
FIN7 Cybercrime Syndicate: Emerges as a Major Player in Ransomware Ecosystem

 

A thorough investigation of FIN7 has revealed the organisational structure of the cybercrime group as well as its function as an associate for launching ransomware assaults. Additionally, it has revealed deeper connections between the group and the larger threat ecosystem, which includes the now-defunct DarkSide, REvil, and LockBit families of ransomware. 

The extremely active threat group Carbanak is known for using a wide range of instruments and strategies to broaden its "cybercrime horizons," including adding ransomware to its playbook and setting up fictitious security companies to entice researchers into performing ransomware attacks under the pretext of penetration testing. The financially motivated adversary has compromised more than 8,147 victims worldwide, with the majority of the affected businesses being based in the United States. Other notable nations include China, Germany, Canada, Italy, and the U.K.

Over the years, FIN7's invasion techniques have extended beyond conventional social engineering to include infected USB drives, compromised software supply chains, and the exploitation of stolen credentials obtained from dark web markets.

"Nowadays, its initial approach is to carefully pick high-value companies from the pool of already compromised enterprise systems and force them to pay large ransoms to restore their data or seek unique ways to monetize the data and remote access," PRODAFT said in a report shared with The Hacker News.

The Russian-speaking hacking group has also reportedly been seen using a number of Microsoft Exchange security weaknesses, including CVE-2020-0688, CVE-2021-42321, ProxyLogon, and ProxyShell, as weapons to infiltrate target environments. Even in situations where the victim has previously paid a ransom, the organization has launched operations that have installed SSH backdoors on the compromised systems. This is despite the use of double extortion tactics.

As part of its illegal money-making scheme, the plan is to resell access to other ransomware organizations and retarget the victims, underlining its attempts to minimize effort and maximize profits. In addition, it prioritizes businesses based on their annual revenues, dates of founding, and the number of employees. According to the researchers, this "demonstrates a certain form of feasibility study regarded a distinctive habit among cybercrime gangs."

In other words, FIN7's method of operation is to shortlist businesses and organizations with the largest income by using tools like Dun & Bradstreet (DNB), Crunchbase, Owler, and Zoominfo. In order to track visitor traffic to the victims' websites, it also makes use of other website analytics tools like MuStat and Similarweb.

One of the various intrusion vectors is used to gain initial access, after which data is exfiltrated, files are encrypted, and finally the ransom price is calculated based on the company's income.
The remote access trojans Carbanak, Lizar (also known as Tirion), and IceBot are likewise intended to be loaded using these infection sequences. IceBot was initially identified by Recorded Future-owned Gemini Advisory in January 2022.

Other tools created and provided by FIN7 include the Cobalt Strike post-exploitation tool and the Checkmarks module, which automates mass scans for vulnerable Microsoft Exchange servers and other public-facing online applications.

Another example of how criminal organizations behave like legitimate businesses is FIN7, which has a team structure with top-level management, development, pentesting, affiliate, and marketing teams, all of which have specific tasks to do.

While Alex and Rash are the main drivers of the operation, Sergey-Oleg, the third management member, assigns tasks to the other members of the group and supervises their completion. A review of the group's Jabber communication history, however, has shown that operators in administrator roles use coercion and extortion to force team members to put in more effort and issue threats to "harm their family members in case of resigning or escaping from duties."

The information was uncovered more than a month after cybersecurity firm SentinelOne suspected FIN7 may have connections to the Black Basta ransomware operation.

PRODAFT concluded, "FIN7 has established itself as an extraordinarily versatile and well-known APT group that targets enterprise companies. Their signature move is to thoroughly research the companies based on their revenue, employee count, headquarters and website information to pinpoint the most profitable targets."

"Although they have internal issues related to the unequal distribution of obtained monetary resources and somewhat questionable practices towards their members, they have managed to establish a strong presence in the cybercrime sphere."

Netwalker: Ex Canadian Government Employee Pleads Guilty to Cybercrimes 

 

An ex-government of Canada official pleaded guilty in a US court to crimes related to data theft stemming from his involvement with the NetWalker ransomware group. 

Sebastien Vachon-Desjardins admitted on Tuesday that he had planned to commit bank fraud and phishing scams, intentionally damaged a protected computer, and also sent another demand regarding that illegally damaged computer. 

Plea agreement filed

Vachon-Desjardins, 34, who had previously been sentenced to six years and eight months in prison after entering a guilty plea to five criminal offenses in Canada, was deported to the United States in March. 
Vachon-Desjardins is "one of the most prolific NetWalker Ransomware affiliates," as per his plea agreement, and was in charge of extorting millions of dollars from several businesses all over the world. Along with 21 laptops, smartphones, game consoles, and other technological devices, he will also forfeit $21.5 million. 

