Let me remind you that REvil was one of the largest and most famous extortion groups. In particular, REvil is responsible for the high-profile hacking of MSP solutions provider Kaseya in 2021, as well as the attack on the world’s largest meat producer, JBS.

There was even a time when REvil spokesman boasted that hackers have access to ballistic missile launch systems.

The group’s apparent activity ceased in January 2022, after the Russian FSB announced the arrest of 14 people associated with the hack group, and searches were conducted at 25 addresses in Moscow, St. Petersburg and Lipetsk regions. At the same time, it was reported that “the basis for the search activities was the appeal of the competent US authorities.”

Then the Moscow court took into custody eight alleged members of the hack group. All of them were charged with the acquisition and possession of electronic funds intended for the illegal transfer of funds made by an organized group.

Later, Russian media reported that the investigation into the criminal case had almost reached a dead end, as the US authorities refused to further cooperate with Russia due to the Putin’s army invasion in Ukraine, and they could only accuse the suspects of fraud with the bank cards of two Mexicans living in the United States.

In December 2021, a new Ransom Cartel ransomware appeared on the scene, which, as experts already noted, is in many ways similar to the REvil malware. Now the malware has been studied by Palo Alto Network analysts, and they also write about a possible connection between the two groups.

The fact is that the source code of the REvil encryptor has never been “leaked” and has not been distributed openly. That is, in any new project using similar sources, they immediately suspect either a rebranding of REvil, or a new threat, at the origins of which are former REvil members.

When analyzing the Ransom Cartel malware, the researchers found similarities in the malware configuration structure, although the storage locations differ. So, some configuration values are missing in the Ransom Cartel code, and this, according to experts, means that the authors of the malware are either trying to make it more compact, or the old version of the REvil malware is the basis for this ransomware.

The strongest thing about the similarities between the two ransomware is the encryption schemes they use. The Ransom Cartel samples also generate multiple pairs of public and private keys and secrets, almost identical to the complex system used by REvil.

At the same time, the Ransom Cartel samples do not contain such a serious obfuscation that was found in the REvil malware. This may mean that the authors of the new ransomware do not have access to the original REvil obfuscation mechanism.

Another difference is that Ransom Cartel uses Windows Data Protection API (DPAPI) for stealing credentials. For this purpose, the group uses the very rare DonPAPI tool, which is able to search hosts for DPAPI blobs containing Wi-Fi keys, RDP passwords, and credentials stored in browsers, and then download and decrypt them locally on the machine. These credentials are then used to compromise the Linux ESXi servers and authenticate against the vCenter web interfaces.

Interestingly, despite the lack of leaks of REvil source codes, the Ransom Cartel is not the only group that uses REvil developments in their attacks. So, in April 2022, when the REvil Tor sites unexpectedly resumed their work, a new BlogXX encryptor was discovered, not only compiled based on the REvil source code, but also containing a number of changes.

Then information security experts wrote that the authors of BlogXX clearly have the REvil source code. In addition, when REvil’s Tor sites were up and running again, visitors were soon redirected to the BlogXX site. Although this resource was different from the previous REvil sites, the fact that the old sites started redirecting visitors to the BlogXX sites suggested that someone in the new hack group had access to Tor private keys that allowed them to make the necessary changes.

The post Researchers Linked Ransom Cartel members to Famous Hack Group REvil appeared first on Gridinsoft Blog.

The crooks’ weapon struck them back

The YouTube user Malvuln published a chain of videos regarding the exploitation of the breach in popular ransomware. This exploitation is based on how ransomware launches its executable files with high privileges. Exactly, this is the exploit inside of the other exploit. Let’s check out how that works.

Originally, when crooks launch the ransomware in the infected system, they palm off the malicious DLL to a legit program. Any application requires dynamic-link libraries to function, and if the used DLLs are not checked diligently, it is easy to substitute the original one with the library you need. Cybercriminals know about that breach and know which apps are vulnerable. Giving the malicious DLL to the legit program allows the ransomware to be launched with increased privileges.

However, ransomware itself is not ideal. As the researcher mentioned above figured out, it is also vulnerable to DLL interception. However, the exact method is different compared to how cybercriminals use it. That vulnerability lies in the way of naming the libraries used by ransomware to run the ciphering process. A specially compiled DLL named the one used by ransomware ends the encryption process right after its beginning.

How can that be used?

As Malvuln showed in his videos, ransomware of 6 popular cybercrime gangs is vulnerable to that security breach. Those are AvosLocker, LokiLocker, Black Basta, REvil, Conti, and LockBit. All of them are well-known, and each of them attacks hundreds of companies each month. Some of them may ask for up to $1M ransoms. Using such a vulnerability, companies may easily protect themselves from having their files encrypted. Still, spyware those groups usually inject together with ransomware is still able to extract a lot of valuable data.

