Bleeping Computer reports that all Tor sites of the group have been disabled, and a representative of REvil posted a message on the XSS hacker forum that someone had taken over the attacker’s domains.

Recorded Future specialist Dmitry Smilyanets was the first to notice this message. He reported that an unknown person had seized onion domains of hackers using the same private keys as the REvil websites. As have been said, the unknown person seemed to have access to the backups of the hack group’s sites.

The fact is that to start an onion domain, user needs to generate a pair of private and public keys, which is used to initialize the service. The private key must be protected and only available to administrators, as anyone who has access to it can use it to run the same onion service on their own server. Since the third party was able to take over the REvil domains, this means that it also had access to the group’s private keys.

Although at first the hackers did not find any signs of compromising the servers, they still decided to stop the operations. The group’s partners were asked to contact the REvil operators through Tox to obtain decryption keys.

This is done so that the partners can continue the extortion on their own and provide the victims with a decoder if they pay the ransom.

Later, 0_neday reported that the grouping server had been compromised, and an unknown attacker was targeting REvil.

Bleeping Computer notes that this time, REvil has probably stopped working completely. The fact is that recently the ransomware has already “disappeared from the radar” after scandalous attacks on clients of the well-known MSP solution provider Kaseya and JBS, the world’s largest supplier of beef and poultry, as well as the second largest pork producer.

Although REvil eventually returned a few months later, some cybercriminals and information security experts believed that the FBI or other law enforcement agencies had gained access to the group’s servers and controlled them since the restart. After all, while REvil was inactive, Kaseya somehow obtained a universal key to decrypt its customers’ data.

Then, many believed that Russian law enforcement officers received the decryption key from the attackers themselves and handed it over to the FBI as a gesture of goodwill. But it seems that this is not so: the FBI said that they have no evidence that in Russia they are somehow fighting cyber intruders.

In addition, in the past, a member of the group known as Unknown or UNKN has posted advertisements or the latest news about REvil operations on hacker forums. After restarting the operations of the ransomware, he disappeared, and the hackers themselves wrote that Unknown was probably arrested. What happened to him is still not known for certain; according to journalists, the current hack may be associated with Unknown and his attempts to regain control.

It is also important that after the restart, REvil’s reputation suffered, and the ransomware operators tried to attract new partners by any means. It got to the point that they offered a commission increase of up to 90%, just to encourage other attackers to work with them.

The post REvil ransomware stopped working again, now after hacking sites appeared first on Gridinsoft Blog.

A press release from the Ukrainian cyber police states that the authorities have arrested a 25-year-old resident of Kiev. Searches were carried out at the place of residence of the suspect and in the homes of his relatives, as a result of which computer equipment, mobile phones, vehicles, more than $ 360,000 in cash were seized, and about $1.3 million in cryptocurrency were blocked.

In turn, Europol reports the arrest of two hackers who have been active since April 2020. At the same time, it is emphasized that this group “is known for its extortionate demands for a ransom from 5 to 70 million euros.”

Due to the mention of such large ransom amounts, some information security experts suggested that two suspects may be associated with the ransomware group REvil.

Let me remind you that the Cyber Police of Ukraine arrested persons linked with the Clop ransomware.

The post Ukrainian cyber police arrested ransomware operators who “earned” $150 million appeared first on Gridinsoft Blog.

Their partners ended up with nothing.

Let me remind you that REvil (aka Sodinokibi) has existed since 2019 and is considered to be the heir of the GandCrab ransomware. The ransomware operates according to the Ransomware-as-a-Service (RaaS, ransomware-as-a-Service) scheme, that is, malware developers deal directly with malware and payment sites, and their hired partners hack victims’ networks and encrypt devices. As a result, the ransom payments are distributed between the hack group itself and its partners, with the latter usually receiving 70-80% of the total.

Evgeny Boguslavsky, a specialist at Advanced Intel, told reporters that since at least 2020, there have been rumours on hacker forums that the creators of REvil often negotiate with victims in secret chats, while their partners do not even know about it. These rumours began to appear more often after the sudden disappearance of the ransomware DarkSide and Avaddon (the operators of the latter generally published decryption keys for their victims).

