Ransomware Review – February 2022

Our rundown of the key ransomware events, attacks, and group activity from February.

The FBI has issued an advisory warning that the BlackByte ransomware group has been observed targeting multiple US-based entities, including at least three related to critical infrastructure. Government facilities, alongside organisations in the financial, food and agriculture sectors, are all defined as critical infrastructure within this advisory. BlackByte emerged in late 2021 but has already garnered significant public attention due to its attacks on prominent targets. Most recently, the group was responsible for a ransomware incident impacting the San Francisco 49ers NFL team. Like other ransomware groups, BlackByte has adopted the data-theft extortion model and frequently leaks data from victims who refuse to pay on its darknet leak site. Notably, a decryptor for BlackByte was released in October 2021, but this has seemingly had only limited impact on the group’s public activities.

The operators behind the AlphV ransomware (also known as BlackCat) have confirmed they are connected to the now-defunct ransomware group DarkSide and its successor BlackMatter. However, the extent of this connection remains unknown. That AlphV is connected to an earlier ransomware group is not surprising: AlphV emerged seemingly fully formed in late 2021. Almost immediately, the threat actors began recruiting affiliates and naming victims on their data leak site. The group also provided affiliates with a Linux variant of the malware. Since then, AlphV has been linked to multiple high-profile attacks. Most notably, Germany’s Federal Office for Information Security (BSI) attributed to the group a recent ransomware incident targeting two large German oil suppliers, Oiltanking and Mabanaft.

In early February, decryption keys for the Maze, Egregor, and Sekhmet ransomware families were leaked. The decryption keys were posted on the Bleeping Computer forum by a user known as Topleak, who claims to be the developer of all three ransomware families. The authenticity of these decryption keys has been verified and Emsisoft has publicly released a decryption tool. The full circumstances surrounding this leak remain unknown, and Topleak’s claims regarding their role in these groups’ operations have not been confirmed. However, it is noteworthy that none of Maze, Egregor, or Sekhmet remains active, with some members of Egregor reportedly arrested in early 2021.

Key Events

3 February – Kenyon Produce (KP) Snacks, a large UK food producer, compromised by Conti ransomware

4 February – Swissport International, a Swiss aviation services company, is hit by AlphV ransomware

5 February – The Turkish Ministry of Industry and Technology targeted by LockBit ransomware

12 February – Emil Frey, based in Switzerland and one of Europe’s largest car dealerships, targeted by Hive ransomware

14 February – San Francisco 49ers NFL team hit by BlackByte ransomware

19 February – Japanese sportswear and equipment brand Mizuno experiences a ransomware incident

23 February – Deadbolt ransomware group conducts mass targeting of Asustor Network Attached Storage (NAS) devices