He has pleaded guilty to conspiracy to commit computer fraud, conspiracy to commit wire fraud, intentionally harming a protected computer, and conveying a demand related to intentionally damaging a protected computer, according to a court filing submitted this week. The accusations carry a maximum punishment of 40 years in jail combined. The attorneys did not identify the targeted business, but they did indicate that it is based in Tampa and was assaulted on May 1, 2020.

 NetWalker gang's collapse

In 2019, a ransomware-as-a-service operation called NetWalker first surfaced. It is thought that the malware's creators are based in Russia. Its standard procedure, a profitable strategy also known as double extortion, includes acquiring sensitive personal data, encrypting it, and then holding it hostage in exchange for cryptocurrencies, with the victim otherwise risking having the material exposed online.

According to reports, the NetWalker gang intentionally targeted the healthcare industry during the COVID-19 pandemic to take advantage of the global disaster. Vachon-Desjardins is suspected of being connected to at least 91 attacks since April 2020 in his capacity as one of the 100 affiliates for the NetWalker gang, and of working for other RaaS groups like Sodinokibi (REvil), Suncrypt, and Ragnarlocker.

The Feds dismantled the crime gang's servers and the dark website used to contact ransomware victims as part of the takedown of the NetWalker gang. Then they took down Vachon-Desjardins, who, according to the FBI, made $27 million for the NetWalker gang.

His role in cybercrime is said to have included gathering information on victims, managing the servers hosting tools for reconnaissance, privilege escalation, data theft, as well as running accounts that posted the stolen data on the data leak site and collecting payments following a successful attack. 

However, some victims did pay fees, and the plea deal connected Vachon-Desjardins to the successful extortion of roughly 1,864 Bitcoin in ransom payments, or about $21.5 million, from multiple businesses around the world.

The Reaction of Russian Hackers to the Arrests of REvil Became Known


Russian hackers have made their own security issues a priority after the arrests of other cybercriminals, including from the REvil group. Dmitry Volkov, CEO and founder of Group-IB, spoke about this reaction of the darknet to the events taking place. "Security and anonymity have become priorities after the precedents with the shutdown of REvil servers, the arrests of members of the group, as well as the detention in Russia of criminals who helped to cash out the incomes of cybercriminals. Another catalyst for this was the release of the fight against ransomware to the state level," Mr. Volkov said.

At the same time, partner programs that distribute ransomware on the dark web have become more closed. Now only those who are personally acquainted with its organizer can take part in such a project. According to Group-IB analysts, all this is happening against the background of the consolidation of the darknet around ransomware and the groups involved in it. 

"The entire criminal underground unites around ransomware. Everyone found a job: both those who sell access to hacked companies, those who attack them, and those who negotiate for ransom or post stolen data on the darknet. New groups will constantly appear in this market, reassembled from previous associations," Mr. Volkov is sure. 

According to Group-IB, the main list of victims at the country level, as well as the industry preferences of hackers remained unchanged. Globally, almost half of ransomware attacks are in the US (49.2 percent in 2021). Canada (5.6 percent) and France (5.2 percent) followed closely behind. Manufacturing enterprises are most often attacked (9.6 percent of attacks), the real estate sector (9.5 percent), and the transport industry (8.2 percent). 

"This became apparent after the ransomware attack on a hospital in Germany, which killed a person, and also after the attack on the Colonial Pipeline, which attracted the attention of US authorities. At the same time, individual groups, of course, can violate these unspoken prohibitions,” Mr. Volkov concluded.

BlackCat Ransomware Gang Employing Novel Techniques to Target Organizations

 

Last year in December, malware researchers from Recorded Future and MalwareHunterTeam unearthed ALPHV (aka BlackCat), the first professional ransomware strain that was designed in the Rust programming language. In this post, we will explore some of the methodologies employed by ransomware developers to target organizations.

According to an analysis published last month by Varonis, BlackCat was observed recruiting operators from multiple ransomware organizations, offering to allow affiliates to leverage the ransomware and keep 80-90% of the ransom payment.

“The group’s leak site, active since early December 2021, has named over twenty victim organizations as of late January 2022, though the total number of victims, including those that have paid a ransom to avoid exposure, is likely greater,” Varonis’s Jason Hill explained. 

