Maze Cartel Expands

The Maze ransomware “cartel” is growing.

Two more ransomware gangs, Conti and SunCrypt, have apparently joined the Maze collective, which currently consists of Maze, LockBit and Ragnar Locker.

Maze operators announced the creation of a ransomware cartel that included other cybercrime gangs, which teamed up to share resources, leak victims’ data on Maze’s “news” site and extort their victims.

The Conti ransomware gang, which recently launched its own data leak site, is collaborating with Maze: “They’ve published data from a number of Maze attacks.”

Conti may be a replacement for Ryuk, which has seen a significant dip in activity in recent weeks. It shares some of its code with Ryuk, uses the same note and also the same infrastructure, which could indicate it was created by the Ryuk team or a splinter group.

Recently, researchers came across a leak disclosure post in which Conti ransomware operators claim to have breached the Volkswagen Group.

The further expansion highlights the increasing momentum of Maze, which has claimed responsibility for several high-profile ransomware attacks in recent months. Earlier this month, a major cyberattack on technology giant Canon was believed to be the latest work of the cybercriminal gang.

Conti: Small in Name, Blazing in Threat Activity

A lesser-known ransomware strain known as Conti is using up to 32 simultaneous CPU threads to encrypt files on infected computers for blazing-fast encryption speeds.

Conti is just the latest in a long string of ransomware strains that have been spotted this year. Like most ransomware families today, Conti was designed to be directly controlled by an adversary rather than executing automatically on its own.

These types of ransomware strains are also known as “human-operated ransomware,” and they’re designed to be deployed during targeted intrusions inside large corporate or government networks.

This isn’t entirely unique. Other ransomware strains also support multi-threaded operations, running multiple concurrent computations on the CPU to gain speed during their execution and allow the encryption process to finish faster before the file-locking operation is detected and stopped by AV solutions.

Other ransomware strains seen using multiple CPU threads include the likes of REvil (Sodinokibi), LockBit, Rapid, Thanos, Phobos, LockerGoga, and MegaCortex — just to name a few.

Conti stood out because of the large number of concurrent threads it utilized — namely, 32 — which resulted “in faster encryption compared to many other families.”

Tricky network-only encryption mode
However, this was not the only unique detail that Carbon Black saw in Conti. The second was fine-grained control over the ransomware’s encryption targets via the command line.

The ransomware can be configured to skip encrypting files on the local drives and encrypt only data on networked SMB shares, simply by passing the ransomware binary a list of IP addresses on the command line.

“A successful attack may have destruction that’s limited to the shares of a server that has no Internet capability, but where there is no evidence of similar destruction elsewhere in the environment.

“This also has the effect of reducing the overall ‘noise’ of a ransomware attack where hundreds of systems immediately start showing signs of infection. Instead, the encryption may not even be noticeable for days, or weeks, later once the data is accessed by a user,” Baskin said.

The behavior might also confuse security teams performing incident response, who may not be able to pinpoint the point of entry into the network unless they perform a full audit of all systems, and it allows the attackers to linger hidden on a single machine inside the victim’s network.
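Because a network-only run leaves no local indicators on the hundreds of workstations a typical ransomware attack would light up, the file server’s own audit trail is where the signal lives. The following is an added detection example, written for this article and not code from Carbon Black or from the Conti analysis, that runs a sliding-window count of distinct files modified per client over a batch of constructed SMB audit records (the event tuples, the 60-second window and the small thresholds are all assumptions chosen for the sample). A single client renaming many files across several shares within seconds is the pattern such a run would leave behind, whether or not local disks were also touched:

```python
"""Toy detector for bulk file modification on SMB shares from a single client.

Added example, not code from the article or from Carbon Black. Assumes
file-server audit records have already been normalised into the tuple
shape used in SAMPLE_EVENTS below.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit events: (timestamp, client IP, share, operation, file).
# One client renames six files across two shares in five seconds; a second
# client does ordinary single-file work and must not be flagged.
SAMPLE_EVENTS = [
    ("2020-08-20T03:00:01", "10.0.0.7", "\\\\FS01\\finance", "rename", "q2.xlsx"),
    ("2020-08-20T03:00:02", "10.0.0.7", "\\\\FS01\\finance", "rename", "q3.xlsx"),
    ("2020-08-20T03:00:02", "10.0.0.7", "\\\\FS01\\finance", "rename", "budget.docx"),
    ("2020-08-20T03:00:03", "10.0.0.7", "\\\\FS01\\hr", "rename", "payroll.csv"),
    ("2020-08-20T03:00:04", "10.0.0.7", "\\\\FS01\\hr", "rename", "reviews.docx"),
    ("2020-08-20T03:00:05", "10.0.0.7", "\\\\FS01\\hr", "rename", "contracts.pdf"),
    ("2020-08-20T03:00:30", "10.0.0.21", "\\\\FS01\\finance", "write", "q2.xlsx"),
    ("2020-08-20T03:05:00", "10.0.0.21", "\\\\FS01\\hr", "read", "reviews.docx"),
]

# Assumed tuning values, kept small so the constructed sample triggers;
# a production deployment would set these from a baseline of normal share use.
WINDOW = timedelta(seconds=60)
FILE_THRESHOLD = 5

# Operations that change data on the share; reads never count toward an alert.
MODIFYING_OPS = {"rename", "write", "delete"}


def parse(event):
    """Turn one raw audit tuple into (datetime, client, share, op, file)."""
    ts, client, share, op, name = event
    return datetime.fromisoformat(ts), client, share, op, name


def find_bulk_modifiers(events, window=WINDOW, file_threshold=FILE_THRESHOLD):
    """Return {client: (max distinct files, max distinct shares)} for every
    client that modified at least `file_threshold` distinct files inside
    some interval no longer than `window`."""
    per_client = defaultdict(list)
    for ts, client, share, op, name in sorted(map(parse, events)):
        if op in MODIFYING_OPS:
            per_client[client].append((ts, share, name))

    alerts = {}
    for client, records in per_client.items():
        active = deque()  # records inside the current sliding window
        for ts, share, name in records:
            active.append((ts, share, name))
            # Drop records that fell out of the window ending at `ts`.
            while ts - active[0][0] > window:
                active.popleft()
            files = {(s, n) for _, s, n in active}
            shares = {s for _, s, _ in active}
            if len(files) >= file_threshold:
                prev_files, prev_shares = alerts.get(client, (0, 0))
                alerts[client] = (max(prev_files, len(files)),
                                  max(prev_shares, len(shares)))
    return alerts


if __name__ == "__main__":
    for client, (files, shares) in find_bulk_modifiers(SAMPLE_EVENTS).items():
        print(f"ALERT {client}: {files} files across {shares} shares "
              f"modified within {WINDOW.seconds}s")
```

On the constructed sample the detector flags only 10.0.0.7, with six distinct files across two shares. The per-client grouping is deliberate: the article's point is that a single quiet machine can be the only source of the damage, so the alert should name that client rather than aggregate across the whole server, and the share fan-out count gives the responder a first hint of how wide the run reached.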

Conti abuses the Windows Restart Manager
The third unique technique spotted in the Conti code is its abuse of Windows Restart Manager — the Windows component that unlocks files before performing an OS restart.