Moreover, with each new transaction, a smaller amount is transferred, which makes it difficult to track money.

CEO and co-founder of Profero first noticed the transfer process, and announced on Twitter that 107 bitcoins (about $7 million) from the group’s wallet had moved to another wallet. He emphasized that the money is clearly controlled by the hackers themselves, since the secret services usually simply move the seized assets to a new wallet under their control, and do not try to break the funds into smaller pieces.

As the blockchain analysis company Elliptic reported a little later, the DarkSide cryptocurrency passes through different wallets, and in the process the amount has already decreased from 107.8 BTC to 38.1 BTC. This is a typical money laundering scheme that makes it difficult to track funds and it helps criminals to convert cryptocurrency to fiat. According to Elliptic, this process is still ongoing, and small amounts have already been transferred to well-known exchanges.

Interestingly, DarkSide funds were set in motion shortly after the media reported that law enforcement was behind the cessation of another well-known hack group, REvil, by attacking the criminals’ infrastructure.

The fact is that DarkSide has also received a lot of attention, especially last summer when it hacked one of the largest pipeline operators in the United States, Colonial Pipeline. This incident forced the American authorities to introduce an emergency regime in a number of states and became the very straw that could break the back of a camel: the attention of law enforcement agencies to ransomware increased, and on hacker forums they rushed to ban advertising of ransomware altogether.

A week after the attack, and the government’s much unwelcome attention to hackers, DarkSide announced it would cease operations. Then the group claimed that it had lost control of some servers and cryptocurrency wallets (that is, its own money). However, in July, the hackers rebranded themselves by launching a new infrastructure and malware called BlackMatter.

It looks like now, after what happened to REvil, hackers want to make sure they don’t lose their funds a second time. Moreover, a few days earlier, the American authorities issued a warning about BlackMatter’s activities, stating that the ransomware had already attacked “several critical US infrastructures.”

The post After REvil shut down, members of the hack group DarkSide hastily moved $7 million appeared first on Gridinsoft Blog.

Bleeping Computer reports that all Tor sites of the group have been disabled, and a representative of REvil posted a message on the XSS hacker forum that someone had taken over the attacker’s domains.

Recorded Future specialist Dmitry Smilyanets was the first to notice this message. He reported that an unknown person had seized onion domains of hackers using the same private keys as the REvil websites. As have been said, the unknown person seemed to have access to the backups of the hack group’s sites.

The fact is that to start an onion domain, user needs to generate a pair of private and public keys, which is used to initialize the service. The private key must be protected and only available to administrators, as anyone who has access to it can use it to run the same onion service on their own server. Since the third party was able to take over the REvil domains, this means that it also had access to the group’s private keys.

Although at first the hackers did not find any signs of compromising the servers, they still decided to stop the operations. The group’s partners were asked to contact the REvil operators through Tox to obtain decryption keys.

This is done so that the partners can continue the extortion on their own and provide the victims with a decoder if they pay the ransom.

Later, 0_neday reported that the grouping server had been compromised, and an unknown attacker was targeting REvil.

Bleeping Computer notes that this time, REvil has probably stopped working completely. The fact is that recently the ransomware has already “disappeared from the radar” after scandalous attacks on clients of the well-known MSP solution provider Kaseya and JBS, the world’s largest supplier of beef and poultry, as well as the second largest pork producer.

Although REvil eventually returned a few months later, some cybercriminals and information security experts believed that the FBI or other law enforcement agencies had gained access to the group’s servers and controlled them since the restart. After all, while REvil was inactive, Kaseya somehow obtained a universal key to decrypt its customers’ data.

Then, many believed that Russian law enforcement officers received the decryption key from the attackers themselves and handed it over to the FBI as a gesture of goodwill. But it seems that this is not so: the FBI said that they have no evidence that in Russia they are somehow fighting cyber intruders.

In addition, in the past, a member of the group known as Unknown or UNKN has posted advertisements or the latest news about REvil operations on hacker forums. After restarting the operations of the ransomware, he disappeared, and the hackers themselves wrote that Unknown was probably arrested. What happened to him is still not known for certain; according to journalists, the current hack may be associated with Unknown and his attempts to regain control.

