The infamous Conti and REvil/Sodinokibi ransomware gangs seem to have ignored the impact of internal struggles and government actions against their nefarious activities, according to the intelligence now emerging from the security community.
As regular followers of the ransomware gang drama soap opera Conti, who is famous for stealing data and then leaking it, will now know. was itself affected by a series of leaks end of February 2022, after declaring his support for Russia’s war against Ukraine.
This action likely alienated several members of the group in Ukraine and resulted in a deluge of new information for analysts to digest.
REvil, meanwhile, appears to have been taken down by coordinated law enforcement actions during a brief period when the US and Russia aligned on anti-ransomware action, following meetings between Joe Biden and Vladimir Putin in 2021.
But as we will see, Conti remains very active and REvil seems to be back in business.
So what’s new and what should security professionals do?
According to Secureworkswhich follows Conti as Gold Ulrick in his threat actor matrix, the gang has been busy, quickly adapted in response to the public disclosure of its communications and operational details, and its activity is currently close to the peak levels observed in 2021.
Analysts from Secureworks’ Counter Threat Unit (CTU) recently revealed that Conti’s leak site averaged 43 victims per month in 2021, peaking at 95 in November, before dropping during the Christmas. It then resumed until February 27, 2022, when the @ContiLeaks Twitter account began leaking data. Despite this, the number of reported casualties in March jumped to more than 70.
“While these types of leaks may have prompted some threat groups to change their communication methods or tools, Gold Ulrick appears to have continued and even increased the tempo of its operations without disruption,” the CTU team said in a recently updated blog post.
Gold Ulrick member “Jordan Conti” confirmed this continuation and the minimal impact of the disclosures in a March 31, 2022 post on the underground RAMP forum.
“CTU researchers have previously observed this character advertising Conti, providing updates on takedown efforts, and recruiting affiliates,” they said.
The message claims that the site only lists victims who have not paid – standard procedure for a site to double exploit name and shame – and implies that Conti has a payment success rate of 50%, so double that. this number of victims may exist, although the CTU team has not yet verified these claims.
The “Jordan Conti” character also indicated that the gang plans to evolve their ransomware, intrusion methods, and approaches to working with data. This was confirmed by researchers Marc Elias, Jambul Tologonov and Alexandre Mundo from Trellis (née McAfee Enterprise), which also recently published new information on Conti’s targeting of VMware ESXi Hypervisors with a Linux variant of its ransomware. The Trellix team detected Conti for Linux downloaded in the wild on April 4 and claims that it is the first publicly known sample.
Conti’s existence for Linux is nothing new – the first mention of a Linux variant was in May 2021 – but leaked conversations between gang members suggest it had several bugs and went through a long process of development, including live trials on real-world victims, many of whom apparently complained that when they paid the ransom, the decryptor did not work properly.
In one case, the gang demanded a ransom of $20 million, but were forced to settle for $1 million because something went wrong – this particular victim also refused the decryptor despite the payment.
Trellix said his intelligence reinforces that despite the leaks and reputational damage suffered, the gang is not going anywhere and has found time to continue working on its “product”.
“Analysis of Conti’s leaks revealed that threat actors are continually adjusting and improving their Linux variant of ransomware, and it’s likely that in the future we’ll see more of its actions against Western organizations,” they wrote. they stated.
“Given that the Conti ransomware sample we analyzed was recently uploaded to VirusTotal, we assume that the ransomware group continues to perform its campaigns and operations by encrypting data from companies around the world and extorting ransom payment for their own personal gain.”
REvil: Not all it may seem
Meanwhile, REvil, or perhaps more accurately someone claiming to be REvil, reappeared on April 20 and was quickly spotted by the community.
Researchers have reported that REvil’s servers on the Tor network are heading for a seemingly new operation, hence the lack of clarity at this time as to what is really going on – there may be connections with members still at large from the REvil gang, or even other ransomware gangs, whose presence has been inferred.
According to beeping computer, the relaunched ‘Happy Blog’ leak site listed 26 victims (at the time of writing), although some of them appeared to be older victims.
Many questions remain about the supposed reappearance of REvil, but a theory that has gained traction holds that following the closure of communication channels between the United States and Russia on security matters there is a fortnight from now, Moscow might have given tacit permission to REvil to resume targeting organizations in the West.
digital shadows Chris Morgan, Senior Cyber Threat Analyst, said: “REvil’s potential return coincides with the closure of channels for discussing cybersecurity issues between the United States and Russia. This decision was likely made due to the breakdown of relations between the United States and Russia following the ongoing war between Russia and Ukraine.
“As a result, it is realistic that Russian authorities have dropped their investigation into the group, or have otherwise indicated that REvil may resume operations.
Morgan added: “It is currently unclear whether the restart of infrastructure associated with REvil represents a true return to activity for the group, a scam or a potential honeypot operation by law enforcement. “
Although the recent activity of Conti and, supposedly, REvil, has drawn the attention of the security community, the resilience of cybercriminal gangs following the actions taken against them is normal, as demonstrated at many times. This was, to some extent, to be expected.
The only factor that has changed in recent weeks is, of course, Russia’s illegal war against Ukraine, which has resulted in Russia’s isolation and expulsion from many international systems.
This is important because although ransomware operators have always been financially motivated criminals, rather than state-backed advanced persistent threat groups, many, if not most, ransomware gangs operate from Russia, and we long suspected that they are doing so with the approval of, or at least a blind eye from, the Russian government.
Although there is little evidence that Russia is orchestrating a major cyber war against the West – the NCSC continues to advise organizations to take reasonable precautions – it is certainly possible that Russia could pressure more cyber operators. ransomware as part of cyber warfare, or that ransomware operators might take action to support Moscow on their own.
In terms of an organization’s immediate response, there’s not much you can do other than strengthen existing defenses against ransomware attacks or implement them if you haven’t already.
Further information on the steps to take to defend against ransomware attacks is available from the National Cyber Security Centerand as always, the first piece of advice is to focus on properly protected backups of important data first, and never pay a ransom, as there is no guarantee that your affected data will be restored.