conti (19)

10862220462?profile=RESIZE_400xRed Sky Alliance maintains a substantial dark web collections data set and we make this data available to our customers through our CTAC, RedXray, and API products.  This gives customers the opportunity to explore and perform analyses on dark web data without the need for establishing a safe infrastructure for navigating the Tor network.  To date we have collected over 1.4 million data points across 80 dark web sites.  The set of sites that we collect from on an ongoing basis will change with ne

10601683276?profile=RESIZE_400xThe Black Basta ransomware-as-a-service (RaaS) syndicate has amassed nearly 50 victims in the US, Canada, the UK, Australia, and New Zealand within two months of its emergence in the wild, making it a prominent threat in a short window.  "Black Basta has been observed targeting a range of industries, including manufacturing, construction, transportation, telcos, pharmaceuticals, cosmetics, plumbing and heating, automobile dealers, undergarments manufacturers, and more," Cybereason said in a repo

10533083083?profile=RESIZE_400xCosta Rica is still reeling from the ransomware attacks deployed by the Conti group, and now the Hive ransomware group has joined in.  According to Bleeping Computer, the Hive ransomware group is behind the attack beginning 31 March 2022 targeting Costa Rica’s public health service.  

The Costa Rican government agency has publicly stated that an attack took place early Tuesday morning.  The targeted government entities included the Costa Rican Social Security Fund (CCSS).  The government also st

10527909680?profile=RESIZE_400xThe Conti Ransomware group has been in and out of the news for the majority of 2022.  Beginning the year with an attack on Kenyon Produce (KP) Snacks and conducting business as usual.  When the conflict between Russia and Ukraine boiled over, the group again made headlines for taking the side of Russia.  This led to widespread dissemination of the group's internal chat messages and eventually leaks of the ransomware source code.   

The group remains in the spotlight with news of an ongoing confl

10519225676?profile=RESIZE_400xActivity Summary - Week Ending on 27 May 2022:

  • Red Sky Alliance identified 39,820 connections from new IP’s checking in with our Sinkholes
  • “Comment dire aide”
  • Analysts identified 1,254 new IP addresses participating in various Botnets
  • Sality remains our top Malware Variant
  • Conti’s last Stand in Costa Rica
  • Onyx Ransomware
  • ZxxZ and Bitter
  • Ransom DDoS Attacks
  • Zola Ripped Off
  • Battelle for Kids

Link to full report: IR-22-147-001_weekly147.pdf

10464408487?profile=RESIZE_400xBlack Basta, a new ransomware group, has made their presence felt by claiming responsibility for twelve ransomware attacks in the month of April.   Black Basta, like many other ransomware operations, uses double-extortion tactics, stealing victim data before encrypting systems to leverage payment.  The group then uses their Tor site and slowly leaks victim data, applying pressure to victims to pay the ransom for the decryption key.  Notable targets from the first stretch of attacks include the A

10167514279?profile=RESIZE_400xAn army of volunteer hackers is rising up in cyberspace to defend Ukraine, though internet specialists are calling on geeks and other "hacktivists" to stay out of a potentially very dangerous computer war.  According to Livia Tibirna, an analyst at the European cyber security firm Sekoia www.sekoia.io, nearly 260,000 people have joined the "IT Army" of volunteer hackers, which was set up at the initiative of Ukraine's digital minister Mykhailo Fedorov.

The group, which can be accessed via the en

10167240466?profile=RESIZE_400xAs news continues to break about the ongoing crisis in Western Europe, Cyber Security professionals have been busy making sense of the role that presumably planned cyber-attacks have played in the conflict between Russia and Ukraine.  A number of Russian cyber-attacks have served as a prelude to a physical invasion of Ukraine.  There is a lot of information from the past two months to unpack and new events are continuing to be reported.

A quick review of the cyber events leading up to boots on t

10160746052?profile=RESIZE_400xA member of the Conti ransomware group, believed to be Ukrainian of origin, has leaked the gang’s internal chats after the group’s leaders posted an aggressive pro-Russian message on their official site, on February 25th, in the aftermath of Russia’s invasion of Ukraine.  The message appears to have rubbed Conti’s Ukrainian members the wrong way, and one of them has hacked the gang’s internal Jabber/XMPP server. Internal logs were leaked earlier today via an email sent to multiple journalists an

10150931055?profile=RESIZE_400xCyber threat investigators believe the infamous TrickBot malware has reached its limits, but its development team appears to have been “acquired” by the Conti ransomware gang, which has been thriving amid recent crackdowns.  TrickBot has been around since 2016.  It was initially a banking trojan designed to steal financial data, but it evolved into a modular stealer that could target a wide range of information.  See:  https://redskyalliance.org/xindustry/trickbot-has-learned-more-tricks

TrickBo

10075659095?profile=RESIZE_400xThe Conti gang strikes again, disrupting the grocery store supply chain and threatening supermarket shelves that could stay empty for weeks.  KP Snacks, maker of the high-end Tyrrell’s and Popchips potato-chip brands, has suffered a ransomware attack that it said could affect deliveries to supermarkets through the end of March 2022 at the earliest.  For our US readers, Brits call potato chips, crisps.  You say potato; I say potaaato. 

