Executive Summary
If you keep up with the latest cyber security news, then you have probably noticed that several cybercriminal gangs have gone dark – especially ransomware-as-a-service (RaaS) gangs. In recent years, RaaS has become the attack vector of choice amongst cyber criminals, and despite other attack vectors gaining popularity it will continue to be their preference.
In May 2021, we witnessed the ransomware gang DarkSide launch a supply chain attack that ended up becoming one of the most impactful ransomware attacks in U.S history. DarkSide gained access to Colonial Pipeline’s virtual private network (VPN) account due to a single compromised password. During the same month, the nation-state threat actor NOBELIUM attacked SolarWinds – an attack that prompted President Biden to put cybersecurity at the top of his list of priorities for the following year.
These attacks were devastating and long-lasting. However, just as quickly as threat actors like DarkSide and NOBELIUM appeared, they disappeared. As the media and infosec community discussed their attacks, the less we heard from the threat actors. In May 2021, one year after disrupting gasoline distribution across the U.S, DarkSide went dark and suspended their operations. Additionally, not much was heard from NOBELIUM after their attack on SolarWinds.
It appeared as if both groups disbanded and were done, but with a little research one can see that is not the case. DarkSide may have gone dark in May 2021, but they re-emerged under the name BlackMatter in June 2021 – causing more destruction. While NOBELIUM has not officially gone dark, they have been very quiet and non-active under their original name. However, recent reports show that NOBELIUM has been active but are identified by other researchers as CozyBear or APT29.
Recently, threat actors like AstraLocker, Conti, and Avaddon have also gone dark – releasing decryption keys and data while saying “goodbye”. Given the prior history of cybercriminals who go dark, are these groups really saying goodbye or are they just rebranding/forming alliances with smaller groups? Let’s take a look at AstraLocker, Conti, and Avaddon’s disappearance and why it is important to keep a close watch on threat actors who shut down their operations.
In May 2021, the FBI and the Australian Cyber Security Center (ACSC) issued an alert regarding the ransomware gang Avaddon and how they were actively leveraging phishing campaigns with double extortion attempts. The Russian threat actors targeted several global private sector entities, including COVID-19 vaccine developers and those in the healthcare sector.
Initially spotted in the wild in February 2019, Avaddon lets affiliates leverage the ransomware if they promise to return a portion of the profits to Avaddon’s developers. Proofpoint observed Avaddon using a victim’s geolocation and system language to determine if they wanted to attack their system. They also observed Avaddon sending more than 1 million messages between June 4 and June 10, 2020.
During 2021, Avaddon was able to exploit several organizations by sending email attachment downloads via PowerShell. After the attachments were opened, Avaddon ran and displayed a ransom message, later demanding $800 payments in bitcoin via TOR. Avaddon’s operators also offered 24/7 customer support and resources regarding the purchase of bitcoin and testing files for decryption. They wanted to make sure they lessened the challenges that could interfere with their victims paying the demanded ransom.
In addition to healthcare, Avaddon affiliates target North America in the manufacturing, education, and financial sectors on a global scale. Avaddon’s affiliates used Windows Scheduled Task for persistence, as well as ProtonMail service to send and receive data at the early stages of intrusion. If victims refuse to pay, they threaten them with DDoS attacks in addition to encryption.
As stated previously, Avaddon conducted their attacks via phishing campaigns. The malware allowed the attackers to capture operating system operations, network configurations, hostnames, disk information, and network interferences. They were also able to capture Volume Shadow Copy files and delete services.
By June 2021, Avaddon appeared to call it quits and shutdown their RaaS operation, releasing decryption keys for their victims to BleepingComputer.com. The gang gave the technology site a password and a link to a password-protected ZIP file. The file contained the decryption keys for Avaddon ransomware’s victims.
Avaddon appeared to go off the grid but even after they went dark, Mandiant tracked Avaddon and found that there were other ransomware families that shared code similarities. They also observed previous RaaS services operating since 2019 to 2021 connected to Avaddon’s source code. Mandiant stated that the timeline of the services and the similarities in the code could be a part of the rebuilding process. Mandiant also speculated that Avaddon could be collaborating with other threat actors, or the source code is likely being shared by multiple threat actors.
In June 2022, AstraLocker was a lesser-known ransomware strain that dropped its payload directly from email attachments. The ransomware gang focused less on reconnaissance and lateral network movement, and more on performing “smash-n-grab” attacks. Their goal was to lure victims through a Microsoft Word document and receive a quick payout once the victim opened the document.
Instead of choosing VBA macros to distribute their malware, AstraLocker chose OLE objects. They also chose to use an outdated packer called Safe Engine Shielder v2.4.0.0, to pack the executable. This packer is so old that reverse engineering is nearly impossible.
In July 2022, AstraLocker shut down and released decryptors – stating that they were switching to cryptojacking. Like Avaddon, the developers released a ZIP archive with AstraLocker’s decryptors. Cryptojacking happens when an attacker maliciously hacks into a computer (mobile device or laptop) and installs malicious software. The software is used to steal cryptocurrency and a code runs in the background (even after attackers have left), hijacking their victims’ resources.
AstraLocker has already been linked to Chaos ransomware based off of a Monero wallet address. Additionally, analysis revealed that AstraLocker is based on the leaked source code of Babuk Locker – a dangerous ransomware strain that left cyber space in September 2021. Unlike Avaddon, AstraLocker made it clear that they were shutting down their ransomware operation, but they would still remain active via cryptojacking. Cryptojacking is a quieter way for AstraLocker to make money.
