Kaseya Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.

US authorities arrest Kaseya hacker and attacker associated with REvil and GandCrab
https://gridinsoft.com/blogs/us-authorities-arrest-kaseya-hacker/
Tue, 09 Nov 2021 18:03:44 +0000
Law enforcement agencies, as well as European and American authorities, have taken up the fight against ransomware in earnest and the other day they arrested a Kaseya hacker.

However, over the past few days, several important events have taken place at once.

Operation Cyclone, which was carried out by Interpol, the law enforcement agencies of Ukraine and the United States, lasted more than 30 months and was aimed at fighting Clop ransomware (aka Cl0p). As part of this operation, six Ukrainian citizens were arrested in June 2021.

The US Department of Justice has also indicted Yaroslav Vasinsky, a 22-year-old citizen of Ukraine, who is suspected of organizing a ransomware attack on Kaseya’s servers in July this year.

The suspect was detained last month under a US warrant. He was arrested by the Polish authorities at the border between Ukraine and Poland.

Let me remind you that in early July, customers of the MSP solution provider Kaseya suffered from a large-scale attack by the ransomware REvil (Sodinokibi). Then the hackers used 0-day vulnerabilities in the company’s product (VSA) and through them attacked Kaseya’s customers. Currently, patches have already been released for these vulnerabilities.

The main problem was that most of the affected VSA servers were used by MSP providers, that is, companies that manage the infrastructure of other customers. This means that the cybercriminals have deployed the ransomware in thousands of corporate networks. According to official figures, the compromise affected about 60 Kaseya clients, through whose infrastructure hackers were able to encrypt approximately 800-1500 corporate networks.

As the authorities now say, Vasinsky was known online under the nickname MrRabotnik (as well as Profcomserv, Rabotnik, Rabotnik_New, Yarik45, Yaraslav2468, and Affiliate 22) and since 2019 has hacked companies around the world (carrying out at least 2,500 attacks), deploying REvil malware in their infrastructure.

To recover their files, the victims had to pay a ransom to the REvil hack group, and Vasinsky received a significant portion of this “profit”. The Justice Department said the hacker “earned” $2.3 million, demanding more than $760 million from companies in total.


In addition to Vasinsky, the US Department of Justice also indicted a second suspect, who also collaborated with the REvil hack group. In court documents, this person appears as a 28-year-old Russian citizen, Yevgeny Polyanin (aka LK4D4, Damnating, damn2Life, Noolleds, Antunpitre, Affiliate 23). He also reportedly worked with REvil as an affiliate, hacking companies on behalf of the group.

According to authorities, Polyanin hacked into the network of TSM Consulting, a managed service provider based in Texas, from where he deployed REvil malware on the intranets of at least 20 local government agencies on August 16, 2019.

Although Polyanin is still at large and wanted by the FBI, the Justice Department says that specialists managed to seize $6.1 million worth of cryptocurrency that the suspect had kept in an FTX account.


This week, Europol announced the arrest of seven suspects who worked as partners of the REvil (Sodinokibi) and GandCrab ransomware, and have helped carry out more than 7,000 ransomware attacks since the beginning of 2019. Experts from Bitdefender, KPN and McAfee also took part in the operation.

Let me remind you that, according to information security specialists, REvil and GandCrab are run by the same people who created the malware and offered it to other criminals for rent.

As we previously reported, the US government has also offered a $10,000,000 reward for any information that could lead to the identification or arrest of members of the DarkSide hack group.

REvil ransomware stopped working again, now after hacking sites
https://gridinsoft.com/blogs/revil-stopped-working-again/
Mon, 18 Oct 2021 16:04:44 +0000
The REvil encryptor stopped working again – all operations were stopped, as an unknown person hacked the group’s website, through which hackers accepted payments from victims and “leaked” data stolen from companies.

Bleeping Computer reports that all Tor sites of the group have been disabled, and a representative of REvil posted a message on the XSS hacker forum that someone had taken over the attacker’s domains.


Recorded Future specialist Dmitry Smilyanets was the first to notice this message. He reported that an unknown person had seized the hackers' onion domains using the same private keys as the REvil websites. Reportedly, the unknown person appeared to have access to backups of the hack group's sites.

