The big news in the cyberattacks of February 12-18, 2022 was that the Conti ransomware group hired the core developers and managers of the TrickBot group, the team behind the TrickBot malware.
With this acquisition, the Conti ransomware group is expected to focus on developing stealthier malware such as BazarBackdoor, while the TrickBot malware is expected to fade away gradually, since it is now easily detected by antivirus software.
With this merger, Conti has evolved into a genuine cybercrime syndicate, with separate groups developing the malware for each stage of a ransomware attack (from initial access to encryption).
In other news, the FBI has disclosed a breach of US critical infrastructure by BlackByte, and a new report from Chainalysis sheds more light on the ransomware payments ecosystem.
Other ransomware attacks uncovered this week include BlackByte’s attack on the San Francisco 49ers, the ransomware damage at Mizuno, and BlackCat’s confirmation that it was behind the attack on Swissport.
February 13, 2022
NFL’s San Francisco 49ers suffer BlackByte ransomware attack
The NFL’s San Francisco 49ers team is recovering from a cyberattack by BlackByte, a ransomware gang that claims to have stolen data from the American football organization.
Outbreak of a new STOP ransomware variant
Jakub Kroustek has discovered a new STOP ransomware variant that adds the extensions .qnty and .iips.
New Dharma ransomware variant outbreak
Jakub Kroustek has discovered a new Dharma ransomware variant that appends a .kl extension.
New Sojusz ransomware outbreak
Amigo-A has discovered a new ransomware called Sojusz that appends the .sojusz extension.
February 14, 2022
Sports brand Mizuno hit by ransomware attack, orders delayed
Mizuno, a brand of sporting goods and sportswear, has been affected by a ransomware attack, resulting in dropped calls and delayed orders.
FBI Announces Ransomware “BlackByte” Is Infiltrating Critical U.S. Infrastructure
The U.S. Federal Bureau of Investigation (FBI) has revealed that the BlackByte ransomware group has infiltrated the networks of at least three organizations in the U.S. critical infrastructure sector over the past three months.
Russian cybercriminals heavily promote ransomware and cryptocurrency-based money laundering activities
This article delves into two intertwined areas of the Russian crypto-crime ecosystem that have serious implications for cybersecurity, compliance, and national security: ransomware and money laundering.
Wazawaka ran Babuk, a ransomware affiliate program, and later became “Orange”, the founder of RAMP, a dark web forum dedicated to ransomware.
Outbreak of new ransomware “D3adCrypt”
Amigo-A has discovered a new ransomware named D3adCrypt that adds the extension .d3ad and drops ransom notes named d3ad_Help.txt and d3ad_Help.hta.
February 15, 2022
BlackCat (ALPHV) claims Swissport ransomware attack – leaks data
The BlackCat ransomware group, aka ALPHV, has announced that it was behind the recent cyberattack on Swissport that caused flight delays and service disruptions.
New variant of ransomware “LockDown”
Karsten Hahn has discovered a new variant of the LockDown ransomware that adds the extension .cantopen.
February 16, 2022
Chainalysis 2022 crypto crime report
Throughout 2021, the ransomware damage figures were revised several times as new payment methods were identified that had not previously been tracked. This is nearly double the amount we initially identified when we wrote our report last year.
February 17, 2022
SugarLocker ransomware and operator tracking
After investigating the SugarLocker ransomware, we estimate that the operator has been developing it since at least early 2021. The ransomware appears to have actually been distributed since the second half of last year, but so far no attack cases have been confirmed. The operator does not run a data leak site, and the ransomware seems to have been renamed recently, so it is not yet considered active.
New STOP ransomware variants
PCrisk has discovered a new STOP ransomware variant that appends the .ckae and .eucy extensions.
How to Decrypt Data Infected by Hive Ransomware
Among the many types of malicious code, ransomware is a major threat. Ransomware encrypts data and demands a ransom in exchange for decryption. Without the encryption key it is impossible to recover the data, so some companies pay huge sums of money or lose important data, either of which can be very damaging.
Hive ransomware has caused so much damage that the FBI has issued an alert. To minimize the damage caused by Hive and to help victims recover their files, the authors analyzed the Hive ransomware and its recovery methods.
By analyzing the encryption process of the Hive ransomware, we confirmed the existence of a vulnerability due to its proprietary encryption algorithm. The attacker’s RSA private key was recovered. Without using the attacker’s RSA private key, we recovered 95% of the master key and actually decrypted the infected data.
This is the first successful attempt to decrypt Hive ransomware. It is hoped that this method can be used to mitigate the damage it causes.
Very interesting stuff on ransomware decryption, but Michael Gillespie says it may not be a practical way to decrypt files encrypted by Hive.
February 18, 2022
Ransomware “Conti” takes over the operation of malware “TrickBot”
After four years of activity and multiple takedown attempts, TrickBot has been shut down, and its top members have moved to the Conti ransomware syndicate, which plans to replace TrickBot with the stealthier BazarBackdoor malware.
New ransomware “MonaLisa”
Amigo-A has discovered a new ransomware called “MonaLisa”. This ransomware appends the “.barrel” or “.nekochan” extension and drops a ransom note named “info.txt” or “info.hta”.
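The variant entries above (STOP, Dharma, Sojusz, D3adCrypt, LockDown and MonaLisa) each name an appended extension and, in some cases, a ransom-note file name. As an added example that is not part of the original roundup, the script below turns those indicators into a small triage check over a file listing, the kind of thing a responder runs against a share export or a backup catalogue to get a first family attribution. The indicator table is transcribed from the entries on this page; the sample listing is constructed, and the confidence levels are an assumption of this example (an encrypted-file extension is treated as stronger evidence than a ransom note, and a generic note name such as info.txt is treated as weak on its own).

```python
"""Triage a file listing for the ransomware indicators named in this roundup.

Added example: the indicator table is transcribed from the roundup entries
(appended extensions and ransom-note names); the sample listing is constructed.
"""
from __future__ import annotations

import os
from collections import defaultdict
from typing import Iterable

# family -> (appended extensions, ransom-note file names), as reported above
INDICATORS: dict[str, tuple[set[str], set[str]]] = {
    "STOP": ({".qnty", ".iips", ".ckae", ".eucy"}, set()),
    "Dharma": ({".kl"}, set()),
    "Sojusz": ({".sojusz"}, set()),
    "D3adCrypt": ({".d3ad"}, {"d3ad_help.txt", "d3ad_help.hta"}),
    "LockDown": ({".cantopen"}, set()),
    "MonaLisa": ({".barrel", ".nekochan"}, {"info.txt", "info.hta"}),
}

# Note names too generic to attribute a family on their own (assumption of this example).
GENERIC_NOTES = {"info.txt", "info.hta"}


def _basename(path: str) -> str:
    # Accept both Windows and POSIX separators so exported listings work unchanged.
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify_path(path: str) -> tuple[str, str] | None:
    """Return (family, kind) for a path matching an indicator, else None.

    kind is "ext" for an appended encrypted-file extension, "note" for a ransom note.
    """
    name = _basename(path)
    ext = os.path.splitext(name)[1]  # last extension, e.g. report.docx.qnty -> .qnty
    for family, (exts, notes) in INDICATORS.items():
        if ext in exts:
            return family, "ext"
        if name in notes:
            return family, "note"
    return None


def scan_listing(paths: Iterable[str]) -> dict[str, dict[str, list[str]]]:
    """Group matching paths by family and indicator kind."""
    hits: dict[str, dict[str, list[str]]] = defaultdict(lambda: {"ext": [], "note": []})
    for p in paths:
        match = classify_path(p)
        if match:
            family, kind = match
            hits[family][kind].append(p)
    return dict(hits)


def attribute(hits: dict[str, dict[str, list[str]]]) -> dict[str, str]:
    """Confidence per family: "high" with encrypted-extension hits, "medium" with a
    distinctive ransom note only, "low" with only a generic note name."""
    out: dict[str, str] = {}
    for family, h in hits.items():
        if h["ext"]:
            out[family] = "high"
        elif any(_basename(p) not in GENERIC_NOTES for p in h["note"]):
            out[family] = "medium"
        else:
            out[family] = "low"
    return out


# Constructed sample listing: two STOP-encrypted documents, one untouched file,
# a generic info.txt and a distinctive D3adCrypt note.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\q1_report.docx.qnty",
    r"C:\Users\alice\Documents\budget.xlsx.qnty",
    r"C:\Users\alice\Pictures\holiday.jpg",
    r"D:\share\info.txt",
    r"D:\share\d3ad_Help.txt",
]

if __name__ == "__main__":
    found = scan_listing(SAMPLE_LISTING)
    for family, confidence in attribute(found).items():
        print(f"{family}: {confidence} ({len(found[family]['ext'])} encrypted, "
              f"{len(found[family]['note'])} notes)")
```

Run on the constructed listing it reports STOP with high confidence (two encrypted files), D3adCrypt with medium confidence (a distinctive note but no encrypted files) and MonaLisa with low confidence, since info.txt alone is not enough to attribute; a responder would confirm the last two against file contents before acting on them.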