Ransomware Roundup: 05.20.22

Written by
Halcyon Team
Published on
May 20, 2022

Lawrence Abrams at BleepingComputer reports that the Conti group seems to have suspended operations and disbanded as a ransomware operator. Some public facing assets are still online, but “the Tor admin panels used by members to perform negotiations and publish ‘news’ on their data leak site are now offline,” according to Yelisey Boguslavskiy, the head of research at AdvIntel.

This news comes after a busy week during which Corin Faife at The Verge reported that the president of Costa Rica said that they were “at war” with Conti.

“The war is against an international terrorist group, which apparently has operatives in Costa Rica. There are very clear indications that people inside the country are collaborating with Conti,” Chaves told reporters.  

Conti responded to Costa Rica’s efforts to recover from the attack without paying by calling for Costa Rican citizens to overthrow their nation’s government.  

"I appeal to every resident of Costa Rica, go to your government and organize rallies so that they would pay us as soon as possible," SC Media reporter Joe Uchill quoted from the Conti Group’s leaks site. "[I]f your current government cannot stabilize the situation? maybe it's worth changing it?"

However, these efforts seemed to have been a publicity ploy by Conti aimed at building a credible reason to disband and reform under new guises.

“AdvIntel’s unique adversarial visibility and intelligence findings led to, what was in fact, the opposite conclusion: The only goal Conti had wanted to meet with this final attack was to use the platform as a tool of publicity, performing their own death and subsequent rebirth in the most plausible way it could have been conceived,” AdvIntel wrote in their report.

Rest assured that the bad actors behind Conti are not out of a day job as members of Conti have formed “alliances with BlackCat, AvosLocker, HIVE, HelloKitty/FiveHands, and a whole other cadre of ransomware groups. These pen-testers maintain personal loyalty to the people who created Conti but ultimately continued their work with other gangs in order to finally shed Conti’s name and image” according to the AdvIntel report.

In a strange tale of moonlighting, Moises Zagala, a Venezuelan doctor, taught himself to code and proceeded to build ransomware tools according to the United States Department of Justice. Luc Cohen, a reporter at Reuters, wrote that the tools created by Zagala were used by a “Iranian hacking group to attack Israeli companies.”

"We allege Zagala not only created and sold ransomware products to hackers, but also trained them in their use. Our actions today will prevent Zagala from further victimizing users. However, many other malicious criminals are searching for businesses and organizations that haven't taken steps to protect their systems - which is an incredibly vital step in stopping the next ransomware attack," United States Federal Bureau of Investigation Assistant Director-in-Charge Michael Driscoll was quoted in a Department of Justice announcement.

If extradited and convicted, Zagala could face up to five years in a United States Federal Prison.

The Bank of Zambia recently fell victim to ransomware attack by the Hive group. They announced that their team was able to recover their systems without paying the ransom, but Lawrence Abrams at BleepingComputer reported that they went beyond a simple refusal and responded with a link to a photo depicting a specific apparatus of the male anatomy.  

"So we pretty much told them where to get off," BleepingComputer quoted the bank’s technical director, Greg Nsofu.

Subscribe to receive the latest blog posts to your inbox every week.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Related Posts

See All Blog Posts

Ransomware Roundup: 05.22.23

This week in ransomware news: Ransomware Shutters Philadelphia Inquirer; Bl00dy PaperCut Vulnerability Exploit; US Sanctions Ransomware Operator...

Read the Blog

Ransomware Roundup: 05.15.23

This week in ransomware news: White House Weighs Ban on Ransom Payments; Novel Cactus Ransomware Abuses VPNs; Akira Emerges with Ransom Chat Channel...

Read the Blog

Ransomware Roundup: 05.08.23

This week in ransomware news: ALPHV Monitored IR Communications; Ransomware Operators Automate Exploits; AvosLocker Broadcasts to Victims...

Read the Blog

The Halcyon Platform

Halcyon is the industry’s first dedicated, adaptive security platform focused specifically on stopping ransomware attacks. Halcyon is built by offensive security experts to stop attackers. Our platform is a lightweight agent that combines multiple proprietary advanced prevention engines along with AI models trained solely on ransomware.

Ready to get a demo? Fill out the form and let’s talk!

Get a Demo

Meet with a Halcyon Anti-Ransomware Expert

Cookie Consent

By clicking “Accept”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.