Former Conti ransomware gang members helped target Ukraine, Google says

A cybercriminal group containing former members of the notorious Conti ransomware gang is targeting the Ukrainian government and European NGOs in the region, Google says.

The details come from a new blog post from the Threat Analysis Group (TAG), a team within Google dedicated to tracking state-sponsored cyber activity.

With the war in Ukraine having lasted more than half a year, cyber activity including hacktivism and electronic warfare has been a constant presence in the background. Now, TAG says that profit-seeking cybercriminals are becoming active in the area in greater numbers.

From April through August 2022, TAG has been following “an increasing number of financially motivated threat actors targeting Ukraine whose activities seem closely aligned with Russian government-backed attackers,” writes TAG’s Pierre-Marc Bureau. One of these state-backed actors has already been designated by CERT — Ukraine’s national Computer Emergency Response Team — as UAC-0098. But new analysis from TAG links it to Conti: a prolific global ransomware gang that shut down the Costa Rican government with a cyberattack in May.

“Based on multiple indicators, TAG assesses some members of UAC-0098 are former members of the Conti cybercrime group repurposing their techniques to target Ukraine,” Bureau writes.

The group known as UAC-0098 has previously used a banking Trojan known as IcedID to carry out ransomware attacks, but Google’s security researchers say it is now shifting to campaigns that are “both politically and financially motivated.” According to TAG’s analysis, the members of this group are using their expertise to act as initial access brokers — the hackers who first compromise a computer system and then sell off access to other actors who are interested in exploiting the target.

Recent campaigns saw the group send phishing emails to a number of organizations in the Ukrainian hospitality industry purporting to be the Cyber Police of Ukraine or, in another instance, targeting humanitarian NGOs in Italy with phishing emails sent from the hacked email account of an Indian hotel chain.

Other phishing campaigns impersonated representatives of Starlink, the satellite internet system operated by Elon Musk’s SpaceX. These emails delivered links to malware installers disguised as software required to connect to the internet through Starlink’s systems.

The Conti-linked group also exploited the Follina vulnerability in Windows systems shortly after it was first publicized in late May of this year. In this and other attacks, it is not known exactly what actions UAC-0098 has taken after systems have been compromised, TAG says.

Overall, the Google researchers point to “blurring lines between financially motivated and government backed groups in Eastern Europe,” an indicator of the way cyber threat actors often adapt their activities to align with the geopolitical interests in a given region.

But it’s not always a strategy guaranteed to win. At the start of the Ukraine invasion, Conti paid the price for openly declaring support for Russia when an anonymous individual leaked access to over a year’s worth of the group’s internal chat logs.

Repost: Original Source and Author Link


A small Canadian town is being extorted by a global ransomware gang

The Canadian town of St. Marys, Ontario, has been hit by a ransomware attack that has locked staff out of internal systems and encrypted data.

The small town of around 7,500 residents seems to be the latest target of the notorious LockBit ransomware group. On July 22nd, a post on LockBit’s dark web site listed the town as a victim of the ransomware and previewed files that had been stolen and encrypted.

LockBit ransom listing for the Town of St. Marys (screenshot taken from the ransomware group’s website). Text reads: “The Town of St. Marys is located at the junction of the Thames River and Trout Creek, southwest of Stratford in southwestern Ontario. Rich in natural resources, namely the Thames River, the land that now makes up St. Marys was traditionally used as hunting grounds by First Nations peoples. European settlers arrived in the early 1840s. Stolen data (67GB): financial documents, plans, department, confidential data”

In a phone call, St. Marys Mayor Al Strathdee told The Verge that the town was responding to the attack with the help of a team of experts.

“To be honest, we’re in somewhat of a state of shock,” Strathdee said. “It’s not a good feeling to be targeted, but the experts we’ve hired have identified what the threat is and are walking us through how to respond. Police are interested and have dedicated resources to the case … there are people here working on it 24/7.”

Strathdee said that after systems were locked, the town had received a ransom demand from the LockBit ransomware gang but had not paid anything to date. In general, the Canadian government’s cybersecurity guidance discouraged the paying of ransoms, Strathdee said, but the town would follow the incident team’s advice on how to engage further.

Screenshots shared on the LockBit site show the file structure of a Windows operating system, containing directories corresponding to municipal operations like finance, health and safety, sewage treatment, property files, and public works. Per LockBit’s standard operating methods, the town was given a deadline by which to pay to have their systems unlocked or else see the data published online.

Brett O’Reilly, communications manager for the town of St. Marys, directed The Verge to a press statement issued by St. Marys in which the town gave further details. Per the statement, essential municipal services like transit and water systems have been unaffected by the incident, and the town is attempting to unlock IT systems and restore backup data.

According to an analysis by Recorded Future, the LockBit group alone took credit for 50 ransomware incidents in June 2022, making it the most prolific global ransomware group. In fact, St. Marys is the second small town to be targeted by LockBit in the space of just over a week: on July 14th, LockBit listed data from the town of Frederick, Colorado (population 15,000) as having been hacked, a claim that is currently under investigation by town officials. The LockBit listing for Frederick currently demands a ransom of $200,000 not to publish the data.

Increasingly, smaller municipalities are finding themselves the targets of sophisticated global ransomware groups with extensive technical knowledge and resources. In March, the FBI cyber division published a notification to private industry partners of government agencies, noting that ransomware attacks were “straining local US governments and public services.”

Notorious ransomware gang Conti shuts down, but not for good

The ransomware group known as Conti has officially shut down, with all of its infrastructures now offline.

Although this might seem like good news, it’s only good on the surface — Conti is not over, it has simply split into smaller operations.

Conti was launched in the summer of 2020 as a successor to the Ryuk ransomware. It relied on partnerships with other malware infections in order to distribute. Malware such as TrickBot and BazarLoader was the initial point of entry for Conti, which then proceeded with the attack. Conti proved to be so successful that it eventually evolved into a cybercrime syndicate that took over TrickBot, BazarLoader, and Emotet.

During the past two years, Conti carried out a number of high-profile attacks, targeting the City of Tulsa, Advantech, and Broward County Public Schools. Conti also held the IT systems of Ireland’s Health Service Executive and Department of Health ransom for weeks and only let go when they were facing serious trouble from law enforcement around the world. However, this attack gave Conti a lot of attention from the global media.

Most recently, it targeted the country of Costa Rica, but according to Yelisey Boguslavskiy of Advanced Intel, the attack was just a cover-up for the fact that Conti was disbanding the whole operation. Boguslavskiy told Bleeping Computer that the attack on Costa Rica was made so public in order to give the members of Conti time to migrate to different ransomware operations.

“The agenda to conduct the attack on Costa Rica for the purpose of publicity instead of ransom was declared internally by the Conti leadership. Internal communications between group members suggested that the requested ransom payment was far below $1 million (despite unverified claims of the ransom being $10 million, followed by Conti’s own claims that the sum was $20 million),” says a yet-to-be-published report from Advanced Intel, shared ahead of time by Bleeping Computer.

The ultimate end to Conti was brought on by the group’s open approval of Russia and its invasion of Ukraine. On official channels, Conti went as far as to say that it will pool all of its resources into defending Russia from possible cyberattacks. Following that, a Ukrainian security researcher leaked over 170,000 internal chat messages between the members of the Conti group, and ultimately also leaked the source code for the gang’s ransomware encryptor. This encryptor was later used to attack Russian entities.

As things stand now, all of Conti’s infrastructure has been taken offline, and the leaders of the group said that the brand is over. However, this doesn’t mean that Conti members will no longer pursue cybercrime. According to Boguslavskiy, the leadership of Conti decided to split up and team up with smaller ransomware gangs, such as AvosLocker, HelloKitty, Hive, BlackCat, and BlackByte.

Members of the previous Conti ransomware gang, including intel analysts, pentesters, devs, and negotiators, are spread throughout various cybercrime operations, but they are still part of the Conti syndicate and fall under the same leadership. This helps them avoid law enforcement while still carrying out the same cyberattacks as they did under the Conti brand.

Conti was considered one of the most expensive and dangerous types of ransomware ever created, with over $150 million of ransom payments collected during its two-year stint. The U.S. government offers a substantial reward of up to $15 million for help in identifying the individuals involved with Conti, especially those in leadership roles.

Lapsus$ gang claims new hack with data from Apple Health partner

After a short “vacation,” the Lapsus$ hacking gang is back. In a post shared through the group’s Telegram channel on Wednesday, Lapsus$ claimed to have stolen 70GB of data from Globant — an international software development firm headquartered in Luxembourg, which boasts some of the world’s largest companies as clients.

Screenshots of the hacked data, originally posted by Lapsus$ and shared on Twitter by security researcher Dominic Alvieri, appeared to show folders bearing the names of a range of global businesses: among them were delivery and logistics company DHL, US cable network C-Span, and French bank BNP Paribas.

Also in the list were tech giants Facebook and Apple, with the latter referred to in a folder titled “apple-health-app.” The data appears to be development material for Globant’s BeHealthy app, described in a prior press release as software developed in partnership with Apple to track employee health behaviors using features of the Apple Watch. Apple did not respond to a request for comment at time of publication.

Globant acknowledged the hack in a press release later the same day. “According to our current analysis, the information that was accessed was limited to certain source code and project-related documentation for a very limited number of clients,” the company said. “To date, we have not found any evidence that other areas of our infrastructure systems or those of our clients were affected.”

On Telegram, Lapsus$ shared a torrent link to the allegedly stolen data with a message announcing, “We are officially back from a vacation.”

If confirmed, the leak would show a swift return to activity after seven suspected members of Lapsus$ were arrested by British police less than a week ago.

The arrests, first reported on March 24th by BBC News, were carried out by City of London Police after a yearlong investigation into the alleged ringleader of the gang, who is believed to be a teenager living with his parents in Oxford. On the other side of the Atlantic, the FBI is also seeking information on Lapsus$ related to the breach of US companies.

The Lapsus$ gang has been remarkably prolific in the range and scale of companies it has breached, having previously extracted data from a number of well-known technology companies, including Nvidia, Samsung, Microsoft, and Vodafone.

Most recently, Lapsus$ was in the spotlight for a hack affecting the authentication platform Okta, which put thousands of businesses on high alert against subsequent breaches. The latter hack has been an embarrassment for a company that provides security services to other businesses and led to criticism of Okta for a slow disclosure.

Correction, 1:38PM ET: A previous version of this post overstated the connection between the breached data and Apple. The data labelled as “apple-health” was not data from Apple itself, but from an app developed in partnership with Apple. The Verge regrets the error.

Update 5:25 PM ET: Added statement from Globant.

An alleged member of the REvil ransomware gang was arrested in Poland

The Justice Department has announced the arrest and indictment of an alleged member of the REvil hacking group, linked to ransomware attacks on IT firm Kaseya, an Apple supplier, and more. According to the department, Ukrainian national Yaroslav Vasinskyi is facing extradition to the US after Polish authorities detained him in October and after the US indicted him for cybercrimes in August, as revealed by a now-unsealed court document. The arrest, along with the government seizing assets it says are linked to REvil’s operations, is another step in the fight against ransomware, which has been a growing issue for US-based companies.

The DOJ also says it has seized $6.1 million in assets from the FTX crypto trading exchange, allegedly linked to REvil ransomware. The money belonged to Russian national Yevgeniy Polyanin, who has also been indicted for allegedly working with REvil to attack corporate and government targets. Polyanin was also indicted in August, though CNN and the DOJ report he hasn’t been caught yet.

You can read both indictments below, which detail REvil’s alleged process of breaking into computer networks, gaining control over them, and then stealing companies’ data, locking the rightful owners out by encrypting data and deleting any backups. Companies would, however, be able to gain access back to the data if they paid a ransom — otherwise, their data could be sold or posted to the web. This happened to Apple supplier Quanta, whose documents detailing Apple’s new MacBooks were posted to REvil’s blog well before any official information was released.
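The indictments describe the pattern of encrypting data and deleting backups so that the owner cannot recover without paying. From a defender’s side, the backup-deletion step is one of the more reliable early warnings, because it has to run on the victim’s own hosts before encryption finishes. The following is an added example, not part of the original article or of any indictment: a small Python scanner that reads process-creation events in a constructed, hypothetical pipe-delimited log format, flags commands that tamper with Windows shadow copies, backup catalogs or recovery settings, and then correlates several distinct tamper techniques on one host inside a short window. The log lines, host names and user names are constructed sample data.

```python
"""Flag backup-tampering commands in process-creation logs and correlate them per host.

Hypothetical log format (constructed for this example), one event per line:
    <ISO-8601 timestamp>|<host>|<user>|<parent image>|<command line>
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample events; not real telemetry. Hosts, users and times are made up.
SAMPLE_LOGS = """\
2021-11-08T10:02:11Z|FS01|CORP\\svc-backup|services.exe|vssadmin list shadows
2021-11-08T10:05:42Z|FS01|CORP\\jdoe|cmd.exe|vssadmin.exe delete shadows /all /quiet
2021-11-08T10:05:43Z|FS01|CORP\\jdoe|cmd.exe|wbadmin delete catalog -quiet
2021-11-08T10:05:44Z|FS01|CORP\\jdoe|cmd.exe|bcdedit /set {default} recoveryenabled no
2021-11-08T10:06:01Z|WS07|CORP\\asmith|explorer.exe|notepad.exe C:\\Users\\asmith\\notes.txt
2021-11-08T10:07:15Z|FS01|CORP\\jdoe|powershell.exe|wmic shadowcopy delete
"""

# Commands that remove local recovery options (MITRE ATT&CK T1490, Inhibit System Recovery).
# A read-only command such as "vssadmin list shadows" is deliberately not matched.
BACKUP_TAMPER_PATTERNS = [
    (re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I), "VSS shadow copies deleted"),
    (re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I), "VSS shadow copies deleted via WMI"),
    (re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+(catalog|backup)\b", re.I), "Windows Backup catalog deleted"),
    (re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I), "Windows recovery environment disabled"),
]


@dataclass
class Finding:
    timestamp: str
    host: str
    user: str
    parent: str
    command: str
    reason: str


def parse_event(line: str):
    """Split one log line into its fields; return None for malformed lines instead of crashing."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        return None
    ts, host, user, parent, cmd = parts
    return {"timestamp": ts, "host": host, "user": user, "parent": parent, "command": cmd}


def scan_events(text: str) -> list:
    """Return one Finding per event whose command line matches a tamper pattern."""
    findings = []
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        for pattern, reason in BACKUP_TAMPER_PATTERNS:
            if pattern.search(ev["command"]):
                findings.append(Finding(reason=reason, **ev))
                break  # one reason per event is enough
    return findings


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def hosts_under_attack(findings, window_seconds: int = 600, min_distinct: int = 2) -> dict:
    """Map host -> sorted list of distinct tamper reasons when at least `min_distinct`
    different techniques fire on that host within `window_seconds`.

    A single hit can be an administrator cleaning up disk space; several different
    recovery-inhibiting commands in quick succession rarely are.
    """
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, []).append(f)
    flagged = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda f: parse_ts(f.timestamp))
        reasons = {f.reason for f in evs}
        span = (parse_ts(evs[-1].timestamp) - parse_ts(evs[0].timestamp)).total_seconds()
        if len(reasons) >= min_distinct and span <= window_seconds:
            flagged[host] = sorted(reasons)
    return flagged


if __name__ == "__main__":
    hits = scan_events(SAMPLE_LOGS)
    for h in hits:
        print(f"{h.timestamp} {h.host} {h.user} [{h.parent}] {h.reason}: {h.command}")
    for host, reasons in hosts_under_attack(hits).items():
        print(f"ALERT {host}: {len(reasons)} distinct recovery-inhibiting actions: {', '.join(reasons)}")
```

On the constructed sample, the benign `vssadmin list shadows` from the backup service account is ignored, the four destructive commands on FS01 are each flagged, and the host-level correlation raises one alert for FS01 because four different techniques ran within about ninety seconds. In a real deployment the same logic would sit on top of Sysmon event ID 1 or Windows Security event 4688 command-line data, and the parent image field is worth keeping: an interactive `cmd.exe` or `powershell.exe` parent is a very different story from a scheduled backup job.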

The indictments don’t explicitly say what roles Vasinskyi and Polyanin allegedly played in the attacks, only accusing them of being involved and working with other team members to carry out attacks. The Department of Justice says that Vasinskyi and Polyanin could each face over 100 years in prison if convicted on all counts levied against them. Two other people involved with REvil were also arrested. The government is also willing to spend big on catching more alleged members — it’s offering a reward of up to $10 million for info that leads to the arrest of REvil leadership and up to $5 million for info about people trying to work for the group.

The arrest and hunt for REvil operators is just part of the government’s work against the ransomware outfit — reports started surfacing in October that the FBI, Secret Service, and Cyber Command had taken REvil’s website offline using some of the group’s own tactics against it. The Treasury Department named it in a report as one of the biggest ransomware groups when measuring by payout size.

As ransomware attacks have hit major targets in the US over the past few years, they’ve loomed larger on the US government’s radar — it’s created a ransomware task force and set up a team to investigate crimes relating to cryptocurrencies. President Joe Biden said in a statement that the government is using its “full strength” to “disrupt malicious cyber activity and actors” and that the arrests and financial seizures were part of its efforts to “hold accountable those that threaten our security.” Acting US Attorney Chad E. Meacham said that the Justice Department “will delve into the darkest corners of the internet and the furthest reaches of the globe to track down cyber criminals.”

Unsealed Vasinskyi Indictment:

Unsealed Polyanin Indictment:
