REvil administrators Archives – Gridinsoft Blog

Media said that the REvil sites were hacked by law enforcement agencies
https://gridinsoft.com/blogs/media-said-that-the-revil-sites-were-hacked-by-law-enforcement-agencies/
Fri, 22 Oct 2021 21:04:23 +0000

Reuters reports that the recent shutdown of the REvil ransomware group was the result of law enforcement agencies hacking the group's own sites.

Let me remind you that earlier this week REvil's operations were suspended again after an unknown party took over the group's websites: the payment portal through which it collected ransoms from victims and the leak site where it published data stolen from companies. A REvil representative known as 0_neday posted on the XSS hacker forum that someone had hijacked the group's domains.

It was also reported that the unknown party brought the group's .onion domains back up using the same private keys as the original REvil sites. Since a Tor onion address is derived from the service's key pair, serving the same address means holding that private key, which points to a compromise of the servers or their backups rather than a simple domain takeover. The unknown party also appeared to have access to backup copies of the group's websites, and 0_neday stated that the group's server had been compromised and that the attacker was deliberately targeting REvil.

REvil Hacked by Law Enforcement Agencies

Now Reuters' own sources (three private-sector cybersecurity experts and a former official) say that the group's infrastructure was taken down as the result of a law enforcement operation spanning several countries. In particular, a person familiar with the events told the agency that a foreign partner of the US government carried out the hacking operation that penetrated REvil's infrastructure. A former US official, speaking on condition of anonymity, said the operation is still ongoing.

"The ransomware group REvil has restored its infrastructure from backups, assuming they were not compromised. Ironically, the group’s favourite tactic – compromising backups – was used against them," IT specialists explain.

Tom Kellermann, head of cybersecurity strategy at VMware and a cybercrime advisor to the US Secret Service, told the media the following:

The FBI, along with Cyber Command, the Secret Service and like-minded countries, has indeed taken serious subversive action against this group.

Many believe that this time REvil has shut down for good. Recall that the group already "went dark" once this year, after its high-profile attacks on customers of the MSP software vendor Kaseya and on JBS, the world's largest supplier of beef and poultry and its second-largest pork producer.

Although REvil eventually returned a few months later, some cybercriminals and information security experts believed that the FBI or other law enforcement agencies had gained access to the group's servers and had controlled them since the restart. After all, while REvil was inactive, Kaseya somehow obtained a universal key that decrypted its customers' data. At the time, many believed that Russian law enforcement had obtained the decryption key from the attackers themselves and handed it to the FBI as a gesture of goodwill.

In the past, a group member known as Unknown or UNKN posted recruitment advertisements and news about REvil operations on hacker forums. When the operation restarted he did not reappear, and the remaining members themselves wrote that Unknown had probably been arrested. What happened to him is still not known for certain.

Ukrainian cyber police arrested ransomware operators who “earned” $150 million
https://gridinsoft.com/blogs/ukrainian-cyber-police-arrested-ransomware-operators/
Mon, 04 Oct 2021 12:43:18 +0000

Ukrainian Cyber Police have arrested two operators of an unnamed ransomware. The operation is reported to have been carried out jointly by the Ukrainian and French police, the FBI, Europol and Interpol. The suspects are believed to have taken part in attacks on more than 100 North American and European companies, "earning" over $150 million in the process.

A press release from the Ukrainian cyber police states that the authorities arrested a 25-year-old resident of Kiev. Searches of the suspect's home and the homes of his relatives turned up computer equipment, mobile phones, vehicles and more than $360,000 in cash, all of which were seized, and about $1.3 million in cryptocurrency was frozen.

"In total, the hacker attacked more than 100 foreign companies in North America and Europe. Among the victims are world-famous energy and tourism companies, as well as equipment developers. The hacker demanded a ransom to restore access to the encrypted data. The damage caused to the victims reaches $150 million," the Cyber Police of Ukraine reports.

Europol, for its part, reports the arrest of two hackers who had been active since April 2020, and emphasizes that the group “is known for its extortionate demands for a ransom from 5 to 70 million euros.”

"The organised crime group is suspected of having committed a string of targeted attacks against very large industrial groups in Europe and North America from April 2020 onwards. The criminals would deploy malware and steal sensitive data from these companies, before encrypting their files," Europol reports.

Because of the size of these ransom demands, some information security experts have suggested that the two suspects may be linked to the REvil ransomware group.

"That certainly sounds like REvil ransomware. The Kaseya ransom demand was famously $70 Million, and the average person may think REvil started in April 2020, with the famous hack of Grubman Shire Meiselas & Sacks happening about that time. For malware researchers, the timeline wouldn’t work, as REvil/Sodinokibi was being discussed as early as April 2019 by research teams like @cybereason and their @CR_Nocturnus team – but again – “the public” may not consider that to be the start," writes, for example, @GarWarner, a researcher of malware, terrorism and the social networks of criminals.

Let me remind you that the Cyber Police of Ukraine previously arrested persons linked to the Clop ransomware as well.

Hack group REvil deceived their partners due to a backdoor
https://gridinsoft.com/blogs/hack-group-revil-deceived-their-partners/
Thu, 23 Sep 2021 21:45:42 +0000

Researchers have found that the creators of REvil cheated their affiliates with a scheme that let them decrypt any system locked by the ransomware and pocket the entire ransom themselves.

Their affiliates ended up with nothing.

Such rumours had been circulating on hacker forums for a long time, but they were recently confirmed by cybersecurity researchers and malware developers, Bleeping Computer reports.

Let me remind you that REvil (aka Sodinokibi) has existed since 2019 and is considered the successor of the GandCrab ransomware. It operates on the Ransomware-as-a-Service (RaaS) model: the core group develops the malware and runs the payment and leak sites, while recruited affiliates break into victims' networks and deploy the encryptor. Ransom payments are then split between the core group and the affiliate, with the affiliate usually receiving 70-80% of the total.

Yelisey Boguslavskiy, a researcher at Advanced Intel, told reporters that since at least 2020 there have been rumours on hacker forums that the creators of REvil often negotiate with victims in secret chats that their affiliates know nothing about. These rumours became more frequent after the sudden disappearance of the DarkSide and Avaddon ransomware operations (the operators of the latter even published decryption keys for their victims).

"People who worked with REvil took part in these discussions, for example, the group’s partners who provided hackers with access to other people’s networks, ‘penetration testing’ services, VPN specialists, and so on," the expert said.

According to Boguslavskiy, REvil administrators would sometimes open a second negotiation chat, identical to the one the affiliate was using with the victim. When negotiations reached a critical point, the REvil operators stepped in and, in the affiliate's chat, impersonated a victim who abruptly broke off talks and refused to pay. In the parallel chat the REvil authors themselves kept negotiating with the real victim, collected the entire ransom, and left the affiliate with nothing.

Recently these rumours gained substance when a reverse engineer reported on hacking forums that the REvil malware the RaaS operators hand to affiliates for deployment on victims' networks contains a "cryptobackdoor": besides the affiliate's own key, the encryptor carries a master key controlled by the operators, so the operators can decrypt any victim's files without the affiliate's knowledge or involvement. The discovery came after Bitdefender released a universal decryptor for data encrypted in REvil attacks.

Interestingly, retaining full control over negotiations and the ability to decrypt any system is not unique to REvil. According to Boguslavskiy, rumours hold that the DarkSide operators worked the same way, and after rebranding as BlackMatter the group announced this practice openly, making clear that it reserves the right to take over negotiations at any time without giving a reason.

Advanced Intel CEO Vitali Kremez told Bleeping Computer that the latest REvil samples, which appeared after the group resumed operations, no longer contain a master key that would allow decrypting any system locked by REvil.
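To make concrete what a "cryptobackdoor" of this kind means, here is an added example in Go. It is not REvil's code and does not reproduce REvil's actual key scheme: it models an affiliate build of an encryptor as a hybrid-encryption construction (X25519 key agreement plus AES-256-GCM, both chosen for the illustration) in which the per-victim file key is wrapped once for every public key compiled into the sample. A build that embeds the operators' master public key beside the affiliate's key leaves behind a key blob that either party can open; a build that embeds only the affiliate key, as Kremez describes for the later samples, leaves one the operators cannot open. The names WrapFileKey, UnwrapFileKey and Demo are hypothetical, and every key is generated on the fly as constructed test data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// keyBlob is what the encryptor leaves on a victim host: an ephemeral X25519 public key
// plus one wrapped file key (nonce || AES-256-GCM ciphertext) per embedded recipient key.
type keyBlob struct {
	EphemeralPub []byte
	Slots        [][]byte
}

// aeadFor derives an AES-GCM key-encryption key from an X25519 agreement.
func aeadFor(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	kek := sha256.Sum256(shared)
	block, _ := aes.NewCipher(kek[:]) // 32-byte key: cannot fail
	return cipher.NewGCM(block)
}

// WrapFileKey wraps fileKey once per embedded recipient key: two slots for a build that
// carries the operators' "master" key beside the affiliate's key, one for a build without it.
func WrapFileKey(fileKey []byte, recipients []*ecdh.PublicKey) (*keyBlob, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	blob := &keyBlob{EphemeralPub: eph.PublicKey().Bytes()}
	for _, pub := range recipients {
		aead, err := aeadFor(eph, pub)
		if err != nil {
			return nil, err
		}
		nonce := make([]byte, aead.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		blob.Slots = append(blob.Slots, append(nonce, aead.Seal(nil, nonce, fileKey, nil)...))
	}
	return blob, nil
}

// UnwrapFileKey recovers fileKey with priv only if the matching public key was embedded
// in the sample that produced blob; GCM authentication rejects slots wrapped for others.
func UnwrapFileKey(blob *keyBlob, priv *ecdh.PrivateKey) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(blob.EphemeralPub)
	if err != nil {
		return nil, err
	}
	aead, err := aeadFor(priv, ephPub)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	for _, s := range blob.Slots {
		if len(s) <= ns {
			continue
		}
		if fk, err := aead.Open(nil, s[:ns], s[ns:], nil); err == nil {
			return fk, nil
		}
	}
	return nil, fmt.Errorf("no slot decrypts under this private key")
}

type DemoResult struct {
	AffiliateRecoversBackdoored, OperatorRecoversBackdoored bool
	AffiliateRecoversClean, OperatorRecoversClean           bool
}

// Demo runs both scenarios with constructed keys; crypto/rand errors are ignored here.
func Demo() DemoResult {
	affiliate, _ := ecdh.X25519().GenerateKey(rand.Reader)
	operator, _ := ecdh.X25519().GenerateKey(rand.Reader)
	fileKey := make([]byte, 32) // the per-victim AES-256 key the files were encrypted with
	rand.Read(fileKey)
	backdoored, _ := WrapFileKey(fileKey, []*ecdh.PublicKey{affiliate.PublicKey(), operator.PublicKey()})
	clean, _ := WrapFileKey(fileKey, []*ecdh.PublicKey{affiliate.PublicKey()})
	recovers := func(b *keyBlob, k *ecdh.PrivateKey) bool {
		fk, err := UnwrapFileKey(b, k)
		return err == nil && bytes.Equal(fk, fileKey)
	}
	return DemoResult{
		recovers(backdoored, affiliate), recovers(backdoored, operator),
		recovers(clean, affiliate), recovers(clean, operator),
	}
}

func main() {
	fmt.Printf("%+v\n", Demo()) // only OperatorRecoversClean should be false
}
```

The point for an analyst with a sample in hand is the observable side effect: the key material an affiliate build leaves behind has one more recipient slot than the affiliate's single key accounts for, and a private key the affiliate never held still opens it. Counting the embedded public keys in the binary, or the slots in the per-victim blob, is the check that exposes such a slot.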