Adding a small DLL file on each computer in the network is pretty easy, and hard to detect for threat actors. In contrast to security solutions that are running in the network, DLL is not active and cannot be detected. Hence, crooks may get a very unpleasant surprise. Nonetheless, that does not mean that you can throw away your security solutions. EDR systems may be very effective against spyware, at least with data extraction. Keep in mind that you will likely pay a much bigger sum of money as a ransom than you will spend on an endpoint protection solution.

Thoughts on ransomware vulnerability

Cybercriminals like ones that belong to the named gangs love their brainchildren. And having such a vulnerability, they will not delay fixing it. That is their bread and butter, and they depend on that money flow. Hence, deploying the DLL as I have offered above is not a panacea. Sooner or later (likely sooner) that breach will be fixed, as it was to all other vulnerabilities that leaked to the public. And still – no one names a way to stop the complementary spyware.

This or another way, having the chance to stop the ransomware and prevent disruptions is better than not having it.

The post Vulnerabilities Allow Hijacking of Most Ransomware to Prevent File Encryption appeared first on Gridinsoft Blog.

However, over the past few days, several important events have taken place at once.

Operation Cyclone, which was carried out by Interpol, the law enforcement agencies of Ukraine and the United States, lasted more than 30 months and was aimed at fighting Clop ransomware (aka Cl0p). As part of this operation, six Ukrainian citizens were arrested in June 2021.

The US Department of Justice has also indicted Yaroslav Vasinsky, a 22-year-old citizen of Ukraine, who is suspected of organizing a ransomware attack on Kaseya’s servers in July this year.

The suspect was detained last month under a US warrant. He was arrested by the Polish authorities at the border between Ukraine and Poland.

Let me remind you that in early July, customers of the MSP solution provider Kaseya suffered from a large-scale attack by the ransomware REvil (Sodinokibi). Then the hackers used 0-day vulnerabilities in the company’s product (VSA) and through them attacked Kaseya’s customers. Currently, patches have already been released for these vulnerabilities.

The main problem was that most of the affected VSA servers were used by MSP providers, that is, companies that manage the infrastructure of other customers. This means that the cybercriminals have deployed the ransomware in thousands of corporate networks. According to official figures, the compromise affected about 60 Kaseya clients, through whose infrastructure hackers were able to encrypt approximately 800-1500 corporate networks.

As the authorities now say, Vasinsky was known on the network under the nickname MrRabotnik (as well as Profcomserv, Rabotnik, Rabotnik_New, Yarik45, Yaraslav2468, and Affiliate 22) and since 2019 has hacked companies around the world (having made at least 2,500 attacks), implementing to their infrastructure REvil malware.

To recover their files, the victims had to pay a ransom to the REvil hack group, and Vasinsky received a significant portion of this “profit”. The Justice Department said the hacker “earned” $2.3 million, demanding more than $760 million from companies in total.

In addition to Vasinsky, the US Department of Justice also indicted the second suspect, who also collaborated with the REvil hack group. In court documents, this person appears as a 28-year-old citizen of Russia Yevgeny Polyanin (aka LK4D4, Damnating, damn2Life, Noolleds, Antunpitre, Affiliate 23). He also reportedly worked with REvil as a partner, hacking companies on behalf of the group.

According to authorities, Polyanin hacked into the network of TSM Consulting, a managed service provider based in Texas, from where he deployed REvil malware on the intranets of at least 20 local government agencies on August 16, 2019.

Although Polyanin is still at large and wanted by the FBI, the Justice Department says that specialists managed to seize $6.1 million worth of cryptocurrency that the suspect had kept in an FTX account.

This week, Europol announced the arrest of seven suspects who worked as partners of the REvil (Sodinokibi) and GandCrab ransomware, and have helped carry out more than 7,000 ransomware attacks since the beginning of 2019. Experts from Bitdefender, KPN and McAfee also took part in the operation.

Let me remind you that, according to information security specialists, REvil and GandCrab are run by the same people who created the malware and offered it to other criminals for rent.

As we previously reported, the US government has also offered a $10,000,000 reward for any information that could lead to the identification or arrest of members of the DarkSide hack group.

The post US authorities arrest Kaseya hacker and attacker associated with REvil and GandCrab appeared first on Gridinsoft Blog.

Moreover, with each new transaction, a smaller amount is transferred, which makes it difficult to track money.

