The Week in Ransomware – February 18th 2022 – Mergers & Acquisitions

The big news this week is that the Conti ransomware gang has recruited the core developers and managers of the TrickBot group, the developers of the notorious TrickBot malware.

This recruitment drive allows the Conti ransomware gang to concentrate on developing stealthier malware, such as BazarBackdoor, while letting the TrickBot malware wane now that it is readily detected by antivirus software.

With this “merger,” Conti has evolved into an actual cybercrime syndicate with different groups focusing on developing malware for each leg of a ransomware attack, ranging from initial access to encrypting.

This week’s other news is the FBI disclosing that BlackByte breached US critical infrastructure, and a new report by Chainalysis gives us a better glimpse of the ransomware payment ecosystem.

New ransomware attacks we learned about this week include BlackByte’s attack on the San Francisco 49ers, Mizuno getting hit by ransomware, and BlackCat confirming it was behind the attack on Swissport.

Contributors and those who provided new ransomware information and stories this week include: @BleepinComputer, @fwosar, @Ionut_Ilascu, @DanielGallagher, @PolarToffee, @LawrenceAbrams, @FourOctets, @Seifreed, @serghei, @malwareforme, @VK_Intel, @jorntvdw, @malwrhunterteam, @demonslay335, @struppigel, @JakubKroustek, @Ax_Sharma, @S2W_Official, @pcrisk, @chainalysis, @briankrebs, and @Amigo_A_.

February 13th 2022

NFL’s San Francisco 49ers hit by Blackbyte ransomware attack

The NFL’s San Francisco 49ers team is recovering from a cyberattack by the BlackByte ransomware gang, which claims to have stolen data from the American football organization.

New STOP Ransomware variants

Jakub Kroustek found new STOP Ransomware variants that append the .qnty and .iips extensions.

New Dharma Ransomware variant

Jakub Kroustek found a new Dharma Ransomware variant that appends the .kl extension.

New Sojusz ransomware

Amigo-A found a new ransomware named Sojusz that appends the .sojusz extension.

February 14th 2022

Sports brand Mizuno hit with ransomware attack delaying orders

Sports equipment and sportswear brand Mizuno is affected by phone outages and order delays after being hit by ransomware, BleepingComputer has learned from sources familiar with the attack.

FBI: BlackByte ransomware breached US critical infrastructure

The US Federal Bureau of Investigation (FBI) revealed that the BlackByte ransomware group has breached the networks of at least three organizations from US critical infrastructure sectors in the last three months.

Russian Cybercriminals Drive Significant Ransomware and Cryptocurrency-based Money Laundering Activity

In this section, we’ll delve into two intertwined areas of Russia’s crypto crime ecosystem that, together, have serious implications for cybersecurity, compliance, and national security: ransomware and money laundering.

Wazawaka Goes Waka Waka

This post concerns itself with the other half of Wazawaka’s identities not mentioned in the first story, such as how Wazawaka also ran the Babuk ransomware affiliate program, and later became “Orange,” the founder of the ransomware-focused Dark Web forum known as “RAMP.”

New D3adCrypt ransomware

Amigo-A found a new ransomware dubbed D3adCrypt that appends the .d3ad extension and drops ransom notes named d3ad_Help.txt and d3ad_Help.hta.

February 15th 2022

BlackCat (ALPHV) claims Swissport ransomware attack, leaks data

The BlackCat ransomware group, aka ALPHV, has claimed responsibility for the recent cyber attack on Swissport that caused flight delays and service disruptions.

New LockDown ransomware variant

Karsten Hahn spotted a new LockDown ransomware variant that appends the .cantopen extension.

February 16th 2022

The Chainalysis 2022 Crypto Crime Report

Sure enough, we updated our ransomware numbers a few times throughout 2021, reflecting new payments we hadn’t identified previously. As of January 2022, we’ve now identified just over $692 million in 2020 ransomware payments — nearly double the amount we initially identified at the time of writing last year’s report.

February 17th 2022

Tracking SugarLocker ransomware & operator

As a result of hunting for the SugarLocker ransomware, it is presumed that the operator has been producing SugarLocker ransomware since at least early 2021. It seems that ransomware has actually been distributed since the second half of last year, but no attack cases have been confirmed so far. They do not operate a data leak site, and it seems that the ransomware name has been changed recently, so it does not appear to be active yet.

New STOP Ransomware variants

PCrisk found new STOP Ransomware variants that append the .ckae and .eucy extensions.

A Method for Decrypting Data Infected with Hive Ransomware

Among the many types of malicious codes, ransomware poses a major threat. Ransomware encrypts data and demands a ransom in exchange for decryption. As data recovery is impossible if the encryption key is not obtained, some companies suffer from considerable damage, such as the payment of huge amounts of money or the loss of important data. In this paper, we analyzed Hive ransomware, which appeared in June 2021. Hive ransomware has caused immense harm, leading the FBI to issue an alert about it. To minimize the damage caused by Hive Ransomware and to help victims recover their files, we analyzed Hive Ransomware and studied recovery methods. By analyzing the encryption process of Hive ransomware, we confirmed that vulnerabilities exist by using their own encryption algorithm. We have recovered the master key for generating the file encryption key partially, to enable the decryption of data encrypted by Hive ransomware. We recovered 95% of the master key without the attacker’s RSA private key and decrypted the actual infected data. To the best of our knowledge, this is the first successful attempt at decrypting Hive ransomware. It is expected that our method can be used to reduce the damage caused by Hive ransomware.

While a very interesting read on decrypting ransomware, Michael Gillespie says that it may not be a practical method to decrypt files encrypted by Hive.
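To make the abstract’s claim concrete, here is an added toy model (not Hive’s actual algorithm, which the abstract does not spell out, and not code from the paper) of the general weakness it describes: a homegrown XOR stream cipher that draws every file’s keystream from one per-victim master keystream, so keystream bytes are reused across files. The master size, the cleartext per-file offset footer and the sample files are all constructed assumptions. With enough files whose formats begin with fixed magic bytes, an analyst can recover the keystream bytes those headers sit on, and with them decrypt any other file whose keystream slice falls inside the recovered region, without ever touching the attacker’s RSA private key. It also shows why recovery is only partial: bytes outside the leaked region stay unknown.

```python
"""Known-plaintext recovery of a reused master keystream (constructed toy model)."""
import os
import random
import struct

MASTER_LEN = 4096             # toy master keystream size (assumption)
FOOTER = struct.Struct("<I")  # per-file keystream offset stored in clear (assumption)

# Fixed magic bytes an analyst can assume for common formats.
KNOWN_PREFIXES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF-1.",
    ".zip": b"PK\x03\x04",
}


def xor(data: bytes, keystream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream))


def encrypt_file(plaintext: bytes, master: bytes, offset: int) -> bytes:
    """Victim side of the toy scheme: XOR with master[offset:] and append the offset."""
    keystream = master[offset:offset + len(plaintext)]
    if len(keystream) < len(plaintext):
        raise ValueError("toy scheme: file runs past the end of the master keystream")
    return xor(plaintext, keystream) + FOOTER.pack(offset)


def split(blob: bytes):
    """Separate the ciphertext body from the cleartext offset footer."""
    (offset,) = FOOTER.unpack(blob[-FOOTER.size:])
    return blob[:-FOOTER.size], offset


def recover_keystream(encrypted_files: dict) -> dict:
    """Analyst side: for every file whose extension implies a fixed header, XOR the
    first ciphertext bytes with that header to learn keystream bytes at
    offset..offset+len(header). Returns {keystream_position: byte}."""
    known = {}
    for name, blob in encrypted_files.items():
        prefix = KNOWN_PREFIXES.get(os.path.splitext(name)[1].lower())
        if prefix is None:
            continue
        body, offset = split(blob)
        for i, (c, p) in enumerate(zip(body, prefix)):
            known[offset + i] = c ^ p
    return known


def decrypt_with_partial(blob: bytes, known: dict):
    """Decrypt each byte whose keystream position is known; '?' marks the rest."""
    body, offset = split(blob)
    out, missing = bytearray(), 0
    for i, c in enumerate(body):
        k = known.get(offset + i)
        if k is None:
            out.append(ord("?"))
            missing += 1
        else:
            out.append(c ^ k)
    return bytes(out), missing


def build_victim(seed: int = 1):
    """Constructed sample victim: one master keystream and a batch of encrypted files."""
    rng = random.Random(seed)
    master = bytes(rng.getrandbits(8) for _ in range(MASTER_LEN))
    files = {}
    # Many small PNGs at overlapping offsets: each one leaks 8 keystream bytes.
    for off in range(0, 512, 4):
        body = KNOWN_PREFIXES[".png"] + bytes(rng.getrandbits(8) for _ in range(24))
        files[f"img{off}.png"] = encrypt_file(body, master, off)
    # Target with no known header, encrypted inside the region the PNGs leak.
    files["payroll.txt"] = encrypt_file(b"Q3 payroll export - do not distribute", master, 100)
    return master, files


def demo():
    master, files = build_victim()
    known = recover_keystream(files)
    assert all(master[pos] == k for pos, k in known.items())  # every recovered byte is right
    coverage = len(known) / MASTER_LEN
    plain, missing = decrypt_with_partial(files["payroll.txt"], known)
    return coverage, plain, missing


if __name__ == "__main__":
    coverage, plain, missing = demo()
    print(f"recovered {coverage:.1%} of the master keystream; "
          f"target decrypted with {missing} unknown bytes: {plain!r}")
```

The recovered fraction grows with the number and variety of encrypted files whose headers are predictable, which is why a paper can report a high but not complete master-key recovery rate, and why files whose keystream slice lies outside the leaked region remain undecryptable.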

February 18th 2022

Conti ransomware gang takes over TrickBot malware operation

After four years of activity and numerous takedown attempts, the death knell of TrickBot has sounded as its top members move under new management, the Conti ransomware syndicate, who plan to replace it with the stealthier BazarBackdoor malware.

New MonaLisa ransomware

Amigo-A found a new ransomware dubbed MonaLisa that appends the .barrel or .nekochan extensions and drops ransom notes named info.txt or info.hta.
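For responders triaging a mounted disk image, here is an added triage helper (not BleepingComputer’s code) that flags files matching the extension and ransom-note indicators from this week’s STOP, Dharma, Sojusz, D3adCrypt, LockDown and MonaLisa blurbs above. The sample paths are constructed, and the rule that a generic note name such as info.txt only counts when a renamed file of the same family sits beside it is my own design choice, not something the blurbs state.

```python
"""Flag files matching this week's ransomware extension and note-name indicators."""
import os
from collections import Counter, defaultdict

# Extension -> family, from this week's indicator blurbs.
EXTENSIONS = {
    ".qnty": "STOP", ".iips": "STOP", ".ckae": "STOP", ".eucy": "STOP",
    ".kl": "Dharma",
    ".sojusz": "Sojusz",
    ".d3ad": "D3adCrypt",
    ".cantopen": "LockDown",
    ".barrel": "MonaLisa", ".nekochan": "MonaLisa",
}

# Ransom-note filename (lower-cased) -> family, from the same blurbs.
NOTES = {
    "d3ad_help.txt": "D3adCrypt", "d3ad_help.hta": "D3adCrypt",
    "info.txt": "MonaLisa", "info.hta": "MonaLisa",
}


def triage(paths):
    """Return (Counter of family -> hit count, list of (path, family, reason)).

    Extension matches always count. Note-name matches only count when the same
    directory also holds a file renamed with one of that family's extensions,
    because names like info.txt are far too common to flag on their own.
    """
    by_dir = defaultdict(list)
    for p in paths:
        by_dir[os.path.dirname(p)].append(p)

    hits = []
    for files in by_dir.values():
        families_here = set()
        for p in files:
            ext = os.path.splitext(p)[1].lower()
            family = EXTENSIONS.get(ext)
            if family:
                families_here.add(family)
                hits.append((p, family, "extension " + ext))
        for p in files:
            family = NOTES.get(os.path.basename(p).lower())
            if family and family in families_here:
                hits.append((p, family, "ransom note"))
    return Counter(family for _, family, _ in hits), hits


def walk(root):
    """Yield every file path under root (for example a mounted evidence image)."""
    for directory, _, names in os.walk(root):
        for name in names:
            yield os.path.join(directory, name)


# Constructed sample paths standing in for walk() over a mounted image.
SAMPLE_PATHS = [
    "/mnt/evidence/Users/alice/Documents/budget.xlsx.qnty",
    "/mnt/evidence/Users/alice/Documents/notes.docx.qnty",
    "/mnt/evidence/Users/alice/Pictures/holiday.jpg.barrel",
    "/mnt/evidence/Users/alice/Pictures/info.txt",
    "/mnt/evidence/Users/alice/Desktop/info.txt",      # lone info.txt: not flagged
    "/mnt/evidence/Users/alice/Desktop/readme.txt",
    "/mnt/evidence/Users/bob/share/report.pdf.d3ad",
    "/mnt/evidence/Users/bob/share/d3ad_Help.hta",
]

if __name__ == "__main__":
    counts, hits = triage(SAMPLE_PATHS)
    for path, family, reason in hits:
        print(f"{family:10} {reason:20} {path}")
    print(dict(counts))
```

Run it as `triage(walk("/mnt/evidence"))` against a read-only mount; the per-family counts give a quick picture of which family hit which user directories before you pull the actual ransom notes and samples for identification.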

That’s it for this week! Hope everyone has a nice weekend!

Source: https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-february-18th-2022-mergers-and-acquisitions/