At a glance.
- Conti's ransomware attacks on national governments.
- Ransomware gang tries to excuse its crimes.
- Origins of the Chaos ransomware operation.
Conti's ransomware attacks on national governments.
Check Point looks at the Conti ransomware gang's attacks against the national governments of Costa Rica and Peru. In the case of Costa Rica, the researchers stated:
"This quickly escalating cyber event has evolved into a wide geopolitical event. It happened when on the one hand, Costa Rica asked for support from the US and the US state department then offered a $10,000,000 reward for information on Conti’s leaders. On the other hand, the rhetoric of the Conti group around the Costa Rican extortion started to involve the US and President Biden, and not just Costa Ricans.
"The event received a lot of positive attention in the Russian speaking underground and could potentially lead to further ransomware groups utilizing the same concepts against other countries and in different geopolitical circumstances. One of the most reputable members of the Russian Underground aggressively reacted to the US intervention, saying that Americans should pray that the events of May – June 2021 won’t happen again, alluding to the Colonial Pipeline ransomware attack."
Check Point adds that Conti is conducting a similar campaign in Peru, after attacking the country's Ministry of Finance and General Intelligence Directorate on May 7th. In that case, the researchers note, "Extortion against Peru is a developing incident which is in the early stages compared to the event against Costa Rica."
Ransomware gang tries to excuse its crimes.
Researchers at Cyberint describe a new extortion gang dubbed "RansomHouse" that exfiltrates victims' data and holds it for ransom. The group claims that its purpose is to motivate victims to improve their security, comparing itself to bug bounty hunters. In practice, however, the gang is running a typical data theft extortion racket:
"RansomHouse campaigns focus on data exfiltration only; they do not possess or develop any encryption modules. In their words: 'nothing to do with breaches and don’t produce or use any ransomware.'
"It seems that the group operates manually and focuses on one victim at a time. They keep their actions simple and precise as they invest all their resources in vulnerability research and data exfiltration, which makes their task much simpler than encrypting the victim’s assets.
"The position the group generally puts the victim in is to pay the ransom or be shamed in their blog for not 'caring enough' to pay the ransom to protect its customers’ valuable information, which could cast a negative light on the victim in front of its customers and shareholders."
Origins of the Chaos ransomware operation.
Researchers at BlackBerry have published a report outlining the genealogy of the Chaos ransomware family, detailing six versions of the malware that have been released since it first surfaced in June 2021. BlackBerry found that Chaos has ties to the Onyx and Yashma ransomware strains, although Chaos initially (and unsuccessfully) claimed to be an offshoot of Ryuk.