Ukrainian Researcher Released Software for Conti Ransomware

Conti, the notorious ransomware gang, is now the subject of cyberattacks following its proclamation early last week that it wholeheartedly supports Russia's continuing invasion of neighboring Ukraine, with the most recent blow being the public release of its source code.

This comes only days after an archive comprising well over a year's worth of instant conversations between members of Conti, believed to be based in Russia, was leaked: some 400 files and tens of thousands of lines of Russian-language internal chat logs. The internal communication files contain messages from January 2021 to February 27 of this year.

Its analysis cited a cybersecurity bulletin issued jointly by the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI over the weekend, which warned that Russia's attack on Ukraine – which also included cyberattacks on the Ukrainian government and key infrastructure organizations – could spill over Ukraine's borders, especially in the wake of US and allied sanctions.

Throughout the night, ContiLeaks continued publishing more information, including the source code for the gang's administration panel, the BazarBackdoor API, storage server screenshots, and more. The component of the release that drew the most interest was a password-protected archive containing the source code for the Conti ransomware encryptor, decryptor, and builder. While the leaker did not reveal the password publicly, another researcher cracked it soon after, giving everyone access to the source code of the Conti ransomware files.

If you are a reverse engineer, the code may not tell you much that is new. For those who can program in C but cannot reverse engineer, the source code contains a wealth of information about how the malware operates. While this is beneficial for security research, having this code available to the public has its pitfalls. Threat actors quickly co-opt such code to establish their own operations, as we observed when the HiddenTear (released "for educational purposes") and Babuk malware source code was leaked.

In May, the FBI issued a five-page [PDF] warning to American firms about Conti ransomware assaults on healthcare and first-responder networks, citing at least 16 such attacks by Conti in the previous year and ransom demands as high as $25 million. 

"As a result of Russia's invasion, cybercrime organizations such as Conti have taken sides, with the assumption that many of these organizations are linked to Russia and perhaps to Russian intelligence", Brett Callow, a vulnerability analyst at Emsisoft, a cybersecurity firm based in New Zealand, stated.

Maze Ransomware: Exfiltration and Extortion

New research by New Zealand organization Emsisoft has found that a cyber-blackmail tactic first debuted by the ransomware gang Maze has been adopted by over a dozen other criminal cyber gangs. Initially observed in May of 2019, Maze was a prominent part of consistent, yet unremarkable, extortion campaigns. More recently, however, a sizable uptick has been seen in Maze campaigns, including numerous prominent, high-profile attacks. The attackers behind Maze have previously claimed credit for assaults on both Allied Financial and the City of Pensacola, Florida.

The globally renowned security software organization Emsisoft declared a ransomware crisis in the last month of 2019. Their most recent ransomware report shows that this specific sort of malware hugely affected the United States in 2020. Emsisoft threat analyst Brett Callow described the numbers in "The State of Ransomware in the US: Report and Statistics 2020" as "pretty grim."

At least 2,354 US governments, medical services offices, and schools were affected by ransomware last year, including 113 federal, state, and municipal governments and agencies, 560 healthcare facilities, and 1,681 schools, universities, and colleges. Researchers noted that the attacks caused huge, and in some cases life-threatening, disruption: ambulances carrying emergency patients had to be redirected, cancer treatments were deferred, lab test results were difficult to access, clinic workers were furloughed, and 911 services were disrupted.

In 2020, Maze became the first ransomware group observed exfiltrating information from its victims and using the threat of publication as extra leverage to coerce payment. According to a November report by Coveware, some ransomware gangs that exfiltrate information do not delete it, even after accepting a ransom from their victims. Coveware observed REvil (Sodinokibi) demanding a second ransom payment for stolen information it had already been paid to delete.

Maze ransomware does not simply demand payment for a decryptor; it also exfiltrates victim data and threatens to leak it publicly if the target does not pay up. This "double whammy" heaps on yet more pressure to persuade the victim to cave in to the cybercriminals' demand. The onus is now on organizations to ensure they have a trusted security solution proven to prevent ransomware from executing in the first place, since restoring data from a backup will not save them once that data has already been stolen.