#1 Trusted Cybersecurity News Platform Followed by 3.45+ million
The Hacker News Logo
Subscribe to Newsletter

Conti Ransomware | Breaking Cybersecurity News | The Hacker News

Vice Society Ransomware Attackers Adopt Robust Encryption Methods

Vice Society Ransomware Attackers Adopt Robust Encryption Methods

Dec 23, 2022 Ransomware / Endpoint Security
The Vice Society ransomware actors have switched to yet another custom ransomware payload in their recent attacks aimed at a variety of sectors. "This ransomware variant, dubbed ' PolyVice ,' implements a robust encryption scheme, using  NTRUEncrypt  and  ChaCha20-Poly1305  algorithms," SentinelOne researcher Antonio Cocomazzi  said  in an analysis. Vice Society , which is tracked by Microsoft under the moniker DEV-0832, is an intrusion, exfiltration, and extortion hacking group that first appeared on the threat landscape in May 2021. Unlike other ransomware gangs, the cybercrime actor does not use file-encrypting malware developed in-house. Instead, it's known to deploy third-party lockers such as Hello Kitty, Zeppelin, and RedAlert ransomware in their attacks. Per SentinelOne, indications are that the threat actor behind the custom-branded ransomware is also selling similar payloads to other hacking crews based on PolyVice's extensive similarities to ra
Some Members of Conti Group Targeting Ukraine in Financially Motivated Attacks

Some Members of Conti Group Targeting Ukraine in Financially Motivated Attacks

Sep 07, 2022
Former members of the Conti cybercrime cartel have been implicated in five different campaigns targeting Ukraine from April to August 2022. The findings, which come from Google's Threat Analysis Group (TAG), builds upon a  prior report  published in July 2022 detailing the continued cyber activity aimed at the Eastern European nation amid the ongoing Russo-Ukrainian war. "UAC-0098 is a threat actor that historically delivered the  IcedID banking trojan , leading to human-operated ransomware attacks," TAG researcher Pierre-Marc Bureau  said  in a report shared with The Hacker News. "The attacker has recently shifted their focus to targeting Ukrainian organizations, the Ukrainian government, and European humanitarian and non-profit organizations." UAC-0098 is believed to have functioned as an initial access broker for ransomware groups such as Quantum and  Conti  (aka FIN12, Gold Ulrick, or Wizard Spider), the former of which was subsumed by the latter in
U.S. Government Offers $10 Million Reward for Information on Conti Ransomware Gang

U.S. Government Offers $10 Million Reward for Information on Conti Ransomware Gang

Aug 12, 2022
The U.S. State Department on Thursday  announced  a $10 million reward for information related to five individuals associated with the Conti ransomware group. The reward offer is also notable for the fact that it marks the first time the face of a Conti associate, known as "Target," has been unmasked. The four other alleged members have been referred to as "Tramp," "Dandis," "Professor," and "Reshaev." The government, besides seeking information about the five operators that could lead to their identification or location, is also calling on people to share details about Conti and its affiliated groups  TrickBot  and  Wizard Spider . Since its rebrand from Ryuk to Conti in 2020, the transnational organized crime group has been linked to hundreds of ransomware incidents over the past two years. As of January 2022, the Russia-based ransomware-as-a-service (RaaS) operation is estimated to have hit over 1,000 entities, with victim payo
Conti Cybercrime Cartel Using 'BazarCall' Phishing Attacks as Initial Attack Vector

Conti Cybercrime Cartel Using 'BazarCall' Phishing Attacks as Initial Attack Vector

Aug 11, 2022
A trio of offshoots from the notorious Conti cybercrime cartel have resorted to the technique of call back phishing as an initial access vector to breach targeted networks. "Three autonomous threat groups have since adopted and independently developed their own targeted phishing tactics derived from the call back phishing methodology," cybersecurity firm AdvIntel  said  in a Wednesday report. These targeted campaigns "substantially increased" attacks against entities in finance, technology, legal, and insurance sectors, the company added. The actors in question include Silent Ransom, Quantum, and Roy/Zeon, all of which split from Conti after the ransomware-as-a-service (RaaS) cartel  orchestrated its shutdown  in May 2022 following its public support for Russia in the ongoing Russo-Ukrainian conflict. The advanced social engineering tactic, also called  BazaCall  (aka BazarCall), came under the spotlight in 2020/2021 when it was put to use by operators of the
Conti Leaks Reveal Ransomware Gang's Interest in Firmware-based Attacks