CEO and co-founder of Profero first noticed the transfer process, and announced on Twitter that 107 bitcoins (about $7 million) from the group’s wallet had moved to another wallet. He emphasized that the money is clearly controlled by the hackers themselves, since the secret services usually simply move the seized assets to a new wallet under their control, and do not try to break the funds into smaller pieces.

As the blockchain analysis company Elliptic reported a little later, the DarkSide cryptocurrency passes through different wallets, and in the process the amount has already decreased from 107.8 BTC to 38.1 BTC. This is a typical money laundering scheme that makes it difficult to track funds and it helps criminals to convert cryptocurrency to fiat. According to Elliptic, this process is still ongoing, and small amounts have already been transferred to well-known exchanges.

Interestingly, DarkSide funds were set in motion shortly after the media reported that law enforcement was behind the cessation of another well-known hack group, REvil, by attacking the criminals’ infrastructure.

The fact is that DarkSide has also received a lot of attention, especially last summer when it hacked one of the largest pipeline operators in the United States, Colonial Pipeline. This incident forced the American authorities to introduce an emergency regime in a number of states and became the very straw that could break the back of a camel: the attention of law enforcement agencies to ransomware increased, and on hacker forums they rushed to ban advertising of ransomware altogether.

A week after the attack, and the government’s much unwelcome attention to hackers, DarkSide announced it would cease operations. Then the group claimed that it had lost control of some servers and cryptocurrency wallets (that is, its own money). However, in July, the hackers rebranded themselves by launching a new infrastructure and malware called BlackMatter.

It looks like now, after what happened to REvil, hackers want to make sure they don’t lose their funds a second time. Moreover, a few days earlier, the American authorities issued a warning about BlackMatter’s activities, stating that the ransomware had already attacked “several critical US infrastructures.”

The post After REvil shut down, members of the hack group DarkSide hastily moved $7 million appeared first on Gridinsoft Blog.

Let me remind you that earlier this week the operations of the ransomware REvil were again suspended, as an unknown person hacked the group’s website, through which hackers accepted payments from victims and “leaked” data stolen from companies. A REvil spokesman known as 0_neday posted a message on the XSS hacker forum that someone had hijacked the attacker’s domains.

It was also reported that an unknown person hijacked the hacker’s onion domains using the same private keys as the REvil sites. At the same time, the unknown person seemed to have access to the backup copies of the hack group’s websites, and 0_neday stated that the grouping server had been compromised, and the unknown attacker was targeting REvil.

Now, Reuters’ own sources (three cybersecurity experts from the private sector and a former official) say that the group’s infrastructure was turned off as a result of a law enforcement operation carried out in several countries around the world. In particular, a person familiar with the events told the news agency that a foreign partner of the US government had carried out a hacking operation to infiltrate REvil’s infrastructure. A former US official who spoke to reporters on condition of anonymity said the operation is still ongoing.

The head of cybersecurity strategy at VMWare, Tom Kellerman, who is also a cybercrime advisor to the US Secret Service, told the media the following:

Many believe that this time REvil has ceased its work completely. The fact is that recently the ransomware has already “disappeared from the radar” after scandalous attacks on clients of the well-known MSP solutions provider Kaseya and JBS, the world’s largest supplier of beef and poultry, as well as the second largest pork producer.

Although REvil eventually returned a few months later, some cybercriminals and information security experts believed that the FBI or other law enforcement agencies had gained access to the group’s servers and controlled them since the restart. After all, while REvil was inactive, Kaseya somehow obtained a universal key to decrypt its customers’ data. Then, many believed that Russian law enforcement officers received the decryption key from the attackers themselves and handed it over to the FBI as a gesture of goodwill.

In addition, in the past, a member of the group known as Unknown or UNKN has posted advertisements or the latest news about REvil operations on hacker forums. After restarting the operations of the ransomware, he disappeared, and the hackers themselves wrote that Unknown was probably arrested. What happened to him is still not known for certain.

The post Media said that the REvil sites were hacked by law enforcement agencies appeared first on Gridinsoft Blog.

Bleeping Computer reports that all Tor sites of the group have been disabled, and a representative of REvil posted a message on the XSS hacker forum that someone had taken over the attacker’s domains.

Recorded Future specialist Dmitry Smilyanets was the first to notice this message. He reported that an unknown person had seized onion domains of hackers using the same private keys as the REvil websites. As have been said, the unknown person seemed to have access to the backups of the hack group’s sites.

The fact is that to start an onion domain, user needs to generate a pair of private and public keys, which is used to initialize the service. The private key must be protected and only available to administrators, as anyone who has access to it can use it to run the same onion service on their own server. Since the third party was able to take over the REvil domains, this means that it also had access to the group’s private keys.

