However, over the past few days, several important events have taken place at once.

Operation Cyclone, which was carried out by Interpol, the law enforcement agencies of Ukraine and the United States, lasted more than 30 months and was aimed at fighting Clop ransomware (aka Cl0p). As part of this operation, six Ukrainian citizens were arrested in June 2021.

The US Department of Justice has also indicted Yaroslav Vasinsky, a 22-year-old citizen of Ukraine, who is suspected of organizing a ransomware attack on Kaseya’s servers in July this year.

The suspect was detained last month under a US warrant. He was arrested by the Polish authorities at the border between Ukraine and Poland.

Let me remind you that in early July, customers of the MSP solution provider Kaseya suffered from a large-scale attack by the ransomware REvil (Sodinokibi). Then the hackers used 0-day vulnerabilities in the company’s product (VSA) and through them attacked Kaseya’s customers. Currently, patches have already been released for these vulnerabilities.

The main problem was that most of the affected VSA servers were used by MSP providers, that is, companies that manage the infrastructure of other customers. This means that the cybercriminals have deployed the ransomware in thousands of corporate networks. According to official figures, the compromise affected about 60 Kaseya clients, through whose infrastructure hackers were able to encrypt approximately 800-1500 corporate networks.

As the authorities now say, Vasinsky was known on the network under the nickname MrRabotnik (as well as Profcomserv, Rabotnik, Rabotnik_New, Yarik45, Yaraslav2468, and Affiliate 22) and since 2019 has hacked companies around the world (having made at least 2,500 attacks), implementing to their infrastructure REvil malware.

To recover their files, the victims had to pay a ransom to the REvil hack group, and Vasinsky received a significant portion of this “profit”. The Justice Department said the hacker “earned” $2.3 million, demanding more than $760 million from companies in total.

In addition to Vasinsky, the US Department of Justice also indicted the second suspect, who also collaborated with the REvil hack group. In court documents, this person appears as a 28-year-old citizen of Russia Yevgeny Polyanin (aka LK4D4, Damnating, damn2Life, Noolleds, Antunpitre, Affiliate 23). He also reportedly worked with REvil as a partner, hacking companies on behalf of the group.

According to authorities, Polyanin hacked into the network of TSM Consulting, a managed service provider based in Texas, from where he deployed REvil malware on the intranets of at least 20 local government agencies on August 16, 2019.

Although Polyanin is still at large and wanted by the FBI, the Justice Department says that specialists managed to seize $6.1 million worth of cryptocurrency that the suspect had kept in an FTX account.

This week, Europol announced the arrest of seven suspects who worked as partners of the REvil (Sodinokibi) and GandCrab ransomware, and have helped carry out more than 7,000 ransomware attacks since the beginning of 2019. Experts from Bitdefender, KPN and McAfee also took part in the operation.

Let me remind you that, according to information security specialists, REvil and GandCrab are run by the same people who created the malware and offered it to other criminals for rent.

As we previously reported, the US government has also offered a $10,000,000 reward for any information that could lead to the identification or arrest of members of the DarkSide hack group.

The post US authorities arrest Kaseya hacker and attacker associated with REvil and GandCrab appeared first on Gridinsoft Blog.

Bleeping Computer reports that all Tor sites of the group have been disabled, and a representative of REvil posted a message on the XSS hacker forum that someone had taken over the attacker’s domains.

Recorded Future specialist Dmitry Smilyanets was the first to notice this message. He reported that an unknown person had seized onion domains of hackers using the same private keys as the REvil websites. As have been said, the unknown person seemed to have access to the backups of the hack group’s sites.

The fact is that to start an onion domain, user needs to generate a pair of private and public keys, which is used to initialize the service. The private key must be protected and only available to administrators, as anyone who has access to it can use it to run the same onion service on their own server. Since the third party was able to take over the REvil domains, this means that it also had access to the group’s private keys.