Conti is one of the most talked about ransomware gangs in the history of cyber security. Conti is a Russian-speaking RaaS organization, that uses RaaS to deploy disruptive ransomware attacks that target critical infrastructure (hospitals and government organizations). Conti generally focuses on attacking companies with more than $100 million in annual revenue. They specialize in double extortion, simultaneous data encryption, and data exfiltration for financial gain. If the ransom is not paid, Conti will blackmail their victims by threatening to publish stolen files.
It is believed that Conti is controlled by a Russian-based cybercrime group, Wizard Spider. Wizard Spider is known for creating and operating TrickBot banking malware. Conti also helped popularize the removal of an organization’s backups after encryption.
Unlike other ransomware gangs, Conti has historically targeted critical infrastructure. To date, Conti has successfully infiltrated the networks of the Defense Industrial Base (DIB), Leon Medical Centers, Nocona General Hospital, and Rehoboth McKinley Christian Health Care Services (RMCHCS).
In June 2021, Avertium published a Threat Intelligence Report regarding Conti shutting down and splintering into smaller, lesser-known ransomware groups. According to our partners, AdvIntel, Conti is currently rebranding as multiple ransomware groups and the brand (not the organization) is shutting down. On May 19, 2022, Conti’s official website went offline, as well as their negotiations service site. Conti’s infrastructure (chat rooms, servers, proxy hosts, etc.) went through a massive reset.
The publicity function of Conti’s blog is still active, but the operational function of “Conti News” (used to upload new data to force victims to pay) is defunct – including infrastructure related to data uploads, negotiations, and the hosting of stolen data. AdvIntel believes that Conti can no longer support their operation and that the shutdown was not spontaneous but calculated. Conti spread out into smaller groups that are mostly unknown so they could avoid law enforcement but still stay mobile in cyber space.
When threat actors break out into smaller groups or form alliances with groups, it means that they are trying to reorganize and avoid the pressures that come with being a large and visible group.
Since disbanding in June 2021, Conti’s members have formed alliances with and splintered off into BlackCat, AvosLocker, Hive, and FiveHands. These are four threat groups who are not as well-known – something that Conti was likely seeking. Most cybercriminal gangs, who shut down and join other gangs, will have some of the same tactics, techniques, or TTPs as they did previously.
If members from a disbanded gang join another one, they will eventually tell on themselves. Some gangs have been known to accidentally leave old email addresses attached to ransom notes, use the same source code of their previous brand to deploy ransomware, or even have the same exact ransom note language from a previous one.
For example, one of the ways BlackMatter was discovered to be a rebrand of DarkSide, is due to the similarities between the groups’ goals. Both groups had a set of rules that prohibited them from attacking critical infrastructure and both groups made it clear that their priority was to make money and “take care of their families”. The two groups were also using the same encryption algorithm – a custom Salso20 matrix.
If cyber security professionals follow threat actors beyond their shutdowns, they’ll see that a lot of threat actors disappear but re-emerge in some form. By keeping a close watch, cyber security professionals will be able to get a head of the threat.
RaaS gangs go dark, re-emerge, or join other ransomware gangs for a few reasons:
Threat actors like Avaddon, AstraLocker, and Conti are persistent and have one bottom line – financial gain. Staying current with the latest cyber threats and paying close attention to how threat actors move is necessary if you want to keep a safe cyber environment. Additionally, Avertium has services that can help organizations stay ahead of threats, as well as recover from attacks. Avertium’s Cyber Threat Intelligence team is on watch for when these rebranded groups will resurface:
For threat actors like Avaddon, Conti, and AstraLocker, Avertium recommends the following:
Avaddon
AstraLocker
Conti
AstraLocker
Avaddon
Conti
Threat Alert: Russian-Backed Threat Actors, Avaddon Ransomware (healthitsecurity.com)
End of Year Recap for 2021 (avertium.com)
Threat Actor Profile – “BlackMatter” Ransomware (avertium.com)An In-Depth Look at Black Basta Ransomware (avertium.com)
An In-depth Look at Conti's Leaked Log Chats (avertium.com)
Smash-and-grab: AstraLocker 2.0 pushes ransomware direct from Office docs (reversinglabs.com)
AstraLocker Ransomware - Decryption, removal, and lost files recovery (updated) (pcrisk.com)
Avaddon_Ransomware.pdf (subexsecure.com)
Avaddon RaaS | Breaks Public Decryptor, Continues On Rampage - SentinelLabs (sentinelone.com)
AstraLocker ransomware shuts down and releases decryptors (bleepingcomputer.com)
Avaddon ransomware shuts down and releases decryption keys (bleepingcomputer.com)
One Source to Rule Them All: Chasing AVADDON Ransomware | Mandiant
AstraLocker 2.0 infects users directly from Word attachments (bleepingcomputer.com)
TIR-20211004 An In-Depth Look at Ransomware Gang, Conti (avertium.com)
Evidence suggests that DarkSide and BlackMatter are the same groupSecurity Affairs
Threat Hunting for Avaddon Ransomware (force.com)
This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses be exploited to compromise data.
Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.
COPYRIGHT: Copyright © Avertium, LLC and/or Avertium Tennessee, Inc. | All rights reserved.