REvil operators Archives – Gridinsoft Blog Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe. Thu, 21 Apr 2022 21:07:41 +0000 en-US hourly 1 https://wordpress.org/?v=92297 200474804 REvil ransomware stopped working again, now after hacking sites https://gridinsoft.com/blogs/revil-stopped-working-again/ https://gridinsoft.com/blogs/revil-stopped-working-again/#respond Mon, 18 Oct 2021 16:04:44 +0000 https://blog.gridinsoft.com/?p=6021 The REvil encryptor stopped working again – all operations were stopped, as an unknown person hacked the group’s website, through which hackers accepted payments from victims and “leaked” data stolen from companies. Bleeping Computer reports that all Tor sites of the group have been disabled, and a representative of REvil posted a message on the… Continue reading REvil ransomware stopped working again, now after hacking sites

The post REvil ransomware stopped working again, now after hacking sites appeared first on Gridinsoft Blog.

]]>
The REvil encryptor stopped working again – all operations were stopped, as an unknown person hacked the group’s website, through which hackers accepted payments from victims and “leaked” data stolen from companies.

Bleeping Computer reports that all Tor sites of the group have been disabled, and a representative of REvil posted a message on the XSS hacker forum that someone had taken over the attacker’s domains.

REvil stopped working again

Recorded Future specialist Dmitry Smilyanets was the first to notice this message. He reported that an unknown person had seized onion domains of hackers using the same private keys as the REvil websites. As have been said, the unknown person seemed to have access to the backups of the hack group’s sites.

Since today, someone brought up the hidden services of the landing page and blog with the same keys as ours, so my fears were confirmed. The third party has backups with keys from onion-services.writes a REvil representative under the nickname 0_neday on the forum.

The fact is that to start an onion domain, user needs to generate a pair of private and public keys, which is used to initialize the service. The private key must be protected and only available to administrators, as anyone who has access to it can use it to run the same onion service on their own server. Since the third party was able to take over the REvil domains, this means that it also had access to the group’s private keys.

Although at first the hackers did not find any signs of compromising the servers, they still decided to stop the operations. The group’s partners were asked to contact the REvil operators through Tox to obtain decryption keys.

This is done so that the partners can continue the extortion on their own and provide the victims with a decoder if they pay the ransom.

Later, 0_neday reported that the grouping server had been compromised, and an unknown attacker was targeting REvil.

REvil stopped working again

Bleeping Computer notes that this time, REvil has probably stopped working completely. The fact is that recently the ransomware has already “disappeared from the radar” after scandalous attacks on clients of the well-known MSP solution provider Kaseya and JBS, the world’s largest supplier of beef and poultry, as well as the second largest pork producer.

Although REvil eventually returned a few months later, some cybercriminals and information security experts believed that the FBI or other law enforcement agencies had gained access to the group’s servers and controlled them since the restart. After all, while REvil was inactive, Kaseya somehow obtained a universal key to decrypt its customers’ data.

Then, many believed that Russian law enforcement officers received the decryption key from the attackers themselves and handed it over to the FBI as a gesture of goodwill. But it seems that this is not so: the FBI said that they have no evidence that in Russia they are somehow fighting cyber intruders.

In addition, in the past, a member of the group known as Unknown or UNKN has posted advertisements or the latest news about REvil operations on hacker forums. After restarting the operations of the ransomware, he disappeared, and the hackers themselves wrote that Unknown was probably arrested. What happened to him is still not known for certain; according to journalists, the current hack may be associated with Unknown and his attempts to regain control.

It is also important that after the restart, REvil’s reputation suffered, and the ransomware operators tried to attract new partners by any means. It got to the point that they offered a commission increase of up to 90%, just to encourage other attackers to work with them.

