Threats Tagged 'conti - s0575'

The DragonForce Cartel: Scattered Spider at the gate

DragonForce, a ransomware-as-a-service group active since 2023, has rebranded as a cartel and formed alliances with groups like Scattered Spider, LAPSUS$, and ShinyHunters. The group uses Conti-derived code and employs BYOVD attacks to terminate processes. DragonForce has expanded its affiliate program, allowing partners to white-label payloads and create variants. The group has exposed over 200 victims on its leak site, targeting various sectors. DragonForce's partnership with Scattered Spider, known for sophisticated social engineering techniques, has led to high-profile breaches. The group's ransomware samples show significant overlap with Conti's leaked source files and use ChaCha20 encryption.

Threat Profile: Conti Ransomware Group

Conti, a notorious ransomware operation identified in 2019, quickly gained infamy for its advanced encryption, rapid lateral movement, and double extortion tactics. Operated by the Russia-based Wizard Spider group, Conti evolved from Ryuk ransomware and maintained suspected ties to Russian state interests. Between 2019 and 2022, Conti targeted healthcare providers, governments, educational institutions, critical infrastructure, and private businesses, earning an estimated $180 million in 2021. Their aggressive tactics highlighted the urgent need for strong cybersecurity defenses. In 2022, internal divisions arose following leaked private chats. Conti's operations mimicked legitimate businesses, showcasing the industrialization of cybercrime and its devastating impact on critical sectors.

Gunra Ransomware Emerges with New DLS

A new ransomware group called Gunra has emerged with a Dedicated Leak Site (DLS) in April 2025. Gunra's code shows similarities to the infamous Conti ransomware, suggesting it may be leveraging Conti's leaked source code. The group employs aggressive tactics, including a time-based pressure technique that forces victims to begin negotiations within five days. Gunra ransomware encrypts files using a combination of RSA and ChaCha20 algorithms, excludes certain folders and file types from encryption, and drops a ransom note named 'R3ADM3.txt'. The ransomware also deletes volume shadow copies to hinder recovery efforts. As the threat of DLS ransomware grows, organizations are advised to implement robust security measures, including regular updates, backups, and user education.

DEVMAN Ransomware: Analysis of New DragonForce Variant

A new ransomware strain resembling DragonForce but with unique traits has emerged, possibly connected to an entity called DEVMAN. The sample reuses DragonForce code but adds its own elements, including the .DEVMAN file extension. Attribution is unclear, as the ransom note is identical to DragonForce's. The malware operates offline, probes for SMB connections, and uses three encryption modes. It exhibits different behaviors on Windows 10 and 11, particularly in changing wallpapers. The ransomware encrypts its own ransom notes, likely due to a builder flaw. DEVMAN claims to have stopped using DragonForce months ago, suggesting this may be an experimental or outdated build.