The attackers leveraging BlackCat, often referred to as the "BlackCat gang,” employ multiple tactics that are becoming increasingly commonplace in the ransomware space. Notably, they use several extortion techniques in some cases, including the siphoning of victim data before ransomware deployment, threats to release data if the ransom is not paid, and distributed denial-of-service (DDoS) attacks.

According to cybersecurity researchers at Recorded Future, the ALPHV/BlackCat developer was previously involved with the REvil ransomware gang. Last month, the Russian government disclosed that at the United States’ request it arrested 14 individuals in Russia linked to the REvil ransomware gang.

Still, REvil rolls on despite these actions, according to Paul Roberts at ReversingLabs. “The recent arrests have NOT led to a noticeable change in detections of REvil malicious files,” Roberts wrote. “In fact, detections of files and other software modules associated with the REvil ransomware increased modestly in the week following the arrests by Russia’s FSB intelligence service.” 

Meanwhile, the U.S. State Department has a standing $10 million reward for information leading to the identification or location of any individuals holding key leadership positions in REvil. 

As of December 2021, BlackCat has the seventh-largest number of victims listed on their leak site among ransomware groups tracked by Unit 42 researchers. While Conti (ranked second) has been around in various guises for almost two years, it is surrounded at the top of the chart by emerging families.

REvil Ransomware Operations Seem Unaffected by Recent Arrests

 

According to threat intelligence firm ReversingLabs, the REvil (Sodinokibi) ransomware cooperative's operation has not reduced despite Russia's recent arrest of numerous suspected members of the group. 

The Russian law enforcement agency FSB declared the takedown of the REvil organisation "at the request of US authorities" two weeks ago, yet the ransomware-as-a-service (RaaS) business is still running. 

After years of being accused of permitting malicious hackers to flourish within its borders as long as no Russian citizens or organisations are harmed, Russia appeared to be sending a distinct signal with the arrest of 14 members of the REvil group, even if some witnessed it as a political move amidst rising tensions along the Ukraine border. 

The high-profile arrests of affiliates, however, did not halt REvil operations, as ReversingLabs points out. In reality, the group is operating at the same speed as it was before the arrests. 

Europol reported the arrests of seven people engaged in the spread of REvil and GandCrab ransomware assaults in November 2021 (during seven months), at a time when ReversingLabs was seeing an average of 47 new REvil implants per day (326 per week). 

This was greater than September (43 new implants per day - 307 per week) and October (22 new daily implants - 150 per week), but far lower than July (87 per day - 608 per week) when the group went offline. Following the arrests in Russia, the number of REvil implants observed jumped from 24 per day (169 per week) to an average of 26 per day (180 per week). 

“While it's true that more time may be needed to assess the full impact of the arrests on REvil’s activity, the data so far would suggest that it is ‘business as usual’ for the ransomware gang,” ReversingLabs noted. ReversingLabs senior threat researcher Andrew Yeates stated:

“Threat groups exploit regionalised regulation and distributed organizational structure with sovereign state safe housing, all while leveraging a ‘no-rule’ borderless attack strategy. That makes it ever harder for national and international criminal policing organizations to put an end to threat groups such as REvil.” 

While synchronised action against REvil infrastructure may have had short-term repercussions on the RaaS's prevalence, much stronger action is required to truly stop the cybercrime ring's operations, especially given the group's corporation-like structure, where affiliates launch attacks and receive payments. 

As a result, removing simply affiliates does not affect the core of the RaaS, allowing it to continue operating. Affiliates, on the other hand, can either rebuild the enterprise or relocate to a new RaaS if only the core is removed, and this is relevant for other comparable cybercriminal groups as well.

Group-IB: REvil hackers detention may affect Russian companies



Experts believe that the arrest of the REvil hacker group can create temporary problems for cybercriminals in Russia, but this may affect the well-being of Russian companies. 

 "At the moment, we do not see a significant decrease in the number of ransomware attacks. As for REvil, they have not been active for several months anyway. At the same time, this situation may negatively affect Russian companies. Russian-speaking cybercriminals may attack them more actively", said Oleg Skulkin, head of Group-IB Computer Forensics Laboratory. 

The company clarified that for a long time many Russian-speaking hackers "did not work in Russia and the CIS", as it was unsafe. However, over the past two years, attacks using ransomware in Russia and the CIS have become more frequent. And the detention of REvil can spur them on because after successful international operations they can forget about the unspoken prohibitions. 

At the same time, the expert did not rule out that cybercriminals may temporarily have problems. "Of course, they may have difficulties with cashing out funds obtained illegally. Perhaps some of the partners will stop their activities for some time," Skulkin said. 