According to Boguslavsky, REvil administrators sometimes create a second chat, identical to the one that their partners use to negotiate with the victim. When negotiations reach a critical point, the creators of REvil step in and portray a victim who supposedly abruptly breaks off negotiations, refusing to pay the ransom. In fact, the REvil authors themselves continue negotiations with the victims, take the entire ransom and leave their partners with nothing.

Recently, these rumours have become more substantiated, as the reverse engineer reported on hack forums that the REvil malware, which RaaS operators provide to their partners for deployment on victims’ networks, contains a “cryptobackdoor”. The discovery came after Bitdefender released a versatile tool to decrypt data after the REvil attacks.

Interestingly, full control over what is happening and the ability to decrypt any system is a practice that other ransomware uses as well. So, Boguslavsky says that, according to rumours, the DarkSide operators worked the same way. After rebranding to BlackMatter, the attackers openly announced this practice, making everyone understand that they reserve the right to take over negotiations at any time without giving any reason.

The head of Advanced Intelligence, Vitaly Kremez, told Bleeping Computer that the latest REvil samples that have appeared recently, after the group restored activity, no longer has a master key that would allow decrypting any system that was blocked by REvil.

The post Hack group REvil deceived their partners due to a backdoor appeared first on Gridinsoft Blog.

The tool works for any data encrypted before July 13, 2021.

However, the company has so far refused to provide any details, citing an ongoing investigation.

Let me remind you that on July 13 of this year the entire REvil infrastructure went offline without explanation. Then it was a question of shutting down an entire network of regular and darknet sites that were used to negotiate a ransom, drain data stolen from victims, as well as the internal infrastructure of the ransomware.

Not long before that, in early July 2021, REvil operators carried out a large-scale attack on the customers of the well-known MSP solution provider Kaseya. As a result, the cybercriminals deployed the ransomware in thousands of corporate networks. In addition, shortly before the attack on customers, Kaseya REvil hit the front pages of many publications as it attacked JBS, the world’s largest supplier of beef and poultry, as well as the second largest producer of pork. The company operates in the USA, Australia, Canada, Great Britain and so on, serving clients from 190 countries around the world.

As a result, US President Joe Biden in a telephone conversation called on Russian President Vladimir Putin to stop the attacks of ransomware hackers operating from the territory of the Russian Federation. Biden said that if Russia does not take action after that, the United States will be forced to take it on its own.

Shortly thereafter, REvil went offline for several months, and only returned to service on September 7, 2021. According to information security companies, REvil operators re-activated their old sites, created new profiles on the forums.

At the same time, Kaseya somehow obtained a universal key to decrypt its customers’ data. Then some experts suggested that Russian law enforcement officers received the decryption key from the attackers and handed it over to the FBI as a gesture of goodwill.

Now Bleeping Computer writes that until September 9 there was no evidence of new attacks and that REvil has fully resumed its activity. However, late last week, someone uploaded a new REvil sample to VirusTotal, dated September 4th. And shortly thereafter, the hackers published screenshots of the data stolen from the new victim on their website on the darknet.

The post Added utility for decrypting data after REvil attacks appeared first on Gridinsoft Blog.

The fact is that in July 2021, the hack group went offline without giving any reason. Then it was a question of shutting down an entire network of conventional and darknet sites that were used to negotiate a ransom, drain data stolen from victims, as well as the internal infrastructure of the ransomware.

Let me remind you that not long before this, in early July 2021, REvil operators carried out a large-scale attack on the customers of the well-known MSP solution provider Kaseya. For the attack, the hackers used 0-day vulnerabilities in the company’s product (VSA).

The problem was that most of the affected VSA servers were used by MSP providers, that is, companies that manage the infrastructure of other customers. This means that the cybercriminals have deployed the ransomware in thousands of corporate networks.

According to official figures, the compromise affected about 60 Kaseya clients, through whose infrastructure hackers were able to encrypt approximately 800-1500 corporate networks.

