Putin Team Leaks Victim’s Details in Their Telegram Channel
Cyble Research and Intelligence Labs (CRIL) have spotted multiple ransomware strains created based on the source of other ransomware families. Recently, CRIL observed new ransomware families, such as Putin Team, ScareCrow, BlueSky Meow, etc., created from the leaked source code of Conti Ransomware.
ScareCrow Ransomware:
ScareCrow is a new ransomware strain that is based on Conti ransomware. After execution, it encrypts the files and appends .CROW as an extension. This ransomware drops a ransom note named “readme.txt” which contains three Telegram handles to contact the Threat Actor (TA). The Figure below shows the ransom note of ScareCrow ransomware.
BlueSky ransomware
BlueSky ransomware surfaced in the second half of 2022. This ransomware exhibits several similarities and overlaps with Conti and Babuk ransomware. The Source code of Babuk ransomware was also leaked in 2021. Upon execution, the BlueSky Ransomware encrypts files and adds .BLUESKY extension to them. The ransom note dropped by this ransomware is named, “# DECRYPT FILES BLUESKY #.txt” which contains instructions for decrypting the files. This ransomware group uses an onion site to interact with the victims.
Meow Ransomware
Meow Ransomware was discovered recently. This ransomware is based on Conti ransomware. It encrypts the victim’s files and append .MEOW as an extension. It drops a ransom note named “readme.txt” which contains four email addresses, and two Telegram handles that victims can use to interact with the TA. The figure below shows the ransom note of MEOW ransomware.
Putin Ransomware
CRIL discovered a new ransomware group named Putin Team. We believe that the Putin Team might have altered the leaked source code of Conti ransomware to generate the ransomware binaries. This group pretends to be of Russian origin, but currently, there are no valid proofs to substantiate this. Putin Team uses a Telegram channel to disclose details of its victims. This group has posted details of two victims so far on their Telegram channel.
Upon execution, this ransomware drops a ransom note named README.txt in each folder. The Ransom note contains Telegram links, the victim’s ID, and further instructions for decrypting the files. The figure below shows the ransom note.
Technical Analysis
Upon executing the Putin Ransomware binary (SHA256: fe311979cd099677b1fd7c5b2008aed000f0e38d58eb3bfd30d04444476416f9), it resolves the module names dynamically and loads them for its execution. The ransomware resolves the module names, which includes Iphlpapi.dll, Netapi32.dll, Oleaut32.dll, Rstrtmgr.dll, Shell32.dll, Shlwapi.dll, ntdll.dll, Shell32.dll, Ole32.dll and Advapi32.dll.
After resolving the module names, the ransomware copies the hardcoded ransom note, as shown below.
After this, the ransomware creates a Mutex named “hsfjuukjzloqu28oajh727190” to ensure one instance of malware is running in the victim’s machine, as shown in the image below.
The ransomware now gets the list of drives in the victim’s machine using GetLogicalDriveStringsW() method. Then it enumerates folders/files which are present in the drives identified for further encryption, as shown below.
While enumerating the directories, the ransomware creates a ransom note named “readme.txt” and drops it in each folder that it encounters. Now ransomware creates multiple threads for faster encryption using APIs such as CreateIOCompletionPort(), PostQueuedCompletionStatus(), GetQueuedCompletionPort().
This ransomware uses ChaCha20 encryption algorithm for its encrypting files. ChaCha20 is a symmetric stream cipher and is highly adopted by ransomware groups because of its fast encryption process. After encrypting the files, it renames them by appending .PUTIN as an extension, as shown below.
Conclusion
The TAs could use the source code and builders of various ransomware groups exposed on multiple platforms to develop a custom ransomware payload. In this case, the TAs have utilized the leaked Conti Ransomware Source code to start a new ransomware operation with minimal investment. CRIL research indicates we might witness a few more new ransomware families based on the Conti Source code in the future.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
Safety Measures Needed to Prevent Ransomware Attacks
- Conduct regular backup practices and keep those backups offline or in a separate network.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
- Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
Users Should Take the Following Steps After the Ransomware Attack
- Detach infected devices on the same network.
- Disconnect external storage devices if connected.
- Inspect system logs for suspicious events.
Impact And Cruciality of Ransomware
- Loss of valuable data.
- Loss of the organization’s reputation and integrity.
- Loss of the organization’s sensitive business information.
- Disruption in organization operation.
- Financial loss.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Execution | T1204 T1129 | User Execution Shared Modules |
| Defense Evasion | T1027 | Obfuscated Files or Information |
| Discovery | T1082 T1083 | System Information Discovery File and Directory Discovery |
| Impact | T1486 | Data Encrypted for Impact |
Indicators of Compromise
| Indicators | Indicator type | Description |
| 4dd2b61e0ccf633e008359ad989de2ed 94a9da09da3151f306ab8a5b00f60a38b077d594 fe311979cd099677b1fd7c5b2008aed000f0e38d58eb3bfd30d04444476416f9 | MD5 SHA-1 SHA256 | Putin Team Ransomware executable |
| 1d70020ddf6f29638b22887947dd5b9c 987ad5aa6aee86f474fb9313334e6c9718d68daf 7f624cfb74685effcb325206b428db2be8ac6cce7b72b3edebbe8e310a645099 | MD5 SHA-1 SHA256 | Putin Team Ransomware executable |
| 8f154ca4a8ee50dc448181afbc95cfd7 4f5d4e9d1e3b6a46f450ad1fb90340dfd718608b 5a936250411bf5709a888db54680c131e9c0f40ff4ff04db4aeda5443481922f | MD5 SHA-1 SHA256 | Putin Team Ransomware executable |
| 3eff7826b6eea73b0206f11d08073a68 578b1b0f46491b9d39d21f2103cb437bc2d71cac 7f6421cdf6355edfdcbddadd26bcdfbf984def301df3c6c03d71af8e30bb781f | MD5 SHA-1 SHA256 | ScareCrow Ransomware executable |
| 033acf3b0f699a39becdc71d3e2dddcc 5949c404aee552fc8ce29e3bf77bd08e54d37c59 222e2b91f5becea8c7c05883e4a58796a1f68628fbb0852b533fed08d8e9b853 | MD5 SHA-1 SHA256 | Meow Ransomware executable |
| 0bbb9b0d573a9c6027ca7e0b1f5478bf 59e756e0da6a82a0f9046a3538d507c75eb95252 b5b105751a2bf965a6b78eeff100fe4c75282ad6f37f98b9adcd15d8c64283ec | MD5 SHA-1 SHA256 | BlueSky Ransomware executable |