Although at first the hackers did not find any signs of compromising the servers, they still decided to stop the operations. The group’s partners were asked to contact the REvil operators through Tox to obtain decryption keys.

This is done so that the partners can continue the extortion on their own and provide the victims with a decoder if they pay the ransom.

Later, 0_neday reported that the grouping server had been compromised, and an unknown attacker was targeting REvil.

Bleeping Computer notes that this time, REvil has probably stopped working completely. The fact is that recently the ransomware has already “disappeared from the radar” after scandalous attacks on clients of the well-known MSP solution provider Kaseya and JBS, the world’s largest supplier of beef and poultry, as well as the second largest pork producer.

Although REvil eventually returned a few months later, some cybercriminals and information security experts believed that the FBI or other law enforcement agencies had gained access to the group’s servers and controlled them since the restart. After all, while REvil was inactive, Kaseya somehow obtained a universal key to decrypt its customers’ data.

Then, many believed that Russian law enforcement officers received the decryption key from the attackers themselves and handed it over to the FBI as a gesture of goodwill. But it seems that this is not so: the FBI said that they have no evidence that in Russia they are somehow fighting cyber intruders.

In addition, in the past, a member of the group known as Unknown or UNKN has posted advertisements or the latest news about REvil operations on hacker forums. After restarting the operations of the ransomware, he disappeared, and the hackers themselves wrote that Unknown was probably arrested. What happened to him is still not known for certain; according to journalists, the current hack may be associated with Unknown and his attempts to regain control.

It is also important that after the restart, REvil’s reputation suffered, and the ransomware operators tried to attract new partners by any means. It got to the point that they offered a commission increase of up to 90%, just to encourage other attackers to work with them.

The post REvil ransomware stopped working again, now after hacking sites appeared first on Gridinsoft Blog.

A press release from the Ukrainian cyber police states that the authorities have arrested a 25-year-old resident of Kiev. Searches were carried out at the place of residence of the suspect and in the homes of his relatives, as a result of which computer equipment, mobile phones, vehicles, more than $ 360,000 in cash were seized, and about $1.3 million in cryptocurrency were blocked.

In turn, Europol reports the arrest of two hackers who have been active since April 2020. At the same time, it is emphasized that this group “is known for its extortionate demands for a ransom from 5 to 70 million euros.”

Due to the mention of such large ransom amounts, some information security experts suggested that two suspects may be associated with the ransomware group REvil.

Let me remind you that the Cyber Police of Ukraine arrested persons linked with the Clop ransomware.

The post Ukrainian cyber police arrested ransomware operators who “earned” $150 million appeared first on Gridinsoft Blog.

The fact is that in July 2021, the hack group went offline without giving any reason. Then it was a question of shutting down an entire network of conventional and darknet sites that were used to negotiate a ransom, drain data stolen from victims, as well as the internal infrastructure of the ransomware.

Let me remind you that not long before this, in early July 2021, REvil operators carried out a large-scale attack on the customers of the well-known MSP solution provider Kaseya. For the attack, the hackers used 0-day vulnerabilities in the company’s product (VSA).

The problem was that most of the affected VSA servers were used by MSP providers, that is, companies that manage the infrastructure of other customers. This means that the cybercriminals have deployed the ransomware in thousands of corporate networks.

According to official figures, the compromise affected about 60 Kaseya clients, through whose infrastructure hackers were able to encrypt approximately 800-1500 corporate networks.

In addition, shortly before the attack on customers, Kaseya REvil hit the front pages of many publications as it attacked JBS, the world’s largest supplier of beef and poultry, as well as the second largest producer of pork. The company operates in the USA, Australia, Canada, Great Britain and so on, serving clients from 190 countries around the world.

Since it has long been known that REvil is a Russian-speaking hack group, US President Joe Biden in a telephone conversation called on Russian President Vladimir Putin to stop the attacks of ransomware hackers operating from the territory of the Russian Federation. Biden said that if Russia does not take action after that, the United States will be forced to take it on its own.

