The infamous malware loader and initial access broker known as Bumblebee has resurfaced after a four-month absence as part of a new phishing campaign observed in February 2024. The enterprise security firm Proofpoint reported that the activity targets organizations in the US with voicemail-themed lures containing links to OneDrive URLs. "The URLs led to a Word file with names such as "ReleaseEvans#96.docm" (the digits before the file extension varied)," the company said in a recent report. "Th
conti (24)
Black Basta ransomware has made headlines for allegedly compromising high-profile European and North American organizations across a variety of industries, such as outsourcing, technology, and manufacturing. The history of Black Basta ransomware dates to at least April 2022, with a professional organizations company in the United States being one of its first victims. Since then, Black Basta has slowly expanded their operations, with the group allegedly compromising and stealing data from a US
Red Sky Alliance would like to share a technical report through a recent joint Cybersecurity Advisory (CSA) as part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.
Visit stopransomware.gov t
FortiGard has shared a great technical report on Monti, BlackHunt and Putin Ransomware.
Affected platforms: Microsoft Windows
Impacted parties: Microsoft Windows Users
Impact: Encrypts files and demands ransom for file decryption
Severity level: High
Monti Ransomware: Monti is a relatively new ransomware designed to encrypt files on Linux systems. Files encrypted by Monti ransomware have a ".puuuk” file extension. We are also aware of reports of potential Monti vari
The popular Royal ransomware is being used by skilled bad actors who used to be part of Conti Team One. Between September and December 2022, Royal ransomware was used in numerous cyberattacks, which earlier this month prompted the US Department of Health and Human Services (HHS) cyber analysts to warn healthcare organizations of the risks associated with this threat. Royal is the rebranded version of Zeon ransomware, which emerged earlier this year and was associated in August 2022 with Conti
Red Sky Alliance maintains a substantial dark web collections data set and we make this data available to our customers through our CTAC, RedXray, and API products. This gives customers the opportunity to explore and perform analyses on dark web data without the need for establishing a safe infrastructure for navigating the Tor network. To date we have collected over 1.4 million data points across 80 dark web sites. The set of sites that we collect from on an ongoing basis will change with ne
The Black Basta ransomware-as-a-service (RaaS) syndicate has amassed nearly 50 victims in the US, Canada, the UK, Australia, and New Zealand within two months of its emergence in the wild, making it a prominent threat in a short window. "Black Basta has been observed targeting a range of industries, including manufacturing, construction, transportation, telcos, pharmaceuticals, cosmetics, plumbing and heating, automobile dealers, undergarments manufacturers, and more," Cybereason said in a repo
Costa Rica is still reeling from the ransomware attacks deployed by the Conti group, and now the Hive ransomware group has joined in. According to Bleeping Computer, the Hive ransomware group is behind the attack beginning 31 March 2022 targeting Costa Rica’s public health service.
The Costa Rican government agency has publicly stated that an attack took place early Tuesday morning. The targeted government entities included the Costa Rican Social Security Fund (CCSS). The government also st
The Conti Ransomware group has been in and out of the news for the majority of 2022. Beginning the year with an attack on Kenyon Produce (KP) Snacks and conducting business as usual. When the conflict between Russia and Ukraine boiled over, the group again made headlines for taking the side of Russia. This led to widespread dissemination of the group's internal chat messages and eventually leaks of the ransomware source code.
The group remains in the spotlight with news of an ongoing confl
Activity Summary - Week Ending on 27 May 2022:
- Red Sky Alliance identified 39,820 connections from new IP’s checking in with our Sinkholes
- “Comment dire aide”
- Analysts identified 1,254 new IP addresses participating in various Botnets
- Sality remains our top Malware Variant
- Conti’s last Stand in Costa Rica
- Onyx Ransomware
- ZxxZ and Bitter
- Ransom DDoS Attacks
- Zola Ripped Off
- Battelle for Kids
Link to full report: IR-22-147-001_weekly147.pdf
Black Basta, a new ransomware group, has made their presence felt by claiming responsibility for twelve ransomware attacks in the month of April. Black Basta, like many other ransomware operations, uses double-extortion tactics, stealing victim data before encrypting systems to leverage payment. The group then uses their Tor site and slowly leaks victim data, applying pressure to victims to pay the ransom for the decryption key. Notable targets from the first stretch of attacks include the A
An army of volunteer hackers is rising up in cyberspace to defend Ukraine, though internet specialists are calling on geeks and other "hacktivists" to stay out of a potentially very dangerous computer war. According to Livia Tibirna, an analyst at the European cyber security firm Sekoia www.sekoia.io, nearly 260,000 people have joined the "IT Army" of volunteer hackers, which was set up at the initiative of Ukraine's digital minister Mykhailo Fedorov.