The post REvil ransomware stopped working again, now after hacking sites appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/revil-stopped-working-again/feed/ 0 6021
Ukrainian cyber police arrested ransomware operators who “earned” $150 million https://gridinsoft.com/blogs/ukrainian-cyber-police-arrested-ransomware-operators/ https://gridinsoft.com/blogs/ukrainian-cyber-police-arrested-ransomware-operators/#respond Mon, 04 Oct 2021 12:43:18 +0000 https://blog.gridinsoft.com/?p=5985 Ukrainian Cyber Police have arrested two operators of an unnamed ransomware. It is reported that the operation was carried out jointly by the Ukrainian and French police, the FBI, Europol and Interpol. The suspects are believed to have been involved in attacks on 100 North American and European companies, “earning” in this way over $… Continue reading Ukrainian cyber police arrested ransomware operators who “earned” $150 million

The post Ukrainian cyber police arrested ransomware operators who “earned” $150 million appeared first on Gridinsoft Blog.

]]>
Ukrainian Cyber Police have arrested two operators of an unnamed ransomware. It is reported that the operation was carried out jointly by the Ukrainian and French police, the FBI, Europol and Interpol. The suspects are believed to have been involved in attacks on 100 North American and European companies, “earning” in this way over $ 150 million.

A press release from the Ukrainian cyber police states that the authorities have arrested a 25-year-old resident of Kiev. Searches were carried out at the place of residence of the suspect and in the homes of his relatives, as a result of which computer equipment, mobile phones, vehicles, more than $ 360,000 in cash were seized, and about $1.3 million in cryptocurrency were blocked.

In total, the hacker attacked more than 100 foreign companies in North America and Europe. Among the victims are world-famous energy and tourism companies, as well as equipment developers. The hacker demanded a ransom to restore access to the encrypted data. The damage caused to the victims reaches $ 150 million.Cyber Police of Ukraine reports.

In turn, Europol reports the arrest of two hackers who have been active since April 2020. At the same time, it is emphasized that this group “is known for its extortionate demands for a ransom from 5 to 70 million euros.”

The organised crime group is suspected of having committed a string of targeted attacks against very large industrial groups in Europe and North America from April 2020 onwards. The criminals would deploy malware and steal sensitive data from these companies, before encrypting their files.Europol reports.

Due to the mention of such large ransom amounts, some information security experts suggested that two suspects may be associated with the ransomware group REvil.

That certainly sounds like REvil ransomware. The Kaseya ransom demand was famously $70 Million, and the average person may think REvil started in April 2020, with the famous hack of Grubman Shire Meiselas & Sacks happening about that time. For malware researchers, the timeline wouldn’t work, as REvil/Sodinokibi was being discussed as early as April 2019 by research teams like @cybereason and their @CR_Nocturnus team – but again – “the public” may not consider that to be the start.For example, @GarWarner, researcher of Malware, Terrorism & Social Networks of Criminals writes.

Let me remind you that the Cyber Police of Ukraine arrested persons linked with the Clop ransomware.

The post Ukrainian cyber police arrested ransomware operators who “earned” $150 million appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/ukrainian-cyber-police-arrested-ransomware-operators/feed/ 0 5985
Hack group REvil deceived their partners due to a backdoor https://gridinsoft.com/blogs/hack-group-revil-deceived-their-partners/ https://gridinsoft.com/blogs/hack-group-revil-deceived-their-partners/#respond Thu, 23 Sep 2021 21:45:42 +0000 https://blog.gridinsoft.com/?p=5952 The researchers found that the creators of REvil deceived their partners using a scheme that allowed them to decrypt any systems blocked by the ransomware and take the entire ransom for themselves. Their partners ended up with nothing. Let me remind you that REvil (aka Sodinokibi) has existed since 2019 and is considered to be… Continue reading Hack group REvil deceived their partners due to a backdoor

The post Hack group REvil deceived their partners due to a backdoor appeared first on Gridinsoft Blog.

]]>
The researchers found that the creators of REvil deceived their partners using a scheme that allowed them to decrypt any systems blocked by the ransomware and take the entire ransom for themselves.

Their partners ended up with nothing.

Such rumors have been circulating on hacker forums for a long time, but recently they were confirmed by cybersecurity researchers and malware developers. the Bleeping Computer media reports.

