DarkSide Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Thu, 10 Feb 2022 22:32:38 +0000

Experts linked BlackCat (ALPHV) ransomware to BlackMatter and DarkSide groups
https://gridinsoft.com/blogs/experts-linked-blackcat-ransomware-to-blackmatter-and-darkside-groups/
Tue, 08 Feb 2022 23:46:32 +0000

A Recorded Future analyst interviewed a member of the hack group behind the BlackCat (ALPHV) ransomware, who confirmed that ALPHV is linked to notorious groups such as BlackMatter and DarkSide.

Let me remind you that the unusual ALPHV ransomware (aka BlackCat and Noberus), written in Rust, was discovered by researchers at the end of last year. Even then, experts noted that the creator of ALPHV had probably previously been a member of the well-known hacker group REvil, and that the new malware is a “very complex” encryptor.

Back at the end of 2021, after the appearance of ALPHV, a representative of the LockBit hack group stated that ALPHV is just a rebranding of the BlackMatter/DarkSide malware.

BlackCat and DarkSide

Now, these statements have been confirmed by the ALPHV representative himself:

Partly we are all connected to gandrevil [GandCrab/REvil], blackside [BlackMatter/DarkSide], mazegreggor [Maze/Egregor], LockBit and so on, because we are “advertising”. “Advertising” writes software, “advertising” chooses the brand name, the entire affiliate program is nothing without “advertising”. There was no rebranding or mixing of valuable personnel, because we are not directly related to these affiliate programs. Let’s just say we borrowed their strengths and eliminated their weaknesses.

Although BlackCat operators claim in interviews that they were only BlackMatter/DarkSide partners running their own extortion business, some experts do not believe this. For example, in response to the statements of hackers, Bleeping Computer quotes Emsisoft analyst Brett Callow, who is sure that BlackMatter simply replaced the development team after Emsisoft found a vulnerability in their malware that allowed victims to restore files for free.

While ALPHV claims to be former partners of DS/BM, it’s more likely that they *are* DS/BM, just trying to distance themselves from this brand due to the reputational hit they received after a bug [we discovered] that cost their partners several million dollars, Callow says.

Bleeping Computer journalists also note that hackers do not seem to learn from their mistakes. The fact is that the responsibility for the recent attacks on the German companies Oiltanking and Mabanaft, engaged in the transportation and storage of oil and petroleum products, lies with the operators of the BlackCat/ALPHV encryptor. These attacks once again affected the fuel supply chain and caused a lot of problems.

This is quite ironic, considering that the DarkSide group was forced to cease its activities earlier precisely after the attack on the largest pipeline operator in the United States, Colonial Pipeline, as the incident provoked interruptions in the supply of fuel and drew too much unnecessary attention to the hackers.

Much the same happened with the BlackMatter ransomware, which experts almost immediately called a rebranding of DarkSide: law enforcement agencies seized the group’s servers and forced it to stop operating again.

Now, after attacking Oiltanking and Mabanaft, the faction may again come under pressure for the same reason. However, in an interview with Recorded Future, the hackers said that they cannot control the targets of their partners’ attacks and try to block those who break the rules.

The post Experts linked BlackCat (ALPHV) ransomware to BlackMatter and DarkSide groups appeared first on Gridinsoft Blog.

US authorities offer $10 million for information on DarkSide operators
https://gridinsoft.com/blogs/us-authorities-offer-10-million-for-information-on-darkside-operators/
Mon, 08 Nov 2021 21:21:27 +0000

The US government has offered a $10,000,000 reward for any information that could lead to the identification or arrest of members and operators of the DarkSide hack group.

It is emphasized that this reward can be obtained for any information about the heads of DarkSide, who occupy key positions in the faction. If the informant provides information that leads to the arrest of DarkSide partners (in any country) who help the hackers carry out attacks, that information can earn up to $5,000,000.

information about DarkSide operators

The US authorities said they are offering such a large reward because of the attack on the largest pipeline operator in the United States, the fuel transportation company Colonial Pipeline. Let me remind you that we covered this attack in detail, because it was this incident that forced the authorities to introduce an emergency regime in a number of states and became the straw that broke the camel’s back: law enforcement attention to ransomware increased, and hacker forums rushed to ban ransomware advertising.

In offering this reward, the United States demonstrates its commitment to protecting ransomware victims around the world from exploitation by cyber criminals. The United States looks to nations who harbor ransomware criminals that are willing to bring justice for those victim businesses and organizations affected by ransomware, the government’s message said.

After the attack on the Colonial Pipeline company, which drew too much attention from the authorities to the hackers, DarkSide ceased its activities, claiming that it had lost access to some of its accounts and servers. However, experts soon reported that the new BlackMatter ransomware could be considered the “successor” of the DarkSide malware, and that the group had clearly simply carried out a “rebranding”.

However, we also wrote that after REvil shut down, members of the hack group DarkSide hastily moved $7 million.

The aforementioned BlackMatter also stopped working last week, citing pressure from local authorities and some recent news. Representatives of the group did not explain exactly what news they meant, but the statement came after a series of major arrests in recent weeks.

The post US authorities offer $10 million for information on DarkSide operators appeared first on Gridinsoft Blog.

Operators of the BlackMatter ransomware announced the termination of activity
https://gridinsoft.com/blogs/termination-of-blackmatter-ransomware/
Thu, 04 Nov 2021 16:47:45 +0000

The hackers behind the BlackMatter ransomware have announced the termination of their activity, citing pressure from local authorities.

The group announced it was “shutting down” on November 1, 2021, in the backend part of its darknet site, which is usually used by attackers’ partners.

BlackMatter ransomware group has announced they’re shutting down operations following pressure from local authorities – they state key members are no longer ‘available’, the Twitter account @vxunderground reported.

Representatives of the group did not explain what kind of pressure they are talking about, but this statement was published after a number of major events that have occurred in recent weeks.

First, Microsoft and Gemini Advisory recently linked the FIN7 criminal group (believed to be the developer of the DarkSide and BlackMatter malware) with the fake information security company Bastion Secure, which was looking for and hiring researchers.

Secondly, last week it was revealed that Emsisoft had secretly created a decryptor for BlackMatter, which was provided to victims so that they did not have to pay ransoms, and this considerably reduced the hackers’ profits.

Third, the New York Times reported over the weekend that Russia and the United States have begun closer cooperation to combat Russian-based cybercriminals and extortion groups. Let me remind you that FIN7 is a Russian-speaking group, and it is believed that it operates from Russia.

Fourth, the REvil ransomware recently shut down (for the second time this year), which, according to media reports, has been taken seriously by law enforcement agencies.

Fifth, what is happening may be associated with a large-scale operation by law enforcement agencies, during which 12 people responsible for 1,800 extortion attacks were recently detained.

It is also worth remembering that this is not the first time that hackers have stopped their activities. For example, the BlackMatter ransomware is considered the “successor” of the DarkSide malware, which stopped working in May of this year after the scandalous attack on the Colonial Pipeline company, which drew too close attention of the authorities to hackers.

On Twitter, Jeff Moss, founder of the well-known information security conferences Black Hat and DEF CON, notes that ransomware is half a political issue, and that law enforcement agencies usually know the identities of most malware operators but cannot pursue these hack groups due to Russia’s unwillingness to cooperate.

Suggests the authorities have known all along and only once the pressure increased did they act. It’s examples like that that convinced me that ransomware is at least 50% a political problem, Jeff Moss writes.

Judging by BlackMatter’s statement, it can be assumed that the situation has changed, although many cybersecurity experts already predict a new “rebranding” of the group and its prompt return.

The post Operators of the BlackMatter ransomware announced the termination of activity appeared first on Gridinsoft Blog.

After REvil shut down, members of the hack group DarkSide hastily moved $7 million
https://gridinsoft.com/blogs/members-of-the-darkside-hastily-moved-7-million/
Mon, 25 Oct 2021 16:55:10 +0000

Information security specialists noticed that at the end of last week, the funds of the DarkSide hack group began to move: the attackers hastily moved about $7 million to other wallets.

Moreover, with each new transaction, a smaller amount is transferred, which makes it difficult to track money.

The CEO and co-founder of Profero was the first to notice the transfer and announced on Twitter that 107 bitcoins (about $7 million) had moved from the group’s wallet to another wallet. He emphasized that the money is clearly controlled by the hackers themselves, since law enforcement usually simply moves seized assets to a new wallet under its control and does not try to break the funds into smaller pieces.

DarkSide moved $7 million

As the blockchain analysis company Elliptic reported a little later, the DarkSide cryptocurrency is passing through different wallets, and in the process the amount has already decreased from 107.8 BTC to 38.1 BTC. This is a typical money laundering scheme that makes funds harder to track and helps criminals convert cryptocurrency to fiat. According to Elliptic, the process is still ongoing, and small amounts have already been transferred to well-known exchanges.

Withdrawal scheme

Interestingly, DarkSide funds were set in motion shortly after the media reported that law enforcement was behind the cessation of another well-known hack group, REvil, by attacking the criminals’ infrastructure.

The fact is that DarkSide has also received a lot of attention, especially last summer when it hacked one of the largest pipeline operators in the United States, Colonial Pipeline. This incident forced the American authorities to introduce an emergency regime in a number of states and became the straw that broke the camel’s back: law enforcement attention to ransomware increased, and hacker forums rushed to ban ransomware advertising altogether.

A week after the attack, and the government’s most unwelcome attention, DarkSide announced it would cease operations. At the time the group claimed that it had lost control of some servers and cryptocurrency wallets (that is, its own money). However, in July the hackers rebranded themselves by launching new infrastructure and malware called BlackMatter.

It looks like now, after what happened to REvil, hackers want to make sure they don’t lose their funds a second time. Moreover, a few days earlier, the American authorities issued a warning about BlackMatter’s activities, stating that the ransomware had already attacked “several critical US infrastructures.”

The post After REvil shut down, members of the hack group DarkSide hastily moved $7 million appeared first on Gridinsoft Blog.

The new BlackMatter ransomware was created by the authors of recently “closed” DarkSide
https://gridinsoft.com/blogs/new-blackmatter-ransomware/
Wed, 04 Aug 2021 16:50:47 +0000

Last week, experts noticed the emergence of a new ransomware BlackMatter, which combines the “best” features of the now defunct DarkSide and REvil.

In particular, the analysts of Recorded Future wrote that the new group could be associated with DarkSide, which ceased operations in May of this year, after the scandalous attack on the Colonial Pipeline company, which attracted too close attention of the authorities to hackers.

Several companies have already suffered from BlackMatter, and the hackers demanded ransoms of $3 to $4 million from them, Bleeping Computer now reports. One victim has already paid the cybercriminals $4 million and received a Windows and Linux ESXi decryptor from them.

New BlackMatter ransomware

The journalists showed this tool to information security expert Fabian Wosar, technical director of Emsisoft. He confirmed that BlackMatter uses the same unique encryption methods that the DarkSide group used in its attacks (including the special Salsa20 matrix unique to this group).

The publication also notes that if BlackMatter is just a “rebranding” of DarkSide, this explains some of the limitations listed on the hackers’ site. So, among other things, the group reports that it is not going to attack “the oil and gas industry (pipelines, oil refineries).” Let me remind you that it was the attack on the operator of the Colonial Pipeline that led to the “closure” of DarkSide.

Meanwhile, at the beginning of this week, Recorded Future analyst Smilyanets interviewed a representative of the new extortionist group. BlackMatter denies being involved with DarkSide; instead, the hackers say they were only inspired by “the work of colleagues.”

Darkside is relatively new software with a good codebase (partly problematic, but the ideas themselves deserve attention) and an interesting web part when compared to other RaaS. [Our] executable file incorporates ideas from LockBit, REvil and partly DarkSide. The web part has incorporated the technical approach of DarkSide, as we consider it the most structurally correct (separate companies for each goal, and so on), the criminals say.

When Smilyanets directly asked if representatives of the group could confirm that their infrastructure is based on DarkSide, they replied:

We can say for sure that we are fans of the dark theme in design and have known the DarkSide team for collaboration in the past, but we are not them, although their ideas are close to us.

The post The new BlackMatter ransomware was created by the authors of recently “closed” DarkSide appeared first on Gridinsoft Blog.

BlackMatter ransomware attacks companies with revenues above $100 million
https://gridinsoft.com/blogs/blackmatter-ransomware-attacks/
Thu, 29 Jul 2021 15:40:54 +0000

Recorded Future analysts have discovered a new hack group accompanying the BlackMatter ransomware that attacks large companies and combines the “best” features of the now defunct DarkSide and REvil.

Researchers say the group is currently recruiting “partners” through announcements on hacker forums Exploit and XSS.

Although any advertising related to ransomware has been banned on these sites since May 2021, BlackMatter members do not advertise Ransomware-as-a-Service (RaaS), but advertisements for finding “initial access brokers”, that is, people who have access to compromised corporate networks.

BlackMatter ransomware attacks

According to the announcement, BlackMatter is only interested in working with brokers who can provide access to the networks of large companies, whose income is $100 million per year or more. Such a network must have between 500 and 15,000 hosts and must be located in the United States, United Kingdom, Canada, or Australia.

Hackers write that they are willing to pay up to $100,000 for exclusive access to any of the suitable networks.

The members of the group boast that they can encrypt data in different versions of operating systems and architectures. Including: Windows (via SafeMode), Linux (Ubuntu, Debian, CentOS), VMWare ESXi 5+, as well as NAS Synology, OpenMediaVault, FreeNAS and TrueNAS.

Like most modern ransomware, the BlackMatter group has already launched its own data leak site, where the hackers intend to publish information stolen from victims if the hacked company does not agree to pay the ransom for decrypting files. So far the resource is empty, but BlackMatter announced itself only this week and has not attacked anyone yet.

The BlackMatter website lists targets that the group is not going to attack (in case of accidental infection, the data of the victims will be decrypted for free). The list includes:

  • hospitals;
  • critical infrastructure facilities (nuclear power plants, power plants, water treatment plants);
  • oil and gas industry (pipelines, oil refineries);
  • defense industry;
  • non-profit organizations;
  • government sector.

Recorded Future analysts believe the new group may be linked to another notorious ransomware, DarkSide, which ceased operations in May this year after the scandalous attack on the Colonial Pipeline company, which drew too close attention from the authorities to the hackers. However, for now the researchers are not drawing final conclusions and continue to investigate.

The post BlackMatter ransomware attacks companies with revenues above $100 million appeared first on Gridinsoft Blog.

Colonial Pipeline CEO Confirms that Company Paid Criminals $4.4M
https://gridinsoft.com/blogs/colonial-pipeline-paid-criminals/
Wed, 19 May 2021 21:42:55 +0000

The head of Colonial Pipeline confirmed that the company paid the criminals a ransom after the largest pipeline operator in the United States suffered from the DarkSide ransomware attack in mid-May 2021.

The attack caused problems with the supply of gasoline, diesel fuel, aviation fuel, and other refined products, and an emergency regime was introduced in a number of states.

The incident forced Colonial Pipeline to temporarily suspend operations; the company transports petroleum products between refineries on the Gulf Coast and markets in the south and east of the United States. The company’s 5,500-mile pipeline carries up to 2,500,000 barrels per day, roughly 45% of all fuel consumed on the US East Coast.

At the end of last week, Bloomberg, citing its own anonymous sources, reported that the company had paid a ransom of $5,000,000 to the ransomware operators. Although the Washington Post and Reuters previously wrote that the company did not intend to negotiate with the attackers, Bloomberg said that this information was not true.

Almost at the same time as this announcement, Colonial Pipeline was indeed able to restore its pipeline to normal operation, and supplies of petroleum products were resumed to normal volumes, the media noted.

Colonial Pipeline CEO Joseph Blount officially confirmed to Wall Street Journal reporters today that the company paid the cybercriminals a ransom of $4.4 million in bitcoins. According to him, it was necessary to recover as quickly as possible from the ransomware attack, which had an impact on critical energy infrastructure. Blount calls the ransom payment “the right thing to do” for the country.

I know this is a very controversial decision. It was not easy for me to do it. I confess it was uncomfortable to see how money goes to such people, said Blount, adding that the ransom was paid back on May 7.

In the end, the company did receive a tool for decrypting data, but, as previously reported, it worked so slowly that in the end, the company’s specialists were forced to continue the previously started recovery of systems from backups.

Let me remind you that after the sensational cyberattack on the American fuel giant Colonial Pipeline, experts proposed a kind of “vaccine” against Russian hackers.

The post Colonial Pipeline CEO Confirms that Company Paid Criminals $4.4M appeared first on Gridinsoft Blog.

Cyrillic on the keyboard may become a “vaccine” against Russian hackers
https://gridinsoft.com/blogs/vaccine-against-russian-hackers/
Tue, 18 May 2021 16:08:54 +0000

After the sensational cyberattack on the American fuel giant Colonial Pipeline, experts proposed a kind of “vaccine” against Russian hackers.

The cybercriminal group DarkSide behind the attack on the Colonial Pipeline hastened to disown any political motives.

According to the hackers, they are apolitical and “do not participate in geopolitics.” However, according to journalist Brian Krebs, the cybercriminals’ statement is not true.

Here’s the thing: digital ransomware groups like DarkSide are very concerned about making their entire platform geopolitical because their malware is specifically designed to work only in certain parts of the world, Krebs writes.

According to the journalist, similarly to other ransomware programs, DarkSide contains an embedded list of countries in which it does not infect computer systems. As a rule, this list includes the countries of the former USSR and the CIS countries. In particular, the DarkSide list includes: Azerbaijan, Armenia, Belarus, Georgia, Kazakhstan, Kyrgyzstan, Moldova, Russia, Romania, Syria, Turkmenistan, Tajikistan, Tatarstan, Ukraine and Uzbekistan.

Before installing itself on a system, the malware checks whether the language of a country on the list is present and, if it is, does not install.

Cybercriminals are known to react quickly to defenses that reduce their profitability, so why don’t the bad guys just make a difference and start ignoring language checks? Well, they certainly can and maybe even will (the latest version of DarkSide analyzed by Mandiant does not check the system language), the journalist said.

However, abandoning the language check increases the risk for the cybercriminals themselves and reduces profits, explained Allison Nixon, chief researcher at the New York-based information security company Unit221B.

Because of Russia’s “unique legal culture”, Nixon said, Russian cybercriminals use language tests to make sure their victims are abroad.

They do it for legal protection. Installing a Cyrillic keyboard or changing a specific registry entry to “RU”, etc., may be enough to convince malware that you are Russian. Technically, this can be used as a “vaccine” against Russian malware, Nixon explained.

Does this mean that installing the Russian layout will secure the system from hackers one hundred percent? No. There are many groups in the cybercriminal world that, unlike DarkSide, do not care who the victims of their attacks are. Changing language settings cannot replace cyber hygiene and cybersecurity best practices, Krebs emphasizes. However, the expert sees no reason not to try such a simple preventive measure to keep yourself safe.

The worst thing that can happen is that you accidentally switch language settings, and all your menu items will be in Russian, Krebs writes.
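To make the language check that Krebs and Nixon describe concrete from the defender's side, here is an added audit script (not code from Gridinsoft, Krebs, or any malware sample) that reads the keyboard layouts preloaded for a Windows user profile and reports whether any of them belongs to a country on the DarkSide exclusion list quoted above. The use of the `Preload` registry key, the decoding of layout IDs, the numeric language-ID table and the constructed `reg query` output are my assumptions; as the page itself notes, which locale source a given sample inspects (if any) varies between versions.

```python
"""Audit a Windows user profile's preloaded keyboard layouts against the
DarkSide-style country exclusion list.  Added example, not Gridinsoft's, Krebs's
or any malware sample's code; the registry key, the KLID decoding and the
language-ID table are assumptions based on public Windows documentation."""
import re
import subprocess
import sys

# Countries DarkSide was reported to skip, keyed by the Windows primary
# language identifier (the low 16 bits of a keyboard layout ID, KLID).
# The page names only the countries; the numeric IDs are assumed from the
# public Windows LCID table.
EXCLUDED_LANGIDS = {
    0x0419: "Russia (ru-RU)",
    0x0422: "Ukraine (uk-UA)",
    0x0423: "Belarus (be-BY)",
    0x043F: "Kazakhstan (kk-KZ)",
    0x0440: "Kyrgyzstan (ky-KG)",
    0x0437: "Georgia (ka-GE)",
    0x042B: "Armenia (hy-AM)",
    0x042C: "Azerbaijan (az-Latn-AZ)",
    0x0818: "Moldova (ro-MD)",
    0x0418: "Romania (ro-RO)",
    0x0443: "Uzbekistan (uz-Latn-UZ)",
    0x0442: "Turkmenistan (tk-TM)",
    0x0428: "Tajikistan (tg-Cyrl-TJ)",
    0x0444: "Tatarstan (tt-RU)",
    0x2801: "Syria (ar-SY)",
}

PRELOAD_KEY = r"HKCU\Keyboard Layout\Preload"
# One "reg query" value line looks like:  "    1    REG_SZ    00000419"
_VALUE_LINE = re.compile(r"^\s*\d+\s+REG_SZ\s+([0-9A-Fa-f]{8})\s*$")

# Constructed sample of "reg query" output: an en-US layout plus a Russian one.
SAMPLE_REG_OUTPUT = """
HKEY_CURRENT_USER\\Keyboard Layout\\Preload
    1    REG_SZ    00000409
    2    REG_SZ    00000419

"""


def parse_preload(reg_output: str) -> list[int]:
    """Return the keyboard layout IDs (KLIDs) listed in reg query output."""
    return [int(m.group(1), 16)
            for line in reg_output.splitlines()
            if (m := _VALUE_LINE.match(line))]


def layout_langid(klid: int) -> int:
    """Primary language ID of a layout: the low 16 bits of the KLID.
    Variant layouts (e.g. 00020422 or d0010419) share the base language."""
    return klid & 0xFFFF


def excluded_layouts(klids: list[int]) -> list[str]:
    """Names of excluded-list countries whose language any preloaded layout uses."""
    return [EXCLUDED_LANGIDS[layout_langid(k)]
            for k in klids if layout_langid(k) in EXCLUDED_LANGIDS]


def vaccine_would_apply(klids: list[int], language_check_present: bool = True) -> bool:
    """True if a sample that performs the language check would skip this host.
    A build that dropped the check (as Mandiant observed) ignores layouts."""
    return language_check_present and bool(excluded_layouts(klids))


def collect_preload() -> str:
    """Read the live Preload key on Windows; elsewhere fall back to the sample."""
    if sys.platform != "win32":
        return SAMPLE_REG_OUTPUT
    return subprocess.run(["reg", "query", PRELOAD_KEY],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    klids = parse_preload(collect_preload())
    print("Preloaded layouts:", [f"{k:08x}" for k in klids])
    print("Exclusion-list matches:", excluded_layouts(klids) or "none")
    print("Language-check 'vaccine' would apply:", vaccine_would_apply(klids))
```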

Let me remind you that I also wrote that NATO experimented with deceptive techniques to combat Russian hackers.

The post Cyrillic on the keyboard may become a “vaccine” against Russian hackers appeared first on Gridinsoft Blog.

Hacker XSS Forum Banned Ransomware Ads
https://gridinsoft.com/blogs/hacker-xss-forum-banned-ransomware-ads/
Fri, 14 May 2021 16:16:38 +0000

The administration of the popular hacker forum XSS (formerly DaMaGeLab) has banned advertising and sale of any ransomware on its pages.

Groups like REvil, LockBit, DarkSide, Netwalker, Nefilim, and so on have often used the forum to advertise new customer acquisition.

The main purpose of the DaMaGeLab forum is knowledge. We are a technical forum, we learn, research, share knowledge, write interesting articles. The goal of Ransomware is just to make money. The goals are not the same. No, of course, everyone needs money, but not by the cost of basic aspirations. We are not a market or a marketplace. Degradation on the face. Newbies open up the media, see some crazy virtual millions of dollars that they will never get. They don’t want anything, they don’t learn anything, they don’t code anything, they just don’t even think, the whole essence coming down to “encrypt – get $”, the XSS administrator writes in his statement.

As a result, ransomware affiliate programs, renting such malware and selling lockers are now prohibited on XSS.

Shortly after this publication, representatives of a number of groups expressed their dissatisfaction with what was happening. For example, a LockBit spokesperson left a comment with just one word: “suddenly”.

XSS Banned Ransomware Ads

The representative of REvil, in turn, writes that the group is leaving the forum altogether and moving to another hacker resource – Exploit[.]in.

XSS Banned Ransomware Ads

I must say that a little earlier, the operators of REvil, currently one of the largest ransomware operations on the market, also announced upcoming changes in their work. The hackers said they intend to stop advertising their RaaS platform and will continue to work privately, that is, with a small group of well-known and trusted persons.

REvil plans to stop attacking important social sectors, including healthcare, education, and government networks anywhere in the world, as such attacks could draw unwanted attention to the group’s work, the REvil operators write.

If one of the clients nevertheless attacks a “forbidden” company or organization, the hackers intend to provide the victims with a free decryption key and then promise to stop working with such a “partner”.

Apparently, everything that is happening is directly related to the law enforcement attention attracted by the DarkSide ransomware, which last week attacked the largest pipeline operator in the United States, Colonial Pipeline. This high-profile incident received attention at the highest level: the other day, US President Joe Biden announced that the US authorities intend to interfere with the work of the hacking group.

As a result, DarkSide representatives said they had already lost access to their servers and multimillion-dollar ransoms (although the American authorities, it seems, have not yet taken any action) and announced the termination of their work.

It seems that the XSS administration and the REvil operators do not want to be the object of the same scrutiny from law enforcement agencies, and are trying to act proactively.

Let me remind you that earlier I wrote that REvil spokesman boasts that hackers have access to ballistic missile launch systems.

The post Hacker XSS Forum Banned Ransomware Ads appeared first on Gridinsoft Blog.