After the detention of REvil, hacker gangs in Russia may hide or slightly reduce the intensity of attacks, but they will definitely not give up on them, says Pavel Korostelev, head of the product promotion department of the Security Code company. 

"Now hackers will probably wait until the dust settles, but gangs don't have a single control center that says: 'Stop, no more attacks'. It's a way of making money, so there will always be people willing to take risks. If a business will get better, it won't be for long," the expert said. 



Lockean Multi-ransomware Hitting French Companies--CERT-FR

 

France’s Computer Emergency Response Team (CERT-FR) professionals identified details about the tools and tactics used by a ransomware affiliate group named Lockean. Over the past two years, the group has been targeting French companies continuously. Reportedly, at least eight French companies suffered data breaches on a large scale. The group steals data and executes malware from multiple ransomware-as-a-service (RaaS) operations.

According to the data, the companies that have been victimized by this group are the transportation logistics firm Gefco, the newspaper Ouest-France and the pharmaceutical groups Fareva and Pierre Fabre, among a few others. 

“Based on incidents reported to the ANSSI and their commonalities, investigations were carried out by the Agency to confirm the existence of a single cybercriminal group responsible for these incidents, understand its modus operandi and distinguish its techniques, tactics, and procedures (TTPs)…”

“…First observed in June 2020, this group named Lockean is thought to have affiliated with several Ransomware-as-a-Service (RaaS) including DoppelPaymer, Maze, Prolock, Egregor, and Sodinokibi. Lockean has a propensity to target French entities under a Big Game Hunting rationale,” reads the report published by CERT-FR.

In 2020, Lockean was spotted for the very first time when the group targeted a French manufacturing company and executed DoppelPaymer ransomware on the network. Around June 2020 and March 2021, Lockean compromised at least seven more companies’ networks with various ransomware families including big names like Maze, Egregor, REvil, and ProLock. 

In most of the attacks, the hackers gained initial access to the victim network through Qbot/QakBot malware and post-exploitative tool CobaltStrike. Qbot/QakBot is a banking trojan that changed its role to spread other malware into the system, including ransomware strains ProLock, DoppelPaymer, and Egregor, CERT-FR officials said. 

The cybercriminal group had used the Emotet distribution service in 2020 and TA551 in 2020 and 2021 to distribute QakBot via phishing email. Additionally, the group used multiple tools for data exfiltration, including AdFind, BITSAdmin, BloodHound, and RClone.

FBI: Ransomware Targets Firms During Mergers and Acquisitions

 

The FBI cautions that ransomware groups are targeting companies in "time-sensitive financial events" such as corporate mergers and acquisitions in order to extort their victims. 

The FBI stated in a private industry notice issued on Monday that ransomware operators would utilize financial information gathered before assaults as leverage to compel victims to pay ransom demands. 

The federal law enforcement agency stated further, "The FBI assesses ransomware actors are very likely using significant financial events, such as mergers and acquisitions, to target and leverage victim companies for ransomware infections." 

"During the initial reconnaissance phase, cybercriminals identify non-publicly available information, which they threaten to release or use as leverage during the extortion to entice victims to comply with ransom demands. Impending events that could affect a victim's stock value, such as announcements, mergers, and acquisitions, encourage ransomware actors to target a network or adjust their timeline for extortion where access is established." 

For example, last year, the REvil (Sodinokibi) ransomware gang stated that they were considering introducing an auto-email script that would notify stock exchanges, such as NASDAQ, that firms had been affected by ransomware, potentially affecting their stock price. REvil is also looking into stolen data after breaching firms' systems to identify destructive material that may be used to force victims to pay ransoms.

More recently, DarkSide malware declared that it will share insider information about firms operating on the NASDAQ or other stock exchanges with traders looking to short the stock price for a quick profit. The FBI also highlighted numerous examples of ransomware gangs targeting susceptible firms using inside or public information about active merger or acquisition negotiations: 
  • In early 2020, a ransomware actor using the moniker "Unknown" made a post on the Russian hacking forum "Exploit" that encouraged using the NASDAQ stock exchange to influence the extortion process. Following this posting, unidentified ransomware actors negotiating payment with a victim during a March 2020 ransomware event stated, "We have also noticed that you have stocks. If you will not engage us for negotiation we will leak your data to the nasdaq and we will see what's gonna (sic) happen with your stocks." 
  • Between March and July 2020, at least three publicly traded US companies actively involved in mergers and acquisitions were victims of ransomware during their respective negotiations. Of the three pending mergers, two of the three were under private negotiations. 
  • A November 2020 technical analysis of Pyxie RAT, a remote access trojan that often precedes Defray777/RansomEXX ransomware infections, identified several keyword searches on a victim's network indicating an interest in the victim's current and near-future stock share price. These keywords included 10-q, 10-sb, n-csr, nasdaq, marketwired, and newswire. 
  • In April 2021, Darkside ransomware actors posted a message on their blog site to show their interest in impacting a victim's share price. The message stated, "Now our team and partners encrypt many companies that are trading on NASDAQ and other stock exchanges. If the company refuses to pay, we are ready to provide information before the publication, so that it would be possible to earn in the reduction price of shares. Write to us in 'Contact Us' and we will provide you with detailed information." 
As per the FBI, paying a ransom to ransomware groups is not encouraged and should be avoided by organizations since there's no certainty doing so would safeguard them against data leaks or future assaults. Paying ransoms encourages the crooks behind ransomware operations to target even more victims and encourages other cybercrime groups to follow their lead and join them in unlawful activities. 

