Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Conti. Show all posts
TrickBot
Conti Cyber Crime Dark Web FBI ID Leak Internet Ransomware TrickBot

Mysterious Entity ExposedGang Exposes Cyber Criminals


An anonymous leaker is exposing the identities of the world’s most wanted cybercriminals. 

Recently, a mysterious leaker exposed leaders behind Trickbot and Conti ransomware, hacking groups that are known for some of the biggest extortions in recent times. 

Recently, The Register contacted an anonymous individual known by the alias GangExposed, who is on a personal mission to “fight against an organized society of criminals known worldwide”. GangExposed takes pleasure in thinking he can rid society of at least some of the cybercriminals. "I simply enjoy solving the most complex cases,” he said. 

Stern doxxed

One of the criminals doxxed is Stern, the mastermind of Conti ransomware operations and TrickBot. GangExposed claims Stern is Vitaly Nikolaevich, CySecurity reported about this case recently.

After the doxxing of Stern, GangExposed went after another important criminal, AKA professor, who is a 39-year-old Russian called Vladimir Viktorovich Kvitko. He is living in Dubai. Apart from exposing important individuals, GangExposed also leaked videos, ransom negotiations, and chat logs. 

About GangExposed

The leaker said it was not an “IT guy,” it just observed patterns that other people missed. 

"My toolkit includes classical intelligence analysis, logic, factual research, OSINT methodology, stylometry (I am a linguist and philologist), human psychology, and the ability to piece together puzzles that others don't even notice," the leaker said. 

"I am a cosmopolitan with many homes but no permanent base — I move between countries as needed. My privacy standards are often stricter than most of my investigations' subjects."

Leaked bought info to expose IDs

To expose the IDs of infamous threat actors, GangExposed used information received via “semi-closed databases, darknet services,” and through purchases. It has “access to the leaked FSB border control database.” GangExposed claims it purchased the database from the dark web for $250,000. 

GangExposed could have gotten at least $10 million in bounty from the FBI if it wanted to, but it has decided not to demand money.  This suggests the leakers may be resentful of former members looking for revenge, while some experts think taking the bounty would make them criminal as well. 

CySecurity had earlier reported on this incident, you can read the full story about the international crackdown on cybercrime gangs here

Read more »
US Government
Conti Conti Ransomware CrowdStrike outage Cyber Attacks healthcare sectors OFAC ransomware attacks US Government

U.S. Government Escalates Sanctions to Combat Rising Cybersecurity Threats

 

In a significant move to combat rising cyber threats, the U.S. government has intensified its use of sanctions against cybercriminals. This escalation comes in response to an increasing number of ransomware attacks and other cybercrimes targeting American infrastructure, businesses, and individuals. The latest sanctions target hackers and cyber groups responsible for some of the most severe breaches in recent history. 

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has spearheaded these efforts. By freezing assets and prohibiting transactions with designated individuals and entities, OFAC aims to disrupt the financial networks that support these cybercriminal operations. This strategy seeks not only to punish those directly involved in cyber attacks but also to deter future incidents by raising the financial and operational costs for would-be hackers. 

One of the key targets of these sanctions is the notorious ransomware group, Conti. This group has been linked to numerous high-profile attacks, including the devastating breach of Ireland’s Health Service Executive in 2021, which disrupted healthcare services nationwide. By imposing sanctions on Conti and associated individuals, the U.S. government aims to dismantle the group’s operational capabilities and limit its reach. 

In addition to Conti, the sanctions list includes individuals connected to Evil Corp, a cybercrime syndicate known for deploying Dridex malware. This malware has been used to steal financial information and execute large-scale ransomware attacks. The sanctions against Evil Corp reflect a broader strategy to target the infrastructure and personnel behind such sophisticated cyber threats. The increase in sanctions also aligns with international efforts to tackle cybercrime. The U.S. has collaborated with allies to coordinate sanctions and share intelligence, creating a united front against global cyber threats. 

This cooperation underscores the recognition that cybercrime is a transnational issue requiring a collective response. Despite these aggressive measures, the fight against cybercrime is far from over. Cybercriminals continually evolve their tactics, finding new ways to bypass security measures and exploit vulnerabilities. The U.S. government’s approach highlights the need for ongoing vigilance, robust cybersecurity practices, and international collaboration to effectively combat these threats. 

In addition to sanctions, the U.S. government is investing in enhancing its cyber defenses. This includes increasing funding for cybersecurity initiatives, promoting public-private partnerships, and encouraging the adoption of best practices across critical sectors. These efforts aim to build resilience against cyber attacks and ensure that the country can swiftly respond to and recover from incidents when they occur. The impact of these sanctions is already being felt within the cybercriminal community. Reports indicate that some groups are experiencing difficulties in accessing funds and recruiting new members due to the increased scrutiny and financial restrictions. 