It is also important that after the restart, REvil’s reputation suffered, and the ransomware operators tried to attract new partners by any means. It got to the point that they offered a commission increase of up to 90%, just to encourage other attackers to work with them.

The post REvil ransomware stopped working again, now after hacking sites appeared first on Gridinsoft Blog.

Their partners ended up with nothing.

Let me remind you that REvil (aka Sodinokibi) has existed since 2019 and is considered to be the heir of the GandCrab ransomware. The ransomware operates according to the Ransomware-as-a-Service (RaaS, ransomware-as-a-Service) scheme, that is, malware developers deal directly with malware and payment sites, and their hired partners hack victims’ networks and encrypt devices. As a result, the ransom payments are distributed between the hack group itself and its partners, with the latter usually receiving 70-80% of the total.

Evgeny Boguslavsky, a specialist at Advanced Intel, told reporters that since at least 2020, there have been rumours on hacker forums that the creators of REvil often negotiate with victims in secret chats, while their partners do not even know about it. These rumours began to appear more often after the sudden disappearance of the ransomware DarkSide and Avaddon (the operators of the latter generally published decryption keys for their victims).

According to Boguslavsky, REvil administrators sometimes create a second chat, identical to the one that their partners use to negotiate with the victim. When negotiations reach a critical point, the creators of REvil step in and portray a victim who supposedly abruptly breaks off negotiations, refusing to pay the ransom. In fact, the REvil authors themselves continue negotiations with the victims, take the entire ransom and leave their partners with nothing.

Recently, these rumours have become more substantiated, as the reverse engineer reported on hack forums that the REvil malware, which RaaS operators provide to their partners for deployment on victims’ networks, contains a “cryptobackdoor”. The discovery came after Bitdefender released a versatile tool to decrypt data after the REvil attacks.

Interestingly, full control over what is happening and the ability to decrypt any system is a practice that other ransomware uses as well. So, Boguslavsky says that, according to rumours, the DarkSide operators worked the same way. After rebranding to BlackMatter, the attackers openly announced this practice, making everyone understand that they reserve the right to take over negotiations at any time without giving any reason.

The head of Advanced Intelligence, Vitaly Kremez, told Bleeping Computer that the latest REvil samples that have appeared recently, after the group restored activity, no longer has a master key that would allow decrypting any system that was blocked by REvil.

The post Hack group REvil deceived their partners due to a backdoor appeared first on Gridinsoft Blog.

First, should be recalled that the background of what is happening: last week Bitdefender published a universal utility for decrypting files affected by the attacks of the ransomware REvil (Sodinokibi). The tool works for any data encrypted before July 13, 2021.

At the time, experts reported that the tool was created in collaboration with “trusted law enforcement partners,” but the company declined to disclose any details, citing an ongoing investigation. According to people familiar with the matter, the partner was not the FBI.

July 13 is mentioned above for a reason, as on this day the entire REvil infrastructure went offline without explanation. The hacker group completely “disappeared from the radar” for a while, and as a result, many companies were left without the ability to recover their data, even if they were willing to pay the hackers a ransom.

It is important that not long before this, in early July 2021, REvil operators carried out a large-scale attack on the customers of the well-known MSP solution provider Kaseya. As a result, the cybercriminals deployed the ransomware in thousands of corporate networks, and law enforcement agencies and authorities became very interested in hackers.

Then, when the group had already “disappeared”, representatives of the injured Kaseya unexpectedly announced that they had a universal key to decrypt customer data. Then the company refused to disclose where this tool came from, limiting itself to a vague “from a trusted third party.”

However, the company assured that it is universal and suitable for all affected MSPs and their clients. Moreover, before sharing the tool with clients, Kaseya required them to sign a non-disclosure agreement.

As the Washington Post now reports, the assumptions of many cybersecurity experts were correct: Kaseya really received the key from the FBI representatives. Law enforcement officials say they infiltrated the servers of the hack group and extracted a key from there, which ultimately helped to decrypt data and 1,500 networks, including in hospitals, schools and enterprises.

However, the FBI did not immediately share the key with the victims and the company. For about three weeks, the FBI kept the key secret, intending to carry out an operation to eliminate the hack group and not wanting to reveal their cards to the criminals. But the law enforcement officers did not have time: as a result, the REvil infrastructure went offline before the operation began. Then Kaseya was given the key to decrypt the data, and Emsisoft experts prepared a special tool for the victims.

