US and UK Authorities Uncover 11 More Russian Hackers Related to Conti And TrickBot

Notice regarding joint operations between American and British authorities appeared on several sites simultaneously. As in the previous case of sanctions towards russian hackers, US Treasury and UK National Crime Agency released statements regarding it. They successfully managed to uncover the personalities of 11 individuals that are related to the Trickbot/Conti cybercriminal gang.

Authorities have found and proven the relation of the accused individuals to attacks on UK and US government and educational organisations, hospitals and companies. This in total led to a net loss of £27 million in the UK only, and over $800 million around the world. Despite the formal Conti group dissolution in June 2022, members remained active under the rule of other cybercriminal groups.

Authorities Published Hackers’ Personal Data

What may be the best revenge to someone fond of compromising identities than compromising their own identity? Authorities involved in the investigation and judgement probably think the same, as they have published detailed information about each of 11 sanctioned hackers.

What is the Conti/TrickBot group?

As cybercrime gangs are commonly named by their “mainstream” malware, the Conti gang was mostly known for their eponymous ransomware. But obviously, that was not the only payload they were using in their attacks. Throughout its lifetime, Conti was working with, or even directly using several stealer families. Among them is an infamous QakBot, whose botnet was hacked and dismantled at the edge of summer 2023, and TrickBot. They were mostly known as stand-alone names, besides being actively used in collaboration with different ransomware gangs, including Conti.

QakBot is an old-timer of the malware scene. Emerged in 2007 as Pinkslipbot, it quickly became successful as infostealer malware. With time, it was updated with new capabilities, particularly ones that make it possible to use it as an initial access tool/malware delivery utility. This predetermined the fate of this malware – it is now more known as a loader, than a stealer or spyware. Although it may be appropriate to speak of QBot in the past tense, as its fate after the recent botnet shutdown is unclear.

Trickbot’s story is not much different. The only thing in difference is its appearance date – it was first noticed in 2016. Rest of the story repeats – once an infostealer, then a modular malware that can serve as initial access tool and loader. Some cybercriminals who stand after Trickbot were already sanctioned – actually, they are the first sanctioned hackers ever.

Are sanctions seriously threatening hackers?

Actually, not much. Sanctions are not a detainment, thus the only thing they lose is property in the US and the UK. Though, I highly doubt that any of those 11 guys had any valuable property kept in the countries they were involved in attacks on. All this action is mostly a message to other hackers – “you are not as anonymous as you think you are, and not impunable.”. The very next step there may be their arrest – upon the fact of their arrival to the US/UK, or countries that assist them in questions of cybercrime investigation. But once again – I doubt they’re reckless enough to show up in the country where each police station has their mugshot pinned to the wanted deck.

The post NCA and DoJ Introduce New Sanctions Against Conti/Trickbot Hackers appeared first on Gridinsoft Blog.

Conti Hackers Work in Akira Ransomware Group

As mentioned above, Akira mainly attacks small and medium-sized businesses, and companies around the world become victims of the ransomware, although hackers focus on targets in the United States and Canada. The gang typically infiltrates target Windows and Linux systems through VPN services, especially if users have not enabled multi-factor authentication. To gain access to victims’ devices, attackers use compromised credentials, which they most likely buy on the dark web.

Once the system is infected, Akira seeks to delete backups that can be used to restore data, and then the ransomware encrypts files with specific extensions, adding the “.akira” extension to each of them. The ransom note that the attackers leave in the system is written in English, but contains many errors. In this message, the group claims that they do not want to cause serious financial damage to the victim, and the amount of the ransom will be determined based on the income and savings of the affected company. Usually Akira demands a ransom of between $200,000 and $4,000,000.

Experts point out that Akira uses “double extortion” tactics, not only encrypting victims’ data, but also stealing information from compromised systems before encryption. After that, the attackers threaten to publish or sell this data to other criminals if they do not receive a ransom.

The Akira ransomware is in many ways similar to the Conti ransomware that was shut down a year ago, the researchers said. The malware ignores the same types of files and directories, and uses a similar encryption algorithm. But it should be borne in mind that at the beginning of 2022, the Conti sources were made publicly available, and now the attribution of attacks has become more difficult.

Back in June, Avast researchers released similar data about Akira’s likely connection to Conti, saying that the creators of the new ransomware were at least “inspired by the leaked Conti source codes.”

There were other news upon Conti members’ activities past the group dissolution. Conti operators participated in attacks on Ukrainian companies. It’s worth noting that earlier this month, Avast released a free decryption tool for files affected by Akira attacks. So far, the tool only works on Windows, and after its release, the malware operators changed the encryption procedure to prevent free file recovery.