Conti Leaks Reveal Ransomware Gang's Interest in Firmware-based Attacks

Jun 02, 2022
An analysis of  leaked chats  from the notorious  Conti ransomware group  earlier this year has revealed that the syndicate has been working on a set of firmware attack techniques that could offer a path to accessing privileged code on compromised devices. "Control over firmware gives attackers virtually unmatched powers both to directly cause damage and to enable other long-term strategic goals," firmware and hardware security firm Eclypsium  said  in a report shared with The Hacker News. "Such level of access would allow an adversary to cause irreparable damage to a system or to establish ongoing persistence that is virtually invisible to the operating system." Specifically, this includes attacks aimed at embedded microcontrollers such as the Intel  Management Engine  ( ME ), a privileged component that's part of the company's processor chipsets and which can completely bypass the operating system. It's worth noting that the reason for this evolv
U.S. Offering $10 Million Reward for Information on Conti Ransomware Hackers

U.S. Offering $10 Million Reward for Information on Conti Ransomware Hackers

May 09, 2022
The U.S. State Department has  announced  rewards of up to $10 million for any information leading to the identification of key individuals who are part of the infamous Conti cybercrime gang. Additionally, it's offering another $5 million for intelligence information that could help arrest or convict individuals who are conspiring or attempting to affiliate with the group in a ransomware attack. The department called the Conti variant the "costliest strain of ransomware ever documented." Conti , the work of a Russia-based transnational organized crime group dubbed Gold Ulrick, is one most prolific ransomware cartels that has continued to strike entities globally while simultaneously  expanding its empire  by absorbing TrickBot and running side hustles that involve data extortion. After the syndicate expressed public support for Russia's invasion of Ukraine in February, it  suffered a major breach  of its own after its source code and internal chats were released
Experts Analyze Conti and Hive Ransomware Gangs' Chats With Their Victims

Experts Analyze Conti and Hive Ransomware Gangs' Chats With Their Victims

May 03, 2022
An analysis of four months of chat logs spanning more than 40 conversations between the operators of Conti and Hive ransomware and their victims has offered an insight into the groups' inner workings and their negotiation techniques. In one exchange, the Conti Team is said to have significantly reduced the ransom demand from a staggering $50 million to $1 million, a 98% drop, suggesting a willingness to settle for a far lower amount. "Both Conti and Hive are quick to lower ransom demands, routinely offering substantial reductions multiple times throughout negotiations," Cisco Talos  said  in a report shared with The Hacker News. "This signals that despite popular belief, victims of a ransomware attack actually have significant negotiating power." Conti  and  Hive  are among the most prevalent ransomware strains in the threat landscape, cumulatively accounting for  29.1% of attacks  detected during the three-month-period between October and December 2021. A
Gold Ulrick Hackers Still in Action Despite Massive Conti Ransomware Leak

Gold Ulrick Hackers Still in Action Despite Massive Conti Ransomware Leak

Apr 26, 2022
The infamous ransomware group known as Conti has  continued  its onslaught against entities despite suffering a massive data leak of its own earlier this year, according to new research. Conti, attributed to a Russia-based threat actor known as Gold Ulrick , is the second most prevalent malware strain in the ransomware landscape, accounting for  19% of all attacks  during the three-month-period between October and December 2021. One of the most prolific ransomware groups of the last year along the likes of LockBit 2.0, PYSA, and Hive, Conti has locked the networks of hospitals, businesses, and government agencies, while receiving a ransom payment in exchange for sharing the decryption key as part of its name-and-shame scheme. But after the cybercriminal cartel came out in support of Russia over its invasion of Ukraine in February, an anonymous Ukrainian security researcher under the Twitter handle  ContiLeaks  began leaking the source code as well as private conversations between i
Google Uncovers 'Initial Access Broker' Working with Conti Ransomware Gang

