyp3rlinx found that the samples were vulnerable to DLL hijacking, a method usually leveraged by attackers to inject malicious code into a legitimate application.
May 4th 2022
PCrisk found a new variant of the Teslarvng ransomware that appends the .selena extension and drops a ransom note named selena.txt.
May 5th 2022
PCrisk found a new Xorist ransomware variant that appends the .Mal extension.
PCrisk found new STOP ransomware variants that append the .mine, .xcvf, .bbnm, .sijr, and .egfge extensions.
PCrisk found a new Phobos ransomware variant that appends the .GUCCI extension.
The Conti ransomware’s brand is shutting down
Ransomware gangs are apparently no different. Thanks to the Conti Leaks, Intel 471 researchers found evidence that the Conti ransomware group kept a close eye on other ransomware groups and borrowed some of their techniques and best practices for its own operations. Additionally, Intel 471 also observed the Conti group’s affiliates and managers cooperating with other gangs, which included the LockBit, Maze and Ryuk teams.
In 2020, 2021 and now 2022, BlackFog’s state of ransomware in 2022 measures publicly disclosed attacks globally. We also produced an annual summary of our findings in the 2021 ransomware attack report. In 2022 we will be tracking even more statistics, such as data exfiltration and several others as the year progresses. As usual you can also subscribe to have the report delivered to your inbox every month.
May 6th 2022
AGCO, a leading US-based agricultural machinery producer, has announced it was hit by a ransomware attack impacting some of its production facilities.
This new version had been mentioned in mid-March; in particular, it is supposed to fix an encryption bug affecting MSSQL databases. Its use in cyberattacks has now begun.
PCrisk found a new Chaos ransomware variant that calls itself Odaku ransomware.