Arctic Wolf researchers, in turn, focused on blockchain analysis and found three suspicious transactions in which Akira users transferred more than $600,000 to Conti-related addresses. According to experts, two discovered wallets have previously been linked to the management of Conti, and one of them received payments from several families of extortionists.

The post Conti Members Are Back in Action as Part of Akira Ransomware appeared first on Gridinsoft Blog.

Conti Ransomware in a nutshell

Conti ransomware, led by Russia-based threat actors, appeared in February 2020 and soon became one of the most active groups in the ransomware space. They use a Ransomware-as-a-Service attack model and pay affiliates for successful deployment. Conti’s structure was exposed in August 2021 when a former companion leaked training documents. Additionally, there are indications that the same group operates the Ryuk ransomware, but definitive proof is yet to be observed. Conti ransomware is known for its advanced capabilities. However, a key feature is that the people behind it are difficult to deal with. They often break promises to victims, even if they agree to pay. This means compliance may still result in leaked data or encrypted files.

The death of the Conti

The Russia-Ukraine war has contributed to the takedown of the Conti ransomware group since, in February 2022, Conti fully supported Russia’s invasion of Ukraine. As a result, such actions were met with negativity from anywhere, as members and the public. In addition, the insider leaked tens of thousands of internal chat logs to the public just four days after the official start of the Russia-Ukraine war, following Conti’s announcement of his support for Russia. Internal chat logs leaked to the public reveal Conti’s day-to-day operations and structure. Its structure resembled an ordinary organization’s, including salary structures and HR recruitment procedures.

Moreover, some employees were unaware that they worked for cybercriminals. However, those who did suspect what was going on were offered bonuses to stay silent. In addition to the fact that the leak included Conti ransomware source code, hints were found that the end was nearest for the group even before the leak.

The verdict is signed

Such a high-profile announcement to the group about support for Russia and threatening to act on its behalf made it nearly impossible for victim companies to negotiate with them. As a result, almost no payments were made to the group in the months following. This is usually discussed with law enforcement before deciding to pay the ransom. This is required to make sure they are legitimate. Still, Conti’s alignment with Russia made financial support to the group illegal and extremely risky. This significantly reduced the group’s income and weakened its ability to function.

What’s Becoming of Group members?

Experts report that the ransomware group Conti has ceased its activities. Its infrastructure has been shut down, and the group’s leaders have stated that the brand no longer exists. Subsequently, the extortion market was divided between Lockbit, which dominated, and smaller groups. Although the Conti brand no longer exists, experts believe that this crime syndicate will long play an essential role in the extortion industry.

Thus, experts believe that instead of the traditional rebranding (and subsequent transformation into a new group) of hacker groups, Conti broke up into smaller groups of extortionists to conduct attacks. As part of this “transformation,” small hack groups get an influx of experienced pentesters, negotiators, and operators from among Conti members. And the Conti syndicate, by splitting into smaller “cells” controlled by a single leader, gains mobility and the ability to evade the attention of law enforcement.

Post-Conti Groups

Conti’s latest attack was less potent than noisy. “The only goal Conti wanted to achieve with the last attack was to use the platform as a promotional tool, arrange its own ‘death,’ and then revive itself in the most plausible way possible,” experts say. In addition, according to the researchers, Conti has several subsidiaries, such as Royal, Black Basta, Silent Ransom Group, HelloKitty, AvosLocker, Zeon, Hive, BlackCat, and BlackByte.

Royal Ransomware

The Royal ransomware group has targeted over 1,000 organizations with a social engineering attack, tricking victims into trusting the attackers. The scheme involves pressuring victims to open a file that is actually a malware loader. If successful, victims can fall victim to ransomware. The group may have even created a fake version of the Midnight Group to further deceive victims. This variation of a gambit known as BazarCall involves scaring victims into thinking their systems have been locked by ransomware and manipulating them into installing the actual ransomware. Royal is a ransomware group splintered from Conti after backing the Kremlin’s war on Ukraine. The group targets healthcare companies and top-tier corporations for ransom demands ranging from $250,000 to over $2 million. They use BazarCall strategies and have recently targeted Linux systems. Their encryption scheme is implemented correctly, making recent backups or a decryptor the only way to recover lost files.

Black Basta

Black Basta is a group formerly called Conti Team Three. They typically use QBot to gain initial access and then deploy the main payload known as Black Basta ransomware. Additionally, the BlackByte and Karakurt groups are engaged in data exfiltration. The group is relatively new in 2022 and has made a name for itself. In a few months since its ransomware was first discovered, Black Basta has updated its toolkit and increased the number of victims worldwide. It operates on the ransomware-as-a-service principle. The number of Black Basta ransomware detections is currently low, probably because of how recently it was discovered.

