Review of incidents involving ransomware for the period from March 28 to May 4, 2022


One of the most interesting news items of the past week was CNN's interview with a Ukrainian researcher using the pseudonym Conti Leaks. For years the researcher had access to the internal servers of the large Conti ransomware group.

After Conti's operators sided with Russia in the war in Ukraine, the researcher turned on the group and published its internal chat logs and ransomware source code, giving security researchers and law enforcement agencies a wealth of useful information.

The SunCrypt ransomware, which operates under the ransomware-as-a-service (RaaS) business model, first drew attention in mid-2020 and remains active. Its operators continue to expand its capabilities.

A cybersecurity researcher using the pseudonym Amigo-A found a new ransomware program that leaves a ransom note named Hello.txt.

Aqua Security's Team Nautilus discovered a Python-based ransomware attack targeting Jupyter Notebook, the popular open-source web application used by data scientists. The attackers gained initial access through misconfigured environments (notebook servers exposed to the network with authentication turned off), then ran a ransomware script that encrypts every file under a given path on the server and deletes itself once it has finished. Because Jupyter Notebooks are used to analyze data and build models, such an attack can do significant damage to an organization whose environments are not properly backed up.
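The misconfiguration that gave the attackers their foothold is easy to check for. The following auditor is an added example (not code from Team Nautilus or the Jupyter project): it reads the JSON layout Jupyter uses for jupyter_server_config.json and jupyter_notebook_config.json and flags a server that is bound to a non-loopback address with both token and password authentication disabled, plus a few related settings. The two sample configurations, including the placeholder password hash, are constructed for illustration.

```python
"""Audit a Jupyter server config for the exposure described above: a
notebook server reachable from the network with authentication disabled.
Added example; not Team Nautilus's or the Jupyter project's code."""
import ipaddress
import json

# Jupyter Server (ServerApp) and the classic Notebook (NotebookApp)
# share these traitlet names.
APP_SECTIONS = ("ServerApp", "NotebookApp")


def binds_loopback_only(ip):
    """True when the configured bind address accepts only local connections."""
    if ip in ("", "localhost"):
        return True                      # Jupyter's default
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False                     # "*" or a hostname: assume reachable


def audit_jupyter_config(config):
    """Return a list of (severity, message) findings for a parsed config dict."""
    findings = []
    for section in APP_SECTIONS:
        app = config.get(section)
        if not isinstance(app, dict):
            continue
        ip = app.get("ip", "localhost")
        exposed = not binds_loopback_only(ip)
        # An unset token means Jupyter generates one; "" explicitly disables it.
        token_off = app.get("token") == ""
        no_password = not app.get("password")
        if exposed and token_off and no_password:
            findings.append(("critical",
                f"{section}: listens on {ip} with token and password disabled; "
                "anyone who can reach the port gets code execution on the host"))
        elif exposed:
            findings.append(("warning",
                f"{section}: listens on {ip}; confirm TLS and auth are enforced"))
        elif token_off and no_password:
            findings.append(("info",
                f"{section}: authentication disabled, but bound to loopback only"))
        if app.get("allow_origin") == "*":
            findings.append(("warning",
                f"{section}: allow_origin='*' lets any website drive the kernel"))
        if app.get("disable_check_xsrf"):
            findings.append(("warning", f"{section}: XSRF protection disabled"))
        if app.get("allow_root"):
            findings.append(("info", f"{section}: running as root widens the blast radius"))
    return findings


# Constructed sample configs (the password hash is a placeholder, not a real one).
WEAK_CONFIG = json.loads("""
{"ServerApp": {"ip": "0.0.0.0", "port": 8888, "token": "", "password": "",
               "allow_origin": "*", "allow_root": true}}
""")
HARDENED_CONFIG = json.loads("""
{"ServerApp": {"ip": "127.0.0.1", "port": 8888, "open_browser": false,
               "password": "argon2:PLACEHOLDER-HASH"}}
""")


def main():
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{name}]")
        for severity, message in audit_jupyter_config(cfg) or [("ok", "no findings")]:
            print(f"  {severity}: {message}")


if __name__ == "__main__":
    main()
```

To run it against a real deployment, load the JSON file from the directory `jupyter --paths` reports and pass the parsed dict to audit_jupyter_config; servers configured through the Python-format config file or command-line flags need the equivalent values collected first.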

Researchers at PCrisk discovered a new variant of the Dharma ransomware that uses the .snwd extension, and new variants of the STOP ransomware that append the extensions .voom, .mpag, .gtys or .udla.

The Hive ransomware group stole 850,000 personal records from the US healthcare organization Partnership HealthPlan of California. According to researchers at Sentinel Labs, the attackers used a new technique called IPfuscation: the payload is stored as an innocuous-looking array of IPv4 address strings, which the loader converts back into bytes at runtime.
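The following is an added example (not Sentinel Labs' or Hive's code) showing how IPfuscation works and how to look for it. It follows the scheme as publicly described: each 4-byte chunk of the payload becomes one dotted-quad string, and the loader turns the strings back into bytes (on Windows, by calling RtlIpv4StringToAddressA on each one). The encoder and decoder are paired with a heuristic scanner that flags unusually long runs of consecutive IPv4 literals in a file, which is what an IPfuscated payload looks like on disk. The payload bytes used below are constructed filler, not real shellcode.

```python
"""IPfuscation: hide binary data as a list of IPv4 address strings, and a
heuristic scanner for the artifact it leaves behind. Added example, not
code from Sentinel Labs or the Hive group."""
import re

# ASCII dotted-quad literal; octet range is checked separately.
IPV4_RE = re.compile(rb"(?:\d{1,3}\.){3}\d{1,3}")
# Bytes that may legitimately sit between adjacent IP strings in a binary:
# NUL terminators, whitespace, commas, quotes.
SEPARATORS = set(b"\x00 \t\r\n,\"'")


def ipfuscate(payload):
    """Encode every 4 payload bytes as one IPv4 string; the tail is NUL-padded."""
    padded = payload + b"\x00" * (-len(payload) % 4)
    return [".".join(str(b) for b in padded[i:i + 4])
            for i in range(0, len(padded), 4)]


def deipfuscate(ip_strings, length=None):
    """Reverse ipfuscate(); pass the original length to strip the padding."""
    out = bytearray()
    for ip in ip_strings:
        octets = [int(o) for o in ip.split(".")]
        if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
            raise ValueError(f"not a dotted quad: {ip!r}")
        out.extend(octets)
    return bytes(out if length is None else out[:length])


def find_ip_runs(data, min_run=16):
    """Return (offset, count) for every run of at least min_run IPv4 literals
    separated only by a few separator bytes. Real software rarely embeds
    dozens of IP strings back to back; an IPfuscated payload always does."""
    runs = []
    start, count, last_end = None, 0, None
    for match in IPV4_RE.finditer(data):
        if any(int(o) > 255 for o in match.group().split(b".")):
            continue                                  # not a valid address
        gap = data[last_end:match.start()] if last_end is not None else None
        if gap is not None and len(gap) <= 4 and all(c in SEPARATORS for c in gap):
            count += 1                                # continues the run
        else:
            if count >= min_run:
                runs.append((start, count))
            start, count = match.start(), 1           # starts a new run
        last_end = match.end()
    if count >= min_run:
        runs.append((start, count))
    return runs


# Constructed filler standing in for a payload; not real shellcode.
SAMPLE_PAYLOAD = bytes(range(80))
# A fake binary: some unrelated bytes, then the NUL-terminated IP strings.
SAMPLE_BLOB = (b"junk" + b"\x00".join(ip.encode() for ip in ipfuscate(SAMPLE_PAYLOAD))
               + b"\x00more")


def main():
    ips = ipfuscate(SAMPLE_PAYLOAD)
    print("first strings:", ips[:3])
    print("round trip ok:", deipfuscate(ips, len(SAMPLE_PAYLOAD)) == SAMPLE_PAYLOAD)
    print("suspicious runs (offset, count):", find_ip_runs(SAMPLE_BLOB))


if __name__ == "__main__":
    main()
```

The scanner is a heuristic, so tune min_run for the files you scan: configuration files and network tools legitimately contain IP lists, but a run of many consecutive dotted quads inside an executable's data, especially one that also imports RtlIpv4StringToAddressA, deserves a closer look.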

Customer relationship management (CRM) service provider Atento has published its financial statements for 2021, which put the cost of last October's LockBit ransomware attack at $42.1 million. The outage caused by the attack disrupted the company's operations in Brazil, resulting in $34.8 million of lost revenue and a further $7.3 million in costs for containing and remediating the incident.
