# The Week in Ransomware - April 1st 2022 - 'I can fight with a keyboard'

**[bleepingcomputer.com/news/security/the-week-in-ransomware-april-1st-2022-i-can-fight-with-a-keyboard/](https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-1st-2022-i-can-fight-with-a-keyboard/)**

By [Lawrence Abrams](https://www.bleepingcomputer.com/author/lawrence-abrams/)

April 1, 2022 07:07 PM

While ransomware gangs are still conducting attacks and all companies must stay alert, ransomware news has been relatively slow this week. However, there were still some interesting stories that we outline below.

This week's most interesting story is [CNN's report](https://www.cnn.com/2022/03/30/politics/ukraine-hack-russian-ransomware-gang/index.html) on Conti Leaks, a Ukrainian researcher who has had access to Conti's internal servers for years.

After [Conti sided with Russia](https://www.bleepingcomputer.com/news/security/ransomware-gangs-hackers-pick-sides-over-russia-invading-ukraine/) over the invasion of Ukraine, the researcher fought back by leaking [internal chats](https://www.bleepingcomputer.com/news/security/conti-ransomwares-internal-chats-leaked-after-siding-with-russia/) and [source code](https://www.bleepingcomputer.com/news/security/more-conti-ransomware-source-code-leaked-on-twitter-out-of-revenge/) for the Conti Ransomware gang, providing researchers and law enforcement a glimpse into their operations.

Other interesting news is a clever [IPfuscation technique](https://www.bleepingcomputer.com/news/security/hive-ransomware-uses-new-ipfuscation-trick-to-hide-payload/) used by the Hive ransomware gang to obfuscate payloads by representing them as IP addresses to evade detection. Running the list of IP addresses through a decoder yields a binary payload that can be installed.
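A defender-side triage sketch for the IPfuscation pattern described above, added here as an example and not taken from the article or the research it cites: it flags long runs of IPv4-formatted strings in a sample's extracted strings and decodes each address to its four octets so the blob can be hashed and scanned. The function names, the `min_run` threshold and the sample strings are assumptions constructed for illustration; the decoded sample is harmless ASCII.

```python
import hashlib
import ipaddress
import re

# Candidate dotted quad; ipaddress enforces the 0-255 octet range afterwards.
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def parse_ipv4(s):
    """Return the 4 packed bytes of a strict dotted-quad string, else None."""
    s = s.strip()
    if not IPV4_RE.match(s):
        return None
    try:
        return ipaddress.IPv4Address(s).packed
    except ipaddress.AddressValueError:
        return None

def find_ip_runs(strings, min_run=8):
    """Return (start_index, decoded_bytes) for each run of >= min_run IPv4 strings.
    Assumption: one address carries four bytes, in the order the octets are written."""
    runs, start, buf = [], None, bytearray()
    for i, s in enumerate(list(strings) + [""]):  # empty sentinel flushes the last run
        packed = parse_ipv4(s)
        if packed is not None:
            start = i if start is None else start
            buf += packed
            continue
        if len(buf) // 4 >= min_run:
            runs.append((start, bytes(buf)))
        start, buf = None, bytearray()
    return runs

def triage(strings, min_run=8):
    """Summarise each suspicious run so the decoded blob can go to hash/YARA checks."""
    reports = []
    for start, blob in find_ip_runs(strings, min_run):
        # First octet 0 or >= 224 is not a unicast host: unusual in a real address list.
        odd = sum(1 for k in range(0, len(blob), 4) if blob[k] == 0 or blob[k] >= 224)
        reports.append({"start": start, "addresses": len(blob) // 4,
                        "odd_addresses": odd, "decoded": blob,
                        "sha256": hashlib.sha256(blob).hexdigest()})
    return reports

# Constructed strings dump: an isolated address, then eight consecutive ones.
SAMPLE_STRINGS = ["kernel32.dll", "8.8.8.8", "LoadLibraryA",
                  "99.111.110.115", "116.114.117.99", "116.101.100.32",
                  "98.101.110.105", "103.110.32.115", "97.109.112.108",
                  "101.32.100.97", "116.97.33.33", "999.1.1.1", "ExitProcess"]

if __name__ == "__main__":
    for report in triage(SAMPLE_STRINGS):
        print(report["start"], report["addresses"], report["decoded"])
```
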

Contributors and those who provided new ransomware information and stories this week include: [@PolarToffee](https://twitter.com/PolarToffee), [@FourOctets](https://twitter.com/FourOctets), [@jorntvdw](https://twitter.com/jorntvdw), [@LawrenceAbrams](https://twitter.com/LawrenceAbrams), [@Seifreed](https://twitter.com/Seifreed), [@serghei](https://twitter.com/serghei), [@malwrhunterteam](https://twitter.com/malwrhunterteam), [@DanielGallagher](https://twitter.com/DanielGallagher), [@VK_Intel](https://twitter.com/VK_Intel), [@malwareforme](https://twitter.com/malwareforme), [@Ionut_Ilascu](https://twitter.com/Ionut_Ilascu), [@struppigel](https://twitter.com/struppigel), [@demonslay335](https://twitter.com/demonslay335), [@fwosar](https://twitter.com/fwosar), [@billtoulas](https://twitter.com/billtoulas), [@BleepinComputer](https://twitter.com/BleepinComputer), [@rivitna2](https://twitter.com/rivitna2), [@MinervaLabs](https://twitter.com/minervalabs), [@Amigo_A_](https://twitter.com/Amigo_A_), [@SentinelOne](https://twitter.com/SentinelOne), [@AquaSecTeam](https://twitter.com/AquaSecTeam), [@ContiLeaks](https://twitter.com/ContiLeaks), [@snlyngaas](https://twitter.com/snlyngaas), and [@pcrisk](https://twitter.com/pcrisk).

## March 27th 2022

### Hive ransomware ports its Linux VMware ESXi encryptor to Rust

The Hive ransomware operation has converted its VMware ESXi Linux encryptor to the Rust programming language and added new features to make it harder for security researchers to snoop on victims' ransom negotiations.

## March 28th 2022

### SunCrypt ransomware is still alive and kicking in 2022

SunCrypt, a ransomware-as-a-service (RaaS) operation that reached prominence in mid-2020, is reportedly still active, even if barely, as its operators continue to work on giving its strain new capabilities.

### New KalajaTomorr ransomware

[Amigo-A](https://twitter.com/Amigo_A_) found a new ransomware that drops a ransom note named Hello.txt.

## March 29th 2022

### Threat Alert: First Python Ransomware Attack Targeting Jupyter Notebooks

Team Nautilus has uncovered a Python-based ransomware attack that, for the first time, was targeting Jupyter Notebook, a popular tool used by data practitioners. The attackers gained initial access via misconfigured environments, then ran a ransomware script that encrypts every file on a given path on the server and deletes itself after execution to conceal the attack. Since Jupyter notebooks are used to analyze data and build data models, this attack can lead to significant damage to organizations if these environments aren’t properly backed up.

### New Dharma ransomware variant

[PCrisk](https://twitter.com/pcrisk) found a new Dharma ransomware variant that appends the .snwd extension.

## March 30th 2022

### Hive ransomware uses new 'IPfuscation' trick to hide payload

Threat analysts have discovered a new obfuscation technique used by the Hive ransomware gang, which involves IPv4 addresses and a series of conversions that eventually lead to downloading a Cobalt Strike beacon.

### 'I can fight with a keyboard': How one Ukrainian IT specialist exposed a notorious Russian ransomware gang

As Russian artillery began raining down on his homeland last month, one Ukrainian computer researcher decided to fight back the best way he knew how -- by sabotaging one of the most formidable ransomware gangs in Russia.

## March 31st 2022

### LockBit victim estimates cost of ransomware attack to be $42 million

Atento, a provider of customer relationship management (CRM) services, has published its 2021 financial performance results, which show a massive impact of $42.1 million due to a ransomware attack the firm suffered in October last year.

### Four new STOP ransomware variants

[PCrisk](https://twitter.com/pcrisk) found new STOP ransomware variants that append the .voom, .mpag, .gtys, or .udla extensions.

## That's it for this week! Hope everyone has a nice weekend!

[Lawrence Abrams](https://www.bleepingcomputer.com/author/lawrence-abrams/)

Lawrence Abrams is the owner and Editor in Chief of BleepingComputer.com. Lawrence's area of expertise includes Windows, malware removal, and computer forensics. Lawrence Abrams is a co-author of the Winternals Defragmentation, Recovery, and Administration Field Guide and the technical editor for Rootkits for Dummies.