Cyble Research and Intelligence Labs (CRIL) identifies new ransomware strains (Putin Team, ScareCrow, BlueSky, and Meow) that were created from leaked Conti source code. These variants encrypt victim files, drop ransom notes, and frequently use Telegram to interact with victims or disclose victim details. #PutinTeam #ScareCrow #BlueSky #Meow #Conti #CRIL
Keypoints
- CRIL identifies multiple new ransomware variants derived from leaked Conti source code, including Putin Team, ScareCrow, BlueSky, and Meow.
- Putin Team uses a ransom note in each folder, Telegram links for victims, dynamic module loading, mutex to prevent multiple instances, and ChaCha20 encryption with a .PUTIN extension.
- ScareCrow is branded as Conti-based, encrypts files, appends .CROW, and drops a readme.txt with Telegram handles for contact.
- BlueSky surfaced in 2022, shares overlaps with Conti/Babuk lineage, encrypts files with a .BLUESKY extension, and uses an onion site for victim interaction.
- Meow is Conti-derived, appends .MEOW to encrypted files, and provides a readme.txt with four email addresses and two Telegram handles for communication.
- Technical analysis highlights dynamic DLL/module loading, drive/file discovery, thread-based encryption, and multi-step ransom note handling.
- CRIL predicts more Conti-based variants may appear and offers practical security recommendations to prevent and respond to such attacks.
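As an added defender-side example (not code from the Cyble report), the triage script below walks a directory tree, counts files carrying the extensions the report attributes to each family (.PUTIN, .CROW, .BLUESKY, .MEOW), and records whether each affected folder also holds a readme.txt/README.txt ransom note as described above; the directory layout it scans is constructed for the demo.

```python
import os
import tempfile
from collections import Counter

# Extension -> family mapping as stated in the report; the note name is the
# one the report gives (README.txt for Putin Team, readme.txt for ScareCrow/Meow).
FAMILY_BY_EXT = {".putin": "Putin Team", ".crow": "ScareCrow",
                 ".bluesky": "BlueSky", ".meow": "Meow"}
NOTE_NAMES = {"readme.txt"}  # compared case-insensitively


def triage(root):
    """Return {family: {"files": n, "dirs": n, "dirs_with_note": n}} for a tree."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        exts = Counter(os.path.splitext(f)[1].lower() for f in files)
        has_note = any(f.lower() in NOTE_NAMES for f in files)
        for ext, count in exts.items():
            family = FAMILY_BY_EXT.get(ext)
            if family is None:
                continue  # not one of the extensions covered by the report
            entry = report.setdefault(family, {"files": 0, "dirs": 0, "dirs_with_note": 0})
            entry["files"] += count
            entry["dirs"] += 1
            entry["dirs_with_note"] += int(has_note)  # per-folder note, as Putin Team does
    return report


def build_sample(root):
    """Constructed fixture: a Putin Team-style hit with a note in every folder,
    plus a single .MEOW file with no note, and one untouched folder."""
    layout = {
        "docs": ["q1.xlsx.PUTIN", "notes.docx.PUTIN", "README.txt"],
        "docs/archive": ["old.pdf.PUTIN", "README.txt"],
        "photos": ["cat.jpg.MEOW"],
        "clean": ["todo.txt"],
    }
    for directory, names in layout.items():
        os.makedirs(os.path.join(root, directory), exist_ok=True)
        for name in names:
            open(os.path.join(root, directory, name), "w").close()
    return root


def demo():
    """Build the constructed tree in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample(tmp))


if __name__ == "__main__":
    for family, stats in demo().items():
        print(f"{family}: {stats}")
```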
MITRE Techniques
- [T1204] User Execution – ‘Upon execution, the Putin Ransomware binary drops a ransom note named README.txt in each folder.’
- [T1129] Shared Modules – ‘the ransomware resolves the module names dynamically and loads them for its execution. The ransomware resolves the module names, which includes Iphlpapi.dll, Netapi32.dll, Oleaut32.dll, Rstrtmgr.dll, Shell32.dll, Shlwapi.dll, ntdll.dll, Shell32.dll, Ole32.dll and Advapi32.dll.’
- [T1027] Obfuscated Files or Information – ‘it resolves the module names dynamically and loads them for its execution.’
- [T1082] System Information Discovery – ‘gets the list of drives in the victim’s machine using GetLogicalDriveStringsW()’
- [T1083] File and Directory Discovery – ‘enumerates folders/files which are present in the drives identified for further encryption’
- [T1486] Data Encrypted for Impact – ‘ChaCha20 encryption algorithm for its encrypting files’ and ‘renames them by appending .PUTIN as an extension.’
Indicators of Compromise
Read more: https://blog.cyble.com/2022/12/22/new-ransomware-strains-emerging-from-leaked-contis-source-code/