Putin Team Leaks Victim’s Details in Their Telegram Channel
Cyble Research and Intelligence Labs (CRIL) has spotted multiple ransomware strains built on the leaked source code of other ransomware families. Recently, CRIL observed new families, such as Putin Team, ScareCrow, BlueSky and Meow, derived from the leaked source code of Conti ransomware.
ScareCrow is a new ransomware strain based on Conti. After execution, it encrypts files and appends the .CROW extension to them. It drops a ransom note named “readme.txt” containing three Telegram handles for contacting the Threat Actor (TA). The figure below shows the ransom note of ScareCrow ransomware.
BlueSky ransomware surfaced in the second half of 2022. It shares several code similarities and overlaps with Conti and Babuk ransomware; the source code of Babuk was also leaked, in 2021. Upon execution, BlueSky encrypts files and appends the .BLUESKY extension to them. The ransom note it drops is named “# DECRYPT FILES BLUESKY #.txt” and contains instructions for decrypting the files. This group uses an onion site to interact with its victims.
Meow ransomware was discovered recently and is also based on Conti. It encrypts the victim’s files and appends .MEOW as an extension. It drops a ransom note named “readme.txt” containing four email addresses and two Telegram handles that victims can use to contact the TA. The figure below shows the ransom note of Meow ransomware.
CRIL discovered a new ransomware group named Putin Team. We believe the group has altered the leaked Conti source code to build its ransomware binaries. The group presents itself as Russian, but there is currently no evidence to substantiate this. Putin Team uses a Telegram channel to disclose details of its victims and has posted details of two victims there so far.
Upon execution, the ransomware drops a ransom note named README.txt in each folder. The note contains Telegram links, the victim’s ID, and further instructions for decrypting the files. The figure below shows the ransom note.
Upon execution, the Putin ransomware binary (SHA256: fe311979cd099677b1fd7c5b2008aed000f0e38d58eb3bfd30d04444476416f9) resolves the modules it needs dynamically and loads them. The modules it resolves include Iphlpapi.dll, Netapi32.dll, Oleaut32.dll, Rstrtmgr.dll, Shell32.dll, Shlwapi.dll, ntdll.dll, Ole32.dll and Advapi32.dll. (Rstrtmgr.dll, the Restart Manager API, is commonly used by ransomware to release handles that other processes hold on files before encrypting them.)
After resolving the modules, the ransomware copies the hard-coded ransom note text, as shown below.
Next, the ransomware creates a mutex named “hsfjuukjzloqu28oajh727190” to ensure that only one instance of the malware runs on the victim’s machine, as shown in the image below. The mutex name is a useful host-based indicator.
The ransomware then obtains the list of drives on the victim’s machine using the GetLogicalDriveStringsW() API and enumerates the folders and files on those drives for encryption, as shown below.
While enumerating directories, the ransomware creates a ransom note named “readme.txt” and drops it in each folder it encounters. It then creates multiple worker threads for faster encryption, coordinated through an I/O completion port using the CreateIoCompletionPort(), PostQueuedCompletionStatus() and GetQueuedCompletionStatus() APIs.
The ransomware encrypts files with the ChaCha20 algorithm. ChaCha20 is a symmetric stream cipher that is widely adopted by ransomware because it is fast in software. Because the cipher is symmetric, the same key and nonce that encrypt a file also decrypt it, so how the encryptor generates and protects per-file key material determines whether recovery without the TA’s cooperation is possible. After encrypting a file, the ransomware renames it by appending the .PUTIN extension, as shown below.
TAs can use the source code and builders of various ransomware families that have been exposed on multiple platforms to develop custom ransomware payloads. In this case, the TAs used the leaked Conti source code to start a new ransomware operation with minimal investment. CRIL expects to see more new ransomware families based on the Conti source code in the future.
We have listed some essential cybersecurity best practices that form the first line of control against attackers. We recommend that our readers follow the best practices given below:
Safety Measures Needed to Prevent Ransomware Attacks
- Back up data regularly and keep those backups offline or on a separate network.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
- Use a reputable anti-virus and Internet security software package on your connected devices, including PCs, laptops, and mobiles.
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
Users Should Take the Following Steps After a Ransomware Attack
- Disconnect infected devices from the network.
- Disconnect external storage devices if connected.
- Inspect system logs for suspicious events.
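As a concrete version of the triage above, here is a small Python scanner added for this write-up (it is not a CRIL tool). It walks a directory tree and attributes encrypted files and ransom notes to the families described above, using only the extensions and note names from this analysis; it also flags files with no known extension whose content is high-entropy, which is what an encrypted-but-not-yet-renamed file looks like. The 7.5 bits/byte threshold and the sample tree that build_sample_tree() creates are constructed assumptions for the example.

```python
"""Post-incident triage helper, added as an illustration for this write-up
(not a CRIL tool). Maps encrypted-file extensions and ransom-note names from
the analysis above to families, and flags other high-entropy files that may
have been encrypted but not yet renamed. The entropy threshold and the sample
tree built by build_sample_tree() are constructed for the example."""
import math
import os
import tempfile
from collections import Counter

# Extensions and note names documented in the analysis above.
FAMILY_BY_EXT = {
    ".putin": "Putin Team",
    ".crow": "ScareCrow",
    ".meow": "Meow",
    ".bluesky": "BlueSky",
}
NOTE_NAMES = {
    "readme.txt": ("Putin Team", "ScareCrow", "Meow"),   # shared by three families
    "# decrypt files bluesky #.txt": ("BlueSky",),
}
ENTROPY_THRESHOLD = 7.5   # bits/byte; an assumption, tune for your data
MIN_SAMPLE = 256          # do not judge entropy on tiny files


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; random or well-encrypted data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(root: str) -> dict:
    """Walk root and return encrypted files, notes, unlabelled high-entropy
    files and a per-family count. Names are matched case-insensitively
    because NTFS is case-insensitive."""
    report = {"encrypted": [], "notes": [], "suspect_high_entropy": [],
              "families": Counter()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            ext = os.path.splitext(lower)[1]
            if lower in NOTE_NAMES:
                report["notes"].append((path, NOTE_NAMES[lower]))
            elif ext in FAMILY_BY_EXT:
                report["encrypted"].append(path)
                report["families"][FAMILY_BY_EXT[ext]] += 1
            else:
                with open(path, "rb") as fh:
                    head = fh.read(4096)
                if len(head) >= MIN_SAMPLE and shannon_entropy(head) > ENTROPY_THRESHOLD:
                    report["suspect_high_entropy"].append(path)
    return report


def build_sample_tree() -> str:
    """Constructed victim tree: two renamed encrypted files, one shared-name
    note, one plain text file and one unlabelled random blob."""
    root = tempfile.mkdtemp(prefix="triage_demo_")
    os.makedirs(os.path.join(root, "docs"))
    with open(os.path.join(root, "docs", "report.docx.PUTIN"), "wb") as fh:
        fh.write(os.urandom(2048))
    with open(os.path.join(root, "docs", "readme.txt"), "w") as fh:
        fh.write("Your files are encrypted. Contact us on Telegram. ID: 0000\n")
    with open(os.path.join(root, "cat.jpg.MEOW"), "wb") as fh:
        fh.write(os.urandom(1024))
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("meeting notes for the quarterly review, nothing unusual.\n" * 20)
    with open(os.path.join(root, "backup.bin"), "wb") as fh:   # encrypted, not renamed?
        fh.write(os.urandom(4096))
    return root


if __name__ == "__main__":
    r = triage(build_sample_tree())
    print("families:", dict(r["families"]))
    print("notes:", r["notes"])
    print("high-entropy unlabelled:", r["suspect_high_entropy"])
```

Treat the high-entropy list as leads, not findings: archives, media and already-encrypted containers score just as high, so only the extension and note-name matches are reliable indicators. Run it on a forensic copy, not the live disk, and after the device has been disconnected from the network.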
Impact and Criticality of Ransomware
- Loss of valuable data.
- Loss of the organization’s reputation and integrity.
- Loss of the organization’s sensitive business information.
- Disruption in organization operation.
- Financial loss.
MITRE ATT&CK® Techniques
|Tactic||Technique ID||Technique Name|
|Execution||T1204||User Execution|
|Defense Evasion||T1027||Obfuscated Files or Information|
|Discovery||T1082||System Information Discovery|
|Discovery||T1083||File and Directory Discovery|
|Impact||T1486||Data Encrypted for Impact|
Indicators of Compromise
|Indicator||Indicator Type||Description|
|fe311979cd099677b1fd7c5b2008aed000f0e38d58eb3bfd30d04444476416f9||SHA256||Putin Team ransomware executable|
|Putin Team ransomware executable|
|Putin Team ransomware executable|
|ScareCrow ransomware executable|
|Meow ransomware executable|
|BlueSky ransomware executable|