Padlock

Ransomware operations continue to evolve, with new groups appearing and others quietly shutting down their operations or rebranding as new groups.

This was seen this week, with Advanced Intel CEO Vitali Kremez disclosing yesterday that the Conti brand, not the organization itself, was shutting down. However, this does not mean that the threat actors themselves are retiring.

This week, we also received confirmation that REvil, or at least some of its members, have relaunched the operation after a sample of their encryptor was found.

In research-related news, a security researcher discovered DLL hijacking vulnerabilities in ransomware operations and releasing DLLs that can be used to terminate the encryptors before they begin encrypting files.

This week, other research released is from Trellix, who reported that various ransomware operations are linked to North Korean government hacking groups, including the notorious Lazarus gang.

Attacks we saw this week include using fake Windows 10 updates to distribute Magniber ransomware and an attack on AGCO, a US agricultural machinery maker.

Contributors and those who provided new ransomware information and stories this week include: @malwrhunterteam, @Seifreed, @DanielGallagher, @LawrenceAbrams, @malwareforme, @jorntvdw, @BleepinComputer, @demonslay335, @PolarToffee, @fwosar, @billtoulas, @FourOctets, @struppigel, @VK_Intel, @serghei, @Ionut_Ilascu, @Trellix, @malvuln, @JakubKroustek, @R3MRUM, @malvuln, @pcrisk, @Amigo_A_, @Intel471Inc, @ValeryMarchive, and @blackfogprivacy.

April 30th 2022

Fake Windows 10 updates infect you with Magniber ransomware

Fake Windows 10 updates are being used to distribute the Magniber ransomware in a massive campaign that started earlier this month.

May 1st 2022

REvil ransomware returns: New malware sample confirms gang is back

The notorious REvil ransomware operation has returned amidst rising tensions between Russia and the USA, with new infrastructure and a modified encryptor allowing for more targeted attacks.

May 2nd 2022

New STOP Ransomware variants

PCrisk found new STOP ransomware variants that append the .mmob, .hhjk, and the .ttii extension.

May 3rd 2022

New ransomware strains linked to North Korean govt hackers

Several ransomware strains have been linked to APT38, a North Korean-sponsored hacking group known for its focus on targeting and stealing funds from financial institutions worldwide.

Conti, REvil, LockBit ransomware bugs exploited to block encryption

Analyzing malware strains from these ransomware gangs, a security researcher named hyp3rlinx found that the samples were vulnerable to DLL hijacking, a method usually leveraged by attackers to inject malicious code into a legitimate application.

May 4th 2022

New Teslarvng ransomware variant

PCrisk found new variant of the Teslarvng Ransomware that appends the .selena extension and drops a ransom note named selena.txt.

May 5th 2022

New Xorist ransomware variant

PCrisk found a new Xorist ransomware variant that appends the .Mal extension.

New STOP Ransomware variants

PCrisk found new STOP ransomware variants that append the .mine, .xcvf, .bbnm, .sijr, and the .egfge xtensions.

New 'Gucci' Phobos ransomware variant

PCrisk found new Phobos ransomware variant that appends the .GUCCI extension.

The Conti ransomware's brand is sHeading 2hutting down

Cybercrime loves company: Conti cooperated with other ransomware gangs

Ransomware gangs are apparently no different. Thanks to the Conti Leaks, Intel 471 researchers found evidence that the Conti ransomware group kept a close eye on other ransomware groups and borrowed some of their techniques and best practices for its own operations. Additionally, Intel 471 also observed the Conti group’s affiliates and managers cooperating with other gangs, which included the LockBit, Maze and Ryuk teams.

BlackFog's The State of Ransomware in 2022 report

In 2020, 2021 and now 2022, BlackFog’s state of ransomware in 2022 measures publicly disclosed attacks globally. We also produced an annual summary of our findings in the 2021 ransomware attack report. In 2022 we will be tracking even more statistics, such as data exfiltration and several others as the year progresses. As usual you can also subscribe to have the report delivered to your inbox every month.

May 6th 2022

US agricultural machinery maker AGCO hit by ransomware attack

AGCO, a leading US-based agricultural machinery producer, has announced it was hit by a ransomware attack impacting some of its production facilities.

Ransomware: LockBit 3.0 begins to be used in cyberattacks

This new version had been mentioned in mid-March. In particular, it must fix an encryption bug in MSSQL databases. Its use in cyberattacks has begun.

New Odaku Ransomware

PCrisk found a new Chaos ransomware variant that calls itself Odaku ransomware.

That's it for this week! Hope everyone has a nice weekend!

Related Articles:

Police arrest Conti and LockBit ransomware crypter specialist

The Week in Ransomware - May 17th 2024 - Mailbombing is back

The Week in Ransomware - May 10th 2024 - Chipping away at LockBit

Affirm says cardholders impacted by Evolve Bank data breach

Meet Brain Cipher — The new ransomware behind Indonesia's data center attack