After shutting down the entire infrastructure of the hack group, many experts believed that the group had broken up and will now rebrand, in an attempt to confuse law enforcement agencies and information security companies in the United States. At the same time, Kaseya somehow obtained a universal key to decrypt its customers’ data. Then some suggested that Russian law enforcement officers received the decryption key from the attackers and handed it over to the FBI as a gesture of goodwill.

Now Bleeping Computer writes that until September 9 there was no evidence of new attacks and that REvil was fully resumed. However, late last week, someone uploaded a new REvil sample to VirusTotal, dated September 4th. And shortly thereafter, the hackers published screenshots of the data stolen from the new victim on their website on the darknet.

The publication also notes that in the past, a representative of the group, known under the nicknames Unknown or UNKN, published advertisements or the latest news about REvil operations on hacker forums. Now a new representative of the ransomware, who registered on these sites as REvil, returned to these publications and explained that, according to the hack group, Unknown was arrested and the group’s servers were compromised.

However, Bleeping Computer’s own sources told the media that REvil’s disappearance came as a surprise to law enforcement. For example, the publication provides a screenshot of a chat between an information security researcher and a representative of REvil, where the latter says that the ransomware operators simply took a break.

Let me also remind you that we wrote that REvil operators blackmailed Apple.

The post REvil ransomware resumed attacks appeared first on Gridinsoft Blog.

It was about a whole network of conventional and darknet sites that were used to negotiate a ransom, leak data stolen from victims, as well as the internal infrastructure of the ransomware.

Not long before that, in early July of this year, REvil operators carried out a large-scale attack on the customers of the well-known MSP solution provider Kaseya. For the attack, the hackers used 0-day vulnerabilities in the company’s product (VSA).

The problem was that most of the affected VSA servers were used by MSP providers, that is, companies that manage the infrastructure of other customers. This means that the cybercriminals have deployed the ransomware in thousands of corporate networks.

After this attack, the hackers demanded a ransom of $70 million, and then promised to publish a universal decryptor that can unlock all computers. The group soon “lowered the bar” to $50 million.

In addition, shortly before the attack on customers, Kaseya REvil hit the front pages of many publications as it attacked JBS, the world’s largest supplier of beef and poultry, as well as the second largest producer of pork. The company operates in the USA, Australia, Canada, Great Britain and so on, serving clients from 190 countries around the world. And also REvil attacked the electronics manufacturer Acer.

Since it has long been known that REvil is a Russian-speaking hack group, US President Joe Biden in a telephone conversation asked Russian President Vladimir Putin to stop the attacks of ransomware hackers operating from the territory of the Russian Federation. Biden said that if Russia does not take action after that, the United States will be forced to take it on its own.

After shutting down the entire infrastructure of the hack group, many experts believed that the group had broken up and will now rebrand, in an attempt to confuse law enforcement agencies and information security companies in the United States.

At the same time, Kaseya somehow obtained a universal key to decrypt its customers’ data. Then some experts suggested that Russian law enforcement officers received the decryption key from the attackers and handed it over to the FBI as a gesture of goodwill.

Now, almost two months after the shutdown, experts at Recorded Future and Emsisoft have noticed that the group’s blog and site where REvil operators used to post lists of victims who refused to negotiate and pay the ransom are back online.

The last update on the site was dated July 8, 2021, that is, no new data and messages were published. It is currently unknown if this means that the hack group is back to work, the servers were turned on again by mistake, or if it has something to do with the actions of law enforcement agencies.

Let me also remind you that I talked about the fact that REvil spokesman boasts that hackers have access to ballistic missile launch systems.

The post Servers of the hack group REvil are back online appeared first on Gridinsoft Blog.

In 2019, Maze ransomware operators began using a new double-ransom tactic, in which attackers steal unencrypted files and then threaten to publish them if the ransom is not paid.

Many groups have adopted a similar strategy, but according to experts from the Coveware company, not all ransomware operators keep their promises to remove the stolen data even after paying the ransom.