Journalists note that due to the resulting delay, it was already too late for many of the victims. For example, the publication quotes a representative of JustTech, which is one of the clients of MSP Kaseya.

The company spent more than a month restoring the systems of its customers, as restoring from backups or replacing the system is an expensive and time-consuming process:

Swedish grocery chain Coop, also affected by the attack, said it still does not know how much it would cost to temporarily close its stores:

The post FBI Kept Secret Key To Decrypt Data After REvil Attacks appeared first on Gridinsoft Blog.

The tool works for any data encrypted before July 13, 2021.

However, the company has so far refused to provide any details, citing an ongoing investigation.

Let me remind you that on July 13 of this year the entire REvil infrastructure went offline without explanation. Then it was a question of shutting down an entire network of regular and darknet sites that were used to negotiate a ransom, drain data stolen from victims, as well as the internal infrastructure of the ransomware.

Not long before that, in early July 2021, REvil operators carried out a large-scale attack on the customers of the well-known MSP solution provider Kaseya. As a result, the cybercriminals deployed the ransomware in thousands of corporate networks. In addition, shortly before the attack on customers, Kaseya REvil hit the front pages of many publications as it attacked JBS, the world’s largest supplier of beef and poultry, as well as the second largest producer of pork. The company operates in the USA, Australia, Canada, Great Britain and so on, serving clients from 190 countries around the world.

As a result, US President Joe Biden in a telephone conversation called on Russian President Vladimir Putin to stop the attacks of ransomware hackers operating from the territory of the Russian Federation. Biden said that if Russia does not take action after that, the United States will be forced to take it on its own.

Shortly thereafter, REvil went offline for several months, and only returned to service on September 7, 2021. According to information security companies, REvil operators re-activated their old sites, created new profiles on the forums.

At the same time, Kaseya somehow obtained a universal key to decrypt its customers’ data. Then some experts suggested that Russian law enforcement officers received the decryption key from the attackers and handed it over to the FBI as a gesture of goodwill.

Now Bleeping Computer writes that until September 9 there was no evidence of new attacks and that REvil has fully resumed its activity. However, late last week, someone uploaded a new REvil sample to VirusTotal, dated September 4th. And shortly thereafter, the hackers published screenshots of the data stolen from the new victim on their website on the darknet.

The post Added utility for decrypting data after REvil attacks appeared first on Gridinsoft Blog.

The fact is that in July 2021, the hack group went offline without giving any reason. Then it was a question of shutting down an entire network of conventional and darknet sites that were used to negotiate a ransom, drain data stolen from victims, as well as the internal infrastructure of the ransomware.

Let me remind you that not long before this, in early July 2021, REvil operators carried out a large-scale attack on the customers of the well-known MSP solution provider Kaseya. For the attack, the hackers used 0-day vulnerabilities in the company’s product (VSA).

The problem was that most of the affected VSA servers were used by MSP providers, that is, companies that manage the infrastructure of other customers. This means that the cybercriminals have deployed the ransomware in thousands of corporate networks.

According to official figures, the compromise affected about 60 Kaseya clients, through whose infrastructure hackers were able to encrypt approximately 800-1500 corporate networks.

In addition, shortly before the attack on customers, Kaseya REvil hit the front pages of many publications as it attacked JBS, the world’s largest supplier of beef and poultry, as well as the second largest producer of pork. The company operates in the USA, Australia, Canada, Great Britain and so on, serving clients from 190 countries around the world.

Since it has long been known that REvil is a Russian-speaking hack group, US President Joe Biden in a telephone conversation called on Russian President Vladimir Putin to stop the attacks of ransomware hackers operating from the territory of the Russian Federation. Biden said that if Russia does not take action after that, the United States will be forced to take it on its own.

After shutting down the entire infrastructure of the hack group, many experts believed that the group had broken up and will now rebrand, in an attempt to confuse law enforcement agencies and information security companies in the United States. At the same time, Kaseya somehow obtained a universal key to decrypt its customers’ data. Then some suggested that Russian law enforcement officers received the decryption key from the attackers and handed it over to the FBI as a gesture of goodwill.