Like most modern ransomware, Black Basta has a more targeted approach to selecting its victims rather than relying on spray-and-pray tactics. However, the speed with which the malware authors have increased their arsenal of attacks and developed a new Linux build merits further investigation by the ransomware gang behind it.

Zeon Ransomware

The Zeon ransomware was first detected in late January 2022 and is characterized as unsophisticated at the mass production level. Zeon ransomware prompts victims to visit a TOR-based payment portal. Zeon is a precursor to the Royal ransomware. ZeonThanos targets small and medium-sized businesses (SMBs). It spreads via phishing emails, services such as Remote Desktop Protocol (RDP), and third-party platforms (e.g., Empire, Metasploit, Cobalt Strike).

Silent Ransom Group

Luna Moth, aka the Silent Ransom Group, began with a campaign to hack organizations with fake subscription renewals. The group used phishing campaigns that provided remote access tools to steal corporate data. Having stolen sensitive data, the group has threatened to share the files publicly unless a ransom is paid. Luna Moth engages in callback phishing, a social engineering attack that requires the attacker to interact with the target to achieve their goals. This attack style is more resource-intensive but less complex than script-based attacks and is said to have a much higher success rate.

AvosLocker

AvosLocker is another variant working on the RaaS model. First spotted in July 2021, and several variants have been released. One notable feature of AvosLocker campaigns is the use of AnyDesk. This is a remote administration tool (RAT) for connecting to victim computers. In this way, the operator can manually control and infect the machine. It can also run safely as part of an evasive hacking tactic. Attackers sell the stolen data on their website in addition to their double extortion scheme. This could be a way to further monetize one successful attack or save a failed attack.

Experts also believe Conti members have created new and autonomous groups that focus entirely on stealing data rather than encrypting it. These groups include Karakurt, BlackByte, and Bazarcall.

How to protect against ransomware?

Based on the above, we understand ransomware can cause problems for individual users and businesses. Therefore, protecting against ransomware requires a holistic and comprehensive approach and preventive measures. The following recommendations will help prevent ransomware infections and be generally helpful when surfing the Internet.

For users

To prevent a ransomware infection, it is sufficient to follow cyber hygiene, which is as follows:

• Only click on links and only open attachments in an email if you are sure of the reliability of the sender.
• Don’t use hacked software. Often there is an unpleasant surprise in the form of a virus and a disabled license check in the installer.
• Update the operating system on time and the software you use. This is how developers fix detected vulnerabilities.
• Use reliable antivirus software. If malware does get on your computer, the protection tool will neutralize it before it is deployed and begins its dirty actions.

Hint: You can enable display file extensions in Explorer settings. This will help you recognize fake files that are executable but masquerade as document files.

For businesses

The following tips can help prevent a ransomware attack on your organization:

• Make backups. Use a data backup and recovery for all critical information. Note that backups connected to the network can also be affected by ransomware. Therefore, your backup files should be appropriately protected and stored offline so attackers can’t use them. Ideally, implement the 3-2-1 rule, keeping three copies of your information. The data is stored on two different types of storage, and one of those media is off-site. It’s also essential to test the backups periodically to ensure they work and maintain data integrity.
• Application safelisting. A safelist identifies which applications can be downloaded and run on the network. Any unauthorized program or website not on the safelist will be restricted or blocked. Limit users’ ability (permissions) to install and run software applications unnecessarily. Apply the “least privilege” to all systems and services. Restricting these privileges can prevent malicious software from running or limit its spread across the network.
• Endpoint security. As enterprises begin to expand, the number of end users increases. This creates more endpoints, such as laptops, smartphones, and servers, that must be protected. Unfortunately, each remote endpoint creates the opportunity for criminals to gain access to the main network. When you work from home or for a larger company, consider endpoint detection and response (EDR) for all network users.
• Train the team. Because end users and employees are the most common cyberattack gateways, security training is key to preventing ransomware spread. Everyone protects the organization when employees know how to detect and avoid malicious emails. In addition, security training can teach team members what to pay attention to in an email before they click a link or download and open an attachment.

The post Conti Ransomware Heritage in 2023 – What is Left? appeared first on Gridinsoft Blog.

Who are Conti and FIN7?