Some gangs publish stolen data after paying the ransom, use fake data as evidence, or even re-extort the ransom from the victim.

For example, Sodinokibi repeatedly demanded a ransom from victims several weeks after payment, threatening to publish the same data, while Netwalker and Mespinoza published the data of the companies that paid the ransom, and Conti published fake files as proof of fulfilment of promises.

Maze, Sekhmet, and Egregor were also mentioned in the report as groups that are not responsible for their promises. As Maze grew, its operations became disorganized and victims’ data could have been mistakenly posted on a leaked site, experts say. Now the operators of Maze have announced that work on this project has been discontinued.

Conti, in turn, provided victims with fake links to allegedly deleted data after paying the ransom. The links were designed to trick victims into thinking their data had been removed.

The victim cannot know for sure if the ransomware operator deletes the stolen data after the payment has been made.

Because of this, Coveware recommends not paying the ransom as there are no guarantees of safety.

Companies are also encouraged to treat any cyberattack as data theft and, as required by law, inform all customers, employees and business partners that their data has been stolen.

Let me remind you that Microsoft estimated that ransomware attacks take less than 45 minutes.

The post Ransomwares doesn’t always delete stolen data after paying the ransom appeared first on Gridinsoft Blog.

The ZDNet magazine writes that the attackers managed to gain domain administrator rights, thanks to which the ransomware quickly spread to 18,000 workstations.

“Oddly enough, this incident did not lead to problems with the Internet connection for the provider’s customers and did not affect the operation of telephony and cable TV services. However, due to the consequences of the attack, a number of Telecom Argentina’s official websites are still not working”, – according to journalists ZDNet.

Several employees of the affected company share on social media how the provider is coping with the crisis. It seems that immediately after the attack was detected, the company began to warn employees about what was happening, asking them to limit interaction with the corporate network, not to connect to the internal VPN network, and not to open emails with archives in attachments.

Reporters think that responsibility o the attack lies on the REvil hack group, based on a tweeted post that showed a screenshot of the ransomware site. Based on this image, the attackers demanded a ransom 109,345.35 Monero (approximately $7.53 million) from the company. The hackers promised that in case of non-payment, this amount would double in three days, making this ransom demand one of the largest this year.

Telecom Argentina officials have not yet commented on the situation, and it is not known whether the company intends to pay the cybercriminals.

Interestingly, according to local media reports, the ISP considers a malicious attachment from a letter received by one of its employees to be the starting point of this attack.

“This is not entirely consistent with regular REvil attacks, as the group usually penetrates companies’ networks through unprotected network equipment. In particular, attackers are actively exploiting vulnerabilities in Pulse Secure and Citrix VPN”, – reported in ZDNet.

However, the specialists of the information security company Bad Packets told ZDNet journalists that Telecom Argentina not only worked with Citrix VPN servers, but among them there were systems vulnerable to the CVE-2019-19781 problem (although the patch was released many months ago).

let me remind you that, information security specialists of the Danish provider KPN applied sinkholing to REvil (Sodinokibi) cryptographic servers and studied the working methods of one of the largest ransomware threats today. A very interesting analysis – I recommend it.

The post REvil Operators Demand $7.5 Million Ransom from Argentine Internet Provider appeared first on Gridinsoft Blog.

Recall that REvil works under the “ransomware as a service” (RaaS) scheme, which means malware is leased to various criminal groups.

“Because there are many groups, as well as because of the high customizability of REvil, it is extremely difficult to monitor all the operations of the encryptor and the numerous affiliate campaigns for its distribution”, – write KPN specialists.

KPN experts succeeded in synching and intercepting the messages that were exchanged infected by the ransomware computers and REvil management servers.

“We collected unique information about REvil operations, including the number of active infections, the number of infected computers per attack, and even found out a range of sums that hackers demand from their victims as a ransom”, – write researchers.