While it is too early to declare victory, these sanctions represent a significant step in disrupting the operations of major cyber threats. In conclusion, the U.S. government’s use of sanctions against cybercriminals marks a critical development in the fight against cyber threats. By targeting the financial networks that sustain these operations, the government aims to weaken and deter cybercriminals. However, the dynamic nature of cybercrime necessitates continuous adaptation and international cooperation to protect against evolving threats. 
Read more »
threat analysis
3AM Conti Cyber Security cybercrime gangs Data Leaks intrusion tactics malware ranso Ransomware Royal Security Researchers threat analysis

Security Researchers Establish Connections Between 3AM Ransomware and Conti, Royal Cybercriminal Groups

 

Security researchers examining the operations of the recently surfaced 3AM ransomware group have unveiled strong connections with notorious entities like the Conti syndicate and the Royal ransomware gang.

The 3AM ransomware, also known as ThreeAM, has adopted a novel extortion strategy: publicly revealing data leaks to victims' social media followers and utilizing bots to respond to influential accounts on X (formerly Twitter), directing them to the compromised data.

Initially observed by Symantec's Threat Hunter Team in mid-September, 3AM gained attention after threat actors shifted from deploying LockBit malware. According to French cybersecurity firm Intrinsec, ThreeAM is likely affiliated with the Royal ransomware group, now rebranded as Blacksuit, consisting of former members of Team 2 within the Conti syndicate.

As Intrinsec delved into their investigation, they found substantial overlap in communication channels, infrastructure, and tactics between 3AM and the Conti syndicate. Notably, an IP address listed by Symantec as a network indicator of compromise led researchers to a PowerShell script for dropping Cobalt Strike on VirusTotal.

Further investigation uncovered a SOCKS4 proxy on TCP port 8000, a TLS certificate associated with an RDP service, and HTML content from 3AM's data leak site indexed by the Shodan platform. The servers involved were traced back to the Lithuanian hosting company, Cherry Servers, known for hosting malware despite having a low fraud risk.

Intrinsec's findings aligned with a report from Bridewell, connecting the IP subnet to the ALPHV/BlackCat ransomware operation. This group, not part of the Conti syndicate but allied, was identified as having ties to IcedID malware used in Conti attacks.

In addition to technical details, Intrinsec uncovered 3AM's experiment with a new extortion technique. The gang set up a Twitter account in August, using it to reply to tweets from victims and high-profile accounts, linking to the data leak site on the Tor network. Intrinsec suspected the use of a Twitter bot for a name-and-shame campaign, noting an unusually high volume of automated replies.

Despite 3AM's perceived lack of sophistication compared to Royal, the researchers cautioned against underestimating its potential for deploying numerous attacks. The article concludes with a broader context on the Conti syndicate, its dissolution, and the emergence of affiliated groups like Royal ransomware.
Read more »
TrendMicro
Bitcoin Canti Conti CorvusInsurance Cyber Crime Cybersecurity Darkweb DigitalCurrency Elliptic Extortion Garantex Hackers Laundering Ransomware TrendMicro

Researchers: 'Black Basta' Group Rakes in Over $100 Million

 

A cyber extortion group believed to be an offshoot of the infamous Russian Conti hacker organization has reportedly amassed over $100 million since its emergence last year, according to a report published on Wednesday by digital currency tracking service Elliptic and Corvus Insurance.

The group, known as "Black Basta," has allegedly extorted at least $107 million in bitcoin, with a significant portion of the laundered ransom payments flowing to the sanctioned Russian cryptocurrency exchange Garantex, as revealed in the joint report. Attempts to contact Black Basta through its dark web site were unsuccessful. Garantex, which faced U.S. Treasury sanctions in April of the previous year, expressed support for global initiatives combatting cybercrime and urged information-sharing regarding the hackers' finances, pledging to block suspicious funds.

Elliptic co-founder Tom Robinson characterized Black Basta's substantial earnings as making it "one of the most profitable ransomware strains of all time." The researchers arrived at this figure by identifying known ransom payments linked to the group, tracing the laundering of digital currency, and discovering additional payments.

Robert McArdle, a cybercrime expert from security firm TrendMicro not involved in the report, deemed the reported Black Basta figure "certainly in a believable range for their operations."