Let me remind you that REvil (aka Sodinokibi) has existed since 2019 and is considered to be the heir of the GandCrab ransomware. The ransomware operates according to the Ransomware-as-a-Service (RaaS, ransomware-as-a-Service) scheme, that is, malware developers deal directly with malware and payment sites, and their hired partners hack victims’ networks and encrypt devices. As a result, the ransom payments are distributed between the hack group itself and its partners, with the latter usually receiving 70-80% of the total.

Evgeny Boguslavsky, a specialist at Advanced Intel, told reporters that since at least 2020, there have been rumours on hacker forums that the creators of REvil often negotiate with victims in secret chats, while their partners do not even know about it. These rumours began to appear more often after the sudden disappearance of the ransomware DarkSide and Avaddon (the operators of the latter generally published decryption keys for their victims).

People who worked with REvil took part in these discussions, for example, the group’s partners who provided hackers with access to other people’s networks, ‘penetration testing’ services, VPN specialists, and so on.the expert said.

According to Boguslavsky, REvil administrators sometimes create a second chat, identical to the one that their partners use to negotiate with the victim. When negotiations reach a critical point, the creators of REvil step in and portray a victim who supposedly abruptly breaks off negotiations, refusing to pay the ransom. In fact, the REvil authors themselves continue negotiations with the victims, take the entire ransom and leave their partners with nothing.

Recently, these rumours have become more substantiated, as the reverse engineer reported on hack forums that the REvil malware, which RaaS operators provide to their partners for deployment on victims’ networks, contains a “cryptobackdoor”. The discovery came after Bitdefender released a versatile tool to decrypt data after the REvil attacks.

Interestingly, full control over what is happening and the ability to decrypt any system is a practice that other ransomware uses as well. So, Boguslavsky says that, according to rumours, the DarkSide operators worked the same way. After rebranding to BlackMatter, the attackers openly announced this practice, making everyone understand that they reserve the right to take over negotiations at any time without giving any reason.

The head of Advanced Intelligence, Vitaly Kremez, told Bleeping Computer that the latest REvil samples that have appeared recently, after the group restored activity, no longer has a master key that would allow decrypting any system that was blocked by REvil.

The post Hack group REvil deceived their partners due to a backdoor appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/hack-group-revil-deceived-their-partners/feed/ 0 5952
Added utility for decrypting data after REvil attacks https://gridinsoft.com/blogs/added-utility-for-decrypting-data-after-revil-attacks/ https://gridinsoft.com/blogs/added-utility-for-decrypting-data-after-revil-attacks/#respond Fri, 17 Sep 2021 16:13:51 +0000 https://blog.gridinsoft.com/?p=5934 The Romanian company Bitdefender has published a universal utility for decrypting data affected by REvil (Sodinokibi) ransomware attacks. The tool works for any data encrypted before July 13, 2021. However, the company has so far refused to provide any details, citing an ongoing investigation. Let me remind you that on July 13 of this year… Continue reading Added utility for decrypting data after REvil attacks

The post Added utility for decrypting data after REvil attacks appeared first on Gridinsoft Blog.

]]>
The Romanian company Bitdefender has published a universal utility for decrypting data affected by REvil (Sodinokibi) ransomware attacks.

The tool works for any data encrypted before July 13, 2021.

However, the company has so far refused to provide any details, citing an ongoing investigation.

Let me remind you that on July 13 of this year the entire REvil infrastructure went offline without explanation. Then it was a question of shutting down an entire network of regular and darknet sites that were used to negotiate a ransom, drain data stolen from victims, as well as the internal infrastructure of the ransomware.

Not long before that, in early July 2021, REvil operators carried out a large-scale attack on the customers of the well-known MSP solution provider Kaseya. As a result, the cybercriminals deployed the ransomware in thousands of corporate networks. In addition, shortly before the attack on customers, Kaseya REvil hit the front pages of many publications as it attacked JBS, the world’s largest supplier of beef and poultry, as well as the second largest producer of pork. The company operates in the USA, Australia, Canada, Great Britain and so on, serving clients from 190 countries around the world.

