{
	"id": "25acfa2e-2e5f-49ca-9c54-0b4d93fa337c",
	"created_at": "2026-04-06T00:09:50.417584Z",
	"updated_at": "2026-04-10T13:12:42.081269Z",
	"deleted_at": null,
	"sha1_hash": "4c8aca86871ecbac23192a2e3f9fbc77eba9d173",
	"title": "The Week in Ransomware - April 1st 2022 - 'I can fight with a keyboard'",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1757087,
	"plain_text": "The Week in Ransomware - April 1st 2022 - 'I can fight with a keyboard'\r\nBy Lawrence Abrams\r\nPublished: 2022-04-01 · Archived: 2026-04-05 23:07:40 UTC\r\nWhile ransomware is still conducting attacks and all companies must stay alert, ransomware news has been relatively slow\r\nthis week. However, there were still some interesting stories that we outline below.\r\nThis week's most interesting story is CNN's report on Conti Leaks, a Ukrainian researcher who has had access to Conti's\r\ninternal servers for years.\r\nAfter Conti sided with Russia over the invasion of Ukraine, the researcher fought back by leaking internal chats and source\r\ncode for the Conti Ransomware gang, providing researchers and law enforcement a glimpse into their operations.\r\nhttps://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-1st-2022-i-can-fight-with-a-keyboard/\r\nOther interesting news is a clever 'IPFuscation' technique used by the Hive ransomware gang to obfuscate payloads by\r\nrepresenting them as IP addresses to evade detection. 
Running the list of IP addresses through a decoder yields a\r\nbinary payload that can be installed.\r\nContributors and those who provided new ransomware information and stories this week include: @PolarToffee,\r\n@FourOctets, @jorntvdw, @LawrenceAbrams, @Seifreed, @serghei, @malwrhunterteam, @DanielGallagher, @VK_Intel,\r\n@malwareforme, @Ionut_Ilascu, @struppigel, @demonslay335, @fwosar, @billtoulas, @BleepinComputer, @rivitna2,\r\n@MinervaLabs, @Amigo_A_, @SentinelOne, @AquaSecTeam, @ContiLeaks, @snlyngaas, and @pcrisk.\r\nMarch 27th 2022\r\nHive ransomware ports its Linux VMware ESXi encryptor to Rust\r\nThe Hive ransomware operation has converted their VMware ESXi Linux encryptor to the Rust programming language and\r\nadded new features to make it harder for security researchers to snoop on victims' ransom negotiations.\r\nMarch 28th 2022\r\nSunCrypt ransomware is still alive and kicking in 2022\r\nSunCrypt, a ransomware as service (RaaS) operation that reached prominence in mid-2020, is reportedly still active, even if\r\nbarely, as its operators continue to work on giving its strain new capabilities.\r\nNew KalajaTomorr ransomware\r\nAmigo-A found a new ransomware that drops a ransom note named Hello.txt.\r\nMarch 29th 2022\r\nThreat Alert: First Python Ransomware Attack Targeting Jupyter Notebooks\r\nTeam Nautilus has uncovered a Python-based ransomware attack that, for the first time, was targeting Jupyter Notebook, a\r\npopular tool used by data practitioners. The attackers gained initial access via misconfigured environments, then ran a\r\nransomware script that encrypts every file on a given path on the server and deletes itself after execution to conceal the\r\nattack. 
Since Jupyter notebooks are used to analyze data and build data models, this attack can lead to significant damage to\r\norganizations if these environments aren’t properly backed up.\r\nNew Dharma ransomware variant\r\nPCrisk found a new Dharma ransomware variant that appends the .snwd extension.\r\nMarch 30th 2022\r\nHive ransomware uses new 'IPfuscation' trick to hide payload\r\nThreat analysts have discovered a new obfuscation technique used by the Hive ransomware gang, which involves IPv4\r\naddresses and a series of conversions that eventually lead to downloading a Cobalt Strike beacon.\r\n'I can fight with a keyboard': How one Ukrainian IT specialist exposed a notorious Russian ransomware\r\ngang\r\nAs Russian artillery began raining down on his homeland last month, one Ukrainian computer researcher decided to fight\r\nback the best way he knew how -- by sabotaging one of the most formidable ransomware gangs in Russia.\r\nMarch 31st 2022\r\nLockBit victim estimates cost of ransomware attack to be $42 million\r\nAtento, a provider of customer relationship management (CRM) services, has published its 2021 financial performance\r\nresults, which show a massive impact of $42.1 million due to a ransomware attack the firm suffered in October last year.\r\nFour new STOP ransomware variants\r\nPCrisk found new STOP ransomware variants that append the .voom, .mpag, .gtys, or .udla extensions.\r\nThat's it for this week! Hope everyone has a nice weekend!\r\nSource: https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-1st-2022-i-can-fight-with-a-keyboard/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-1st-2022-i-can-fight-with-a-keyboard/"
	],
	"report_names": [
		"the-week-in-ransomware-april-1st-2022-i-can-fight-with-a-keyboard"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434190,
	"ts_updated_at": 1775826762,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4c8aca86871ecbac23192a2e3f9fbc77eba9d173.pdf",
		"text": "https://archive.orkl.eu/4c8aca86871ecbac23192a2e3f9fbc77eba9d173.txt",
		"img": "https://archive.orkl.eu/4c8aca86871ecbac23192a2e3f9fbc77eba9d173.jpg"
	}
}