Ransomware Roundup: 05.20.22

Lawrence Abrams at BleepingComputer reports that the Conti group seems to have suspended operations and disbanded as a ransomware operator. Some public facing assets are still online, but “the Tor admin panels used by members to perform negotiations and publish ‘news’ on their data leak site are now offline,” according to Yelisey Boguslavskiy, the head of research at AdvIntel.

‍

This news comes after a busy week during which Corin Faife at The Verge reported that the president of Costa Rica said that they were “at war” with Conti.

‍

“The war is against an international terrorist group, which apparently has operatives in Costa Rica. There are very clear indications that people inside the country are collaborating with Conti,” Chaves told reporters.  

‍

Conti responded to Costa Rica’s efforts to recover from the attack without paying by calling for Costa Rican citizens to overthrow their nation’s government.  

‍

"I appeal to every resident of Costa Rica, go to your government and organize rallies so that they would pay us as soon as possible," SC Media reporter Joe Uchill quoted from the Conti Group’s leaks site. "[I]f your current government cannot stabilize the situation? maybe it's worth changing it?"

‍

However, these efforts seemed to have been a publicity ploy by Conti aimed at building a credible reason to disband and reform under new guises.

‍

“AdvIntel’s unique adversarial visibility and intelligence findings led to, what was in fact, the opposite conclusion: The only goal Conti had wanted to meet with this final attack was to use the platform as a tool of publicity, performing their own death and subsequent rebirth in the most plausible way it could have been conceived,” AdvIntel wrote in their report.

‍

Rest assured that the bad actors behind Conti are not out of a day job as members of Conti have formed “alliances with BlackCat, AvosLocker, HIVE, HelloKitty/FiveHands, and a whole other cadre of ransomware groups. These pen-testers maintain personal loyalty to the people who created Conti but ultimately continued their work with other gangs in order to finally shed Conti’s name and image” according to the AdvIntel report.

‍

In a strange tale of moonlighting, Moises Zagala, a Venezuelan doctor, taught himself to code and proceeded to build ransomware tools according to the United States Department of Justice. Luc Cohen, a reporter at Reuters, wrote that the tools created by Zagala were used by a “Iranian hacking group to attack Israeli companies.”

‍

"We allege Zagala not only created and sold ransomware products to hackers, but also trained them in their use. Our actions today will prevent Zagala from further victimizing users. However, many other malicious criminals are searching for businesses and organizations that haven't taken steps to protect their systems - which is an incredibly vital step in stopping the next ransomware attack," United States Federal Bureau of Investigation Assistant Director-in-Charge Michael Driscoll was quoted in a Department of Justice announcement.

‍

If extradited and convicted, Zagala could face up to five years in a United States Federal Prison.

‍

The Bank of Zambia recently fell victim to ransomware attack by the Hive group. They announced that their team was able to recover their systems without paying the ransom, but Lawrence Abrams at BleepingComputer reported that they went beyond a simple refusal and responded with a link to a photo depicting a specific apparatus of the male anatomy.  

‍

"So we pretty much told them where to get off," BleepingComputer quoted the bank’s technical director, Greg Nsofu.

‍