Gold Ulrick Hackers Still in Action Despite Massive Conti Ransomware Leak
2022-04-27 20:19

The infamous ransomware group known as Conti has continued its onslaught against entities despite suffering a massive data leak of its own earlier this year, according to new research.

One of the most prolific ransomware groups of the last year, alongside the likes of LockBit 2.0, PYSA, and Hive, Conti has locked the networks of hospitals, businesses, and government agencies, demanding a ransom payment in exchange for the decryption key and, as part of its name-and-shame scheme, threatening to publish the victims' stolen data.

Intel 471's technical monitoring of Emotet campaigns between December 25, 2021, and March 25, 2022, found that over a dozen Conti ransomware targets had also been victims of Emotet malspam attacks, highlighting how closely the two operations are intertwined.

The development comes as financial and tactical overlaps have been uncovered between Conti and the Karakurt data extortion group based on information published during the ContiLeaks saga, weeks after TrickBot's operators had been subsumed into the ransomware cartel.

The shared cryptocurrency wallet hosting that links Conti and Karakurt is also said to involve the now-defunct TrickBot gang's Diavol ransomware, with a "Diavol extortion address hosted by a wallet containing addresses used in Conti ransomware attacks," indicating that Diavol is being deployed by the same set of actors behind Conti and Karakurt.

Further forensic examination of an unnamed client that was hit with a subsequent wave of extortion attacks following a Conti ransomware infection revealed that the second group reused the same Cobalt Strike backdoor left behind by Conti, implying a strong association between these seemingly disparate cybercrime actors.


News URL

https://thehackernews.com/2022/04/gold-ulrick-hackers-still-in-action.html