Resurgence of Russian Ransomware Gangs

Key Takeaways

  • Following a quiet period after the Russian cyber gangs REvil and DarkSide went dark over the summer, both old and new threats are behind a spike in ransomware attacks in the U.S. over the last week.

  • Iowa agriculture business New Cooperative was hit this week with a ransomware attack from BlackMatter, a new cyber gang with ties to DarkSide.

  • Several U.S. agencies released an alert warning businesses of an increasing ransomware threat from Conti, another Russia-based criminal group, which the alert ties to more than 400 attacks in the past year.

Prophetic Warning from National Cyber Director

The summer of 2021 was filled with ransomware attacks grave enough to grab the headlines, with victims such as Kaseya Ltd., Colonial Pipeline, and JBS. All of these attacks were attributed to the Russian cyber gangs REvil and DarkSide, who then suddenly went quiet. On July 13, REvil's dark web advertisement pages were shut down and its servers went offline, leaving infected victims who had not paid the ransom unable to recover their encrypted data. Similarly, the DarkSide ransomware operators disappeared from the web not long after their hack of Colonial Pipeline.

Some speculate that this disappearance may have been a reaction to U.S. President Biden's threat of a more robust attack on cybercriminal operations and his urging of Russian President Vladimir Putin to commit to fighting cybercriminal organizations operating within Russian borders. Others believe the groups' silence is a tactical move to rethink their operational approach. That reading is based on earlier episodes in which cybercriminal groups suspended operations in the wake of significant media and law enforcement attention, only to reappear later under a new brand that helped them evade detection.

Back in early September, the nation's first National Cyber Director, Chris Inglis, warned that while the U.S. was enjoying a dip in ransomware attacks, "it's too soon to say we're out of the woods on this".

“Those attacks have fallen off. Those syndicates [cyber gangs] have to some degree deconstructed. I think it’s a fair bet they have self-deconstructed and essentially gone cold and quiet to see whether the storm will blow over and whether they can come back”, Inglis said at an event hosted at the Reagan Institute that was live streamed on YouTube.

Inglis spoke as a 28-year veteran of the NSA who spent seven and a half years as its deputy director. His warning that the dip in attacks was likely temporary is now proving true.

Bitdefender sees signs of REvil return

As law enforcement and cybersecurity firms brace for the return of these ransomware gangs, the Romanian cybersecurity firm Bitdefender released a free decryption tool for early victims of REvil. The decryptor will aid victims hit before July 13, when REvil’s infrastructure shut down.

“We believe new REvil attacks are imminent after the ransomware gang’s servers and supporting infrastructure recently came back online after a two month hiatus,” Bitdefender wrote in a blog post.

According to another cybersecurity firm, Flashpoint, REvil is already back in business. Flashpoint’s blog explains that a threat actor operating under the alias “REvil” appeared on Exploit, a cybercrime forum, claiming to be the group’s new representative. The alleged representative went on to explain that the ransomware group had managed to come back online using its backups. The need to fall back on backup servers, combined with Joe Biden’s hint at an offensive response from the U.S., suggests that REvil may have been taken down rather than having self-deconstructed. This is apparently the first time that REvil has appeared on Exploit since the group disappeared for unspecified reasons in July following its high-profile attack on Kaseya.

New Cooperative Ransomware Attack

Just last week, and two weeks after Inglis’s address, Iowa agriculture business New Cooperative was hit with a ransomware attack and a $5.9 million ransom demand. The attack came from BlackMatter, a new Russian cyber gang that researchers believe has risen from the ashes of DarkSide, the group behind the Colonial Pipeline attack.

New Cooperative was forced to shut down the computer networks used to keep food supply chains and feeding schedules on track for millions of chickens, hogs and cattle. The attack also compromised its soil-mapping software — a master-control system that optimizes irrigation and fertilization. 

The hacking group BlackMatter threatened to publish a terabyte of the cooperative’s data, including invoices, research and development documents, and the source code to its soil-mapping technology, if it did not receive the ransom payment in cryptocurrency by Sept. 25.

BlackMatter on its dark-web site says it does not target infrastructure such as hospitals, pipelines and power plants.

New Cooperative officials sought on Monday to negotiate the release of the company’s data without a payment. A company official told a representative of the hacking group that the cooperative should not be targeted because it was “critical infrastructure.” In the exchange, New Cooperative claimed the hack threatened to affect the software controlling 40 percent of the nation’s grain production, as well as the feed schedule of 11 million animals.

We will see tomorrow whether New Cooperative pays in time and, if it doesn’t, whether BlackMatter holds to its threat of publishing a terabyte of stolen data.

Conti Ransomware Spike

As if the BlackMatter attack weren’t enough to return ransomware to the headlines, a perhaps worse threat is growing: Conti ransomware. In an alert on Wednesday, the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the National Security Agency urged organizations to update their systems amid an increase in Conti ransomware attacks. The alert reported over 400 attacks using Conti ransomware against U.S. targets in the last year.

The group primarily runs “double extortion” campaigns in which the actors steal files before encrypting them. They then demand a ransom from the victim to restore access to the systems; if the victim doesn’t pay, the actors threaten to leak the stolen data.

The most damaging element of these attacks is their targets: critical parts of U.S. infrastructure, including health care providers and first responder networks, as well as schools, businesses and local governments.

Conti operates under a ransomware-as-a-service (RaaS) model. The gang behind it is known as Wizard Spider and is based in St. Petersburg, Russia. The alert warns that Conti often gains initial access through spearphishing campaigns or malicious downloads posing as legitimate software, then uses that foothold to harvest credentials and escalate privileges.
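The "malicious downloads posing as real software" vector above is one an organization can check for mechanically before an installer is ever run. The script below is an added example, not code from the alert or from this article: it verifies a downloaded file against a vendor-published SHA-256 and flags files whose content does not match their extension (a Windows executable named invoice.pdf, say). The installer bytes, the "published" hash and the sample files are all constructed inline so it runs offline.

```python
"""Download hygiene checks: published-hash verification and file-type masquerade detection.

Added example for this article; nothing here is from the CISA/FBI/NSA alert.
The installer bytes, the published hash and the sample files are constructed.
"""
import hashlib
import hmac
import os
import tempfile

# Constructed stand-in for a known-good installer and the hash a vendor would
# publish for it on its download page or in a signed manifest.
GOOD_INSTALLER = b"MZ\x90\x00" + b"\x00" * 60 + b"vendor-tool 1.0 (constructed sample)"
PUBLISHED_SHA256 = hashlib.sha256(GOOD_INSTALLER).hexdigest()

# Leading bytes that files with these extensions are expected to start with.
MAGIC = {
    ".pdf": b"%PDF-",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".exe": b"MZ",
    ".msi": b"\xd0\xcf\x11\xe0",
}


def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so a large installer need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def masquerade_reason(path):
    """Return why the content disagrees with the extension, or None if it is consistent."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as f:
        head = f.read(8)
    expected = MAGIC.get(ext)
    if expected is None or head.startswith(expected):
        return None
    if head.startswith(b"MZ"):
        return f"Windows executable disguised as {ext}"
    return f"content does not match the {ext} signature"


def assess_download(path, published_sha256=None):
    """Decide whether a downloaded file may be run.

    block  - masquerading content, or hash differs from the published one
    allow  - hash matches the vendor-published value
    review - nothing wrong found, but there is no published hash to verify against
    """
    reason = masquerade_reason(path)
    if reason:
        return "block", reason
    if published_sha256 is None:
        return "review", "no published hash to verify"
    # Constant-time comparison avoids leaking how many hex digits matched.
    if not hmac.compare_digest(sha256_file(path), published_sha256.lower()):
        return "block", "SHA-256 does not match the published hash"
    return "allow", "hash verified"


def demo():
    """Write four constructed files to a temp dir and return (name, verdict) for each."""
    samples = {
        "vendor-tool-1.0.exe": (GOOD_INSTALLER, PUBLISHED_SHA256),
        # Same installer fetched from a "mirror", with one byte altered.
        "vendor-tool-1.0-mirror.exe": (GOOD_INSTALLER[:-1] + b"!", PUBLISHED_SHA256),
        # An executable named like a document, the classic phishing attachment.
        "invoice.pdf": (b"MZ\x90\x00" + b"\x00" * 40, None),
        # A genuine-looking PDF with no hash to check against.
        "notes.pdf": (b"%PDF-1.7\n%constructed sample\n", None),
    }
    results = []
    with tempfile.TemporaryDirectory() as d:
        for name, (content, published) in samples.items():
            path = os.path.join(d, name)
            with open(path, "wb") as f:
                f.write(content)
            verdict, _reason = assess_download(path, published)
            results.append((name, verdict))
    return results


if __name__ == "__main__":
    for name, verdict in demo():
        print(f"{verdict:6s} {name}")
```

The hash check only helps if the reference value comes from somewhere the attacker does not control (the vendor's own page over TLS, or a signed manifest), never from the same mirror that served the file; the magic-byte check is deliberately narrow and catches only the crude masquerades named here, not a genuinely signed but malicious installer.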

According to the alert, mitigation steps for organizations include keeping operating systems updated, requiring multi-factor authentication, implementing network segmentation and traffic filtering, and securing user accounts.

Conclusion

Following a brief two-month quiet period, Russia-based ransomware threats have ramped up again at the end of September 2021. REvil is back online, DarkSide appears to have been reborn as BlackMatter, and Conti ransomware attacks are surging. Federal agencies and cybersecurity firms were supposedly anticipating the return of these threats. Businesses should heed the government’s advice and prepare their systems against the imminent threat of the reborn ransomware gangs. We’ve had the opportunity to learn from the summer; let’s ensure we are better prepared to prevent and address these attacks this fall.