“Since today, someone brought up the hidden services of the landing page and blog with the same keys as ours, so my fears were confirmed. The third party has backups with keys from onion-services,” writes a REvil representative under the nickname 0_neday on the forum.

The fact is that to start an onion domain, a user needs to generate a private/public key pair, which is used to initialize the hidden service. The private key must be protected and available only to administrators, as anyone who has access to it can use it to run the same onion service on their own server. Since the third party was able to take over the REvil domains, this means that it also had access to the group’s private keys.

Although at first the hackers did not find any signs that the servers had been compromised, they still decided to stop operations. The group’s affiliates were asked to contact the REvil operators through Tox to obtain decryption keys.

This is done so that the affiliates can continue the extortion on their own and provide victims with a decryptor if they pay the ransom.

Later, 0_neday reported that the group’s server had been compromised and that an unknown attacker was targeting REvil.


Bleeping Computer notes that this time, REvil has probably stopped working completely. The fact is that recently the ransomware has already “disappeared from the radar” after scandalous attacks on clients of the well-known MSP solution provider Kaseya and JBS, the world’s largest supplier of beef and poultry, as well as the second largest pork producer.

Although REvil eventually returned a few months later, some cybercriminals and information security experts believed that the FBI or other law enforcement agencies had gained access to the group’s servers and controlled them since the restart. After all, while REvil was inactive, Kaseya somehow obtained a universal key to decrypt its customers’ data.

Then, many believed that Russian law enforcement officers had received the decryption key from the attackers themselves and handed it over to the FBI as a gesture of goodwill. But it seems that this is not so: the FBI said it has no evidence that Russia is doing anything to fight cybercriminals.

In addition, in the past, a member of the group known as Unknown or UNKN has posted advertisements or the latest news about REvil operations on hacker forums. After restarting the operations of the ransomware, he disappeared, and the hackers themselves wrote that Unknown was probably arrested. What happened to him is still not known for certain; according to journalists, the current hack may be associated with Unknown and his attempts to regain control.

It is also important that after the restart, REvil’s reputation suffered, and the ransomware operators tried to attract new partners by any means. It got to the point that they offered a commission increase of up to 90%, just to encourage other attackers to work with them.

FBI Kept Secret Key To Decrypt Data After REvil Attacks
https://gridinsoft.com/blogs/fbi-kept-secret-key-to-decrypt-data-after-revil-attacks/
Wed, 22 Sep 2021 16:11:48 +0000
Journalists of The Washington Post found out how the FBI obtained the key to decrypt data affected by the REvil ransomware attacks.

First, the background should be recalled: last week Bitdefender published a universal utility for decrypting files affected by attacks of the REvil (Sodinokibi) ransomware. The tool works for any data encrypted before July 13, 2021.

At the time, experts reported that the tool was created in collaboration with “trusted law enforcement partners,” but the company declined to disclose any details, citing an ongoing investigation. According to people familiar with the matter, the partner was not the FBI.

July 13 is mentioned above for a reason, as on this day the entire REvil infrastructure went offline without explanation. The hacker group completely “disappeared from the radar” for a while, and as a result, many companies were left without the ability to recover their data, even if they were willing to pay the hackers a ransom.

It is important that not long before this, in early July 2021, REvil operators carried out a large-scale attack on the customers of the well-known MSP solution provider Kaseya. As a result, the cybercriminals deployed the ransomware in thousands of corporate networks, and law enforcement agencies and authorities became very interested in the hackers.

Then, when the group had already “disappeared”, representatives of the affected company, Kaseya, unexpectedly announced that they had a universal key to decrypt customer data. At the time the company refused to disclose where this tool came from, limiting itself to a vague “from a trusted third party.”

However, the company assured that it is universal and suitable for all affected MSPs and their clients. Moreover, before sharing the tool with clients, Kaseya required them to sign a non-disclosure agreement.

As the Washington Post now reports, the assumptions of many cybersecurity experts were correct: Kaseya really did receive the key from FBI representatives. Law enforcement officials say they infiltrated the servers of the hack group and extracted a key from there, which ultimately helped decrypt data on 1,500 networks, including in hospitals, schools and enterprises.