First of all, let’s explain why the presence of actors from FIN7 and the ceased Conti gang is so noteworthy. FIN7 is a cybercrime gang that likely operates from Russia and Ukraine. It is also known under the names of Carbanak (after the backdoor they use), ITG14 and ALPHV/BlackCat. They are most notorious for collaborations with widely-known threat actors, like Ruyk and REvil ransomware, and the release of their own ransomware, called ALPHV. It is still running, and had a couple of noteworthy attacks the past year.

Conti is a similar and different story simultaneously. They have built their image around an eponymous ransomware sample. Same as FIN7, this group of cybercriminals consists of actors from ex-USSR countries. However, the start of the war in February 2022 led to a quarrel among the group’s top-management and further publication of its source code. That, eventually, led to the group’s dissolution. Previous to these events, Conti was a prolific ransomware gang with a major share on the market.

Their collaboration is an expected thing. Nature abhors a vacuum, so after the gang breakup its members promptly joined other groups, or started new ones. However, the collaboration with other gangs on the creation of brand-new malware is a pretty outstanding case. That may be a great start of a new character on the scene, a new threat actor, or just a powerful boost to the FIN7 gang.

Domino Backdoor Description

Domino is a classic example of a modern backdoor that is capable of malware delivery. It is noticed for spreading a separate malware dropper, coined Domino Loader. The former provides only remote access to the targeted system, while the latter serves for malware deployment. This duo is spotted for being used in a pretty unique multi-step malware spreading campaign.

Dave Loader is a classic dropper malware example – the one which serves only to deliver other malware. Its presence in this scheme, however, gives an interesting clue about the possible relations between Domino and Conti ransomware gang. The infection proceeds with the delivery of Domino backdoor and, in a quick succession, its dropper module. Then, at the final stage, Domino drops a Project Nemesis stealer. The latter aims generally at credentials from social networks, VPN clients and cryptocurrency services.

Why, Exactly, a Collaboration?

The key things that point to the fact that Domino backdoor is a collaboration rather than a stand-alone development is the use of Dave Loader as a delivery way, and sharing certain code elements with FIN7’s brainchild Lizar Malware. Dave is an internal product of Conti gang, used exclusively in its cyberattacks. It never leaked, contrary to the Conti ransomware code, thus there’s no way that a third party uses it. Lizar Loader a.k.a Tirion/DiceLoader, on the other hand, is an auxiliary malware used by FIN7. Domino malware shares major parts of code with this loader, including bot ID generation and data package encryption mechanisms. Moreover, the IPs range where Domino’s command servers are hosted is pretty close to the one FIN7 uses for their C2s; both ranges belong to MivoCloud hosting.

Domino Backdoor & Loader Analysis

Analysts from IBM Security Intelligence already got their hands on Domino samples, both backdoor and dropper. First things first – so let’s start from a backdoor.

Domino Backdoor

It arrives to the infected system as a C++ 64-bit DLL file. The form of DLL file makes it easier for crooks to perform a stealth execution. Droppers Domino generally rely on running it using the shellcode embedded into the payload retrieved from the command server. Once executed, Domino starts hashing the system data in order to generate a bot ID value. Primarily, it looks for username and system name; additionally, malware takes its process ID and adds it to the hash. Its final form looks like a648628c13d928dc-3250.

Hashing proceeds with further decryption of the Domino’s code. It carries an XOR-encrypted code in a data section of its binary; the 16-bit decryption XOR key is placed right before this section. This part contains not only further execution instructions, but also C2 communication data.

C2 Communications

To secure the data transfer, it generates a 32-bit key and uses an embedded RSA public key to encrypt it. This, however, is used only for an initial connection. After that, malware continues with collecting information about the system. For further C2 connections, the malware uses the AES-256-CBC key, which also comes into the initial package. Same as in the first case, Domino generates a public key on the run and uses it to cipher the data package.

It is also interesting how Domino backdoor picks the C2 address it will use as primary. By design, there are only two C2 addresses in the malware configuration section. If the parent system for the malware belongs to a domain (i.e. LAN or WAN), it uses the second IP as a primary. When the computer is stand-alone, Domino chooses the first one.

To guide the malware, C2 sends it a set of commands and a payload. Same as data that goes from the client, they are encrypted. Commands instruct not only about the action, but also about the preferred way to run the payload. The set of commands is like the following:

Domino Loader

Domino Loader resembles the Domino Backdoor in many ways, so the naming convention there is quite obvious. This malware uses the same methods of C2 requests encryption. However, the amount of data gathered about the system is way less; its capabilities are concentrated around retrieving and running the payload’s DLL. It uses an infamous ReflectiveDLLInjection project – a concept of DLL injection technique. This, however, is not the only possible way of the Loader operations – it can change its behaviour depending on the command from the C2 that comes as a supplementary to a payload. It most definitely depends on the form the payload arrives in.