The group, which can be accessed via the en
As news continues to break about the ongoing crisis in Western Europe, Cyber Security professionals have been busy making sense of the role that presumably planned cyber-attacks have played in the conflict between Russia and Ukraine. A number of Russian cyber-attacks have served as a prelude to a physical invasion of Ukraine. There is a lot of information from the past two months to unpack and new events are continuing to be reported.
A quick review of the cyber events leading up to boots on t
A member of the Conti ransomware group, believed to be Ukrainian of origin, has leaked the gang’s internal chats after the group’s leaders posted an aggressive pro-Russian message on their official site, on February 25th, in the aftermath of Russia’s invasion of Ukraine. The message appears to have rubbed Conti’s Ukrainian members the wrong way, and one of them has hacked the gang’s internal Jabber/XMPP server. Internal logs were leaked earlier today via an email sent to multiple journalists an
Cyber threat investigators believe the infamous TrickBot malware has reached its limits, but its development team appears to have been “acquired” by the Conti ransomware gang, which has been thriving amid recent crackdowns. TrickBot has been around since 2016. It was initially a banking trojan designed to steal financial data, but it evolved into a modular stealer that could target a wide range of information. See: https://redskyalliance.org/xindustry/trickbot-has-learned-more-tricks
TrickBo
The Conti gang strikes again, disrupting the grocery store supply chain and threatening supermarket shelves that could stay empty for weeks. KP Snacks, maker of the high-end Tyrrell’s and Popchips potato-chip brands, has suffered a ransomware attack that it said could affect deliveries to supermarkets through the end of March 2022 at the earliest. For our US readers, Brits call potato chips, crisps. You say potato; I say potaaato.
The British company said that the Conti gang was behind the s
Conti ransomware was first discovered in December of 2019 and has become one of the most prominent ransomware platforms to date. The Conti Ransomware as a Service (RaaS) platform gained international attention in May of 2021 when it was used to shutdown Ireland’s Health Service Executive (HSE). The group has shown no signs of slowing down with notable attacks reported in the United States, Australia, United Kingdom, Taiwan, and Indonesia in the past two and a half months.
The most recent attack
The US Department of Justice (DOJ) authorities first became aware of Diavol ransomware in October 2021. Diavol is allegedly associated with developers from the Trickbot Group, who are responsible for the Trickbot Banking Trojan. Diavol encrypts files solely using an RSA encryption key, and its code is capable of prioritizing file types to encrypt based on a pre-configured list of extensions defined by the attacker. While ransom demands have ranged from $10,000 to $500,000, Diavol actors have
Activity Summary - Week Ending 13 August 2021:
- Red Sky Alliance identified 38,261 connections from new unique IP addresses
- Analysts observed 39 unique email accounts compromised with Keyloggers
- Researchers identified 3,451 new IP addresses participating in various Botnets
- Conti Exposed by m1Geelka
- RATs – more Remote Access Trojans
- Bandook Malware
- Poly Network Hit
- Ransomware Directly affecting Public Safety
- China & Israel
- New AdLoad Malware
- Perfume and Cyber
Link to full report: IR-21-225-001_w
On 5 August 2021 a threat actor using the handle m1Geelka, made a post on the Russian XSS cybercriminal forum. In the post, they claim to have leaked the manuals and instructions used by the Conti ransomware group whom with they were previously associated. These posts provide valuable insight into Conti operations. While the group is highly likely to change its exposed infrastructure and their tactics, techniques, and procedures (TTP’s), network defenders are now able to research this informa