The FBI, on the other hand, realises the harm a ransomware assault can do a firm, as executives may be compelled to contemplate paying a ransomware actor to safeguard shareholders, customers, or staff. The FBI highly advises that such events be reported to their local FBI field office.

Groove Ransomware Gang Approaches other Ransomware Gangs to Strike Attacks against the US

 

Following the shutting down of REvil's networks and infrastructure last week by the law authorities, the Groove ransomware gang has called on certain other extortion organizations to strike US interests. 

The REvil ransomware campaign was halted again during the weekend, according to Bleeping Computer, when an unidentified third party hacked its dark web domains. The Russian-led REvil ransomware syndicate was brought down by an extensive multi-country law enforcement investigation in the last week, which led to its network getting hacked and getting knocked offline again for the second time, in the latest effort taken by governments to destabilize the lucrative ecosystem. 

During this takedown, a recognized REvil operator alleged that the unknown party was "looking" for them by changing configuration settings to lure the threat actor into visiting a site maintained by the mysterious entity. According to Reuters, REvil's takedown was the culmination of a multinational law enforcement effort that included FBI assistance.

In a Russian blog post, the Groove ransomware group urged all the other ransomware organizations to target and attack US interests. 

The blog post also urges ransomware operators not to target Chinese enterprises, as organizations may need to utilize the nation as a haven if Russia takes a tougher stance against cybercriminals operating within its borders. 

The entire translated message, with some unacceptable phrases censored, read:

"In our difficult and troubled time when the US government is trying to fight us, I call on all partner programs to stop competing, unite and start xxcking up the US public sector, show this old man who is the boss here who is the boss and will be on the Internet while our boys were dying on honeypots, the nets from rude aibi squeezed their own... but he was rewarded with higher and now he will go to jail for treason, so let's help our state fight against such ghouls as cybersecurity firms that are sold to amers, like US government agencies, I urge not to attack Chinese companies, because where do we pinch if our homeland suddenly turns away from us, only to our good neighbors - the Chinese! I BELIEVE THAT ALL ZONES IN THE USA WILL BE OPENED, ALL xxOES WILL COME OUT AND xxCK THIS xxCKING BIDEN IN ALL THE CRACKS, I myself will personally make efforts to do this" - Groove ransomware. 

The possibility of assaults on US interests is consistent with previous information supplied this week to BleepingComputer by a threat intelligence analyst for a Dutch bank. 

After closing down and separating from the original Babuk Ransomware operation, a threat actor identified as 'Orange' created the RAMP hacker forum in July 2021. Because Orange still had control of Babuk's Tor site, he utilized it to build the hacker forum wherein he served as an administrator. Orange is also thought to be a symbol of the Groove ransomware attack. 

Orange recently resigned as the forum's administrator to explore a new venture, but he provided no additional details. 

In addition, a subsequent tweet implies that the malicious actor is likely launching a new ransomware campaign after actively seeking the purchase of network access to US hospitals and government entities. 

It's indeed unknown if 'Orange' would carry out these assaults on US firms as part of the Groove operation or initiate a separate ransomware campaign.

Acer Confirms Breach After Cyber Attack on Indian Servers

 

A hacker group has claimed to have hacked Acer India's servers, with about 60GB of confidential information belonging to several million of the company's customers. 

According to a post on a prominent hacker site noticed by Privacy Affairs researchers, the group known as Desorden claimed to have acquired consumer information, business data, financial data, and information linked to recent company audits. 

According to the hackers, the breach includes information on several million Acer customers, the majority of whom are from India. It appears to have happened on October 5, according to the most current date stated in the leaked databases. Desorden also stated that it will provide Acer with access to the database in order to substantiate the data and show the breach is legitimate. 