The Elliptic-Corvus report also presented evidence linking Black Basta to the now-defunct Russian group "Canti." Conti, formerly a prominent ransomware gang, gained notoriety for coercing victims through data encryption, ransom demands, and threats to publish stolen information. 

The report suggests that individuals from Conti, following the dismantling of its leak site after Russia's invasion of Ukraine and the subsequent posting of U.S. bounties on its leadership, may have reorganized and rebranded, with Black Basta potentially being a manifestation of this restructuring.

"Conti was perhaps the most successful ransomware gang we've seen," remarked Robinson. The recent findings indicate that some individuals responsible for Conti's success might be replicating it with the Black Basta ransomware, he added.
Read more »
RaaS
Bug Bounty Conti Crypto Currency LockBit 2.0 ransomware malware NCC Group RaaS

LockBit 3.0: Launch of Ransomware Bug Bounty Program

 

The "LockBit 3.0" ransomware update from the LockBit ransomware organization features the first spyware bug bounty program, new extortion methods, and Zcash cryptocurrency payment choices. After two months of beta testing, the notorious gang's ransomware-as-a-service (RaaS) operation, which has been operational since 2019, recently underwent an alteration. It appears that hackers have already employed LockBit 3.0.

Bug bounty plan for LockBit 3.0 

With the launch of LockBit 3.0, the organization launched the first bug bounty program provided by a ransomware gang, which asks security researchers to disclose bugs in exchange for incentives that can go as high as $1 million. In addition to providing bounties for vulnerabilities, LockBit also pays rewards for "great ideas" to enhance the ransomware activity and for doxing the operator of the affiliate program, identified as LockBitSupp, which had previously posted a bounty plan in April on the XSS hacking site.

"We open our bug bounty program to any security researchers, ethical and unethical hackers worldwide. The compensation ranges from $1,000 to $1,000,000," reads the page for the LockBit 3.0 bug reward. The notion of initiating the criminal operation would be against the law in many nations, however, makes this bug reward scheme a little different from those frequently utilized by respectable businesses.

LeMagIT claims that version 3.0 of LockBit includes several other improvements, such as new methods for data recovery and monetization, as well as the option for victims to choose to have their data destroyed, and the ability for victims to make payments using the Zcash cryptocurrency in addition to Bitcoin and Monero. 

LockBit is producing outcomes. In May, LockBit 2.0 succeeded Conti as the leading provider of ransomware as a service. The gang's previous ransomware, LockBit 2.0, was to be blamed for 40% of the attacks that NCC Group observed in the preceding month. Moreover, according to Matt Hull, worldwide lead for strategic threat intelligence at NCC, The most prolific threat actor of 2022 is Lockbit 2.0,  In times like these, it's imperative that businesses become familiar with their strategies, methods, and processes.

It is unclear how this new extortion technique will operate or even whether it is activated because the LockBit 3.0 data leak site currently does not have any victims. With its public-facing manager actively interacting with other malicious actors and the cybersecurity community, LockBit is one of the most prolific ransomware campaigns.
Read more »
User Privacy
Botnet Conti Emotet Google Chrome malware Ransom Ransomware TrickBot Trojan User Data User Privacy

New Emotet Variant Capturing Users' Credit Card Data from Google Chrome

 

The Emotet botnet is now attempting to infect potential victims with a credit card stealer module designed to capture credit card information from Google Chrome user accounts. 

After obtaining credit card information (such as name, expiration month and year, and card numbers), the malware will transfer it to command-and-control (C2) servers that are not the same as those used by the Emotet card stealer module. 

The Proofpoint Threat Insights team said, "On June 6th, Proofpoint observed a new Emotet module being dropped by the E4 botnet. To our surprise, it was a credit card stealer that was solely targeting the Chrome browser. Once card details were collected they were exfiltrated to different C2 servers than the module loader." 

This shift in behaviour follows an increase in activity in April and a move to 64-bit modules, as discovered by the Cryptolaemus security research group. One week later, Emotet began using Windows shortcut files (.LNK) to run PowerShell instructions on victims' devices, abandoning Microsoft Office macros, which were disabled by default beginning in early April 2022. 

The re-emergence of Emotet malware:

In 2014, the Emotet malware was created and used in assaults as a banking trojan. It has developed into a botnet used by the TA542 threat group (also known as Mummy Spider) to deliver second-stage payloads. 

It also enables its operators to steal user data, conduct reconnaissance on compromised networks, and migrate laterally to susceptible devices. Emotet is renowned for deploying Qbot and Trickbot malware trojan payloads on infected PCs, which are then used to spread more malware, such as Cobalt Strike beacons and ransomware like Ryuk and Conti. Emotet's infrastructure was destroyed in early 2021 as part of an international law enforcement operation that also resulted in the arrest of two people.