The commands convention is pretty much the same as in the Domino Backdoor. A single-byte blob that precedes the payload indicates what exactly the malware should do. Aside from that, the payload is succeeded with a value that notifies malware about the preferred method of loading. If the value is >0, malware allocates memory within the process it runs in, and runs the DLL payload at the offset that equals the value. That method, actually, requires the aforementioned ReflectiveDLLInjection technique.

Value 0 corresponds to running the payload as a .NET assembly. This supposes calling for VirtualAlloc for memory allocation, and a PAGE_EXECUTE_READWRITE for securing this area. Assembly.Load function finishes the job by making the payload run.

Once the value is -1, Domino Loader runs a PE loading procedure. First, it allocates memory in its current process – same as in the case of DLL loading. Then, however, it copies the headers and sections to the newly allocated memory area, loads the imports of the PE file, and finally runs it. In this case, malware applies the offsets present within the payload PE sections.

Protection against Domino Backdoor/Domino Loader

This malware is rare enough, so it is quite hard to judge on its counteraction ways. Nonetheless, they are definitely needed, as it promises to be pretty dangerous. First and foremost sources of such instructions – spreading ways – are unclear. It may possibly become more obvious in future when Domino will see more popularity. Thus now only common steps may have significant efficiency.

Use a security solution that features a zero-trust protection policy. Only having no trusted programs at all you can be sure that your security tool will not miss a new cunning malware that hides behind a benign program. Zero-trust has its downsides, but they’re much less critical than a paralysed workflow after a ransomware attack.

Improve your network security. This is Domino-specific advice, as this malware features a pretty limited list of only two C2 servers. It may be changed in future, but currently it is not a big deal to block them. This, however, will be much easier to accomplish by having a Network Detection and Response solution. It automatically weeds out potentially malicious requests, and also offers a lot of analytics information. Stopping malware from contacting the C2 makes it useless, as it cannot deliver payloads and do other unpleasant things.

The post Domino Backdoor is Lead by FIN7 and Conti Actors appeared first on Gridinsoft Blog.

It is believed that from mid-April to June 2022, hackers have already organized at least six such phishing campaigns.

Let me remind you that the TrickBot hack group (aka ITG23, Gold Blackburn and Wizard Spider) is considered a financially motivated group, which is known mainly due to the development of the TrickBot banking Trojan of the same name. Over the years, TrickBot has evolved from a classic banker designed to steal funds from bank accounts to a multifunctional dropper that spreads other threats (from miners and ransomware to infostealers).

Let me also remind you that we wrote that TrickBot causes crashes on the machines when cybersecurity experts studying it.

The report notes that, according to researchers, the group recently came under the control of Conti, and Conti operators expressed full agreement with the policy of the Russian authorities at the beginning of Russia’s aggression against Ukraine.

According to IBM Security X-Force, TrickBot has recently turned its attention to Ukraine, and tools such as IcedID, CobaltStrike, AnchorMail and Meterpreter have been used in targeted attacks. It is emphasized that earlier Ukraine was not of interest to hackers, and most of the group’s malware is now configured in such a way that it does not run on systems where the Ukrainian language is not detected.

The company report states that the group often used the threat of a nuclear conflict as bait, distributing the malicious Nuclear.xls file, through which the new AnchorMail malware was already spreading.

The researchers also note the use by hackers of the new Forest cryptor, which is used to avoid detection and protect the CobaltStrike and IcedID payloads. It is assumed that its developer, distributor or operator may be part of the group itself, or have a partnership with TrickBot.

The post TrickBot Hack Group Systematically Attacks Ukraine appeared first on Gridinsoft Blog.

So we were able to learn that the group’s goal was to focus its forces on cryptocurrency, get to the blockchain, developing a variety of solutions for this. It also became known about the dissolution of the staff within the company and its brand, which is disappearing, but the organization remains steadfast. These changes do not affect the activities of the gang of extortionists, but on the contrary, they continue, so to say, in their spirit.

The cryptocurrency and the blockchains were leaked, namely from chats discussing plans. These conversations took place between the group’s main figures, namely Stern (Chairman or President) and Mango (Chief Operating Officer, who is in charge of internal affairs at Conti).

Four scenarios

Just because the gang started using blockchain actively doesn’t mean that Conti developed something to use it. If you consider all the expectations of the management, then the investment goes to the development of its own applications blockchain. While there is no development detail in the chat rooms, the content provides insight into the range of possible applications. It is also possible to launch your cryptocurrency, and maybe even use the blockchain for internal communications and smart contracts, among other things.

