Written by Hitachi Systems Security on 17 February 2023

The US and the UK unite to crack down on Ransomware gang

In an effort to disrupt the ransomware industry, the UK and US governments have unmasked some of the threat actors behind Conti and Trickbot, which are linked to the group Wizard Spider. Both governments have not called out the link between these groups and Russia’s intelligence services. Seven group members were publicly sanctioned: Vitaly Kovalev, Maksim Mikhailov, Valentin Karyagin, Mikhail Iskritskiy, Dmitry Pleshevskiy, Ivan Vakhromeyev, and Valery Sedletski. The UK and US revealed their names alongside their dates of birth, email addresses and photos. The aim of publicly revealing these names is to warn potential threat actors of the consequences of attacking with ransomware. No arrests have been made at this time, and since the US does not have an extradition treaty with Russia, it seems unlikely these members will be arrested if they remain in Russia. With the wide number of ransomware gangs and groups using ransomware, this effort may not have the intended impact.


Is the manufacturing sector becoming the new target for ransomware?

In 2022, there were at least 437 known ransomware attacks in the manufacturing industry, a 107% jump from the 211 known attacks in 2021. There are numerous possible explanations for this new attention. Operators often have little to no visibility into their systems, and with credentials shared between information networks and operational technology systems, the opportunities are wide open for threat actors. Cyberattacks on critical infrastructure are always worrisome, as the impact on human lives is great. Often, due to limited resources, these critical infrastructures are good targets for cyberattacks.


Indigo still down after last week's attack

Indigo was the victim of a cyberattack on February 9th. As of February 15th, the website remains inactive, although reportedly no customer data or points were impacted. The company does not store credit card information in its systems, potentially explaining why customer data was not impacted. The stores can accept cash, credit or debit, but cannot process exchanges and returns at this moment. Thus far, no group seems to have taken credit for this attack.


Emsisoft reports that a threat actor is spoofing its certificates to breach networks

This week a threat actor used a fake code-signing certificate to impersonate Emsisoft and target its customers as a way to bypass their defenses. With the fake code signing, the threat actor was able to get customers’ software and operating systems to treat the software as untampered, since it appears the publisher signed it. These certificates are not valid, but the names on them appear to be associated with a trustworthy entity. The actor likely gained access to targets by brute-forcing RDP or using stolen credentials, then installed MeshCentral, which is typically trusted by security products; this copy, however, was signed with a fake Emsisoft certificate claiming to be “Emsisoft Server Trusted Network CA”. If the victim dismisses the resulting alert as a false positive, the threat actor gains full access to the device. The threat actor can then disable defense mechanisms, spread laterally within the network and, if desired, deploy ransomware. It is important to be careful when overriding alerts. Organizations should have multiple layers of protection to limit the risk.
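The lesson of this incident is that a signer name is not trust: a certificate can carry any subject string, and only a signature that actually chains to a trusted root should count. The following detection logic, added here as an illustration and not code from Emsisoft or from the original article, scans image-load events and flags binaries whose signer name borrows a watched vendor while the signature does not validate, and separately flags remote-management agents so their deployment can be confirmed. The field names (Image, Signed, Signature, SignatureStatus) and status strings are modelled on Sysmon Event ID 7; the file name MeshAgent.exe for the MeshCentral agent, the vendor watchlist, and every sample log line are constructed assumptions for this example.

```python
"""Flag signed binaries whose signer name imitates a trusted vendor but whose
signature does not validate. Field names are modelled on Sysmon Event ID 7;
all sample values are constructed for this example (assumption)."""
from __future__ import annotations

import json
from dataclasses import dataclass

# Vendor names an attacker might borrow on a spoofed signing certificate.
WATCHED_VENDORS = ("emsisoft",)
# Remote-management agents that security tooling tends to trust
# ("meshagent.exe" as the MeshCentral agent file name is an assumption).
REMOTE_ADMIN_IMAGES = ("meshagent.exe",)
# Status string for a signature whose chain verifies (assumed Sysmon value).
VALID = "Valid"


@dataclass
class Finding:
    image: str
    severity: str
    reason: str


def classify(event: dict) -> list[Finding]:
    """Return zero or more findings for a single image-load event."""
    image = event.get("Image", "")
    basename = image.rsplit("\\", 1)[-1].lower()
    signer = event.get("Signature", "").lower()
    status = event.get("SignatureStatus", "")
    findings: list[Finding] = []

    # Rule 1: the signer name claims a watched vendor, but the chain does not
    # validate. A genuine vendor signature validates; a look-alike does not.
    if any(vendor in signer for vendor in WATCHED_VENDORS) and status != VALID:
        findings.append(Finding(
            image, "high",
            f"signer '{event.get('Signature')}' names a watched vendor "
            f"but SignatureStatus is '{status}'"))

    # Rule 2: a remote-management agent was loaded. High severity when its
    # signature does not validate, informational otherwise so the deployment
    # can still be confirmed as expected.
    if basename in REMOTE_ADMIN_IMAGES:
        severity = "high" if status != VALID else "info"
        findings.append(Finding(
            image, severity,
            f"remote-management agent loaded with SignatureStatus '{status}'; "
            f"confirm the deployment is expected"))
    return findings


def scan(lines: list[str]) -> list[Finding]:
    """Parse JSON-lines events and collect findings in input order."""
    findings: list[Finding] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        findings.extend(classify(json.loads(line)))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_LOG = [
    json.dumps({"Image": r"C:\Program Files\Vendor\ems_service.exe",
                "Signed": "true", "Signature": "Emsisoft Ltd",
                "SignatureStatus": "Valid"}),
    json.dumps({"Image": r"C:\Users\Public\meshagent.exe",
                "Signed": "true",
                "Signature": "Emsisoft Server Trusted Network CA",
                "SignatureStatus": "Errors"}),
    json.dumps({"Image": r"C:\Windows\System32\notepad.exe",
                "Signed": "false", "Signature": "",
                "SignatureStatus": "Unavailable"}),
    json.dumps({"Image": r"C:\Program Files\Mesh Agent\meshagent.exe",
                "Signed": "true", "Signature": "Example Remote Tools Ltd",
                "SignatureStatus": "Valid"}),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"[{finding.severity}] {finding.image}: {finding.reason}")
```

Run over the constructed sample, the second event produces two high-severity findings (spoofed vendor name plus a non-validating remote agent) and the fourth produces one informational finding; the validly signed vendor binary and the unsigned system binary produce none. The point of Rule 1 is that the check keys on the verification status, never on the subject string alone, which is exactly the distinction the fake “Emsisoft Server Trusted Network CA” certificate relies on victims not making.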