As a result, US President Joe Biden in a telephone conversation called on Russian President Vladimir Putin to stop the attacks of ransomware hackers operating from the territory of the Russian Federation. Biden said that if Russia does not take action after that, the United States will be forced to take it on its own.

Shortly thereafter, REvil went offline for several months, and only returned to service on September 7, 2021. According to information security companies, REvil operators re-activated their old sites, created new profiles on the forums.

At the same time, Kaseya somehow obtained a universal key to decrypt its customers’ data. Then some experts suggested that Russian law enforcement officers received the decryption key from the attackers and handed it over to the FBI as a gesture of goodwill.

Now Bleeping Computer writes that until September 9 there was no evidence of new attacks and that REvil has fully resumed its activity. However, late last week, someone uploaded a new REvil sample to VirusTotal, dated September 4th. And shortly thereafter, the hackers published screenshots of the data stolen from the new victim on their website on the darknet.

The post Added utility for decrypting data after REvil attacks appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/added-utility-for-decrypting-data-after-revil-attacks/feed/ 0 5934
REvil ransomware resumed attacks https://gridinsoft.com/blogs/revil-ransomware-resumed-attacks/ https://gridinsoft.com/blogs/revil-ransomware-resumed-attacks/#respond Mon, 13 Sep 2021 16:21:31 +0000 https://blog.gridinsoft.com/?p=5918 Last week, the infrastructure of REvil (Sodinokibi) returned online after months of downtime, and now the ransomware has resumed attacks. The fact is that in July 2021, the hack group went offline without giving any reason. Then it was a question of shutting down an entire network of conventional and darknet sites that were used… Continue reading REvil ransomware resumed attacks

The post REvil ransomware resumed attacks appeared first on Gridinsoft Blog.

]]>
Last week, the infrastructure of REvil (Sodinokibi) returned online after months of downtime, and now the ransomware has resumed attacks.

The fact is that in July 2021, the hack group went offline without giving any reason. Then it was a question of shutting down an entire network of conventional and darknet sites that were used to negotiate a ransom, drain data stolen from victims, as well as the internal infrastructure of the ransomware.

Let me remind you that not long before this, in early July 2021, REvil operators carried out a large-scale attack on the customers of the well-known MSP solution provider Kaseya. For the attack, the hackers used 0-day vulnerabilities in the company’s product (VSA).

The problem was that most of the affected VSA servers were used by MSP providers, that is, companies that manage the infrastructure of other customers. This means that the cybercriminals have deployed the ransomware in thousands of corporate networks.

According to official figures, the compromise affected about 60 Kaseya clients, through whose infrastructure hackers were able to encrypt approximately 800-1500 corporate networks.

In addition, shortly before the attack on customers, Kaseya REvil hit the front pages of many publications as it attacked JBS, the world’s largest supplier of beef and poultry, as well as the second largest producer of pork. The company operates in the USA, Australia, Canada, Great Britain and so on, serving clients from 190 countries around the world.

Since it has long been known that REvil is a Russian-speaking hack group, US President Joe Biden in a telephone conversation called on Russian President Vladimir Putin to stop the attacks of ransomware hackers operating from the territory of the Russian Federation. Biden said that if Russia does not take action after that, the United States will be forced to take it on its own.

After shutting down the entire infrastructure of the hack group, many experts believed that the group had broken up and will now rebrand, in an attempt to confuse law enforcement agencies and information security companies in the United States. At the same time, Kaseya somehow obtained a universal key to decrypt its customers’ data. Then some suggested that Russian law enforcement officers received the decryption key from the attackers and handed it over to the FBI as a gesture of goodwill.

Now Bleeping Computer writes that until September 9 there was no evidence of new attacks and that REvil was fully resumed. However, late last week, someone uploaded a new REvil sample to VirusTotal, dated September 4th. And shortly thereafter, the hackers published screenshots of the data stolen from the new victim on their website on the darknet.