Now Bleeping Computer writes that until September 9 there was no evidence of new attacks and that REvil was fully resumed. However, late last week, someone uploaded a new REvil sample to VirusTotal, dated September 4th. And shortly thereafter, the hackers published screenshots of the data stolen from the new victim on their website on the darknet.

The publication also notes that in the past, a representative of the group, known under the nicknames Unknown or UNKN, published advertisements or the latest news about REvil operations on hacker forums. Now a new representative of the ransomware, who registered on these sites as REvil, returned to these publications and explained that, according to the hack group, Unknown was arrested and the group’s servers were compromised.

However, Bleeping Computer’s own sources told the media that REvil’s disappearance came as a surprise to law enforcement. For example, the publication provides a screenshot of a chat between an information security researcher and a representative of REvil, where the latter says that the ransomware operators simply took a break.

Let me also remind you that we wrote that REvil operators blackmailed Apple.

The post REvil ransomware resumed attacks appeared first on Gridinsoft Blog.

It was about a whole network of conventional and darknet sites that were used to negotiate a ransom, leak data stolen from victims, as well as the internal infrastructure of the ransomware.

Not long before that, in early July of this year, REvil operators carried out a large-scale attack on the customers of the well-known MSP solution provider Kaseya. For the attack, the hackers used 0-day vulnerabilities in the company’s product (VSA).

The problem was that most of the affected VSA servers were used by MSP providers, that is, companies that manage the infrastructure of other customers. This means that the cybercriminals have deployed the ransomware in thousands of corporate networks.

After this attack, the hackers demanded a ransom of $70 million, and then promised to publish a universal decryptor that can unlock all computers. The group soon “lowered the bar” to $50 million.

In addition, shortly before the attack on customers, Kaseya REvil hit the front pages of many publications as it attacked JBS, the world’s largest supplier of beef and poultry, as well as the second largest producer of pork. The company operates in the USA, Australia, Canada, Great Britain and so on, serving clients from 190 countries around the world. And also REvil attacked the electronics manufacturer Acer.

Since it has long been known that REvil is a Russian-speaking hack group, US President Joe Biden in a telephone conversation asked Russian President Vladimir Putin to stop the attacks of ransomware hackers operating from the territory of the Russian Federation. Biden said that if Russia does not take action after that, the United States will be forced to take it on its own.

After shutting down the entire infrastructure of the hack group, many experts believed that the group had broken up and will now rebrand, in an attempt to confuse law enforcement agencies and information security companies in the United States.

At the same time, Kaseya somehow obtained a universal key to decrypt its customers’ data. Then some experts suggested that Russian law enforcement officers received the decryption key from the attackers and handed it over to the FBI as a gesture of goodwill.

Now, almost two months after the shutdown, experts at Recorded Future and Emsisoft have noticed that the group’s blog and site where REvil operators used to post lists of victims who refused to negotiate and pay the ransom are back online.

The last update on the site was dated July 8, 2021, that is, no new data and messages were published. It is currently unknown if this means that the hack group is back to work, the servers were turned on again by mistake, or if it has something to do with the actions of law enforcement agencies.

Let me also remind you that I talked about the fact that REvil spokesman boasts that hackers have access to ballistic missile launch systems.

The post Servers of the hack group REvil are back online appeared first on Gridinsoft Blog.

The hackers claim to have obtained data on Apple products after the Taiwanese company Quanta Computer was hacked.

It is the world’s largest laptop manufacturer and also one of the few companies that assembles Apple products based on designs and circuits provided to them (including the Watch, Apple Macbook Air, and Apple Macbook Pro).

As representatives of the affected company refused to pay the hackers, REvil operators began to publish diagrams and drawings of Apple products on their website. Apparently, the hackers decided that it might be more profitable to blackmail one of Quanta Computer’s main customers.

According to media reports, the company had to pay $50,000,000 by April 27, or $100,000,000 after that date.

In total, 21 screenshots of Macbook diagrams were posted on the attacker’s website, and the hackers promised to release new data every day until Apple or Quanta Computer agreed to pay the ransom.

According to the Bleeping Computer journalists, in a new private chat created for negotiations between REvil and Quanta Computer, the hackers reported that in order to continue negotiations, they hid the page with the “leak” of data, and also stopped communicating with the press.