Although at first the hackers did not find any signs of compromising the servers, they still decided to stop the operations. The group’s partners were asked to contact the REvil operators through Tox to obtain decryption keys.

This is done so that the partners can continue the extortion on their own and provide the victims with a decoder if they pay the ransom.

Later, 0_neday reported that the grouping server had been compromised, and an unknown attacker was targeting REvil.

Bleeping Computer notes that this time, REvil has probably stopped working completely. The fact is that recently the ransomware has already “disappeared from the radar” after scandalous attacks on clients of the well-known MSP solution provider Kaseya and JBS, the world’s largest supplier of beef and poultry, as well as the second largest pork producer.

Although REvil eventually returned a few months later, some cybercriminals and information security experts believed that the FBI or other law enforcement agencies had gained access to the group’s servers and controlled them since the restart. After all, while REvil was inactive, Kaseya somehow obtained a universal key to decrypt its customers’ data.

Then, many believed that Russian law enforcement officers received the decryption key from the attackers themselves and handed it over to the FBI as a gesture of goodwill. But it seems that this is not so: the FBI said that they have no evidence that in Russia they are somehow fighting cyber intruders.

In addition, in the past, a member of the group known as Unknown or UNKN has posted advertisements or the latest news about REvil operations on hacker forums. After restarting the operations of the ransomware, he disappeared, and the hackers themselves wrote that Unknown was probably arrested. What happened to him is still not known for certain; according to journalists, the current hack may be associated with Unknown and his attempts to regain control.

It is also important that after the restart, REvil’s reputation suffered, and the ransomware operators tried to attract new partners by any means. It got to the point that they offered a commission increase of up to 90%, just to encourage other attackers to work with them.

The post REvil ransomware stopped working again, now after hacking sites appeared first on Gridinsoft Blog.

A press release from the Ukrainian cyber police states that the authorities have arrested a 25-year-old resident of Kiev. Searches were carried out at the place of residence of the suspect and in the homes of his relatives, as a result of which computer equipment, mobile phones, vehicles, more than $ 360,000 in cash were seized, and about $1.3 million in cryptocurrency were blocked.

In turn, Europol reports the arrest of two hackers who have been active since April 2020. At the same time, it is emphasized that this group “is known for its extortionate demands for a ransom from 5 to 70 million euros.”

Due to the mention of such large ransom amounts, some information security experts suggested that two suspects may be associated with the ransomware group REvil.

Let me remind you that the Cyber Police of Ukraine arrested persons linked with the Clop ransomware.

The post Ukrainian cyber police arrested ransomware operators who “earned” $150 million appeared first on Gridinsoft Blog.

Their partners ended up with nothing.

Let me remind you that REvil (aka Sodinokibi) has existed since 2019 and is considered to be the heir of the GandCrab ransomware. The ransomware operates according to the Ransomware-as-a-Service (RaaS, ransomware-as-a-Service) scheme, that is, malware developers deal directly with malware and payment sites, and their hired partners hack victims’ networks and encrypt devices. As a result, the ransom payments are distributed between the hack group itself and its partners, with the latter usually receiving 70-80% of the total.

Evgeny Boguslavsky, a specialist at Advanced Intel, told reporters that since at least 2020, there have been rumours on hacker forums that the creators of REvil often negotiate with victims in secret chats, while their partners do not even know about it. These rumours began to appear more often after the sudden disappearance of the ransomware DarkSide and Avaddon (the operators of the latter generally published decryption keys for their victims).

According to Boguslavsky, REvil administrators sometimes create a second chat, identical to the one that their partners use to negotiate with the victim. When negotiations reach a critical point, the creators of REvil step in and portray a victim who supposedly abruptly breaks off negotiations, refusing to pay the ransom. In fact, the REvil authors themselves continue negotiations with the victims, take the entire ransom and leave their partners with nothing.

Recently, these rumours have become more substantiated, as the reverse engineer reported on hack forums that the REvil malware, which RaaS operators provide to their partners for deployment on victims’ networks, contains a “cryptobackdoor”. The discovery came after Bitdefender released a versatile tool to decrypt data after the REvil attacks.

Interestingly, full control over what is happening and the ability to decrypt any system is a practice that other ransomware uses as well. So, Boguslavsky says that, according to rumours, the DarkSide operators worked the same way. After rebranding to BlackMatter, the attackers openly announced this practice, making everyone understand that they reserve the right to take over negotiations at any time without giving any reason.

