The Week in Ransomware – March 4th 2022

Conti

This week has been information overload when it comes to cybersecurity, leaks, and cyberattacks resulting from the invasion of Ukraine.

However, this week’s biggest story is the massive data leak from the Conti ransomware operation, including over 160,000 internal messages between members and source code for the ransomware and TrickBot operation.

In addition to the Conti Leaks, we also saw someone dox the TrickBot/Conti operation members, leaking private messages and their personal information.

These leaks are a treasure trove of information for security researchers and law enforcement who get a detailed look into the inner operations of an organized ransomware gang that runs their operation like a business.

Other news this week includes an attack on a Toyota supplier that disrupted production and an attack on insurance giant AON.

Finally, a decryptor was released for a ransomware decoy known as HermeticRansom that was used against Ukrainian entities.

It should be noted that over the past week, there has been a tremendous amount of information released by a lot of people around the Conti and TrickBot leaks, which makes it impossible to catalog it all. If we missed anyone, we apologize.

Contributors and those who share new ransomware information and stories this week include: @PolarToffee, @VK_Intel, @malwareforme, @BleepinComputer, @FourOctets, @serghei, @demonslay335, @fwosar, @malwrhunterteam, @Ionut_Ilascu, @struppigel, @jorntvdw, @LawrenceAbrams, @DanielGallagher, @billtoulas, @Seifreed, @darktracer_int, @AvastThreatLabs, @CrowdStrike, @ContiLeaks, @trickleaks, @BrettCallow, @MsftSecIntel, @ransomwarefiles, @briankrebs, @HoldSecurity, @radvadva, @ransomwhere_, @LadislavZezula, and @JGomes_EU.

February 27th 2022

Conti ransomware’s internal chats leaked after siding with Russia

A Ukrainian security researcher has leaked over 60,000 internal messages belonging to the Conti ransomware operation after the gang sided with Russia over the invasion of Ukraine.

February 28th 2022

Microsoft: Ukraine hit with FoxBlade malware hours before invasion

Microsoft said that Ukrainian networks were targeted with recently found malware several hours before Russia’s invasion of Ukraine on February 24th.

Toyota halts production after reported cyberattack on supplier

Japanese automaker Toyota Motors has announced that it stopped car production operations. The outage was forced by a system failure at one of its suppliers of vital parts, Kojima Industries, which reportedly suffered a cyberattack.

Insurance giant AON hit by a cyberattack over the weekend

Professional services and insurance giant AON has suffered a cyberattack that impacted a “limited” number of systems.

New Dharma Ransomware variant

PCrisk found a new Dharma ransomware variant that appends the .xgpr extension.

New STOP Ransomware variants

PCrisk found new STOP ransomware variants that append the .fgnh and .fgui extensions.

March 1st 2022

Decryptable PartyTicket Ransomware Reportedly Targeting Ukrainian Entities

Analysis of the PartyTicket ransomware indicates it only superficially encrypts files and does not properly initialize the encryption key, making files encrypted with the associated .encryptedJB extension recoverable.

Conti Ransomware source code leaked by Ukrainian researcher

A Ukrainian researcher continues to deal devastating blows to the Conti ransomware operation, leaking further internal conversations, as well as the source for their ransomware, administrative panels, and more.

Stormous ransomware gang sides with Russia

The STORMOUS ransomware gang has officially announced its support for the Russian government.

Conti Ransomware Group Diaries, Part I: Evasion

The chat logs offer a fascinating glimpse into the challenges of running a sprawling criminal enterprise with more than 100 salaried employees. The records also provide insight into how Conti has dealt with its own internal breaches and attacks from private security firms and foreign governments.

New STOP Ransomware variant

PCrisk found a new STOP ransomware variant that appends the .sdjm extension.

March 2nd 2022

In Part II of this series we’ll explore what it’s like to work for Conti, as described by the Conti employees themselves.

New Phobos Ransomware variant

PCrisk found a new Phobos ransomware variant that appends the .DIKE extension.

MAPPING THE CONTI NETWORK

A network relationship map, showing the relationships between users, based on the leaked Conti chat logs.

March 3rd 2022

Free decryptor released for HermeticRansom victims in Ukraine

Avast has released a decryptor for the HermeticRansom ransomware strain used in targeted attacks against Ukrainian systems over the past ten days.

New STOP Ransomware variant

PCrisk found a new STOP ransomware variant that appends the .iiof extension.

March 4th 2022

New STOP Ransomware variant

PCrisk found a new STOP ransomware variant that appends the .vyia extension.

That’s it for this week! Hope everyone has a nice weekend!