However, the FBI did not immediately share the key with the victims and the company. For about three weeks, the FBI kept the key secret, intending to carry out an operation to eliminate the hack group and not wanting to reveal their cards to the criminals. But the law enforcement officers did not have time: as a result, the REvil infrastructure went offline before the operation began. Then Kaseya was given the key to decrypt the data, and Emsisoft experts prepared a special tool for the victims.

“We make these decisions collectively, not unilaterally. These are challenging decisions designed to have maximum impact, and fighting such adversaries takes time, which we spend on mobilizing resources not only across the country but around the world,” FBI Director Christopher Wray told Congress.

Journalists note that due to the resulting delay, it was already too late for many of the victims. For example, the publication quotes a representative of JustTech, which is one of the clients of MSP Kaseya.

The company spent more than a month restoring the systems of its customers, as restoring from backups or replacing the system is an expensive and time-consuming process:

“There were more and more people who cried on the phone, asking how to continue their work. One person said, ‘Should I just retire? Should I just fire all my employees?’”

Swedish grocery chain Coop, also affected by the attack, said it still does not know how much it would cost to temporarily close its stores:

“We had to close about 700 stores and it took six days for all of them to reopen. The financial impact of what happened depends on several factors, including lost sales, as well as insurance, and the extent to which it will cover what happened.”

Servers of the hack group REvil are back online
https://gridinsoft.com/blogs/servers-of-the-revil-are-back-online/
Wed, 08 Sep 2021 22:11:31 +0000
In July 2021, the infrastructure of REvil (Sodinokibi) was turned off without explanation, but now the information security specialists have noticed that the REvil servers are back online.

This concerned a whole network of clearnet and darknet sites that were used to negotiate ransoms and leak data stolen from victims, as well as the internal infrastructure of the ransomware.

Not long before that, in early July of this year, REvil operators carried out a large-scale attack on the customers of the well-known MSP solution provider Kaseya. For the attack, the hackers used 0-day vulnerabilities in the company’s product (VSA).

The problem was that most of the affected VSA servers were used by MSP providers, that is, companies that manage the infrastructure of other customers. This means that the cybercriminals have deployed the ransomware in thousands of corporate networks.

“According to official figures, the compromise affected about 60 Kaseya clients, through whose infrastructure the hackers were able to encrypt approximately 800-1500 corporate networks,” the media reported.

After this attack, the hackers demanded a ransom of $70 million, and then promised to publish a universal decryptor that can unlock all computers. The group soon “lowered the bar” to $50 million.

In addition, shortly before the attack on Kaseya’s customers, REvil hit the front pages of many publications as it attacked JBS, the world’s largest supplier of beef and poultry, as well as the second largest producer of pork. The company operates in the USA, Australia, Canada, Great Britain and elsewhere, serving clients from 190 countries around the world. REvil also attacked the electronics manufacturer Acer.

Since it has long been known that REvil is a Russian-speaking hack group, US President Joe Biden in a telephone conversation asked Russian President Vladimir Putin to stop the attacks of ransomware hackers operating from the territory of the Russian Federation. Biden said that if Russia does not take action after that, the United States will be forced to take it on its own.

After the entire infrastructure of the hack group was shut down, many experts believed that the group had broken up and would now rebrand, in an attempt to confuse law enforcement agencies and information security companies in the United States.

At the same time, Kaseya somehow obtained a universal key to decrypt its customers’ data. Then some experts suggested that Russian law enforcement officers received the decryption key from the attackers and handed it over to the FBI as a gesture of goodwill.

Now, almost two months after the shutdown, experts at Recorded Future and Emsisoft have noticed that the group’s blog and site where REvil operators used to post lists of victims who refused to negotiate and pay the ransom are back online.


The last update on the site was dated July 8, 2021, that is, no new data and messages were published. It is currently unknown if this means that the hack group is back to work, the servers were turned on again by mistake, or if it has something to do with the actions of law enforcement agencies.

Let me also remind you that I previously wrote about a REvil spokesman boasting that the hackers have access to ballistic missile launch systems.