Of all the chats leaked into the network, we were able to identify four scenarios for blockchain applications, namely: extortion, corporate espionage, cryptocurrency market manipulation, as well as building an internal communications network.

Focus on corporate espionage

Its blockchain is a good option for Conti. After all, having it, the gang will be much more convenient to store stolen data, as this data will become almost untouchable, which complicates the task of removing them from the server competitors or investigators. A good opportunity for the company is to have a place to store stolen data, in which case Conti will become more focused on its criminal operations.

Blockchain is a good place to store stolen data, as well as a place to hold private auctions on stolen data. Sales and buyers will naturally because everything will pass through private channels, away from the eyes of the community. Not working in public is the way these extortion gangs operate. But Conti doesn’t want to be a big platform either, because the bigger your activity, the more attention to your activity.

Subscriptions and discounts

It is envisaged that blockchain applications will be more focused on the development of Conti’s racketeering business. In the future, the stolen data may be broken down into microtransactions, as well as offering incremental payments to victims, redeeming the data in parts. A system of smart contracts and automatic transactions are also being developed. It is a kind of reliable subscription for data return.

The ransom for blackmail materials and confidential data will be significantly higher than the other less important pieces of information. also, Conti may in the future provide discounts and promotions when paying on a certain day or holiday. That way, they’ll have some sort of plausible impact on the victim and her decision to pay them.

A cryptocurrency of their own

Creating a cryptocurrency is another strategic business move, by Conti. It will be sold into a fictitious scheme. Proprietary coins can be used for money laundering, manipulation, and sale.

Running a cryptocurrency now is a good choice because the interest in it is now more than great. The income from this now exceeds any savings and investment. It is also a good way for those who do not trust their government much.

Communication under the radar

The creation of an internal communication system could not but interest Conti to include this in its list of developments. From the leaked information we can understand that the situation in the internal communication is not quite, so to speak, smooth. The problem with negative psychological impact is also confusion within the gang. By creating a social network based on the blockchain, it is possible to have a clearer, safer and simpler exchange of information. An established communication system may make Conti more efficient and less visible to investigative control agencies.

New approach needed

There is no active phase of Conti activity after the last leaks. And the main thing to understand is that the technical approach to unmasking Conti activities is no longer enough. Well, I guess the operative schematics of the investigation will be the financial investigations because the blockchain is getting more and more turnover. It is possible but difficult to track crypto-cash flows. For cyberspace, focusing on destruction is something new because it was previously only for national security forces.

But still, attacks and destruction are a good way to deal with Conti. So different thinking is used for detection. It is only a question of whether this is legally and morally correct. Of course, the easiest way would be to regulate the crypto market, but this goal is not as realistic as one would like.

Most of all from this picture, the concern is that if Conti succeeds with blockchains, the multitude of other gangs of extortionists will follow their example, and here begins the most interesting how to deal with them and what are the methods of this fight.

The post Conti’s blockchain plans: an ominous prospect appeared first on Gridinsoft Blog.

Conti and LockBit 2.0 are outstanding operators regarding how many targets they managed to attack. The period analyzed is from November 2019 to March 2022. Within that timespan, Conti went offensive on 805 companies while LockBit 2.0 reached the ominous 666. These two ransomware operators are responsible for almost 45% of all the extortion attacks worldwide within the named period. And that is considering that LockBit reached its current activity level only in July 2021. Taking into account the rumors about the Conti group end, LockBit 2.0 might beat Conti in numbers of successful attacks even sooner than in August 2022, which was the earlier assessment.

Victim Companies Locations

Location-wise, the strategies of the two gangs show significant differences. Although North American and Western European companies lead by the number of enterprises targeted by both racketeering groups, that’s where the similarities end and differences begin. Conti’s much more focused on North America: more than two-thirds of this operator’s victims are there. The second position goes to Europe, and the rest, which is 7%, are all other regions.

As for LockBit 2.0, everything’s different. Both Western Europe and North America occupy roughly four-sixths of targets on LockBit’s victim list; America takes a larger part, of course. But unlike in the Conti case, the remaining number of victims (more than Western Europe, around 20% of the total) is distributed in favor of Asia and the Pacific, another considerable part goes to South America, and the remaining targets are in the Middle East, Eastern Europe, and Africa.

The distribution of targets in the case of LockBit is much closer to the distribution of the gross domestic product worldwide. Except for the Asian region. China‘s economy obviously dominates there, and China’s GDP is the world’s highest. However, this country is seemingly “spared” by ransomware actors in question. In the Asia and Pacific region, Conti makes a clear accent on victimizing English-speaking countries: Australia, New Zealand, Singapore, and India. We will reflect on the reasons for that in the conclusions to this item.