Google Uncovers 'Initial Access Broker' Working with Conti Ransomware Gang

Mar 18, 2022
Google's Threat Analysis Group (TAG) took the wraps off a new  initial access broker  that it said is closely affiliated to a Russian cyber crime gang notorious for its Conti and Diavol ransomware operations. Dubbed Exotic Lily, the financially motivated threat actor has been observed exploiting a now-patched critical flaw in the Microsoft Windows MSHTML platform ( CVE-2021-40444 ) as part of widespread phishing campaigns that involved sending no fewer than 5,000 business proposal-themed emails a day to 650 targeted organizations globally. "Initial access brokers are the opportunistic locksmiths of the security world, and it's a full-time job," TAG researchers Vlad Stolyarov and Benoit Sevens  said . "These groups specialize in breaching a target in order to open the doors — or the Windows — to the malicious actor with the highest bid." Exotic Lily, first spotted in September 2021, is said to have been involved in data exfiltration and deployment of the
Conti Ransomware Gang's Internal Chats Leaked Online After Siding With Russia

Conti Ransomware Gang's Internal Chats Leaked Online After Siding With Russia

Mar 01, 2022
Days after the Conti ransomware group broadcasted a pro-Russian message pledging its allegiance to Vladimir Putin's ongoing invasion of Ukraine, an anonymous security researcher using the Twitter handle @ContiLeaks has leaked the syndicate's internal chats. The file dump, published by malware research group  VX-Underground , is said to contain 13 months of chat logs between affiliates and administrators of the Russia-affiliated ransomware group from June 2020 to February 2022, in a move that's expected to offer  unprecedented   insight  into the criminal enterprise's inner workings. "Glory to Ukraine," the leaker said in their message. The shared conversations show that Conti used fake front companies to attempt to schedule product demos with security firms like CarbonBlack and Sophos to obtain code signing certificates, with the operators working in scrum sprints to complete the software development tasks. Additionally, the messages  confirm  the  shu
Experts Expose Secrets of Conti Ransomware Group That Made 25 Million from Victims

Experts Expose Secrets of Conti Ransomware Group That Made 25 Million from Victims

Nov 19, 2021
The clearnet and dark web payment portals operated by the  Conti  ransomware group have gone down in what appears to be an attempt to shift to new infrastructure after details about the gang's inner workings and its members were made public. According to  MalwareHunterTeam , "while both the clearweb and Tor domains of the leak site of the Conti ransomware gang is online and working, both their clearweb and Tor domains for the payment site (which is obviously more important than the leak) is down." It's not clear what prompted the shutdown, but the development comes as Swiss cybersecurity firm PRODAFT  offered  an unprecedented look into the group's ransomware-as-a-service (RaaS) model, wherein the developers sell or lease their ransomware technology to affiliates hired from darknet forums, who then carry out attacks on their behalf while also netting about 70% of each ransom payment extorted from the victims. The result? Three members of the Conti team have b
FBI Warns Conti Ransomware Hit 16 U.S. Health and Emergency Services

FBI Warns Conti Ransomware Hit 16 U.S. Health and Emergency Services

May 22, 2021
The adversary behind Conti ransomware targeted no fewer than 16 healthcare and first responder networks in the U.S. within the past year, totally victimizing over 400 organizations worldwide, 290 of which are situated in the country. That's according to a new  flash alert  issued by the U.S. Federal Bureau of Investigation (FBI) on Thursday. "The FBI identified at least 16 Conti ransomware attacks targeting U.S. healthcare and first responder networks, including law enforcement agencies, emergency medical services, 9-1-1 dispatch centers, and municipalities within the last year," the agency said. Ransomware attacks have worsened over the years, with recent targets as varied as state and local governments, hospitals, police departments, and critical infrastructure.  Conti  is one of many ransomware strains that have capitulated on that trend, commencing its operations in July 2020 as a private Ransomware-as-a-Service (RaaS), in addition to jumping on the double extort
More Resources