REvil representatives say that by starting a dialogue with them, the company “can count on a good discount”: the ransom will be reduced from $50 to $20 million, and the deadline for payment has been postponed to May 7, 2021.

The hackers also warned that if they did not receive an answer again, they would soon begin to publish drawings of the new iPad and sketches of new Apple logos.

Journalists write that, according to their information, Quanta Computer never responded to this “generous offer.”

Let me remind you that this is not the first time that Apple has been attacked, as I wrote that Shlayer malware bypassed Apple security checks, and, for example, Google experts talked about vulnerabilities in Apple operating systems.

The post Criminals threaten to leak new Apple logo, if the company doesn’t pay the ransom appeared first on Gridinsoft Blog.

At the end of last week, the hackers posted a message on their website that they had hacked Acer, and as proof of this statement, they shared screenshots of the files allegedly stolen from the company. Published images include documents, financial spreadsheets, bank balances, and messages.

Acer representatives have already commented on what is happening, but so far they avoid talking openly about the ransomware attack. Instead, the company said it had already reported the “emergency” to law enforcement agencies, but they cannot disclose details while the investigation continues.

The Record reports that analysts at Malwarebytes were able to track down another hacker site on the darknet, where victims are negotiating a ransom with attackers. Here you can see that the Acer representative was shocked by the demand of $50 million, and the negotiations were at an impasse. Journalists note that at some point, REvil operators turned to threats and vaguely advised Acer “not to repeat the fate of SolarWinds”.

The $50,000,000 ransom is the largest to date. The previous “record” was $30,000,000: the same REvil operators demanded the same amount from the hacked Dairy Farm company.

According to Bleeping Computer, specialist Vitaly Kremez discovered that some time ago, the REvil hack group was targeting a Microsoft Exchange server in the Acer domain.

Recently, the attackers behind the DearCry ransomware have already exploited ProxyLogon vulnerabilities to deploy the ransomware on vulnerable systems of small companies. Probably the REvil operators could have gone the same way.

Let me remind you that REvil spokesman boasts that hackers have access to ballistic missile launch systems.

The post REvil ransomware operators attacked Acer and demand $50,000,000 appeared first on Gridinsoft Blog.

The ZDNet magazine writes that the attackers managed to gain domain administrator rights, thanks to which the ransomware quickly spread to 18,000 workstations.

“Oddly enough, this incident did not lead to problems with the Internet connection for the provider’s customers and did not affect the operation of telephony and cable TV services. However, due to the consequences of the attack, a number of Telecom Argentina’s official websites are still not working”, – according to journalists ZDNet.

Several employees of the affected company share on social media how the provider is coping with the crisis. It seems that immediately after the attack was detected, the company began to warn employees about what was happening, asking them to limit interaction with the corporate network, not to connect to the internal VPN network, and not to open emails with archives in attachments.

Reporters think that responsibility o the attack lies on the REvil hack group, based on a tweeted post that showed a screenshot of the ransomware site. Based on this image, the attackers demanded a ransom 109,345.35 Monero (approximately $7.53 million) from the company. The hackers promised that in case of non-payment, this amount would double in three days, making this ransom demand one of the largest this year.

Telecom Argentina officials have not yet commented on the situation, and it is not known whether the company intends to pay the cybercriminals.

Interestingly, according to local media reports, the ISP considers a malicious attachment from a letter received by one of its employees to be the starting point of this attack.

“This is not entirely consistent with regular REvil attacks, as the group usually penetrates companies’ networks through unprotected network equipment. In particular, attackers are actively exploiting vulnerabilities in Pulse Secure and Citrix VPN”, – reported in ZDNet.

However, the specialists of the information security company Bad Packets told ZDNet journalists that Telecom Argentina not only worked with Citrix VPN servers, but among them there were systems vulnerable to the CVE-2019-19781 problem (although the patch was released many months ago).

let me remind you that, information security specialists of the Danish provider KPN applied sinkholing to REvil (Sodinokibi) cryptographic servers and studied the working methods of one of the largest ransomware threats today. A very interesting analysis – I recommend it.

The post REvil Operators Demand $7.5 Million Ransom from Argentine Internet Provider appeared first on Gridinsoft Blog.