The head of Advanced Intelligence, Vitaly Kremez, told Bleeping Computer that the latest REvil samples that have appeared recently, after the group restored activity, no longer has a master key that would allow decrypting any system that was blocked by REvil.

The post Hack group REvil deceived their partners due to a backdoor appeared first on Gridinsoft Blog.

First, should be recalled that the background of what is happening: last week Bitdefender published a universal utility for decrypting files affected by the attacks of the ransomware REvil (Sodinokibi). The tool works for any data encrypted before July 13, 2021.

At the time, experts reported that the tool was created in collaboration with “trusted law enforcement partners,” but the company declined to disclose any details, citing an ongoing investigation. According to people familiar with the matter, the partner was not the FBI.

July 13 is mentioned above for a reason, as on this day the entire REvil infrastructure went offline without explanation. The hacker group completely “disappeared from the radar” for a while, and as a result, many companies were left without the ability to recover their data, even if they were willing to pay the hackers a ransom.

It is important that not long before this, in early July 2021, REvil operators carried out a large-scale attack on the customers of the well-known MSP solution provider Kaseya. As a result, the cybercriminals deployed the ransomware in thousands of corporate networks, and law enforcement agencies and authorities became very interested in hackers.

Then, when the group had already “disappeared”, representatives of the injured Kaseya unexpectedly announced that they had a universal key to decrypt customer data. Then the company refused to disclose where this tool came from, limiting itself to a vague “from a trusted third party.”

However, the company assured that it is universal and suitable for all affected MSPs and their clients. Moreover, before sharing the tool with clients, Kaseya required them to sign a non-disclosure agreement.

As the Washington Post now reports, the assumptions of many cybersecurity experts were correct: Kaseya really received the key from the FBI representatives. Law enforcement officials say they infiltrated the servers of the hack group and extracted a key from there, which ultimately helped to decrypt data and 1,500 networks, including in hospitals, schools and enterprises.

However, the FBI did not immediately share the key with the victims and the company. For about three weeks, the FBI kept the key secret, intending to carry out an operation to eliminate the hack group and not wanting to reveal their cards to the criminals. But the law enforcement officers did not have time: as a result, the REvil infrastructure went offline before the operation began. Then Kaseya was given the key to decrypt the data, and Emsisoft experts prepared a special tool for the victims.

Journalists note that due to the resulting delay, it was already too late for many of the victims. For example, the publication quotes a representative of JustTech, which is one of the clients of MSP Kaseya.

The company spent more than a month restoring the systems of its customers, as restoring from backups or replacing the system is an expensive and time-consuming process:

Swedish grocery chain Coop, also affected by the attack, said it still does not know how much it would cost to temporarily close its stores:

The post FBI Kept Secret Key To Decrypt Data After REvil Attacks appeared first on Gridinsoft Blog.

The tool works for any data encrypted before July 13, 2021.

However, the company has so far refused to provide any details, citing an ongoing investigation.

Let me remind you that on July 13 of this year the entire REvil infrastructure went offline without explanation. Then it was a question of shutting down an entire network of regular and darknet sites that were used to negotiate a ransom, drain data stolen from victims, as well as the internal infrastructure of the ransomware.

Not long before that, in early July 2021, REvil operators carried out a large-scale attack on the customers of the well-known MSP solution provider Kaseya. As a result, the cybercriminals deployed the ransomware in thousands of corporate networks. In addition, shortly before the attack on customers, Kaseya REvil hit the front pages of many publications as it attacked JBS, the world’s largest supplier of beef and poultry, as well as the second largest producer of pork. The company operates in the USA, Australia, Canada, Great Britain and so on, serving clients from 190 countries around the world.

As a result, US President Joe Biden in a telephone conversation called on Russian President Vladimir Putin to stop the attacks of ransomware hackers operating from the territory of the Russian Federation. Biden said that if Russia does not take action after that, the United States will be forced to take it on its own.

Shortly thereafter, REvil went offline for several months, and only returned to service on September 7, 2021. According to information security companies, REvil operators re-activated their old sites, created new profiles on the forums.

At the same time, Kaseya somehow obtained a universal key to decrypt its customers’ data. Then some experts suggested that Russian law enforcement officers received the decryption key from the attackers and handed it over to the FBI as a gesture of goodwill.

Now Bleeping Computer writes that until September 9 there was no evidence of new attacks and that REvil has fully resumed its activity. However, late last week, someone uploaded a new REvil sample to VirusTotal, dated September 4th. And shortly thereafter, the hackers published screenshots of the data stolen from the new victim on their website on the darknet.

The post Added utility for decrypting data after REvil attacks appeared first on Gridinsoft Blog.