The British company said that the Conti gang was behind the s

10066089458?profile=RESIZE_400xConti ransomware was first discovered in December of 2019 and has become one of the most prominent ransomware platforms to date. The Conti Ransomware as a Service (RaaS) platform gained international attention in May of 2021 when it was used to shutdown Ireland’s Health Service Executive (HSE).  The group has shown no signs of slowing down with notable attacks reported in the United States, Australia, United Kingdom, Taiwan, and Indonesia in the past two and a half months.

The most recent attack

10029452898?profile=RESIZE_400xThe US Department of Justice (DOJ) authorities first became aware of Diavol ransomware in October 2021.  Diavol is allegedly associated with developers from the Trickbot Group, who are responsible for the Trickbot Banking Trojan.  Diavol encrypts files solely using an RSA encryption key, and its code is capable of prioritizing file types to encrypt based on a pre-configured list of extensions defined by the attacker.  While ransom demands have ranged from $10,000 to $500,000, Diavol actors have

9421881897?profile=RESIZE_400xActivity Summary - Week Ending 13 August 2021:

  • Red Sky Alliance identified 38,261 connections from new unique IP addresses
  • Analysts observed 39 unique email accounts compromised with Keyloggers
  • Researchers identified 3,451 new IP addresses participating in various Botnets
  • Conti Exposed by m1Geelka
  • RATs – more Remote Access Trojans
  • Bandook Malware
  • Poly Network Hit
  • Ransomware Directly affecting Public Safety
  • China & Israel
  • New AdLoad Malware
  • Perfume and Cyber

Link to full report: IR-21-225-001_w

9408552270?profile=RESIZE_400xOn 5 August 2021 a threat actor using the handle m1Geelka, made a post on the Russian XSS cybercriminal forum.  In the post, they claim to have leaked the manuals and instructions used by the Conti ransomware group whom with they were previously associated.  These posts provide valuable insight into Conti operations.  While the group is highly likely to change its exposed infrastructure and their tactics, techniques, and procedures (TTP’s), network defenders are now able to research this informa

9193850468?profile=RESIZE_400xActivity Summary - Week Ending 2 July 2021:

  • Red Sky Alliance identified 19,270 connections from new unique IP addresses
  • Analysts identified 2,543 new IP addresses participating in various Botnets
  • 13 unique email accounts compromised with keyloggers were Observed
  • Netfilter
  • PJobRAT Spyware
  • Mirai Knockoffs
  • Salvation Army Hit
  • Conti & Canada
  • DragonForce / Israeli Banking
  • Fancy Lazarus attempts an attack on German Banks - Denied

Link to full report: IR-21-183-001_weekly_183_FINAL.pdf

 

8963279294?profile=RESIZE_400xIn the US, the Federal Bureau of Investigation (FBI) issued an alert on 20 May regarding “Conti,” a highly disruptive ransomware variant.  Cyber-attacks associated with Conti and the previously published Darkside ransomware variant are believed to be emanating from criminal networks operating from a non-cooperative foreign jurisdiction.  The FBI says it identified at least 16 Conti ransomware attacks targeting US health care and first responder networks, including law enforcement agencies, emerg

8270285688?profile=RESIZE_400xFor ransomware actors, innovation is a key to success, as crime gangs look for new ways to dupe people and make crypto-locking malware even more lucrative.  Some hacking groups have started cold-calling victims to inform them that their systems have been hit by ransomware and request a ransom to resolve the situation.  An old, yet tried and true use of chicanery.  Sometime old schemes become new schemes.  This is just the latest in a long line of shakedown tactics, which include not just using c

8153178663?profile=RESIZE_400xThe past few months have seen a new ransomware variant emerge that is being distributed by the TrickBot malware. The appearance of this new ransomware, named Conti, corresponded with an observed decrease in Ryuk deployments. This suggested that Conti is the “successor” of Ryuk. Some media outlets have also reported that Conti was an evolved version of Ryuk, suggesting that it has evolved from the RYUK source code. While this may have been true for very early samples, a Red Sky analysis of recent