Showing results for tags 'revil'.

Found 9 results

  1. The REvil ransomware operation has likely shut down once again after an unknown person hijacked their Tor payment portal and data leak blog.

     The Tor sites went offline earlier today, with a threat actor affiliated with the REvil operation posting to the XSS hacking forum that someone hijacked the gang's domains.

     The thread was first discovered by Recorded Future's Dmitry Smilyanets, and states that an unknown person hijacked the Tor hidden services (onion domains) with the same private keys as REvil's Tor sites and likely has backups of the sites.

     "But since we have today at 17.10 from 12:00 Moscow time, someone brought up the hidden-services of a landing and a blog with the same keys as ours, my fears were confirmed. The third party has backups with onion service keys," a threat actor known as '0_neday' posted to the hacking forum.

     The threat actor went on to say that they found no signs of compromise to their servers but will be shutting down the operation.

     The threat actor then told affiliates to contact him for campaign decryption keys via Tox, likely so affiliates could continue extorting their victims and provide a decryptor if a ransom is paid.

     [Image: XSS forum topic about REvil sites being hijacked]

     To launch a Tor hidden service (an .onion domain), you need to generate a private and public key pair, which is used to initialize the service. The private key must be secured and only accessible to trusted admins, as anyone with access to this key could use it to launch the same .onion service on their own server.

     As a third party was able to hijack the domains, it means they too have access to the hidden service's private keys.

     This evening, 0_neday once again posted to the hacking forum topic, but this time saying that their server was compromised and that whoever did it was targeting the threat actor.

     [Image: Forum post stating the REvil server was compromised]

     At this time, it is unknown who compromised their servers.

     As Bitdefender and law enforcement gained access to the master REvil decryption key and released a free decryptor, some threat actors believe that the FBI or other law enforcement have had access to the servers since they relaunched.

     As no one knows what happened to Unknown, it is also possible that the threat actor is trying to regain control over the operation.

     REvil likely shut down for good

     After REvil conducted a massive attack on companies through a zero-day vulnerability in the Kaseya MSP platform, the REvil operation suddenly shut down, and their public-facing representative, Unknown, disappeared.

     After Unknown did not return, the rest of the REvil operators launched the operation and websites again in September using backups.

     Since then, the ransomware operation has been struggling to recruit users, going as far as to increase affiliates' commissions to 90% to entice other threat actors to work with them.

     With this latest mishap, the operation in its current form will likely be gone for good. However, no good thing lasts forever when it comes to ransomware, and we will likely see them rebrand as a new operation shortly.

     Thx to @_TheEmperors_ for the tip!

     Source: REvil ransomware shuts down again after Tor sites were hijacked
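The post above explains that a hidden service's identity is nothing more than its key pair. As an added example (not part of the original post or of BleepingComputer's reporting), the following Python derives a v3 .onion address from a service's 32-byte ed25519 public key the way the Tor rendezvous specification defines it: base32 of the public key, a two-byte SHA3-256 checksum over ".onion checksum" || key || version, and the version byte 0x03. The key used here is a constructed placeholder, not any real service's key. Because the address is a pure function of the key, anyone holding a backup of the private key can publish the identical address from any server, which is why the post treats possession of the key backups as equivalent to control of the sites.

```python
import base64
import hashlib

ONION_VERSION = b"\x03"                 # v3 onion addresses carry version byte 0x03
CHECKSUM_PREFIX = b".onion checksum"    # fixed prefix from the Tor rendezvous spec


def onion_checksum(pubkey: bytes) -> bytes:
    """First two bytes of SHA3-256(".onion checksum" || pubkey || version)."""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_VERSION).digest()[:2]


def onion_address(pubkey: bytes) -> str:
    """Derive the v3 .onion hostname from a 32-byte ed25519 public key.

    The result depends only on the key, so the same key yields the same
    address no matter which server the service is started on.
    """
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be exactly 32 bytes")
    raw = pubkey + onion_checksum(pubkey) + ONION_VERSION  # 35 bytes -> 56 base32 chars
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_onion_address(address: str):
    """Return the public key embedded in a v3 .onion address, or None if malformed.

    A defender can use this to validate addresses seen in ransom notes or
    leak-site references before treating them as a usable indicator.
    """
    host = address.lower()
    if host.endswith(".onion"):
        host = host[: -len(".onion")]
    if len(host) != 56:
        return None
    try:
        raw = base64.b32decode(host.upper())
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_VERSION or checksum != onion_checksum(pubkey):
        return None
    return pubkey


if __name__ == "__main__":
    # Constructed placeholder key; a real service key would come from its keypair file.
    placeholder_pubkey = bytes(range(32))
    addr = onion_address(placeholder_pubkey)
    print(addr)
    print("round-trips:", parse_onion_address(addr) == placeholder_pubkey)
```

The derivation has no secret input, so the example cannot show signing; it only shows that the hostname is bound to the key rather than to any server or hosting account.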
  2. A free master decryptor for the REvil ransomware operation has been released, allowing all victims encrypted before the gang disappeared to recover their files for free.

     The REvil master decryptor was created by cybersecurity firm Bitdefender in collaboration with a trusted law enforcement partner.

     While Bitdefender could not share details about how they obtained the master decryption key or the law enforcement agency involved, they told BleepingComputer that it works for all REvil victims encrypted before July 13th.

     "As per our blog post, we received the keys from a trusted law enforcement partner, and unfortunately, this is the only information we are at liberty to disclose right now," Bitdefender's Bogdan Botezatu, Director of Threat Research and Reporting, told BleepingComputer. "Once the investigation progresses and will come to an end, further details will be offered upon approval."

     REvil ransomware victims can download the master decryptor from Bitdefender (instructions) and decrypt entire computers at once or specify specific folders to decrypt.

     To test the decryptor, BleepingComputer encrypted a virtual machine with an REvil sample used in an attack earlier this year. After encrypting our files, we could use Bitdefender's decryptor to easily recover our files, as shown below.

     [Image: Decrypting REvil encrypted files with decryptor]

     Law enforcement likely compromised REvil servers

     The REvil ransomware operation, aka Sodinokibi, is believed to be a rebrand or successor to the now "retired" ransomware group known as GandCrab.

     Since launching in 2019, REvil has conducted numerous attacks against well-known companies, including JBS, Coop, Travelex, and Grupo Fleury.

     Finally, in a massive July 2nd attack using a Kaseya zero-day vulnerability, the ransomware gang encrypted sixty managed service providers and over 1,500 businesses worldwide.

     [Image: REvil ransom demand for MSP encrypted on July 2nd]

     After facing intense scrutiny by international law enforcement and increased political tensions between Russia and the USA, REvil suddenly shut down its operation on July 13th and disappeared.

     While REvil was shut down, Kaseya mysteriously received a master decryptor for their attack, allowing MSPs and their customers to recover files for free.

     As Bitdefender states that victims whom REvil encrypted before July 13th can use this decryptor, it is safe to assume that the ransomware operation's disappearance was tied to this law enforcement investigation.

     It is also likely that Kaseya obtaining the REvil master decryption key for the attack on their customers is tied to the same investigation.

     While REvil has returned to attacking victims earlier this month, the release of this master decryptor comes as a massive boon for existing victims who chose not to pay or simply couldn't after the ransomware gang disappeared.

     Source: Free REvil ransomware master decrypter released for past victims
  3. The REvil ransomware gang has fully returned and is once again attacking new victims and publishing stolen files on a data leak site.

     Since 2019, the REvil ransomware operation, aka Sodinokibi, has been conducting attacks on organizations worldwide where they demand million-dollar ransoms to receive a decryption key and prevent the leaking of stolen files.

     While in operation, the gang has been involved in numerous attacks against well-known companies, including JBS, Coop, Travelex, GSMLaw, Kenneth Cole, Grupo Fleury, and others.

     REvil's disappearance act

     REvil shut down their infrastructure and completely disappeared after their biggest caper yet - a massive attack on July 2nd that encrypted 60 managed service providers and over 1,500 businesses using a zero-day vulnerability in the Kaseya VSA remote management platform.

     REvil then demanded $50 million for a universal decryptor for all Kaseya victims, $5 million for an MSP's decryption, and a $44,999 ransom for individual file encryption extensions at affected businesses.

     [Image: REvil ransom demand for an encrypted MSP]

     This attack had such wide-ranging consequences worldwide that it brought the full attention of international law enforcement to bear on the group.

     Likely feeling pressure and concerns about being apprehended, the REvil gang suddenly shut down on July 13th, 2021, leaving many victims in a lurch with no way of decrypting their files.

     The last we had heard of REvil was that Kaseya received a universal decryptor that victims could use to decrypt files for free. It is unclear how Kaseya received the decryptor but stated it came from a "trusted third party."

     REvil returns with new attacks

     After their shutdown, researchers and law enforcement believed that REvil would rebrand as a new ransomware operation at some point. However, much to our surprise, the REvil ransomware gang came back to life this week under the same name.

     On September 7th, almost two months after their disappearance, the Tor payment/negotiation and data leak sites suddenly turned back on and became accessible.

     A day later, it was once again possible to log in to the Tor payment site and negotiate with the ransomware gang.

     All prior victims had their timers reset, and it appeared that their ransom demands were left as they were when the ransomware gang shut down in July.

     However, there was no proof of new attacks until September 9th, when someone uploaded a new REvil ransomware sample compiled on September 4th to VirusTotal.

     Today, we have seen further proof of their renewed attacks as the ransomware gang has published screenshots of stolen data for a new victim on their data leak site.

     If you have first-hand information about REvil's return, you can confidentially contact us on Signal at +16469613731, Wire at @lawrenceabrams-bc, or Jabber at [email protected]

     New REvil representative emerges

     In the past, REvil's public representative was a threat actor known as 'Unknown' or 'UNKN,' who frequently posted at hacking forums to recruit new affiliates or post news about the ransomware operation.

     [Image: Forum post by REvil's UNKN]

     On September 9th, after the return of the ransomware operation, a new representative simply named 'REvil' began posting at hacking forums claiming that the gang briefly shut down after they thought Unknown was arrested and servers were compromised.

     [Image: REvil post to Russian-speaking hacking forum (Source: Advanced Intel)]

     The translation of these posts can be read below:

     "As Unknown (aka 8800) disappeared, we (the coders) backed up and turned off all the servers. Thought that he was arrested. We tried to search, but to no avail. We waited - he did not show up and we restored everything from backups. After UNKWN disappeared, the hoster informed us that the Clearnet servers were compromised and they deleted them at once. We shut down the main server with the keys right afterward. Kaseya decryptor, which was allegedly leaked by the law enforcement, in fact, was leaked by one of our operators during the generation of the decryptor." - REvil

     Based on these claims, Kaseya's universal decryptor was obtained by law enforcement after they gained access to some of REvil's servers.

     However, BleepingComputer has been told by numerous sources that REvil's disappearance surprised law enforcement as much as everyone else.

     A chat between what is believed to be a security researcher and REvil paints a different story, with an REvil operator claiming they simply took a break.

     [Image: Chat between a researcher and REvil about their disappearance]

     While we may never know the real reason for the disappearance or how Kaseya obtained the decryption key, what is most important is to know that REvil is back to targeting corporations worldwide.

     With their skilled affiliates and ability to perform sophisticated attacks, all network admins and security professionals must become familiar with their tactics and techniques.

     Source: REvil ransomware is back in full attack mode and leaking data
  4. The universal decryption key for REvil's attack on Kaseya's customers has been leaked on hacking forums, allowing researchers their first glimpse of the mysterious key.

     On July 2nd, the REvil ransomware gang launched a massive attack on managed service providers worldwide by exploiting a zero-day vulnerability in the Kaseya VSA remote management application.

     This attack encrypted approximately sixty managed service providers and an estimated 1,500 businesses, making it possibly the largest ransomware attack in history.

     After the attack, the threat actors demanded a $70 million ransom to receive a universal decryptor that could be used to decrypt all victims of the Kaseya ransomware attack.

     However, the REvil ransomware gang mysteriously disappeared, and soon after, the gang's Tor payment sites and infrastructure were shut down.

     The gang's disappearance left companies who may have needed to purchase a decryptor unable to do so.

     On July 22nd, Kaseya obtained a universal decryption key for the ransomware attack from a mysterious "trusted third party" and began distributing it to affected customers.

     Before sharing the decryptor with customers, CNN reported that Kaseya required them to sign a non-disclosure agreement, which may explain why the decryption key hasn't shown up until now.

     It is generally believed that Russian intelligence received the decryptor from the ransomware gang and shared it with US law enforcement as a gesture of goodwill.

     Decryption key leaked on a hacking forum

     Yesterday, security researcher Pancak3 told BleepingComputer that someone posted a screenshot of what they claimed was a universal REvil decryptor on a hacking forum.

     [Image: Forum post about Kaseya decryptor on a hacking forum]

     This post linked to a screenshot on GitHub that showed an REvil decryptor running while displaying a base64 hashed 'master_sk' key. This key is 'OgTD7co7NcYCoNj8NoYdPoR8nVFJBO5vs/kVkhelp2s=', as shown below.

     [Image: Screenshot of alleged Kaseya REvil decryptor]

     When REvil ransomware victims pay a ransom, they receive either a decryptor that works for a single encrypted file extension or a universal decryptor that works for all encrypted file extensions used in a particular campaign or attack.

     The screenshot above is for a universal REvil decryptor that can decrypt all extensions associated with the attack.

     To be clear, while it was originally thought that the decryption key in this screenshot might be the master 'operator' key for all REvil campaigns, BleepingComputer has confirmed that it is only the universal decryptor key for victims of the Kaseya attack. This was also confirmed by Emsisoft CTO and ransomware expert Fabian Wosar.

     BleepingComputer tested the leaked key by patching an REvil universal decryptor with the decryption key leaked in the screenshot.

     [Image: Patching an REvil universal decryptor]

     After patching the decryptor, we encrypted a virtual machine with REvil ransomware samples used in the Kaseya attack. As shown in our video below, we then used our patched REvil Universal Decryptor to decrypt the encrypted files successfully.

     Security firm Flashpoint also confirmed that they could decrypt files encrypted during the Kaseya ransomware attack using this decryption key.

     We also tried the decryptor on other REvil samples we have accumulated over the past two years. The decryptor did not work, indicating it is not the master decryption key for all REvil victims.

     It is not clear why the Kaseya decryptor was posted on a hacking forum, which is an unlikely place for a victim to post. However, BleepingComputer was told by numerous sources in the cybersecurity intelligence industry that they believe that the poster is affiliated with the REvil ransomware gang rather than a victim.

     Regardless of the reasons for it being posted, for those following the Kaseya ransomware attack, this is our first access to the universal decryptor key that Kaseya mysteriously received.

     Source: Kaseya's universal REvil decryption key leaked on a hacking forum
  5. FBI: REvil cybergang behind the JBS ransomware attack

     The Federal Bureau of Investigations has officially stated that the REvil operation, aka Sodinokibi, is behind the ransomware attack targeting JBS, the world's largest meat producer.

     "We have attributed the JBS attack to REvil and Sodinokibi and are working diligently to bring the threat actors to justice," says an FBI Statement on JBS Cyberattack. "We continue to focus our efforts on imposing risk and consequences and holding the responsible cyber actors accountable."

     Ransomware attacks have intensified over the past month as threat actors targeted critical infrastructure and services.

     Last month, the DarkSide ransomware operation attacked Colonial Pipeline, the largest US fuel pipeline, and led to a temporary shutdown of fuel transport to the southeast and northeast of the United States.

     A week later, Ireland's national healthcare system, the HSE, suffered a Conti ransomware attack that severely disrupted health services throughout the country.

     All of these ransomware gangs, including REvil, are believed to be operated out of Russia.

     In a press briefing today, Press Secretary Jen Psaki said that President Biden would be discussing these attacks with Russian President Vladimir Putin at the June 16th Geneva summit.

     "It will be a topic of discussion in direct, one-on-one discussions — or direct discussions with President Putin and President Biden happening in just a couple of weeks," Psaki said at the press briefing.

     The REvil ransomware operation

     The REvil ransomware operation is believed to be operated by a core group of Russian threat actors who recruit affiliates, or partners, who breach corporate networks, steal their data, and encrypt their devices.

     This operation is run as a ransomware-as-a-service, where the core team earns 20-30% of all ransom payments, while the rest goes to their affiliates.

     REvil, also known as Sodinokibi, launched its operation in April 2019 and is believed to be an offshoot or rebranding of the notorious GandCrab ransomware gang, which closed shop in June 2019.

     [Image: REvil ransom note]

     The operation claims to have earned $100 million in a single year through ransom payments.

     The REvil ransomware group is responsible for numerous high-profile attacks, among them Travelex, Grubman Shire Meiselas & Sacks (GSMLaw), Brown-Forman, SeaChange International, CyrusOne, Artech Information Systems, Albany International Airport, Kenneth Cole, Asteelflash, Pierre Fabre, and Quanta Computer.

     More recently, it is suspected that the REvil ransomware operation is behind a ransomware attack on FUJIFILM.

     The JBS ransomware attack

     The JBS ransomware attack occurred in the early morning hours of Sunday, May 31st, causing JBS to shut down its network to prevent the spread of the attack.

     "The company took immediate action, suspending all affected systems, notifying authorities and activating the company's global network of IT professionals and third-party experts to resolve the situation," JBS USA said in a statement.

     The attack also led to JBS shutting down multiple food production sites as they lost access to portions of their network.

     JBS stated that their backups were not affected and that they would be restoring from backup.

     However, BleepingComputer has learned from sources familiar with the attack that there were two encrypted/corrupted datasets that had prevented the company from going back online.

     The issues with these databases appear to have been resolved, and JBS states that most of their plants should be operational tomorrow.

     "Our systems are coming back online and we are not sparing any resources to fight this threat. We have cybersecurity plans in place to address these types of issues and we are successfully executing those plans," said Andre Nogueira, JBS USA CEO. "Given the progress our IT professionals and plant teams have made in the last 24 hours, the vast majority of our beef, pork, poultry and prepared foods plants will be operational tomorrow."

     BleepingComputer has contacted JBS with further questions about the attack but has not received a reply.

     Source: FBI: REvil cybergang behind the JBS ransomware attack
  6. Asteelflash electronics maker hit by REvil ransomware attack

     Asteelflash, a leading French electronics manufacturing services company, has suffered a cyberattack by the REvil ransomware gang, who is demanding a $24 million ransom.

     Asteelflash is a world-leading French electronics manufacturing services (EMS) company that specializes in the design, engineering, and printing of printed circuit boards.

     While Asteelflash has not publicly disclosed an attack, BleepingComputer found this week a sample of the REvil ransomware that allowed access to the Tor negotiation page for their cyberattack.

     This page shows that the REvil ransomware group, also known as Sodin and Sodinokibi, was initially demanding a $12 million ransom, but as the time limit expired, the ransom doubled to $24 million.

     [Image: REvil ransom demand for Asteelflash cyberattack (Source: BleepingComputer)]

     The Tor payment site showed a brief conversation between the REvil threat actors and Asteelflash.

     As part of this conversation, the threat actors shared a file named 'asteelflash_data_part1.7z' that was shared to prove that files were stolen during the attack.

     Metadata of some of the shared files show that Asteelflash employees authored them.

     At this point, the conversation between the two parties has stalled and there are no details about the company's intentions regarding the ransom.

     BleepingComputer has contacted Asteelflash multiple times but has not received a response to our inquiries. LeMagIT had more success, with an Asteelflash representative stating that "the incident is being evaluated."

     Neither BleepingComputer nor LeMagIT could confirm whether the attack was successful in encrypting files on affected systems.

     For more than a year, ransomware gangs have been stealing data from their victims before locking the computers. This allows them to extort victims by promising not to publish or sell the information.

     Source: Asteelflash electronics maker hit by REvil ransomware attack
  7. REvil ransomware has a new ‘Windows Safe Mode’ encryption mode

     The REvil ransomware operation has added a new ability to encrypt files in Windows Safe Mode, likely to evade detection by security software and for greater success when encrypting files.

     Windows Safe Mode is a special startup mode that allows users to run administrative and diagnostic tasks on the operating system. This mode only loads the bare minimum of software and drivers required for the operating system to work.

     Furthermore, any programs installed in Windows that are configured to start automatically will not start in Safe Mode unless their autorun is configured a certain way.

     One of the ways to create an autorun in Windows is to create entries under the following Registry keys:

         HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
         HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
         HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
         HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

     The 'Run' keys will launch a program every time you log in, while the 'RunOnce' key will launch a program only once and then remove the entry from the Registry.

     For example, the following Registry key will automatically start the C:\Users\test\test.exe program when you log in to Windows.

         [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
         "Startup"="C:\Users\test\test.exe"

     However, the above autorun will not launch in Safe Mode unless you add an asterisk (*) to the beginning of the value name like the following:

         [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
         "*Startup"="C:\Users\test\test.exe"

     REvil now includes a 'Safe Mode' mode

     In a new sample of the REvil ransomware discovered by MalwareHunterTeam, a new -smode command-line argument was added that forces the computer to reboot into Safe Mode before encrypting a device.

     To do this, REvil will execute the following commands to force the computer to boot into Safe Mode with Networking when Windows next restarts.

         bootcfg /raw /a /safeboot:network /id 1
         bcdedit /set {current} safeboot network

     It then creates a 'RunOnce' autorun called '*franceisshit' that executes 'bcdedit /deletevalue {current} safeboot' after the user logs into Safe Mode.

     [Image: RunOnce entry to delete the]

     Finally, the ransomware performs a forced restart of Windows that cannot be interrupted by the user.

     Right before the process exits, it will create an additional RunOnce autorun named 'AstraZeneca,' possibly about France's recent deliberations about using the vaccine.

     This autorun will relaunch the REvil ransomware without the -smode argument when the next user logs in after the device is rebooted.

     [Image: AstraZeneca autorun entry]

     It is important to remember that both of these 'RunOnce' entries will be executed after logging into Safe Mode and will automatically be deleted by Windows.

     On reboot, the device will start up in Safe Mode With Networking, and the user will be prompted to log into Windows.

     Once they log in, the REvil ransomware will be executed without the -smode argument so that it begins to encrypt the files on the device.

     Windows will also run the 'bcdedit /deletevalue {current} safeboot' command configured by the '*AstraZeneca' Registry key so that the machine can reboot into normal mode when the ransomware is finished.

     While REvil is encrypting files, the Safe Mode screen will be blank, but it is still possible to use Ctrl+Alt+Delete to launch the Windows Task Manager. From there, you can see the executable running, which in our test is named 'smode.exe,' as shown below.

     [Image: REvil ransomware running in Safe Mode]

     While running, the ransomware will prevent users from launching any programs through Task Manager until it finishes encrypting the device.

     Once the device is encrypted, it will allow the rest of the bootup sequence to proceed, and the desktop will be shown with a ransom note and encrypted files.

     [Image: Device encrypted in Safe Mode]

     Unusual approach

     REvil's new Safe Mode operation is a bit strange as it requires users to log in to the device after they restart into Safe Mode.

     Furthermore, once they log into Safe Mode, they will be presented with a blank screen, and heavy thrashing of drives as the ransomware encrypts the device.

     This behavior could cause users to become instantly suspicious and hibernate or shut down their computers to be safe.

     For this reason, it is possible that the attackers are manually running the new Safe Mode command against specific computers, such as virtual machines or servers, that they want to encrypt without issues.

     Regardless of the reasons, this is another new attack method that security professionals and Windows admins need to watch out for as ransomware gangs constantly evolve their tactics.

     REvil is not the only operation to utilize Safe Mode for encrypting devices. In 2019, another ransomware known as 'Snatch' also added the ability to encrypt a device in Safe Mode using a Windows service.

     Source: REvil ransomware has a new ‘Windows Safe Mode’ encryption mode
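The post above gives a defender two concrete things to look for: autorun values under the Run/RunOnce keys whose name begins with an asterisk (those also execute in Safe Mode), and a pending safeboot flag in the boot configuration. As an added example (not from the article, BleepingComputer, or any REvil analysis tooling), the following Python applies both checks to text a responder would typically collect from a host: a `reg export` of the four autorun keys and the output of `bcdedit /enum {current}`. Both inputs below are constructed samples whose value names mirror the ones described in the post; the file paths are invented.

```python
import re

# The four autorun keys named in the article. A value whose name starts with
# '*' is launched in Safe Mode too, which is the property the sample abuses.
AUTORUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
}
_AUTORUN_KEYS_UPPER = {k.upper() for k in AUTORUN_KEYS}

# Commands that set or clear the safeboot flag, as listed in the article.
BOOT_CONFIG_RE = re.compile(r"\b(bcdedit|bootcfg)\b.*\bsafeboot\b", re.IGNORECASE)

# Constructed sample of `reg export` output for the autorun keys (not a real capture).
# .reg files double every backslash inside string data.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"Startup"="C:\\Users\\test\\test.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*franceisshit"="bcdedit /deletevalue {current} safeboot"
"*AstraZeneca"="C:\\Users\\test\\smode.exe"
'''

# Constructed sample of `bcdedit /enum {current}` after the safeboot flag was set.
SAMPLE_BCDEDIT_OUTPUT = '''Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \\Windows\\system32\\winload.exe
description             Windows 10
safeboot                Network
'''

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]*)"="(.*)"$')


def parse_reg_export(text):
    """Yield (key_path, value_name, value_data) triples from .reg export text."""
    current_key = None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        value_match = _VALUE_RE.match(line)
        if value_match and current_key is not None:
            name, data = value_match.groups()
            yield current_key, name, data.replace("\\\\", "\\")  # undo .reg escaping


def find_safe_mode_autoruns(reg_text):
    """Return autorun entries that run in Safe Mode or change the safeboot flag."""
    findings = []
    for key, name, data in parse_reg_export(reg_text):
        if key.upper() not in _AUTORUN_KEYS_UPPER:
            continue
        reasons = []
        if name.startswith("*"):
            reasons.append("runs in Safe Mode ('*' prefix)")
        if BOOT_CONFIG_RE.search(data):
            reasons.append("changes safeboot configuration")
        if reasons:
            findings.append({"key": key, "name": name, "command": data, "reasons": reasons})
    return findings


def safeboot_setting(bcdedit_text):
    """Return the safeboot value from bcdedit output (e.g. 'Network'), or None if unset."""
    for line in bcdedit_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "safeboot":
            return parts[1].strip()
    return None


if __name__ == "__main__":
    for f in find_safe_mode_autoruns(SAMPLE_REG_EXPORT):
        print(f"{f['key']}\\{f['name']} -> {f['command']}  [{'; '.join(f['reasons'])}]")
    print("pending safeboot:", safeboot_setting(SAMPLE_BCDEDIT_OUTPUT))
```

On a live host, `reg export` writes UTF-16 text, so open the file with `encoding="utf-16"` before passing it to `find_safe_mode_autoruns`; a non-empty result together with a `safeboot` value from `bcdedit /enum {current}` is the combination the post describes, and either one on its own is still worth a look since legitimate software rarely needs a Safe Mode autorun.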
  8. Pan-Asian retail giant Dairy Farm suffers REvil ransomware attack

     [Image source: Wing1990hk]

     Massive pan-Asian retail chain operator Dairy Farm Group was attacked this month by the REvil ransomware operation. The attackers claim to have demanded a $30 million ransom.

     The Dairy Farm Group operates over 10,000 outlets and has 230,000 employees throughout Asia. In 2019, the Dairy Farm Group's total annual sales exceeded $27 billion.

     The group operates numerous grocery, convenience store, health and beauty, home furnishing, and restaurant brands in Asian markets, including Wellcome, Giant, Cold Storage, Hero, 7-Eleven, Rose Pharmacy, GNC, Mannings, Ikea, Maxims, and more.

     REvil ransomware attack on Dairy Farm

     This week, BleepingComputer was contacted by a threat actor who stated that the REvil ransomware group had compromised Dairy Farm Group's network and encrypted devices around January 14th, 2021.

     BleepingComputer was told that the ransom demand is $30 million but has not independently confirmed this amount.

     To prove they had access to the Dairy Farm network, the threat actor shared a screenshot of the Active Directory Users and Computers MMC.

     [Image: A leaked screenshot of the Dairy Farm Windows domain (redacted by BleepingComputer)]

     The attackers claim to still have access to the network seven days after the attack, including full control over Dairy Farm's corporate email, which they state will be used for phishing attacks.

     "They cannot shut down their network because their business will stop. There is a group of revil partners who are still attacking this company, there are more than 30k hosts there," the threat actor told BleepingComputer.

     Dairy Farm confirmed to BleepingComputer that they suffered a cyberattack this month but said that less than 2 percent of all company devices were affected.

     "At Dairy Farm, the protection of our systems is a top priority. On Thursday, we identified an incident that impacted less than 2 per cent of our business servers. These were taken offline and isolated. As an additional precaution, we initiated a full and thorough investigation with the support of an external security specialist, introduced additional security measures and strengthened our monitoring systems further."

     "All of our stores are open, trading and serving our customers across all markets, and are only closed where there are COVID-19 restrictions put in place by national or local governments," Dairy Farm told BleepingComputer via email.

     In a later phone conversation with Dairy Farm, BleepingComputer informed the company that the threat actors claim to still have access and are allegedly still downloading data from the network.

     The company stated that they were not aware of any data being stolen during the attack, even though screenshots seen by BleepingComputer show that the threat actors continued to have access to email and computers after the attack.

     For example, below is an internal Dairy Farm email about the cyberattack leaked by the attackers.

     [Image: Internal email about the ransomware attack (redacted by BleepingComputer)]

     As REvil is known for stealing data during an attack and then threatening to release it if a ransom is not paid, it would come as no surprise to find that stolen data was leaked at a later date.

     Since the Christmas holidays, ransomware gangs appeared to be taking a break from large scale attacks. Unfortunately, this break is now over, and large enterprise attacks are increasing again, as was seen with the Dairy Farm attack and an ongoing global cyberattack against crane manufacturer Palfinger.

     Source: Pan-Asian retail giant Dairy Farm suffers REvil ransomware attack
9. Is ‘REvil’ the New GandCrab Ransomware?

The cybercriminals behind the GandCrab ransomware-as-a-service (RaaS) offering recently announced they were closing up shop and retiring after having allegedly earned more than $2 billion in extortion payments from victims. But a growing body of evidence suggests the GandCrab team have instead quietly regrouped behind a more exclusive and advanced ransomware program known variously as “REvil,” “Sodin,” and “Sodinokibi.”

“We are getting a well-deserved retirement,” the GandCrab administrator(s) wrote in their farewell message on May 31. “We are living proof that you can do evil and get off scot-free.”

However, it now appears the GandCrab team had already begun preparations to re-brand under a far more private ransomware-as-a-service offering months before their official “retirement.”

In late April, researchers at Cisco Talos spotted a new ransomware strain dubbed Sodinokibi that was used to deploy GandCrab, which encrypts files on infected systems unless and until the victim pays the demanded sum. A month later, GandCrab would announce its closure.

A payment page for a victim of REvil, a.k.a. Sodin and Sodinokibi.

Meanwhile, in the first half of May an individual using the nickname “Unknown” began making deposits totaling more than USD $130,000 worth of virtual currencies on two top cybercrime forums. The down payments were meant to demonstrate the actor meant business in his offer to hire just a handful of affiliates to drive a new, as-yet unnamed ransomware-as-a-service offering.

“We are not going to hire as many people as possible,” Unknown told forum members in announcing the new RaaS program. “Five more affiliates can join the program and then we’ll go under the radar. Each affiliate is guaranteed USD 10,000. Your cut is 60 percent at the beginning and 70 percent after the first three payments are made. Five affiliates are guaranteed [USD] 50,000 in total. We have been working for several years, specifically five years in this field. We are interested in professionals.”

Asked by forum members to name the ransomware service, Unknown said it had been mentioned in media reports but that he wouldn’t be disclosing technical details of the program or its name for the time being.

Unknown said it was forbidden to install the new ransomware strain on any computers in the Commonwealth of Independent States (CIS), which includes Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine and Uzbekistan.

The prohibition against spreading malware in CIS countries has long been a staple of various pay-per-install affiliate programs that are operated by crooks residing in those nations. The idea here is not to attract attention from local law enforcement responding to victim complaints (and/or perhaps to stay off the radar of tax authorities and extortionists in their hometowns).

But Kaspersky Lab discovered that Sodinokibi/REvil also includes one other nation on its list of countries that affiliates should avoid infecting: Syria. Interestingly, later versions of GandCrab took the same unusual step.

What’s the significance of the Syria connection? In October 2018, a Syrian man tweeted that he had lost access to all pictures of his deceased children after his computer got infected with GandCrab.

“They want 600 dollars to give me back my children, that’s what they’ve done, they’ve taken my boys away from me for some filthy money,” the victim wrote. “How can I pay them 600 dollars if I barely have enough money to put food on the table for me and my wife?”

That heartfelt appeal apparently struck a chord with the developer(s) of GandCrab, who soon after released a decryption key that let all GandCrab victims in Syria unlock their files for free.

But this rare display of mercy probably cost the GandCrab administrators and its affiliates a pretty penny. That’s because a week after GandCrab released decryption keys for all victims in Syria, the No More Ransom project released a free GandCrab decryption tool developed by Romanian police in collaboration with law enforcement offices from a number of countries and security firm Bitdefender.

The GandCrab operators later told affiliates that the release of the decryption keys for Syrian victims allowed the entropy used by the random number generator for the ransomware’s master key to be calculated. Approximately 24 hours after NoMoreRansom released its free tool, the GandCrab team shipped an update that rendered it unable to decrypt files.

There are also similarities between the ways that both GandCrab and REvil generate URLs that are used as part of the infection process, according to a recent report from Dutch security firm Tesorion.

“Even though the code bases differ significantly, the lists of strings that are used to generate the URLs are very similar (although not identical), and there are some striking similarities in how this specific part of the code works, e.g., in the somewhat far-fetched way that the random length of the filename is repeatedly recalculated,” Tesorion observed.

My guess is the GandCrab team has not retired, and has simply regrouped and re-branded due to the significant amount of attention from security researchers and law enforcement investigators. It seems highly unlikely that such a successful group of cybercriminals would just walk away from such an insanely profitable enterprise.

Source: Is ‘REvil’ the New GandCrab Ransomware? (KrebsOnSecurity - Brian Krebs)