Industries and Company Sizes

Victimized industries are mostly the same for both operators, and no specific sphere is targeted purposefully by either ransomware group. The top most attacked industries are the same for LockBit and Conti: financial, IT, manufacturing, materials, professional services, and construction.

What is more curious is the difference between the size of attacked companies. Conti concentrates on enterprises with a relatively large number of employees. For instance, 237 attack cases (the highest number, considering Trend Micro’s selection of company sizes) fall under enterprises with 51-200 employees. LockBit’s maximum (222 attacks) is directed against companies employing 11-50 people. As for larger entities (201-500 employees), Conti’s haul here is 182 attacks and LockBit’s – 89. One of LockBit’s victims, according to Trend Micro, is a company consisting of one person.

Conclusions

The fact that Hong Kong is an alleged location of the LockBit gang leader might explain the group’s discretion in attacking China. An official investigation might critically jeopardize the group’s commander, his haven, and further operations.

In the case of Conti, everything is different. This ransomware group declared its support of Russia in the context of Russia’s invasion of Ukraine. Therefore, Conti attacks Russia’s opponents, mainly the USA, and holds its hand from victimizing Russia’s allies, such as China and most of the former Soviet Republics.

The distribution of LockBit’s victims and companies arguably proves the group’s claims to be out of politics and only financially motivated. Earlier, LockBit 2.0 even made a media performance promising to disclose data stolen from Mandiant, a cyber security giant, at the full tilt of the RSA cybersecurity conference. What preceded this prank was Mandiant report on LockBit’s connection with the Russian ransomware gang Evil Corp, which LockBit strictly denied.

The post Conti vs. LockBit 2.0 – a Trend Micro Research in Brief appeared first on Gridinsoft Blog.

The departure of the last Conti servers offline was noticed on Wednesday, June 22, by the participants of the DarkFeed project (ransomware monitoring). On Friday, according to BleepingComputer, they were still unavailable.

Conti completed the shutdown

In the second half of May, the group behind Conti began to wind down operations related to this ransomware. The servers used for communications and data storage were taken out of service, the service for negotiating with victims was disabled, and information about successful attacks was not uploaded to the site.

The organized crime group put up a smoke screen to hide these works from outsiders. A single participant was still active on the site. He continued to publish some stolen data (in fact, the results of previous attacks) and teased one of the latest victims – the government of Costa Rica. A massive Conti attack on government agencies in Costa Rica occurred in April. Attackers managed to steal 672 GB of data from 27 organizations and stop several vital services. As a result, a state of emergency was declared in the country.

The decision to abolish the Conti brand is overdue, primarily due to increased attention from the cybersecurity community and law enforcement agencies. Attacks of malefactors became too bold and loud. The recent leakage of internal data of organized crime groups pushed some Twitter users to collect dossiers on criminals. The US authorities, for their part, announced a reward of up to $10 million for the heads of the crime syndicate leaders.

Conti operators have actively established partnerships and willingly taken less fortunate colleagues under their wing, they can now afford to work under other brands. They might join smaller groups and keep friendly relations with their leaders and specialists – testers, developers, and programmers. Anyway, the decision to kill the Conti brand was right – to avoid repeating the fate of REvil group.

About Conti group

Conti ransomware group was one of the first “reborn” of an older ransomware group. Ryuk ransomware, which appeared in summer 2018, decided to stop roughly after two years of a successful activity that brought the group over 400 BTC. However, they were not aiming for a retirement – instead, they chose to rebrand. After a 3-month vacation in autumn 2020, they appeared under the name of the Conti group.

During the next 19 months of activity, Conti quickly reached the highest positions in ransomware ratings. Its competitors were very big names, such as REvil, LockBit, BlackMatter and DarkSide. Some of them are shut down at the moment. Some did the rebranding and are acting under a different name. However, they all never reached the same market share – at one moment, Conti accounted for almost 50% of all ransomware attacks against corporations.

Good start, bad final

It is obvious that such a great cybercriminal success is an object of interest for executive authorities. The latter was glad to meet any possible weakness, which happened at the beginning of the Russia-Ukraine war. Apparently, the group consisted of both Ukrainians and Russians – and after the war began, the group chiefs (likely Russians) claimed their full support of a “special military operation in Ukraine”. The Ukrainian part of the group decided to make grand mischief – by leaking the source codes of ransomware. That made it possible to use it not only for attacking russian companies – NB65 ransomware did it almost instantly after the leak, but also to trace the group’s chiefs. To avoid further deanonymization and capture, they decided to shut down their activity. And in the last few days, they removed the rest of their infrastructure from the Darknet page.