In addition, shortly before the attack on customers, Kaseya REvil hit the front pages of many publications as it attacked JBS, the world’s largest supplier of beef and poultry, as well as the second largest producer of pork. The company operates in the USA, Australia, Canada, Great Britain and so on, serving clients from 190 countries around the world.

Since it has long been known that REvil is a Russian-speaking hack group, US President Joe Biden in a telephone conversation called on Russian President Vladimir Putin to stop the attacks of ransomware hackers operating from the territory of the Russian Federation. Biden said that if Russia does not take action after that, the United States will be forced to take it on its own.

After shutting down the entire infrastructure of the hack group, many experts believed that the group had broken up and will now rebrand, in an attempt to confuse law enforcement agencies and information security companies in the United States. At the same time, Kaseya somehow obtained a universal key to decrypt its customers’ data. Then some suggested that Russian law enforcement officers received the decryption key from the attackers and handed it over to the FBI as a gesture of goodwill.

Now Bleeping Computer writes that until September 9 there was no evidence of new attacks and that REvil was fully resumed. However, late last week, someone uploaded a new REvil sample to VirusTotal, dated September 4th. And shortly thereafter, the hackers published screenshots of the data stolen from the new victim on their website on the darknet.

The publication also notes that in the past, a representative of the group, known under the nicknames Unknown or UNKN, published advertisements or the latest news about REvil operations on hacker forums. Now a new representative of the ransomware, who registered on these sites as REvil, returned to these publications and explained that, according to the hack group, Unknown was arrested and the group’s servers were compromised.

However, Bleeping Computer’s own sources told the media that REvil’s disappearance came as a surprise to law enforcement. For example, the publication provides a screenshot of a chat between an information security researcher and a representative of REvil, where the latter says that the ransomware operators simply took a break.

Let me also remind you that we wrote that REvil operators blackmailed Apple.

The post REvil ransomware resumed attacks appeared first on Gridinsoft Blog.

The hackers claim to have obtained data on Apple products after the Taiwanese company Quanta Computer was hacked. It is the world’s largest laptop manufacturer and also one of the few companies that assembles Apple products based on designs and circuits provided to them (including the Watch, Apple Macbook Air, and Apple Macbook Pro). Quanta Computer has a long list of well-known clients including Apple, Dell, Hewlett-Packard, Alienware, Lenovo, Cisco, and Microsoft.

On its darknet site, the attackers posted a ransomware message addressed to Quanta Computer, claiming that the company must pay $ 50,000,000 by April 27, or $100,000,000 after that date. Otherwise, REvil operators threatened to release more than a dozen diagrams and drawings of MacBook components into the public domain (although they do not seem to be related to new Apple products).

In a special chat for negotiations with the affected company, the hackers warned that “blueprints of all Apple devices and all personal data of employees and customers will be published and sold” if Quanta Computer does not start negotiations for a buyout.

Since the representatives of the hacked company refused to pay after the end of the allocated time, the REvil operators really began to publish the schemes on their website. Apparently, the hackers decided that it might be more profitable to blackmail Apple, one of Quanta Computer’s main customers.

Recorded Future analysts say this is the first major incident in which hackers have publicly requested a ransom from a victim’s client:

The attackers’ site has now posted 21 screenshots of Macbook diagrams, and the attackers promise to publish new data every day until Apple or Quanta Computer agree to pay the ransom.

In addition, the official representative of REvil, known as UNKN, calls this leak “the loudest attack in history.”

The Record notes that the hackers have timed their ransomware activity to the Spring Loaded event held yesterday. At this presentation, Apple announced new products and software updates.

Apple representatives contacted by reporters say that the company is investigating the incident and has not yet commented on what happened. The press has not yet been able to contact a representative of Quanta Computer.

Although this is a quite loud attack on the electronic giant, it is far from the first. Let me remind you that I said that Attackers again deceived Apple’s notarization process, and also that Shlayer malware bypassed Apple security checks.

The post REvil operators are blackmailing Apple appeared first on Gridinsoft Blog.