US Defense Contractor BlueForce Hit by Ransomware

US defense contractor BlueForce has been hit by ransomware. According to LeMagIT, the outlet received evidence in the form of a Hatching Triage page for the ransomware sample, together with a note from the threat actors, who claimed to have used the Conti ransomware strain to infect the victim.

The note stated that all of the victim's files were encrypted by the Conti strain. It further read: “As you know (if you don’t – just “google it”), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software — the files might be damaged, so if you are willing to try — try it on the data of the lowest value.”

From the available evidence, the note included a standard URL and a .onion link to an active chat conversation between the Conti operator and a negotiator believed to be from BlueForce Inc., a Virginia-based defense contractor.

BlueForce Inc is an organization that aims to create and develop the nexus between DoD [Department of Defense] and DoS [Department of State] with a skillfully blended mix of cross-functional defense, interagency, and international development expertise.

The attackers signalled their willingness to negotiate in the original message, dated April 9. Two weeks later the supposed victim wrote, “please help, my files are encrypted!!!”

The ransomware operators then ask the victim to identify themselves. On Thursday morning someone in the chat responds, identifies himself as BlueForce, asks for further instructions and asks whether the data can be decrypted.

The attackers demanded a ransom of 17 bitcoins, nearly $969,000, to decrypt the files. They also provided a file list and a sample data pack to prove that Conti had breached the company and stolen its data. There has been no update to the chat since.

BlueForce has chosen to remain silent on the matter. Conti ransomware has been active since mid-2020; it encrypts data and threatens to publish it. A number of schools in London have recently fallen victim to it.