The Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory on Sep 22 around the CONTI Ransomware Group, providing detailed information regarding its exploits and affiliates. Together with the Federal Bureau of Investigation (FBI), they have seen Conti ransomware in over 400 attacks targeted on international enterprises. A PDF version of the advisory which contains …

Following the recent trend in ransomware affiliates, BlackMatter has emerged as the latest ransomware-as-service (RaaS). According to Threat Intelligence company Recorded Future, BlackMatter has announced that they have “incorporated in itself the best features of DarkSide, REvil, and LockBit” as mentioned in an interview. Black Matter cited the following inspirations from each of their partner …

RansomEXX recently gained notoriety due to its attack on Gigabyte, a well-known hardware manufacturer from Taiwan and an attack against Italy’s Lazio Region. The result of the first attack was the theft of 112GB of business data, and the second crippled the national COVID-19 Vaccination Registration Portal for 6 million people. Though it initially started …

Following REvil’s sudden disappearance, the empty niche in the RaaS (Ransomware as a Service) ecosystem has quickly been occupied by a new actor: LockBit that recently unveiled their LockBit 2.0 ransomware, capable of impressive encryption speeds – according to their own benchmarks – a full-fledged exfiltration service and a new affiliate program. Soon after its …

By Alberto Pelliccione, CEO – ReaQta The Revil hacker group managed to obtain a 0-Day to gain access to Kaseya VSA, a management software for IT infrastructures, using it as a conduit to spread ransomware to those MSPs using the platform. Supply-chain attacks are extremely effective and such threats are rising in frequency and complexity. …

Recently, The Financial Times reported that Asian subsidiaries of a French Global insurance company were hit by a latest ransomware attack known as Avaddon. Attackers seized 3TB of data, impacting IT operations in Thailand, Malaysia, Hong Kong and the Philippines, taking hold of sensitive information like medical records and hospital data. What is Avaddon ransomware …

We have noticed a change of behaviour in the latest spam email campaigns used by Locky. Since its first release Locky took advantage of compromised domains to download the dropper binary, while recently Locky dropper is being delivered embedded into the loader code itself. By tracking these campaigns we have also noticed that Locky’s authors have made …

On 13th of June, while monitoring Twitter, we have observed an interesting tweet that reported a suspicious domain with an open directory listing. Among the listed files we found a zip archive containing a javascript. In this blogpost we will take a closer look at the javascript and we will show that it has ransomware capabilities, which …

ReaQta has been monitoring a new and massive worldwide Locky ransomware spam campaign. The attacks are carried out in the usual way: a javascript file attached to an email message delivered to the victims, although this is the first campaign we have tracked that shows a different deployment behaviour. The javascript downloader usually retrieves Locky’s dropper …

In Part 1 we’ve analyzed a vast Crypt0L0cker ransomware distribution operation currently affecting continental Europe and ready to jump to new countries. In this second post we’ll analyze in detail the server side code used to dispatch the victims towards the correct websites, up to the ransomware itself. We’ll also analyze the ransomware behaviour and how …

Nemucod is a Javascript downloader used to perform all kind of nasty stuff, recently a “ransomware” routine has been found in some samples, even if a simple one: a XOR with a predefined 255 bytes key. In other instances we have observed the download of a malicious executable responsible for the encryption process. What we will analyze this …

Recently we uncovered a ransomware distribution operation targeting European users and carried out via phishing scams. In this post we will show how we have conducted the research: from the initial infection stage back to the person that is orchestrating the whole operation. These campaigns are targeting Italy, Denmark and Spain, although we have detected two new campaigns about to be started …

Bandarchor is a ransomware identified for the first time at the end of 2014 that seemed almost to disappear halfway through 2015. With some surprise we’ve found it to still be alive, well and with a very low detection rate: in fact lately we have been receiving help requests from companies infected by a ransomware that …

On the 2nd of January Joe Security research team uncovered a new threat dubbed HydraCrypt ransomware. We gave it a quick test run to understand if our customers are already protected from the threat or not, and what damage this new ransomware can cause to the infected systems. For what we have seen so far this ransomware appears to be …

Ransomware is a type of malicious software (known as malware) that restricts, using encryption, access to data on your computer. Once the restriction takes place, a ransom is requested to unblock your data and if paid the restriction is removed, in theory. In principle, ransomware is a simple threat, yet one that has caused a lot …