A new strain of ransomware, created from the leaked source of Conti Ransomware, has been doing the rounds, researchers spotted. The group calls itself Putin Team in an explicit attempt to appear Russian, but the indications point otherwise, reports the Cyble Research and Intelligence Labs (CRIL).
“We believe that the Putin Team might have altered the leaked source code of Conti ransomware to generate the ransomware binaries. This group pretends to be of Russian origin, but currently, there are no valid proofs to substantiate this,” said the CRIL report on the latest Conti variants.
Following the norm, the group uses a Telegram channel to list its victims. So far, the group has posted the details of two victims on the channel, CRIL researchers refrained from revealing the victim’s names.
Conti Ransomware: rise and fall
Conti, a name that popped up in cybersecurity news since 2020, has been one of the most prolific ransomware gangs. Believed to be distributed by a Russia-based group, the ransomware strain has hit all versions of Microsoft Windows.
So much was the scale and intensity of attack that the US government put out a bounty of $10 million for any leads on the group. However, the codes changed in March 2022 when a Ukrainian security researcher leaked the source code of Conti ransomware operation, in retaliation for the gang supporting Russia on the Ukraine invasion.
Latest Conti spin-offs
The Putin Team variant was discovered during a routine hunting exercise, said the researchers. The CRIL report lists the tactics of three other versions: ScareCrow, BlueSky, and Meow.
“BlueSky follows a different encryption scheme, but for rest of the ransomwares resembles to Conti ransomware,” noted a CRIL researcher.
ScareCrow encrypts the files and appends .CROW as an extension and drops a ransom note named “readme.txt”, which contains three Telegram handles to contact the threat actor. Meow ransomware follows the same path, but encrypts the victim’s files and append .MEOW as an extension.
“Upon execution, the BlueSky Ransomware encrypts files and adds .BLUESKY extension to them. The ransom note dropped by this ransomware is named, “# DECRYPT FILES BLUESKY #.txt” which contains instructions for decrypting the files. This ransomware group uses an onion site to interact with the victims,” said the CRIL report.
On suspecting an attack from any variant, users must immediately detach infected devices on the same network, disconnect external storage devices and Inspect system logs for suspicious events, the report recommended.