Researchers discover new ransomware gang ‘Muliaka’ attacking Russian businesses

A previously unknown ransomware gang has been attacking Russian businesses with malware based on the leaked source code from the Conti hacking group.

The gang, which researchers at the Moscow-based cybersecurity company F.A.C.C.T. have dubbed “Muliaka," or Muddy Water in English, has left minimal traces from its attacks but has likely been active since at least December 2023.

In a January incident described in a F.A.C.C.T. report, the hackers attacked an unnamed Russian business by encrypting its Windows systems and VMware ESXi virtual infrastructure.

To remotely access the victim’s IT infrastructure, the attackers used the company’s virtual private network (VPN) service. To infect the targeted network with ransomware, the attackers disguised it as popular corporate antivirus software installed on the company's computers.

Unlike the original Conti malware, the one developed by Muliaka — whose name comes from a phishing email sent by the group — terminates processes on the victim’s computer and stops certain system services before starting the file encryption, according to the analysis. Researchers said that Muliaka’s variant was “one of the most interesting upgrades among other malicious tools created after the Conti leak.”

The researchers couldn’t identify the origins of the group, nor did they specify the size of the ransom demanded or whether the targeted company paid it.

F.A.C.C.T. said that many financially motivated hacker groups are taking advantage of the current geopolitical situation in Russia to ramp up their attacks: “Impunity and a large number of potential victims who are careless about the cybersecurity of their business attract lovers of easy money.”