Will they come back? No one knows, but I am sure analysts will quickly uncover such a comeback. Conti had several unique features that make it possible to trace their software without a mistake. The rest of the group is located in Russia, and after the cease any cooperation with the USA in the cybersecurity space, this country is likely the safest place for cybercriminals. Unless they criticize Putin, of course. Still, there is an unanswered question – what can the victims do if they did not contact the crooks before they went offline? Other groups usually release the keys after claiming the shutdown. This one did not say a word.

The post Conti Ransomware Shutdown, Site Disabled appeared first on Gridinsoft Blog.

Conti, a notorious Russian ransomware gang responsible for the attack on Irish medical institutions last year, is believed to be disbanded after the internal correspondence of the gang members got into the possession of journalists. Later on (in March,) the source code of the ransomware used by the group also got leaked. Conti, originating in Russia, previously declared its support of the Russian government regarding the invasion of Ukraine. The group’s Jabber-servers were hacked, and chats were published after that. Later, two websites used by the group to communicate with victims and leak data ceased working.

However, specialists don’t expect the group to disappear. Many former Conti members founded new groups or joined the existing ones even before the gang stopped working. The known ransomware crews where Conti gangsters found their places include BlackCat, Hive, AvosLocker, HelloKitty, Quantum, and others. There are also non-encoding extortion businesses founded by other Conty participants: Karakurt, BlackByte, and Bazarcall Collective. Thus, only brand is gone, but the malefactors will hardly change their ways.

Statistics

May showed an 18% decrease in ransomware activity compared to April. As before, the most attacked sectors were the industrial sector, consumer cyclicals, and technology (31%, 22%, and 10% of attacks, respectively.) Lockbit 2.0 remained the most raging ransomware actor in May, with not less than 95 victims on its account (40% of cases.) The mentioned Conti was also active alongside Hive and recently emerged Black Basta (17 cases, 7%.) The total number of ransomware attacks in May amounted to 236 (against April’s 289.)

NCC Group is a British information security advisor company based in Manchester. With over 15 thousand clients worldwide, NCC Group is presented on the London Stock Exchange and is one of the constituents of the FTSE 250 Index. Every months, the company issues a “Threat Pulse” – a comprehensive report on the world’s cyber threat landscape.

The post NCC Group’s May 2022 Threat Report Reflects Conti’s End appeared first on Gridinsoft Blog.

More and more amateur hackers appeared after February, 24

The most common hacks were attacks of viruses-lockers, which put on the screen the national inscription “Slava Ukraini” as researchers of the region claim. Lockers are the precursors of ransomware, they do not encrypt files, but lock the screen, displaying a banner over the top. Statistics showed that about 11% of all cyberattacks from January-April 2022 were aimed at Ukraine and 40% at Russia. The cybernetics world boomed from that. The cybernetics world boomed from that.

Also connected to the #WarinUkraine, the number of lockscreen ransomware variants also grew in T1 2022. Russia was targeted by 40% of such attacks, while Ukraine only by 11%. The Win/Lockscreen.AWI variant even displayed the title “Slava Ukraini”. 2/5 pic.twitter.com/r1IjvhRVP2

— ESET research (@ESETresearch) June 10, 2022

It is believed that many hackers live in the CIS countries, so until this year their activities were not so clearly manifested on the territory of Russia and Ukraine, most likely because of their location or retaliation from Russia. After February 24, 2022, when Russia launched the so-called special operation, that is, the war, the number of extortion programs has grown exponentially. This is also confirmed by Igor Kabina, the senior ESET detection engineer.

Russia reached the all-time high in its share in ransomware attacks

The infamous Conti group could not help but distinguish itself against the background of all this. In the beginning, the backgrounds were announced to be valiant to Vladimir Putin, after which the Ukrainian insider created a Twitter account in which he exposed this Ransomware gang. Of course, after the revelation in May, this group magically left the arena. Since then, other companies, such as LockBit, have not expressed their preferences brightly to avoid this.

Igor Kabina, the senior ESET detection engineer, claims in her interview that such hacks and attacks will be even more focused on all of this because the military ideology and propaganda are escalating. And as the number of pro-Russian and pro-Ukrainian extortion programs grows, the news will continue to be disappointing for many companies that will fall under the risks of hacking and attacks by these extortionists.

The post War in Ukraine triggered a Stream of amateurish ransomware appeared first on Gridinsoft Blog.