Summary: A previously unknown ransomware gang called Muliaka (or Muddy Water) has been targeting Russian businesses with malware based on the leaked source code from the Conti hacking group.
Threat Actor: Muliaka
Victim: Unnamed Russian business
Key Points:
- The Muliaka ransomware gang has been active since at least December 2023 and has been using malware based on the leaked source code from the Conti hacking group.
- In a recent attack, Muliaka targeted a Russian business by encrypting its Windows systems and VMware ESXi virtual infrastructure, using the company’s VPN service to gain remote access.
- Muliaka’s variant of ransomware terminates processes and stops certain system services before starting file encryption, making it an interesting upgrade compared to other malicious tools created after the Conti leak.
- The origins of the Muliaka group are unknown, and it is unclear if the targeted company paid the ransom demanded.
- Financially motivated hacker groups are taking advantage of the current geopolitical situation in Russia to increase their attacks.
A previously unknown ransomware gang has been attacking Russian businesses with malware based on the leaked source code from the Conti hacking group.
The gang, which researchers at the Moscow-based cybersecurity company F.A.C.C.T. have dubbed “Muliaka,” or Muddy Water in English, has left minimal traces from its attacks but has likely been active since at least December 2023.
In a January incident described in a F.A.C.C.T. report, the hackers attacked an unnamed Russian business by encrypting its Windows systems and VMware ESXi virtual infrastructure.
To remotely access the victim’s IT infrastructure, the attackers used the company’s virtual private network (VPN) service. To infect the targeted network with ransomware, the attackers disguised it as popular corporate antivirus software installed on the company’s computers.
Unlike the original Conti malware, the one developed by Muliaka — whose name comes from a phishing email sent by the group — terminates processes on the victim’s computer and stops certain system services before starting the file encryption, according to the analysis. Researchers said that Muliaka’s variant was “one of the most interesting upgrades among other malicious tools created after the Conti leak.”
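The pre-encryption behaviour described above (stopping services and killing processes so that locked files become encryptable) is also a detection opportunity: a defender can watch the Windows System log for a burst of "service entered the stopped state" events. The script below is an added example written for this page, not code from F.A.C.C.T. or from the article; the log lines, service names and thresholds are constructed for illustration and are not indicators from the incident.

```python
"""Flag bursts of Windows service stops (System log, Event ID 7036) that can
precede ransomware file encryption. Added example; sample data is constructed."""
import re
from datetime import datetime, timedelta

# Constructed sample log lines in the form "<ISO timestamp> <event id> <message>".
# Not taken from the incident in the article.
SAMPLE_LOG = """\
2024-01-15T02:10:01 7036 The Windows Update service entered the running state.
2024-01-15T02:41:12 7036 The SQL Server (MSSQLSERVER) service entered the stopped state.
2024-01-15T02:41:13 7036 The Volume Shadow Copy service entered the stopped state.
2024-01-15T02:41:13 7036 The Microsoft Exchange Information Store service entered the stopped state.
2024-01-15T02:41:14 7036 The Windows Backup service entered the stopped state.
2024-01-15T02:41:15 7036 The Backup Agent service entered the stopped state.
2024-01-15T02:41:16 7036 The Print Spooler service entered the stopped state.
2024-01-15T03:30:00 7036 The Print Spooler service entered the running state.
"""

# One line = timestamp, event id, service name, new state.
LINE_RE = re.compile(r"^(\S+) (\d+) The (.+?) service entered the (\w+) state\.$")


def parse_events(text):
    """Parse log text into (timestamp, event_id, service_name, state) tuples.
    Lines that do not match the expected shape are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, eid, name, state = m.groups()
        events.append((datetime.fromisoformat(ts), int(eid), name, state))
    return events


def find_stop_bursts(events, window=timedelta(seconds=60), threshold=5):
    """Return a list of (start, end, [service names]) for every maximal run of
    service-stop events where at least `threshold` stops fall within `window`.
    A single stop is normal; many stops in under a minute, outside maintenance,
    is the pattern worth alerting on."""
    stops = sorted((ts, name) for ts, eid, name, state in events
                   if eid == 7036 and state == "stopped")
    bursts = []
    i = 0  # left edge of the sliding window
    for j in range(len(stops)):
        while stops[j][0] - stops[i][0] > window:
            i += 1
        if j - i + 1 >= threshold:
            start, end = stops[i][0], stops[j][0]
            names = [n for _, n in stops[i:j + 1]]
            # Extend the previous burst if it began at the same left edge,
            # so overlapping windows are reported once.
            if bursts and bursts[-1][0] == start:
                bursts[-1] = (start, end, names)
            else:
                bursts.append((start, end, names))
    return bursts


if __name__ == "__main__":
    for start, end, names in find_stop_bursts(parse_events(SAMPLE_LOG)):
        print(f"{start} .. {end}: {len(names)} services stopped: {', '.join(names)}")
```

The window and threshold are deliberately tunable: a patch cycle legitimately stops several services, so in practice the rule is combined with context (time of day, the account that issued the stop, whether backup or database services are among the names) before it pages anyone.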
The researchers couldn’t identify the origins of the group, nor did they specify the size of the ransom demanded or whether the targeted company paid it.
F.A.C.C.T. said that many financially motivated hacker groups are taking advantage of the current geopolitical situation in Russia to ramp up their attacks: “Impunity and a large number of potential victims who are careless about the cybersecurity of their business attract lovers of easy money.”
Source: https://therecord.media/muliaka-ransomware-group-targeting-russian-businesses-conti