Cyble Research and Intelligence Labs (CRIL) has spotted several new ransomware families, such as Putin Team, ScareCrow, BlueSky, and Meow, that are based on Conti’s source code, which was leaked earlier this year.
The ScareCrow ransomware encrypts the files and appends .CROW as an extension. It then drops a ransom note named “readme.txt”, which contains three Telegram handles for contacting the threat actor.
Another Conti-based ransomware strain, named BlueSky, was first spotted in the second half of 2022. The researchers say that this strain exhibits several similarities and overlaps with Conti and Babuk ransomware, whose source code was leaked in 2021. Upon execution, BlueSky encrypts files and adds the .BLUESKY extension to them. The ransom note it drops, named “# DECRYPT FILES BLUESKY #.txt”, contains instructions for decrypting the files. This ransomware operation uses an .onion portal to interact with the victims.
The Meow ransomware encrypts the victim’s files and appends .MEOW as an extension. It drops a ransom note named “readme.txt”, which contains four email addresses and two Telegram handles that victims can use to interact with the ransomware operators.
As for the Putin Team ransomware, the researchers believe that the threat actors behind it might have modified the leaked source code of the Conti ransomware to generate the ransomware binaries. Although the group pretends to be of Russian origin, at present there is no evidence to support this claim. Putin Team uses a Telegram channel to disclose details of its victims. So far, only two victims are listed on the group’s Telegram channel, according to CRIL.
“The TAs could use the source code and builders of various ransomware groups exposed on multiple platforms to develop a custom ransomware payload. In this case, the TAs have utilized the leaked Conti Ransomware Source code to start a new ransomware operation with minimal investment. CRIL research indicates we might witness a few more new ransomware families based on the Conti Source code in the future,” the researchers have warned.
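The extensions and ransom note names reported above for ScareCrow, BlueSky and Meow can be used to triage a file listing from an affected host. The following is an added example, not code from CRIL or the article; the `triage` function, the `min_files` threshold and the sample paths are assumptions made for illustration. Because “readme.txt” is a common benign file name and is shared by two of the families, the note is only used to corroborate a directory that already contains files with a family extension.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# From the article: appended extension -> (family, ransom note file name).
FAMILIES = {
    ".crow": ("ScareCrow", "readme.txt"),
    ".bluesky": ("BlueSky", "# DECRYPT FILES BLUESKY #.txt"),
    ".meow": ("Meow", "readme.txt"),
}

def triage(paths, min_files=3):
    """Report directories holding >= min_files files with a family extension.

    min_files is an assumed threshold, not a value from the article.
    note_present is True when that family's ransom note is in the same
    directory; a readme.txt with no matching extensions is never reported.
    """
    counts = defaultdict(lambda: defaultdict(int))  # directory -> ext -> count
    names = defaultdict(set)                        # directory -> file names
    for raw in paths:
        p = PureWindowsPath(raw)
        directory = str(p.parent).lower()
        names[directory].add(p.name.lower())
        ext = p.suffix.lower()
        if ext in FAMILIES:
            counts[directory][ext] += 1
    findings = []
    for directory in sorted(counts):
        for ext, n in sorted(counts[directory].items()):
            if n >= min_files:
                family, note = FAMILIES[ext]
                note_present = note.lower() in names[directory]
                findings.append((directory, family, n, note_present))
    return findings

# Constructed sample listing (not real incident data).
SAMPLE = [
    r"C:\Users\alice\Documents\budget.xlsx.CROW",
    r"C:\Users\alice\Documents\notes.docx.CROW",
    r"C:\Users\alice\Documents\plan.pdf.CROW",
    r"C:\Users\alice\Documents\readme.txt",
    r"C:\Projects\tool\readme.txt",      # benign readme, no encrypted files nearby
    r"C:\Projects\tool\main.py",
    r"D:\Share\a.db.BLUESKY", r"D:\Share\b.bak.BLUESKY", r"D:\Share\c.csv.BLUESKY",
    r"D:\Share\# DECRYPT FILES BLUESKY #.txt",
    r"C:\Temp\cat.MEOW",                 # single file, below the threshold
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Putin Team is not covered because the article gives no file extension or ransom note name for it.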