A sample of the data released for free which included information on over 10,000 people, was confirmed to be accurate and real by Privacy Affairs researchers, who were able to contact some of those impacted. Data belonging to millions more Acer customers will be available for a fee at a later date, as per the group. 

An Acer spokesperson told IT Pro, “We have recently detected an isolated attack on our local after-sales service system in India.” 

“Upon detection, we immediately initiated our security protocols and conducted a full scan of our systems. We are notifying all potentially affected customers in India.” 

The issue has been reported to local law enforcement and the Indian Computer Emergency Response Team, according to the spokesman, and there has been no substantial impact on the company's activities or business continuity. 

In March of this year, Acer was the victim of a $50 million ransomware assault carried out by the notorious ransomware group REvil. The group disclosed the Acer breach on its website, where it displayed photos of allegedly stolen information such as financial spreadsheets, bank communications, and bank balances. The vulnerability was thought to be connected to a Microsoft Exchange cyber-attack conducted by at least 10 hacker groups.

Russian Organizations Targeted By Outdated Threat Actors

 

Currently, European and American organizations top the list in ransomware from Russian state sponsored hackers, however, organizations from these countries are not ready for managing file encryption and double extortion problems on their own. Threat actors troubling CIS and Russian based companies are generally LockBit, REvil, DarkSide and many more criminal groups that target high profile victims with critical infrastructure cyberattacks. According to Kaspersky's report on first half of 2021, the Commonwealth of Independent States (CIS) was also targeted by threat actors which attack Russian organizations monthly, meanwhile no such attacks are reported. 

These groups, an often unnoticed subcategory of ransomware actors, are generally less sophisticated, mostly use leaked malware or outdated strains, and build their own hacking access instead of buying access to the victims. Some of the well-known ransomware families that were used earlier this year against Russian targets are as follows: XMRLocker, Thanos/Hakbit, Limbozar/VoidCrypt, Fonix/XINOF, CryptConsole, Cryakl/CryLock, Phobos/Eking, Crysis/Dharma, /BigBobRoss. The most effective older strains include Phobos and Dharma.

Phobos first surfaced in 2017 and reached its final stage in 2020. The threat actors had unauthorised RDP access as the main entry point. It consists of a C++/C malware having similar contextual technicalities to Dharma strain, but has no relation. Dharma came out in the open in 2016 by the name of Crysis, even though outdated, it has one of the most effective encryption schemes. Like Phobos, Dharma has similar unauthorised RDP access following brute-force of credentials and manual planting of malware. 

As per Kaspersky, such attacks come and go; however, they can't be left unnoticed. Kaspersky says these strains are still under development, with threat actors constantly making their strains more effective, so they are not without firepower. "Russian companies can prevent many of these threats by simply blocking RDP access, using strong passwords for domain accounts that are changed regularly, and accessing corporate networks through VPN," reports BleepingComputer.

Two-Thirds of Organizations are Targets of at Least One Ransomware Attack

Every year there are a number of studies getting published on cybersecurity issues and recently 2021 Global State of Ransomware Report got published by Fortinet, a cybersecurity organization. The key finding of the report is that more than two-thirds of organizations are being targeted for at least one Ransomware attack in recent years and that’s why organizations are way more concerned about ransomware attacks compared to other forms of cybercrime. 

Before this report, a study showed that the number of ransomware victims grew by almost 100%, while 60% of the attacks were performed by only three ransomware groups: Conti, Avaddon, and REvil. However, the research also revealed that the majority of organizations are well prepared against ransomware attacks, with measures including risk assessment plans, employee cyber training, and cybersecurity insurance.

The research also shows that companies were most focused on remote workers and devices. Their top priority regarding a ransomware attack was how to secure data from the attack. In addition, 84% of organizations reported having an incident response plan, and cybersecurity insurance was a part of 57% of those plans.

As for paying the ransom if attacked, the procedure for 49% was to pay the ransom outright, and for another 25% it depended on how expensive the ransom was. Along with this, one-third of organizations that paid the ransom got their data back.

John Maddison, EVP of products and CMO at Fortinet, said: “According to a recent FortiGuard Labs Global Threat Landscape report, ransomware grew 1070% year-over-year. Unsurprisingly, organizations cited the evolving threat landscape as one of the top challenges in preventing ransomware attacks…”

“…As evidenced by our ransomware survey, there is a huge opportunity for the adoption of technology solutions like segmentation, SD-WAN, ZTNA, as well as EDR, to help protect against the methods of access most commonly reported by respondents…” 

“…The high amount of attacks demonstrates the urgency for organizations to ensure their security addresses the latest ransomware attack techniques across networks, endpoints, and clouds. The good news is that organizations are recognizing the value of a platform approach to ransomware defense,” he added.

