Gold Ulrick Hackers Still in Action Despite Massive Conti Ransomware Leak

The infamous ransomware group known as Conti has continued its onslaught against entities despite suffering a massive data leak of its own earlier this year, according to new research.

Conti, attributed to a Russia-based threat actor known as Gold Ulrick, is the second most prevalent malware strain in the ransomware landscape, accounting for 19% of all attacks during the three-month period between October and December 2021.

One of the most prolific ransomware groups of the last year along with the likes of LockBit 2.0, PYSA, and Hive, Conti has locked the networks of hospitals, businesses, and government agencies, while receiving a ransom payment in exchange for sharing the decryption key as part of its name-and-shame scheme.

But after the cybercriminal cartel came out in support of Russia over its invasion of Ukraine in February, an anonymous Ukrainian security researcher under the Twitter handle ContiLeaks began leaking the source code as well as private conversations between its members, offering an unprecedented insight into the group’s workings.

“The chats reveal a mature cybercrime ecosystem across multiple threat groups with frequent collaboration and support,” Secureworks said in a report published in March. The groups include Gold Blackburn (TrickBot and Diavol), Gold Crestwood (Emotet), Gold Mystic (LockBit), and Gold Swathmore (IcedID).

Indeed, Intel 471’s technical monitoring of Emotet campaigns between December 25, 2021, and March 25, 2022, identified that over a dozen Conti ransomware targets were, in fact, victims of Emotet malspam attacks, highlighting how the two operations are intertwined.

That said, the leaks don’t seem to have put a dampener on the syndicate’s activities, with the number of Conti victims posted in March surging to the second-highest monthly total since January 2021, per the Atlanta-headquartered cybersecurity firm.

What’s more, the group is said to have added 11 victims in the first four days of April, even as the malware authors have persistently worked to “evolve its ransomware, intrusion methods, and approaches” in response to the public disclosure of their arsenal.

The findings have also been corroborated by NCC Group late last month, which said that “Conti operators continue their business as usual by proceeding to compromise networks, exfiltrating data and finally deploying their ransomware.”

A web of connections between Conti and Karakurt

The development comes as financial and tactical overlaps have been uncovered between Conti and the Karakurt data extortion group based on information published during the ContiLeaks saga, revealing what appears to be an extension of the ransomware-as-a-service (RaaS) business model.

Read more:

You can also read this: FBI warns US farmers of ransomware attacks

Leave a Reply

Your email address will not be published. Required fields are marked *