The fact is that in July 2021, the hack group went offline without giving any reason. Then it was a question of shutting down an entire network of conventional and darknet sites that were used to negotiate a ransom, drain data stolen from victims, as well as the internal infrastructure of the ransomware.

Let me remind you that not long before this, in early July 2021, REvil operators carried out a large-scale attack on the customers of the well-known MSP solution provider Kaseya. For the attack, the hackers used 0-day vulnerabilities in the company’s product (VSA).

The problem was that most of the affected VSA servers were used by MSP providers, that is, companies that manage the infrastructure of other customers. This means that the cybercriminals have deployed the ransomware in thousands of corporate networks.

According to official figures, the compromise affected about 60 Kaseya clients, through whose infrastructure hackers were able to encrypt approximately 800-1500 corporate networks.

In addition, shortly before the attack on customers, Kaseya REvil hit the front pages of many publications as it attacked JBS, the world’s largest supplier of beef and poultry, as well as the second largest producer of pork. The company operates in the USA, Australia, Canada, Great Britain and so on, serving clients from 190 countries around the world.

Since it has long been known that REvil is a Russian-speaking hack group, US President Joe Biden in a telephone conversation called on Russian President Vladimir Putin to stop the attacks of ransomware hackers operating from the territory of the Russian Federation. Biden said that if Russia does not take action after that, the United States will be forced to take it on its own.

After shutting down the entire infrastructure of the hack group, many experts believed that the group had broken up and will now rebrand, in an attempt to confuse law enforcement agencies and information security companies in the United States. At the same time, Kaseya somehow obtained a universal key to decrypt its customers’ data. Then some suggested that Russian law enforcement officers received the decryption key from the attackers and handed it over to the FBI as a gesture of goodwill.

Now Bleeping Computer writes that until September 9 there was no evidence of new attacks and that REvil was fully resumed. However, late last week, someone uploaded a new REvil sample to VirusTotal, dated September 4th. And shortly thereafter, the hackers published screenshots of the data stolen from the new victim on their website on the darknet.

The publication also notes that in the past, a representative of the group, known under the nicknames Unknown or UNKN, published advertisements or the latest news about REvil operations on hacker forums. Now a new representative of the ransomware, who registered on these sites as REvil, returned to these publications and explained that, according to the hack group, Unknown was arrested and the group’s servers were compromised.

However, Bleeping Computer’s own sources told the media that REvil’s disappearance came as a surprise to law enforcement. For example, the publication provides a screenshot of a chat between an information security researcher and a representative of REvil, where the latter says that the ransomware operators simply took a break.

Let me also remind you that we wrote that REvil operators blackmailed Apple.

The post REvil ransomware resumed attacks appeared first on Gridinsoft Blog.

The ZDNet magazine writes that the attackers managed to gain domain administrator rights, thanks to which the ransomware quickly spread to 18,000 workstations.

“Oddly enough, this incident did not lead to problems with the Internet connection for the provider’s customers and did not affect the operation of telephony and cable TV services. However, due to the consequences of the attack, a number of Telecom Argentina’s official websites are still not working”, – according to journalists ZDNet.

Several employees of the affected company share on social media how the provider is coping with the crisis. It seems that immediately after the attack was detected, the company began to warn employees about what was happening, asking them to limit interaction with the corporate network, not to connect to the internal VPN network, and not to open emails with archives in attachments.

Reporters think that responsibility o the attack lies on the REvil hack group, based on a tweeted post that showed a screenshot of the ransomware site. Based on this image, the attackers demanded a ransom 109,345.35 Monero (approximately $7.53 million) from the company. The hackers promised that in case of non-payment, this amount would double in three days, making this ransom demand one of the largest this year.

Telecom Argentina officials have not yet commented on the situation, and it is not known whether the company intends to pay the cybercriminals.

Interestingly, according to local media reports, the ISP considers a malicious attachment from a letter received by one of its employees to be the starting point of this attack.

“This is not entirely consistent with regular REvil attacks, as the group usually penetrates companies’ networks through unprotected network equipment. In particular, attackers are actively exploiting vulnerabilities in Pulse Secure and Citrix VPN”, – reported in ZDNet.

However, the specialists of the information security company Bad Packets told ZDNet journalists that Telecom Argentina not only worked with Citrix VPN servers, but among them there were systems vulnerable to the CVE-2019-19781 problem (although the patch was released many months ago).

let me remind you that, information security specialists of the Danish provider KPN applied sinkholing to REvil (Sodinokibi) cryptographic servers and studied the working methods of one of the largest ransomware threats today. A very interesting analysis – I recommend it.

The post REvil Operators Demand $7.5 Million Ransom from Argentine Internet Provider appeared first on Gridinsoft Blog.

Recall that REvil works under the “ransomware as a service” (RaaS) scheme, which means malware is leased to various criminal groups.

“Because there are many groups, as well as because of the high customizability of REvil, it is extremely difficult to monitor all the operations of the encryptor and the numerous affiliate campaigns for its distribution”, – write KPN specialists.

KPN experts succeeded in synching and intercepting the messages that were exchanged infected by the ransomware computers and REvil management servers.

“We collected unique information about REvil operations, including the number of active infections, the number of infected computers per attack, and even found out a range of sums that hackers demand from their victims as a ransom”, – write researchers.

Analysts watched REvil for about five months and found more than 150,000 unique infections worldwide. All 150,000 infected machines were linked to only 148 REvil samples. Each of these samples represents a successful infection of a network of a company. Moreover, some attacks are huge, encrypting more than 3,000 unique systems. Researchers note that only a few of these attacks were discussed in the media, while many companies were silent about compromise.

According to KPN, in recent months REvil operators have requested ransoms totaling more than $38,000,000 and, on average, extort $260,000 from affected companies. In some cases, the ransom amount was $48,000, which is less than the average REvil level, but still higher than the usual $1,000-$2,000 that other extortionists demand from home users.

“If REvil manages to infect several workstations in the company’s network, the average ransom amount rises to $470,000, and in many cases, the demands of the attackers even exceeded $1,000,000”, — report KPN researchers.

It is not clear how many compromised companies agreed to pay a buyback to REvil operators, but the KPN study points to the fact that discussed above sums may be far from reality.

For example, according to Coverware, which helps victims recover from ransomware attacks and sometimes negotiates ransom on behalf of the victims, in the fourth quarter of 2019, the average ransom amount increased by 104% to $84,116, compared to $41,198 in the third quarter of 2019. Thus, REvil operators demand much more from their victims than other ransomware. Most likely, the fact is that REvil targets companies and large corporate networks, but not individual users.

Recall that according to a study, Emotet topped the rating of the most common threats in 2019. There is no good study on ransomware that appeared last year, though I think that in such a rating REvil (Sodinokibi) will take the leading place. Because some information security researchers believe that REvil is a reboot of the famous GandCrab ransomware, we can assume that we are dealing with one of the most dangerous ransomware of the decade.

The post IS specialists studied working methods of the REvil (Sodinokibi) ransomware operators appeared first on Gridinsoft Blog.