Black Basta Ransomware Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/black-basta-ransomware/

NCC Group’s May 2022 Threat Report Reflects Conti’s End
https://gridinsoft.com/blogs/ncc-report-may/
Mon, 27 Jun 2022 14:24:42 +0000
NCC Group’s monthly report on cyber threats carries two notable items: the apparent shutdown of the Conti ransomware group and the continued growth of the LockBit 2.0 gang.

Conti, a notorious Russia-based ransomware gang responsible for last year’s attack on Irish healthcare institutions, is believed to have disbanded after the gang members’ internal correspondence reached journalists. Later, in March 2022, the source code of the ransomware used by the group was leaked as well. Shortly after the invasion of Ukraine, Conti had publicly declared its support for the Russian government; its Jabber servers were then hacked and the chat logs published. Later still, the two websites the group used to negotiate with victims and to leak stolen data went offline.

However, analysts do not expect the operators themselves to disappear. Many former Conti members founded new groups or joined existing ones even before the gang stopped working. Known ransomware crews where ex-Conti operators have found a place include BlackCat, Hive, AvosLocker, HelloKitty, Quantum, and others. There are also extortion-only operations, ones that steal data without encrypting it, founded by other Conti participants: Karakurt, BlackByte, and the BazarCall collective. In short, only the brand is gone; the people behind it are unlikely to change their ways.

Statistics

May showed an 18% decrease in ransomware activity compared to April: 236 attacks against April’s 289. As before, the most targeted sectors were industrials, consumer cyclicals, and technology (31%, 22%, and 10% of attacks respectively). LockBit 2.0 remained the most active ransomware actor in May, with at least 95 victims to its name (40% of cases). Conti was also still active, alongside Hive and the recently emerged Black Basta (17 cases, 7%).

NCC Group is a British information security consultancy headquartered in Manchester. With over 15,000 clients worldwide, NCC Group is listed on the London Stock Exchange and is a constituent of the FTSE 250 Index. Every month the company issues a “Threat Pulse”, a comprehensive report on the global cyber threat landscape.

Vulnerabilities Allow Hijacking of Most Ransomware to Prevent File Encryption
https://gridinsoft.com/blogs/vulnerability-in-ransomware-can-prevent-the-encryption/
Wed, 11 May 2022 15:44:07 +0000
Not long ago, a cybersecurity analyst posted a video on YouTube demonstrating a vulnerability in ransomware samples used by well-known ransomware groups. In the footage the researcher shows the exploit against a REvil ransomware sample, but about half a dozen ransomware families are vulnerable to the same trick.

The crooks’ weapon struck back at them

The YouTube user Malvuln published a series of videos on exploiting a weakness in popular ransomware. The weakness lies in the way the ransomware executable loads its libraries, the very same mechanism the crooks abuse to get their payload running with elevated privileges. In effect, it is an exploit of the exploit. Let’s look at how it works.

When crooks run ransomware on an infected system, they often plant a malicious DLL where a legitimate program will load it. Every application depends on dynamic-link libraries, and if a program does not verify the libraries it loads, it is easy to substitute the original with one of your own. Cybercriminals know this weakness well and know which applications are susceptible. Feeding the malicious DLL to a legitimate, trusted program lets the ransomware run with that program’s privileges.

However, the ransomware itself is not flawless. As the researcher found, it is also vulnerable to DLL hijacking, though the exact method differs from the way cybercriminals use it. The vulnerability lies in how the ransomware names and looks up the libraries it needs for the encryption routine. A specially compiled DLL carrying the same name as one of those libraries, placed where the ransomware will find it first, terminates the encryption process as soon as it begins.

How can that be used?

As Malvuln showed in his videos, ransomware from six popular cybercrime gangs is vulnerable to this flaw: AvosLocker, LokiLocker, Black Basta, REvil, Conti, and LockBit. All of them are well known, each attacks hundreds of companies every month, and some demand ransoms of up to $1M. Using this vulnerability, companies can cheaply protect themselves from having their files encrypted. Still, the spyware these groups usually deploy alongside the ransomware remains able to exfiltrate a lot of valuable data.

[Image: the ransom note of AvosLocker, one of the vulnerable families. It is still dropped even after the encryption fails.]

Placing a small DLL file on each computer in the network is easy, and hard for threat actors to notice. Unlike security products running on the network, the DLL is a passive file rather than an active process, so an intruder is unlikely to spot it before it fires. Hence, crooks may get a very unpleasant surprise. Nonetheless, this does not mean you can throw away your security solutions. EDR systems can be very effective against the spyware, at least at the data exfiltration stage. Keep in mind that a ransom will likely cost you far more than an endpoint protection solution.
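The two passages above, the crooks’ DLL substitution and Malvuln’s defensive same-named DLL, both rest on the Windows DLL search order. The model below is an added example, not code from the original post or from Malvuln: it reproduces the default loader lookup for an unqualified DLL name and shows why a copy in the right directory wins for either side, plus an audit that flags the loads an intruder (or a defender) could intercept. All directory listings, the Vendor application, the `invoice.exe` drop and the import name `lockhelper.dll` are constructed for the example; the ransomware families in the post load their own, unnamed libraries.

```python
"""Model of the Windows default DLL search order and a hijack-candidate audit.

Constructed listings stand in for a real filesystem so the example runs offline.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

SYSTEM32 = r"C:\Windows\System32"
WINDIR = r"C:\Windows"

# KnownDLLs are always mapped from System32, whatever the search order says.
# Illustrative subset of the real KnownDLLs list.
KNOWN_DLLS = {"ntdll.dll", "kernel32.dll", "user32.dll", "advapi32.dll"}

FileSystem = Dict[str, Set[str]]  # directory -> lower-case file names in it


@dataclass
class Process:
    exe_dir: str                       # directory the executable was started from
    cwd: str                           # current working directory
    imports: List[str]                 # unqualified DLL names it loads
    path_dirs: List[str] = field(default_factory=list)
    safe_dll_search_mode: bool = True  # the default on supported Windows versions


def search_order(p: Process) -> List[str]:
    """Directories in the order the loader consults them for an unqualified name."""
    if p.safe_dll_search_mode:
        order = [p.exe_dir, SYSTEM32, WINDIR, p.cwd]
    else:
        # With SafeDllSearchMode disabled the CWD is searched right after the app dir.
        order = [p.exe_dir, p.cwd, SYSTEM32, WINDIR]
    return order + list(p.path_dirs)


def resolve(name: str, p: Process, fs: FileSystem) -> Optional[str]:
    """Directory the DLL would be loaded from, or None if no candidate exists."""
    name = name.lower()
    if name in KNOWN_DLLS:
        return SYSTEM32 if name in fs.get(SYSTEM32, set()) else None
    for d in search_order(p):
        if name in fs.get(d, set()):
            return d
    return None


def plant(fs: FileSystem, directory: str, name: str) -> None:
    """Drop a same-named DLL into a directory: the move both sides of this story make."""
    fs.setdefault(directory, set()).add(name.lower())


def audit(p: Process, fs: FileSystem, writable: Set[str]) -> Dict[str, str]:
    """'hijackable' if an import resolves from a directory the intruder can write to,
    'missing' if no copy exists anywhere (the first planted copy wins), else 'ok'."""
    verdict = {}
    for name in p.imports:
        where = resolve(name, p, fs)
        if where is None:
            verdict[name] = "missing"
        elif where in writable:
            verdict[name] = "hijackable"
        else:
            verdict[name] = "ok"
    return verdict


def sample_fs() -> FileSystem:
    """Constructed file listing used by the demo."""
    return {
        SYSTEM32: {"ntdll.dll", "kernel32.dll", "user32.dll", "advapi32.dll", "version.dll"},
        WINDIR: set(),
        r"C:\Program Files\Vendor": {"app.exe"},
        r"C:\Users\victim\Downloads": {"invoice.exe"},  # the dropped ransomware
    }


def run_demo() -> Dict[str, object]:
    fs = sample_fs()
    app_dir = r"C:\Program Files\Vendor"
    drop_dir = r"C:\Users\victim\Downloads"
    # Part 1, the intruder: the legitimate app imports version.dll, a genuine system DLL,
    # and its install directory is assumed writable because of a weak ACL.
    app = Process(exe_dir=app_dir, cwd=app_dir, imports=["kernel32.dll", "version.dll"])
    before = resolve("version.dll", app, fs)   # System32: the genuine copy
    plant(fs, app_dir, "version.dll")          # attacker drops a fake beside app.exe
    after = resolve("version.dll", app, fs)    # the app directory now wins
    # Part 2, the defender: the payload loads a library by bare name (hypothetical
    # 'lockhelper.dll') that exists nowhere, so the first same-named file in its search
    # order is taken. System32 is consulted for every process before the CWD, so a
    # defender's copy there fires no matter which folder the payload is dropped in.
    rw = Process(exe_dir=drop_dir, cwd=drop_dir, imports=["kernel32.dll", "lockhelper.dll"])
    unplanted = resolve("lockhelper.dll", rw, fs)
    plant(fs, SYSTEM32, "lockhelper.dll")
    planted = resolve("lockhelper.dll", rw, fs)
    return {
        "app_before": before, "app_after": after,
        "rw_unplanted": unplanted, "rw_planted": planted,
        "app_audit": audit(app, fs, writable={app_dir}),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "->", value)
```

The same audit run against real import tables (from a PE parser) and real directory ACLs is the check a defender wants before relying on a planted DLL: if the payload is dropped into a folder that already contains its own copy of the library, the application directory is searched first and the defensive copy in System32 never loads.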

Thoughts on ransomware vulnerability

Cybercriminals such as the members of the named gangs care about their creations, and they will not delay fixing a vulnerability like this. It is their bread and butter, and they depend on that money flow. Hence, deploying the DLL as described above is not a panacea. Sooner or later (likely sooner) the flaw will be fixed, as has happened with every other vulnerability that became public. And still, nobody has named a way to stop the accompanying spyware.

One way or another, having a chance to stop the ransomware and prevent disruption is better than not having it.