When Emotet research organisation Cryptolaemus, computer security firm GData, and cybersecurity firm Advanced Intel all spotted the TrickBot malware being used to deliver an Emotet loader in November 2021, the botnet returned utilising TrickBot's previously established infrastructure.

According to ESET, Emotet's activity has increased more than 100-fold since the beginning of the year, with its activity rising more than 100-fold against T3 2021.
Read more »
Security
Conti Hacking malware Ransomware Safety Security

Conti Ransomware Shuts Down and Rebrands Itself

 

The Conti ransomware group has effectively put a stop to their operation by shutting down its infrastructure and informing its team leaders that the brand no longer exists. Advanced Intel's Yelisey Boguslavskiy tweeted that the gang's internal infrastructure had been shut down.

The Tor admin panels that members used to conduct negotiations and post "news" on their data leak site are currently down, according to BleepingComputer. Despite the fact that the public-facing 'Conti News' data dump and the ransom negotiation website are still available. 

As per Bleeping Computer, "The agenda to conduct the attack on Costa Rica for the purpose of publicity instead of ransom was declared internally by the Conti leadership. Internal communications between group members suggested that the requested ransom payment was far below $1 million USD (despite unverified claims of the ransom being $10 million USD, followed by Conti’s own claims that the sum was $20 million USD)". 

Despite the fact that the Conti ransomware brand has been retired, the cybercrime organisation will continue to play a significant role in the ransomware industry for some time. Rather than rebranding as another large ransomware organisation, Conti leadership has collaborated with other minor ransomware gangs to carry out attacks. 

Smaller ransomware gangs profit from this alliance because they have access to professional Conti pentesters, negotiators, and operators. The Conti cybercrime syndicate is able to expand its mobility and ability to dodge law enforcement more effectively by subdividing into smaller "cells" that are all monitored by the central leadership.

Conti has worked with a wide range of well-known ransomware operations, according to a study published by Advanced Intel. Conti's current members, which include negotiators, intelligence analysts, pentesters, and coders, are scattered throughout several ransomware operations. Despite the fact that they will now employ the same encryptors and negotiation sites as the other ransomware operation, they remain part of the larger Conti criminal group.
Read more »
Ransomware attack
Conti Conti Ransomware Cyber Attacks Extortion Group Ransomware attack

Karakurt Hacking Group Linked to Conti and Diavol Ransomware Crew

 

Cybersecurity researchers from Arctic Wolf Networks published a blog post on Friday claiming that the cyber extortion group Karakurt is operationally associated with both the Conti and Diavol ransomware groups, operating as an exfiltration arm of the ransomware organizations. 

In a blog post, researchers said since its first attacks in August 2021, Karakurt hacking group has targeted more than 40 organizations in a number of industries in at least eight nations.

In conducting the in-depth research Tetra Defense, an Arctic Wolf firm, collaborated with Chainalysis and Northwave to examine the cryptocurrency wallets tied to the Karakurt hacker group, combined with their specific technique for data theft. The analysis confirmed that the group's membership overlaps with the Conti and Diavol ransomware crews. 

Tetra's report reveals the experience of a client firm that was targeted by the Conti group, and subsequently targeted again by a data theft perpetrated by the Karakurt hacking group. The analysis confirmed that the Karakurt attack employed an identical backdoor to exploit the client's systems as the earlier Conti assault. These associations debunk the Conti group’s assurance to victims that paying the ransom will shield them from future assaults.

"Such access could only be obtained through some sort of purchase, relationship, or surreptitiously gaining access to Conti group infrastructure," Tetra explained in its report. 

It is essential to distinguish the several types of cyber assault described right here, according to Tetra. In a ransomware attack, critical information is encrypted and the ransom is paid in exchange for a decryption key so that the victim can recover its data and resume operating. In a data theft, which has been the sole type of attack orchestrated by the Karakurt group, threat actors steal sensitive corporate data and demand money in exchange for not releasing it. 

The Karakurt attacks of this type — there have been more than a dozen to date, according to Tetra — also employed cryptocurrency wallets associated with Conti victim payment addresses, further strengthening the argument that the two groups' membership may overlap significantly. 

“Traditionally, we have seen the criminals honor their offers,” Nathan Little, senior vice chairman of digital forensics and incident response at Tetra stated. “Early on, when these [data theft attacks] began in 2019, it was widespread that corporations had been frightened sufficient that they’d pay, to not cover the incident, however to keep away from the results.”
Read more »
Subscribe to: Posts (Atom)