Analysts watched REvil for about five months and found more than 150,000 unique infections worldwide. All 150,000 infected machines were linked to only 148 REvil samples. Each of these samples represents a successful infection of a network of a company. Moreover, some attacks are huge, encrypting more than 3,000 unique systems. Researchers note that only a few of these attacks were discussed in the media, while many companies were silent about compromise.

According to KPN, in recent months REvil operators have requested ransoms totaling more than $38,000,000 and, on average, extort $260,000 from affected companies. In some cases, the ransom amount was $48,000, which is less than the average REvil level, but still higher than the usual $1,000-$2,000 that other extortionists demand from home users.

“If REvil manages to infect several workstations in the company’s network, the average ransom amount rises to $470,000, and in many cases, the demands of the attackers even exceeded $1,000,000”, — report KPN researchers.

It is not clear how many compromised companies agreed to pay a buyback to REvil operators, but the KPN study points to the fact that discussed above sums may be far from reality.

For example, according to Coverware, which helps victims recover from ransomware attacks and sometimes negotiates ransom on behalf of the victims, in the fourth quarter of 2019, the average ransom amount increased by 104% to $84,116, compared to $41,198 in the third quarter of 2019. Thus, REvil operators demand much more from their victims than other ransomware. Most likely, the fact is that REvil targets companies and large corporate networks, but not individual users.

Recall that according to a study, Emotet topped the rating of the most common threats in 2019. There is no good study on ransomware that appeared last year, though I think that in such a rating REvil (Sodinokibi) will take the leading place. Because some information security researchers believe that REvil is a reboot of the famous GandCrab ransomware, we can assume that we are dealing with one of the most dangerous ransomware of the decade.

The post IS specialists studied working methods of the REvil (Sodinokibi) ransomware operators appeared first on Gridinsoft Blog.

At the beginning of this year was discovered CVE-2019-19781 vulnerability, which affects a number of versions of Citrix Application Delivery Controller (ADC), Citrix Gateway, as well as two old versions of Citrix SD-WAN WANOP. As was reported at the beginning of the month, there were exploits for it in the public domain.

After the publication of the exploits, attacks on vulnerable versions of Citrix intensified, just as it was expected, as numerous hackers hope to compromise some important goal that did not have time to upgrade – a corporate network, a state server, or a government agency.

“The main problem was that though more than a month has passed since the vulnerability was discovered, Citrix developers were in no hurry to release the patch”, – IS experts condemn the company.

Firstly, company limited itself to only safety recommendations, explaining to customers how to reduce risks.

There was even an interesting precedent – an unknown hacker used vulnerable methods to patch vulnerable Citrix servers and, according to information security analysts, not because he was Robin Hood, his intentions were dubious.

Citrix developers presented an actual patch only last week, and did not release the final patches untill the last Friday.

Citrix and FireEye experts also provided free solutions to identify compromises and vulnerable systems.

Now FireEye and Under the Breach analysts are warning that cryptographic operators REvil (Sodinokibi) and Ragnarok are actively infecting vulnerable Citrix servers, which are still numerous.

“I examined the files REvil posted from Gedia.com after they refused to pay the ransomware. The interesting thing I discovered is that they obviously hacked Gedia via the Citrix exploit. My bet is that all recent targets were accessed via this exploit. It just goes to show how much impact a single exploit could have. Other files included invoices, data structures and a complete dump of the servers passwords. GDPR will go hard on these guys and this is exactly what REvil wants, the incentive to ransomware is truly alive!”, — writes Under the Breach company representative.

Additionally, according to unconfirmed reports, the creators of the Maze ransomware targeted vulnerable systems.

It is necessary to say that overall the process of installing patches is going well. If in December 2019 the number of vulnerable systems was estimated at 80,000 servers, then in mid-January their number dropped to about 25,000, and last week it fell below 11,000 systems altogether. Specialists from the GDI Foundation closely monitor these statistics.

The post Citrix releases new patches, racing with the hackers that install encryptors on vulnerable machines appeared first on Gridinsoft Blog.