Cyber Threat Report | May 2022




May 2022 was a turbulent time in the digital space, with a rise in cybersecurity threats across government institutions worldwide and DeFi platforms. A recent report notes that in the first 5 months of 2022, funds stolen from DeFi platforms have already surpassed the total amount in 2021.

In the AMATAS May 2022 report, you’ll also read about Costa Rica’s state of emergency due to the rising Conti threat, as well as how Italy stopped ransomware attacks believed to be carried out by the pro-Russian hackers Killnet.

Our newsletter will provide more information regarding the recent DOJ criminal complaint against the alleged designer behind Jigsaw v.2 and Thanos.

Read on to also find out how to protect your organization against the zero-day vulnerability in Microsoft Office and the two bugs in VMware products.

Cybercrime Breaking News

Costa Rica State of Emergency

Last month, the Russia-based ransomware group, Conti, attacked Costa Rica’s customs and taxes platforms, and several other government agencies, and even brought down one Costa Rican town’s energy supplier. The new government refused to pay the initial ransom of $10 million.

In May 2022:

  • On his first day of work, Rodrigo Chaves, Costa Rica's newly-inaugurated president, declared a state of emergency due to April’s devastating Conti attacks.
  • Conti responded by threatening to "overthrow" the new government and raising its demand to $20 million, which the government refused to pay.
  • At the end of May, the Costa Rican Social Security Fund was hit by a ransomware attack. As a preventative measure, authorities deactivated the entity’s computer systems, causing problems in hospitals, clinics, and Ebais. The attack was believed to be perpetrated by the Hive group.

Even though cybersecurity researchers confirmed that the Conti gang had taken its infrastructure offline, at the end of the month the threat actors published nearly 1,500 documents from the Oregon county leak that took place in January.

Microsoft published guidance for a zero-day vulnerability affecting Word documents, which allows attackers to "install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights" by using a flaw in a remote template feature.

The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive about vulnerabilities in VMware products after an incident response team detected threat actors exploiting two critical bugs: CVE-2022-22954 (an RCE flaw) and CVE-2022-22960 (a privilege escalation flaw). The directive asks for assistance from federal civilian agencies to patch the critical vulnerability.

  • SpiceJet, India's second-largest airline for low-cost domestic flights, was hit with a ransomware attack that impacted several flights.
  • The 157-year-old Lincoln College closed down due to multiple factors, including financial pressure due to the COVID-19 pandemic and a December 2021 ransomware attack that “thwarted admissions activities and hindered access to all institutional data”.

Cyberwar between Russia and Ukraine: Updates

The latest report from Google’s Threat Analysis Group (TAG) highlights that phishing schemes are targeting Eastern European countries to gain access to Ukraine, Lithuania, Central Asia, countries in the Baltics, and even Russia itself.

The report notes that threat actors have been using the war in Ukraine "as a lure for phishing and malware campaigns".

UN representatives and experts are convening in Vienna from May 30 to June 10 for the second meeting of an Ad Hoc Committee. They'll look at the international cybercrime treaty, with a focus on the Russia-backed cybercrime resolution.

Security researchers warn that the REvil ransomware gang may reemerge on the cybercrime scene, despite the arrests made in January. At the end of May 2022, the group claimed responsibility for a DDoS campaign against an Akamai customer; however, the attack did not involve any data encryption or ransomware.

Cybersecurity Justice

Italy stops attacks on the parliament, military, National Health Institute, and several other Italian institutions' websites believed to be carried out by a pro-Russian hacking group, Killnet.

President of Italy’s Senate, Maria Elisabetta Alberti Casellati, wrote on Twitter,

“No damage from the attack which involved the external network of the Senate. Thanks to the technicians for the immediate intervention. These are serious episodes, which should not be underestimated. We will continue to keep our guard up.”

The DOJ unseals a criminal complaint charging 55-year-old Moises Luis Zagala Gonzalez (Zagala). The hacker and ransomware designer, also known as “Nosophoros,” “Aesculapius” and “Nebuchadnezzar,” is believed to have been the driving force behind several ransomware tools, including Jigsaw v. 2 and Thanos.

The indictment alleges that Zagala “not only created and sold ransomware products to hackers, but also trained them in their use.”

For the first time ever, the U.S. Treasury Department sanctions a cryptocurrency mixer allegedly used to process more than $20.5 million in the Ronin Network hack.

Brian E. Nelson, undersecretary of the Treasury for terrorism and financial intelligence, said that such mixers ‘assist[ing] illicit transactions pose a threat to U.S. national security interests’ and ‘will not go unanswered’.

FinTech Updates

More than $1.57 billion in cryptocurrency has been stolen from DeFi platforms in 2022, as of May 1st 2022. A PeckShield alert notes that this amount has surpassed the total of funds stolen in 2021 - $1.55 billion.

In other news in the past month:

AMATAS will continue to monitor this space and deliver salient information regularly. 

Stay tuned for our next report and if you are interested in any of our privacy and cybersecurity services, please do reach out through our website or by e-mailing

As always – be vigilant, stay alert, think twice.

Ralitsa Kosturska in AMATAS