The Black Basta ransomware-as-a-service (RaaS) syndicate has amassed nearly 50 victims in the US, Canada, the UK, Australia, and New Zealand within two months of its emergence in the wild, making it a prominent threat in a short window. "Black Basta has been observed targeting a range of industries, including manufacturing, construction, transportation, telcos, pharmaceuticals, cosmetics, plumbing and heating, automobile dealers, undergarments manufacturers, and more," Cybereason said in a repo
Costa Rica is still reeling from the ransomware attacks deployed by the Conti group, and now the Hive ransomware group has joined in. According to Bleeping Computer, the Hive ransomware group is behind the attack beginning 31 March 2022 targeting Costa Rica’s public health service.
The Costa Rican government agency has publicly stated that an attack took place early Tuesday morning. The targeted government entities included the Costa Rican Social Security Fund (CCSS). The government also st
The Conti Ransomware group has been in and out of the news for the majority of 2022. It began the year with an attack on Kenyon Produce (KP) Snacks and otherwise conducted business as usual. When the conflict between Russia and Ukraine boiled over, the group again made headlines for taking the side of Russia. This led to widespread dissemination of the group's internal chat messages and eventually leaks of the ransomware source code.
The group remains in the spotlight with news of an ongoing confl
- Red Sky Alliance identified 39,820 connections from new IPs checking in with our Sinkholes
- “How to say help”
- Analysts identified 1,254 new IP addresses participating in various Botnets
- Sality remains our top Malware Variant
- Conti’s Last Stand in Costa Rica
- Onyx Ransomware
- ZxxZ and Bitter
- Ransom DDoS Attacks
- Zola Ripped Off
- Battelle for Kids
Link to full report: IR-22-147-001_weekly147.pdf
Black Basta, a new ransomware group, has made their presence felt by claiming responsibility for twelve ransomware attacks in the month of April. Black Basta, like many other ransomware operations, uses double-extortion tactics, stealing victim data before encrypting systems to leverage payment. The group then uses their Tor site and slowly leaks victim data, applying pressure to victims to pay the ransom for the decryption key. Notable targets from the first stretch of attacks include the A
An army of volunteer hackers is rising up in cyberspace to defend Ukraine, though internet specialists are calling on geeks and other "hacktivists" to stay out of a potentially very dangerous computer war. According to Livia Tibirna, an analyst at the European cyber security firm Sekoia www.sekoia.io, nearly 260,000 people have joined the "IT Army" of volunteer hackers, which was set up at the initiative of Ukraine's digital minister Mykhailo Fedorov.
The group, which can be accessed via the en
As news continues to break about the ongoing crisis in Western Europe, Cyber Security professionals have been busy making sense of the role that presumably planned cyber-attacks have played in the conflict between Russia and Ukraine. A number of Russian cyber-attacks have served as a prelude to a physical invasion of Ukraine. There is a lot of information from the past two months to unpack and new events are continuing to be reported.
A quick review of the cyber events leading up to boots on t
A member of the Conti ransomware group, believed to be of Ukrainian origin, has leaked the gang’s internal chats after the group’s leaders posted an aggressive pro-Russian message on their official site on February 25th, in the aftermath of Russia’s invasion of Ukraine. The message appears to have rubbed Conti’s Ukrainian members the wrong way, and one of them has hacked the gang’s internal Jabber/XMPP server. Internal logs were leaked earlier today via an email sent to multiple journalists an
Cyber threat investigators believe the infamous TrickBot malware has reached its limits, but its development team appears to have been “acquired” by the Conti ransomware gang, which has been thriving amid recent crackdowns. TrickBot has been around since 2016. It was initially a banking trojan designed to steal financial data, but it evolved into a modular stealer that could target a wide range of information. See: https://redskyalliance.org/xindustry/trickbot-has-learned-more-tricks
The Conti gang strikes again, disrupting the grocery store supply chain and threatening supermarket shelves that could stay empty for weeks. KP Snacks, maker of the high-end Tyrrell’s and Popchips potato-chip brands, has suffered a ransomware attack that it said could affect deliveries to supermarkets through the end of March 2022 at the earliest. For our US readers, Brits call potato chips “crisps.” You say potato; I say potaaato.
The British company said that the Conti gang was behind the s
Conti ransomware was first discovered in December of 2019 and has become one of the most prominent ransomware platforms to date. The Conti Ransomware as a Service (RaaS) platform gained international attention in May of 2021 when it was used to shut down Ireland’s Health Service Executive (HSE). The group has shown no signs of slowing down, with notable attacks reported in the United States, Australia, United Kingdom, Taiwan, and Indonesia in the past two and a half months.
The most recent attack
The US Department of Justice (DOJ) authorities first became aware of Diavol ransomware in October 2021. Diavol is allegedly associated with developers from the Trickbot Group, who are responsible for the Trickbot Banking Trojan. Diavol encrypts files solely using an RSA encryption key, and its code is capable of prioritizing file types to encrypt based on a pre-configured list of extensions defined by the attacker. While ransom demands have ranged from $10,000 to $500,000, Diavol actors have
- Red Sky Alliance identified 38,261 connections from new unique IP addresses
- Analysts observed 39 unique email accounts compromised with Keyloggers
- Researchers identified 3,451 new IP addresses participating in various Botnets
- Conti Exposed by m1Geelka
- RATs – more Remote Access Trojans
- Bandook Malware
- Poly Network Hit
- Ransomware Directly affecting Public Safety
- China & Israel
- New AdLoad Malware
- Perfume and Cyber
Link to full report: IR-21-225-001_w
On 5 August 2021, a threat actor using the handle m1Geelka made a post on the Russian XSS cybercriminal forum. In the post, they claim to have leaked the manuals and instructions used by the Conti ransomware group, with whom they were previously associated. These posts provide valuable insight into Conti operations. While the group is highly likely to change its exposed infrastructure and its tactics, techniques, and procedures (TTPs), network defenders are now able to research this informa
- Red Sky Alliance identified 19,270 connections from new unique IP addresses
- Analysts identified 2,543 new IP addresses participating in various Botnets
- 13 unique email accounts compromised with keyloggers were observed
- PJobRAT Spyware
- Mirai Knockoffs
- Salvation Army Hit
- Conti & Canada
- DragonForce / Israeli Banking
- Fancy Lazarus attempts an attack on German Banks - Denied
Link to full report: IR-21-183-001_weekly_183_FINAL.pdf
In the US, the Federal Bureau of Investigation (FBI) issued an alert on 20 May regarding “Conti,” a highly disruptive ransomware variant. Cyber-attacks associated with Conti and the previously published Darkside ransomware variant are believed to be emanating from criminal networks operating from a non-cooperative foreign jurisdiction. The FBI says it identified at least 16 Conti ransomware attacks targeting US health care and first responder networks, including law enforcement agencies, emerg
For ransomware actors, innovation is a key to success, as crime gangs look for new ways to dupe people and make crypto-locking malware even more lucrative. Some hacking groups have started cold-calling victims to inform them that their systems have been hit by ransomware and request a ransom to resolve the situation. An old, yet tried-and-true, bit of chicanery. Sometimes old schemes become new schemes. This is just the latest in a long line of shakedown tactics, which include not just using c
The past few months have seen a new ransomware variant emerge that is being distributed by the TrickBot malware. The appearance of this new ransomware, named Conti, corresponded with an observed decrease in Ryuk deployments. This suggested that Conti is the “successor” of Ryuk. Some media outlets have also reported that Conti was an evolved version of Ryuk, suggesting that it has evolved from the Ryuk source code. While this may have been true for very early samples, a Red Sky analysis of recent