While ransomware continues to mount attacks and all businesses need to remain vigilant, ransomware news has been relatively slow this week. However, there were still some interesting stories which we describe below.
The most interesting story this week is CNN’s report on Conti Leaks, a Ukrainian researcher who had access to Conti’s internal servers for years.
After Conti sided with Russia over the invasion of Ukraine, the researcher retaliated by leaking internal conversations and source code from the Conti Ransomware gang, offering researchers and law enforcement an overview of their operations.
Another interesting piece of news is a clever “IPFuscation” technique used by the Hive ransomware gang to obfuscate payloads by representing them as IP addresses to evade detection. Running the list of IP addresses through a decoder results in a binary payload that can be installed.
Contributors and those who provided new ransomware information and stories this week include: @PolarToffee, @FourBytes, @jorntvdw, @LawrenceAbrams, @Seifreed, @serghei, @malwhunterteam, @DanielGallagher, @VK_Intel, @malwareforme, @Ionut_Ilascu, @struppigel, @demonslay335, @fwosar, @billtoulas, @BleepinComputer, @rivitna2, @MinervaLabs, @Amigo_A_, @SentinelOne, @AquaSecTeam, @ContiLeaks, @snlyngaas and @pcrisk.
March 27, 2022
Hive ransomware ports its Linux VMware ESXi encryptor to Rust
The Hive ransomware operation converted its VMware ESXi Linux encryptor to the Rust programming language and added new features to make it harder for security researchers to spy on the victim’s ransom negotiations.
March 28, 2022
SunCrypt ransomware is still alive and active in 2022
SunCrypt, a ransomware-as-a-service (RaaS) operation that rose to prominence in mid-2020, is said to still be active, if only barely, as its operators continue to work to give its strain new capabilities.
Amigo-A found a new ransomware that drops a ransom note named Hello.txt.
March 29, 2022
Threat Alert: First Python Ransomware Attack Targeting Jupyter Notebooks
The Nautilus team discovered a Python-based ransomware attack that for the first time targeted Jupyter Notebook, a popular tool used by data scientists. The attackers gained initial access through misconfigured environments, then executed a ransomware script that encrypts every file at a given path on the server and deletes itself after execution to conceal the attack. Since Jupyter notebooks are used to analyze data and create data models, this attack can cause significant damage to organizations if these environments are not properly backed up.
PCrisk found a new variant of Dharma ransomware that adds the .snwd extension.
March 30, 2022
Hive ransomware uses new ‘IPfuscation’ trick to hide payload
Threat analysts have discovered a new obfuscation technique used by the Hive ransomware gang, which involves IPv4 addresses and a series of conversions that ultimately lead to a Cobalt Strike beacon being downloaded.
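The defender's counterpart to the "IPfuscation" trick described above (and in the intro) is a decoder: a run of dotted-quad strings is read back as raw octets and the result is inspected. The example below is added here and is not Hive's code nor code from the cited analysis; the string list and the IPv4 literals in it are constructed for the example (they decode to the first 16 bytes of a standard DOS/PE header), and the run length threshold and the MZ check are heuristic choices, not values taken from the report.

```python
import re
from typing import Dict, List

# Constructed sample: the kind of string list pulled out of a suspicious binary
# (for instance with `strings`). The four consecutive IPv4 literals are
# constructed so that, read as octets, they yield the first 16 bytes of a
# standard DOS/PE header: b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00".
SAMPLE_STRINGS = [
    "kernel32.dll",
    "77.90.144.0",
    "3.0.0.0",
    "4.0.0.0",
    "255.255.0.0",
    "GetProcAddress",
    "192.168.1.1",  # a lone address, not part of an encoded run
]

# Matches a dotted quad of 1-3 digit groups; range checking happens in ip_to_bytes.
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def ip_to_bytes(ip: str) -> bytes:
    """Turn one dotted-quad string into its four octets.

    Done by hand rather than with socket.inet_aton so that malformed input
    raises ValueError consistently on every platform.
    """
    parts = ip.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {ip!r}")
    octets = [int(p) for p in parts]
    if any(o < 0 or o > 255 for o in octets):
        raise ValueError(f"octet out of range: {ip!r}")
    return bytes(octets)


def find_ip_runs(strings: List[str], min_run: int = 3) -> List[List[str]]:
    """Return every run of at least min_run consecutive IPv4-looking strings.

    Isolated addresses (config values, C2 hosts, log lines) are ignored; it is
    the long, consecutive sequence that is the tell for an encoded payload.
    """
    runs: List[List[str]] = []
    current: List[str] = []
    for s in strings:
        if IPV4_RE.match(s):
            current.append(s)
            continue
        if len(current) >= min_run:
            runs.append(current)
        current = []
    if len(current) >= min_run:
        runs.append(current)
    return runs


def decode_run(run: List[str]) -> bytes:
    """Concatenate the octets of each address in order to rebuild the blob."""
    return b"".join(ip_to_bytes(ip) for ip in run)


def looks_like_pe(blob: bytes) -> bool:
    """Heuristic: a decoded blob starting with the 'MZ' DOS magic is a PE image."""
    return blob[:2] == b"MZ"


def scan(strings: List[str], min_run: int = 3) -> List[Dict[str, object]]:
    """Decode every qualifying run and report it, whether or not it is a PE.

    A run that decodes to something other than a PE still merits analysis;
    the pe_header flag is just the cheapest triage signal.
    """
    findings: List[Dict[str, object]] = []
    for run in find_ip_runs(strings, min_run):
        blob = decode_run(run)
        findings.append({
            "count": len(run),
            "bytes": blob,
            "pe_header": looks_like_pe(blob),
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_STRINGS):
        print(f"{f['count']} addresses -> {len(f['bytes'])} bytes, PE header: {f['pe_header']}")
```

Running it on the constructed sample reports one run of four addresses that decodes to 16 bytes with a PE header; the lone `192.168.1.1` is below the run threshold and is not reported. In practice the threshold should be set well above three, since a handful of adjacent addresses is common in legitimate binaries.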
‘I can fight with a keyboard’: How a Ukrainian IT specialist exposed a notorious Russian ransomware gang
As Russian artillery began raining down on his homeland last month, a Ukrainian computer scientist decided to fight back in the best way he knew how: by sabotaging one of Russia’s most fearsome ransomware gangs.
March 31, 2022
LockBit Victim Estimates Cost of Ransomware Attack at $42 Million
Atento, a customer relationship management (CRM) service provider, released its financial performance results for 2021, which show a massive impact of $42.1 million due to a ransomware attack suffered by the company in October last year.
PCrisk found new STOP ransomware variants that add the .voom, .mpag, .gtys, and .udla extensions.