The publication also notes that in the past, a representative of the group, known under the nicknames Unknown or UNKN, published advertisements or the latest news about REvil operations on hacker forums. Now a new representative of the ransomware, who registered on these sites as REvil, returned to these publications and explained that, according to the hack group, Unknown was arrested and the group’s servers were compromised.

However, Bleeping Computer’s own sources told the media that REvil’s disappearance came as a surprise to law enforcement. For example, the publication provides a screenshot of a chat between an information security researcher and a representative of REvil, where the latter says that the ransomware operators simply took a break.

REvil resumed attacks

Let me also remind you that we wrote that REvil operators blackmailed Apple.

The post REvil ransomware resumed attacks appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/revil-ransomware-resumed-attacks/feed/ 0 5918
REvil operators are blackmailing Apple https://gridinsoft.com/blogs/revil-blackmailing-apple/ https://gridinsoft.com/blogs/revil-blackmailing-apple/#respond Wed, 21 Apr 2021 16:09:45 +0000 https://blog.gridinsoft.com/?p=5393 Media reported that REvil ransomware operators are blackmailing Apple and demand a ransom. Otherwise, they threaten to arrange a leak of company’s confidential information. The hackers claim to have obtained data on Apple products after the Taiwanese company Quanta Computer was hacked. It is the world’s largest laptop manufacturer and also one of the few… Continue reading REvil operators are blackmailing Apple

The post REvil operators are blackmailing Apple appeared first on Gridinsoft Blog.

]]>
Media reported that REvil ransomware operators are blackmailing Apple and demand a ransom. Otherwise, they threaten to arrange a leak of company’s confidential information.

The hackers claim to have obtained data on Apple products after the Taiwanese company Quanta Computer was hacked. It is the world’s largest laptop manufacturer and also one of the few companies that assembles Apple products based on designs and circuits provided to them (including the Watch, Apple Macbook Air, and Apple Macbook Pro). Quanta Computer has a long list of well-known clients including Apple, Dell, Hewlett-Packard, Alienware, Lenovo, Cisco, and Microsoft.

On its darknet site, the attackers posted a ransomware message addressed to Quanta Computer, claiming that the company must pay $ 50,000,000 by April 27, or $100,000,000 after that date. Otherwise, REvil operators threatened to release more than a dozen diagrams and drawings of MacBook components into the public domain (although they do not seem to be related to new Apple products).

REvil blackmailing Apple

In a special chat for negotiations with the affected company, the hackers warned that “blueprints of all Apple devices and all personal data of employees and customers will be published and sold” if Quanta Computer does not start negotiations for a buyout.

REvil blackmailing Apple

Since the representatives of the hacked company refused to pay after the end of the allocated time, the REvil operators really began to publish the schemes on their website. Apparently, the hackers decided that it might be more profitable to blackmail Apple, one of Quanta Computer’s main customers.

Recorded Future analysts say this is the first major incident in which hackers have publicly requested a ransom from a victim’s client:

This is a new approach to double extortion and name-and-shame, where an attacker contacts affected third parties after failing to negotiate a ransom with the primary victim.

The attackers’ site has now posted 21 screenshots of Macbook diagrams, and the attackers promise to publish new data every day until Apple or Quanta Computer agree to pay the ransom.

REvil blackmailing Apple

Our team is negotiating the sale of a large amount of confidential drawings and gigabytes of personal data with several major brands. We recommend that Apple buy out the data that we have before May 1.the hackers write.

In addition, the official representative of REvil, known as UNKN, calls this leak “the loudest attack in history.”

The Record notes that the hackers have timed their ransomware activity to the Spring Loaded event held yesterday. At this presentation, Apple announced new products and software updates.

Apple representatives contacted by reporters say that the company is investigating the incident and has not yet commented on what happened. The press has not yet been able to contact a representative of Quanta Computer.

Although this is a quite loud attack on the electronic giant, it is far from the first. Let me remind you that I said that Attackers again deceived Apple’s notarization process, and also that Shlayer malware bypassed Apple security checks.

The post REvil operators are blackmailing Apple appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/revil-blackmailing-apple/feed/ 0 5393