Russian hacker confirmed the resurrection of the most famous Russian hacker group REvil

A Russian hacker who collaborated with the well-known REvil group confirmed that the cybercriminals returned to active work after a two-month break. He named political reasons as the main cause of the temporary suspension of their activities. This refutes the claims of REvil members themselves, who explained the break as a precaution after the disappearance of one of the community members.

The anonymous cybercriminal said that the group initially planned only to suspend its activities, not to end them completely. According to him, this step was due to the difficult geopolitical situation.

"They told key business partners and malware developers that there was no cause for concern and that cooperation would not be suspended for long," the hacker said. Asked whether the Russian leadership influenced the decision of the country's most famous group to hide for a while, the Russian hacker noted that such an option is hardly possible. According to him, there is no evidence to suggest any connection between REvil and the government or intelligence services of Russia or other countries. Moreover, no one discusses such a topic on a serious level on the darknet.

"It is not surprising that the hacker group responsible for high-profile attacks on American infrastructure took precautions after the conversation between the US and Russian presidents," the anonymous hacker stressed. "Geopolitical factors are always taken into account in a business of this level, although this is the first time I have encountered a situation where a group has been forced to curtail its activities relatively unexpectedly".

REvil's return was announced last week when the group's site on the darknet became active again after two months of downtime. Shortly after that, community members stated in messages on one of the Russian forums that the temporary suspension was dictated by precautionary measures. They were allegedly caused by the disappearance of one of the REvil members: "We backed up and disabled all the servers. We thought he had been arrested. We waited — he didn't show up, and we restored everything from backups."

UK Based Firms, Voip Unlimited, And Voipfone Under DDoS Attack

 

Users of Voipfone's UK business broadband and Voice-over-Internet-Protocol (VoIP) services have reported to ISPreview.co.uk that the supplier has been facing massive service interruptions for the past couple of days, which also appear to be the consequence of a Distributed Denial of Service (DDoS) attack against its systems.

Likewise, South Coast-based Voip Unlimited has reported that it was hit with a "colossal ransom demand" after being struck by a prolonged and large-scale DDoS attack. The company believes that it was launched by the Russian cybercriminal organization REvil.

On September 2nd, it reported that "services are operational ... however the attacks are still ongoing." 

At this point, it remains unclear whether any additional UK Internet Telephony Service Providers (ITSP) have also been affected. Nevertheless, the UK Comms Council, the industry association which represents ITSPs, has alerted customers to the cyberattacks and reminded them to implement "appropriate DDoS mitigation strategies."

Mark Pillow, MD of Voip Unlimited, said that the business accepts "full responsibility of the availability of our services to our clients" and that they feel "extremely sorry for all inconvenience caused."

He further explained: "At 2 pm 31st August, Voip Unlimited's network was the victim of an alarmingly large and sophisticated DDoS attack attached to a colossal ransom demand." 

DDoS attacks usually work by flooding a target server or end user with data requests from numerous internet-connected devices (often malware-infected machines forming botnets), causing the target to crash or experience substantial performance issues until the bad traffic ceases. These attacks might also reveal additional vulnerabilities that hackers can abuse.

A number of Voip Unlimited's networks suffered "intermittent or total loss of internet connectivity services" as a result of the attack; however, clients using its Voip Unlimited Ethernet and Broadband services are thought to have been mostly unharmed.

"UK Comms Council has communicated to us that other UK SIP (Session Initiation Protocol) providers are affected and identified them as a criminal hacking organization called REvil who appear to be undertaking planned and organized DDoS attacks against VoIP companies in the UK," Pillow added. 

The sheer magnitude of the attack is as yet unknown, but according to an email sent by Voipfone on Tuesday and obtained by El Reg, the firm's services were "intermittently disrupted by a DDoS attack" over the Bank Holiday weekend, which flooded its systems with phony traffic from tens of thousands of infected devices.

Users have become extremely upset at being unable to access vital digital telecommunication services upon their return to work following the August Bank Holiday weekend.

In a statement, Comms Council UK chair Eli Katz said, "Comms Council UK is aware of the Denial of Service attacks currently targeting IP-based communications service providers in the UK and that a small number of our members have been impacted. We have communicated the issue to our membership and are continuing to liaise closely with them to share further information and support as the situation develops."

