Cyble – New Ransomware Strains Emerging From Leaked Conti’s Source Code  

Putin Team Leaks Victim’s Details in Their Telegram Channel

Cyble Research and Intelligence Labs (CRIL) have spotted multiple ransomware strains created based on the source of other ransomware families. Recently, CRIL observed new ransomware families, such as Putin Team, ScareCrow, BlueSky Meow, etc., created from the leaked source code of Conti Ransomware.

Figure 1 – Emerging Variants

ScareCrow Ransomware

ScareCrow is a new ransomware strain based on Conti ransomware. After execution, it encrypts files and appends .CROW as an extension. It drops a ransom note named “readme.txt” that contains three Telegram handles for contacting the Threat Actor (TA). The figure below shows the ScareCrow ransom note.

Figure 2 – ScareCrow Ransom Note

BlueSky ransomware

BlueSky ransomware surfaced in the second half of 2022. It exhibits several similarities and overlaps with Conti and Babuk ransomware; the source code of Babuk ransomware was also leaked, in 2021. Upon execution, BlueSky encrypts files and adds the .BLUESKY extension to them. The ransom note it drops is named “# DECRYPT FILES BLUESKY #.txt” and contains instructions for decrypting the files. This ransomware group uses an onion site to interact with its victims.

Figure 3 – BlueSky’s Ransom Note

Meow Ransomware

Meow ransomware was discovered recently and is based on Conti ransomware. It encrypts the victim’s files and appends .MEOW as an extension. It drops a ransom note named “readme.txt” that contains four email addresses and two Telegram handles that victims can use to interact with the TA. The figure below shows the Meow ransom note.

Figure 4 – Meow Ransomware Ransom Note

Putin Ransomware

CRIL discovered a new ransomware group named Putin Team. We believe that Putin Team may have altered the leaked Conti ransomware source code to generate its ransomware binaries. The group claims to be of Russian origin, but there is currently no valid proof to substantiate this. Putin Team uses a Telegram channel to disclose details of its victims and has posted details of two victims there so far.

Figure 5 – Putin Team Telegram Channel

Upon execution, this ransomware drops a ransom note named README.txt in each folder. The ransom note contains Telegram links, the victim’s ID, and further instructions for decrypting the files. The figure below shows the ransom note.

Figure 6 – Ransom Note

Technical Analysis

Upon execution, the Putin ransomware binary (SHA256: fe311979cd099677b1fd7c5b2008aed000f0e38d58eb3bfd30d04444476416f9) resolves module names dynamically and loads the modules it needs. The modules resolved include Iphlpapi.dll, Netapi32.dll, Oleaut32.dll, Rstrtmgr.dll, Shell32.dll, Shlwapi.dll, ntdll.dll, Ole32.dll and Advapi32.dll.

After resolving the module names, the ransomware copies the hardcoded ransom note, as shown below.

Figure 7 – Copies Ransom Note

After this, the ransomware creates a mutex named “hsfjuukjzloqu28oajh727190” to ensure that only one instance of the malware runs on the victim’s machine, as shown in the image below.

Figure 8 – Creates Mutex

The ransomware then retrieves the list of drives on the victim’s machine using the GetLogicalDriveStringsW() API and enumerates the folders and files on the identified drives for encryption, as shown below.

Figure 9 – Calls GetLogicalDriveStringsW()

While enumerating the directories, the ransomware creates a ransom note named “readme.txt” and drops it in each folder it encounters. The ransomware then creates multiple threads for faster encryption using I/O completion port APIs such as CreateIoCompletionPort(), PostQueuedCompletionStatus() and GetQueuedCompletionStatus().

This ransomware uses the ChaCha20 algorithm to encrypt files. ChaCha20 is a symmetric stream cipher that is widely adopted by ransomware groups because of its encryption speed. After encrypting the files, the ransomware renames them by appending .PUTIN as an extension, as shown below.

Figure 10 – Encrypted Files
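As an added defender-side example (not code from the Cyble write-up), the following Python script walks a directory tree and attributes the on-disk traces described above: the appended extensions (.PUTIN, .CROW, .MEOW, .BLUESKY) and the ransom-note file names. Because three families share the readme.txt note name, a note alone attributes nothing; the sample tree it scans is constructed inline.

```python
import os
import tempfile
from collections import Counter
# Indicators from the write-up: appended extension -> family, ransom-note name -> families.
EXTENSIONS = {".putin": "Putin Team", ".crow": "ScareCrow", ".meow": "Meow", ".bluesky": "BlueSky"}
NOTE_NAMES = {
    "readme.txt": ("Putin Team", "ScareCrow", "Meow"),  # shared by three families
    "# decrypt files bluesky #.txt": ("BlueSky",),
}

def scan_tree(root):
    """Walk root once: count renamed files per family and directories holding each note name."""
    encrypted, notes = Counter(), Counter()
    for _dirpath, _dirs, files in os.walk(root):
        seen = set()
        for name in files:
            low = name.lower()
            ext = os.path.splitext(low)[1]
            if ext in EXTENSIONS:
                encrypted[EXTENSIONS[ext]] += 1
            if low in NOTE_NAMES:
                seen.add(low)
        for note in seen:
            notes[note] += 1
    return encrypted, notes

def attribute(encrypted, notes):
    """Families whose appended extension AND matching ransom note were both seen."""
    hits = set()
    for note, families in NOTE_NAMES.items():
        if notes.get(note, 0):
            hits.update(f for f in families if encrypted.get(f, 0))
    return sorted(hits)

def build_sample_tree(root):
    """Constructed sample: Putin-style tree (note in every folder) plus a note-only folder."""
    layout = {"docs": ["report.docx.PUTIN", "budget.xlsx.PUTIN", "README.txt"],
              "docs/old": ["notes.txt.PUTIN", "README.txt"],
              "tmp": ["README.txt"]}  # note without encrypted files must not attribute
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        for name in names:
            open(os.path.join(root, sub, name), "w").close()

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        encrypted, notes = scan_tree(root)
        return dict(encrypted), dict(notes), attribute(encrypted, notes)
```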

Conclusion

TAs can use the source code and builders of various ransomware groups exposed on multiple platforms to develop custom ransomware payloads. In this case, the TAs have utilized the leaked Conti ransomware source code to start a new ransomware operation with minimal investment. CRIL research indicates that we may see a few more new ransomware families based on the Conti source code in the future.

Our Recommendations 

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:  

Safety Measures Needed to Prevent Ransomware Attacks

  • Conduct regular backup practices and keep those backups offline or in a separate network.  
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.  
  • Use a reputable anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.  
  • Refrain from opening untrusted links and email attachments without verifying their authenticity.  

Users Should Take the Following Steps After a Ransomware Attack

  • Disconnect infected devices from the network.  
  • Disconnect external storage devices if connected.  
  • Inspect system logs for suspicious events.  

Impact and Criticality of Ransomware

  • Loss of valuable data.  
  • Loss of the organization’s reputation and integrity.  
  • Loss of the organization’s sensitive business information.  
  • Disruption in organization operation.  
  • Financial loss.  

MITRE ATT&CK® Techniques

Tactic           Technique ID  Technique Name
Execution        T1204         User Execution
Execution        T1129         Shared Modules
Defense Evasion  T1027         Obfuscated Files or Information
Discovery        T1082         System Information Discovery
Discovery        T1083         File and Directory Discovery
Impact           T1486         Data Encrypted for Impact

Indicators of Compromise


Source: https://blog.cyble.com/2022/12/22/new-ransomware-strains-emerging-from-leaked-contis-source-code/