Likewise, an alleged DDoS attack on Iran's telecommunications networks in February caused a substantial disturbance, wiping out around 25% of the country's internet connectivity and triggering an early outage of mobile and fixed-line services.

Master Key for Decryption of Kaseya, Leaked on Hacking Forum

 

The universal decryption key for the Kaseya attack has been leaked on a Russian hacking forum. A user named Ekranoplan shared a screenshot of what looks to be a universal decrypter for REvil-encrypted files. The tweet was also retweeted by a security researcher known as pancak3.

Kaseya customers have been using the universal decryption tool to recover files held hostage by REvil. The same media organization previously thought that the key works on all REvil-encrypted files. The website has nevertheless reported that it does not apply to the gang's other attacks; rather, the tool works only on the files of Kaseya users.

The REvil ransomware organization exploited a zero-day vulnerability in its cyberattack on Kaseya's VSA remote management application, encrypting the documents of roughly 1,500 enterprises. The major attack paralyzed Kaseya customers' operations. Kaseya supplies automation software, including remote management tools, to the information technology industry.

The ransomware gang then asked for an incredible $70 million ransom to restore the encrypted data through a universal decrypter tool. The key neutralizes the threat actors' hold over the victims by making the files available again. After this whopping demand, the gang suddenly disappeared.

As of July 13, the organization had left no trace on the web. The group is said to be behind 42 percent of the new ransomware attacks.

It is worth noting that the gang's abrupt disappearance came one day before the United States, involving high authorities from the White House, and Russia discussed the surge in ransomware cases.

Meanwhile, on July 22, Kaseya finally obtained the decryption tool to reverse the encryption of its customers' files.

The Verge states that there are three sources from which Kaseya could have obtained the decryption tool: the US, Russia, or REvil itself. These assumptions were neither confirmed nor denied by the IT business. Instead, the Florida-based IT company said that it received the key from a "trusted third party."

In addition, Kaseya has provided its customers with the universal decryption tool, but there is a twist: the corporation requires its customers to sign a non-disclosure agreement. While NDAs are routinely employed in cyberattacks, incorporating them in this process makes the incident a complete secret.

Ransomware Groups Never Perish, They Reincarnate

 

It is no longer a shock that ransomware attacks have surged over the past few years; technological advancements have proved to be a boon for them. Ransomware is a type of malware that encrypts the victim's files. The offender then asks the victim to pay in order to regain access to the encrypted information, explaining how to make the payment and receive the decryption key.

Several ransomware organizations are now in their third incarnation. In the cybercrime sphere, reinvention is a key survival technique. The oldest techniques include faking death or retirement and subsequently inventing a new identity. A fundamental objective of such a ruse is to make researchers temporarily focus their attention elsewhere.

DarkSide, which collected a $5 million payment from Colonial Pipeline earlier last year, only to see much of it taken back by the U.S. Department of Justice, is one of the most intriguing and newest reinventions. After it was noticed that its Internet servers had been seized, DarkSide stated that it was shutting down. However, just over a couple of months later, BlackMatter, a new affiliate ransomware operation, was created, and specialists immediately found that BlackMatter was using the same unique form of encryption used by DarkSide.

The downfall of DarkSide closely coincided with that of REvil, a long-running ransomware gang that claims more than $100 million from victims. Kaseya, a Miami-based corporation, was REvil's last major victim. That attack allowed REvil to disseminate ransomware to as many as 1,500 organizations using Kaseya. REvil called upon all victims of the Kaseya attack to pay $70 million for decryption.

REvil, too, is commonly regarded as a reboot of GandCrab, a prominent ransomware group with over $2 billion in extortion over 12 months before it shut down in June 2019.

The latest ransomware start-up, "Grief", is merely a fresh coat of paint on DoppelPaymer, which shared most of its code with a previous iteration from 2016 named BitPaymer. All three were created by a renowned cybercriminal organization known variously as TA505, 'Indrik Spider' and Evil Corp.

Mark Arena, CEO of cyber threat intelligence company Intel 471, stated that whether BlackMatter is a new name for the REvil group, or merely a rebirth of DarkSide, is uncertain. “Likely we will see them again unless they’ve been arrested,” Arena further added. 

Cobalt Strike Payloads: Hackers Capitalizing on Ongoing Kaseya Ransomware Attacks

 

Threat actors are trying to capitalize on the ongoing Kaseya ransomware incident by targeting potential victims with a spam campaign that pushes Cobalt Strike payloads disguised as Kaseya VSA security updates. Cobalt Strike is a genuine penetration testing software and threat detection tool that attackers also use for post-compromise tasks and to plant beacons that give them remote access to compromised systems. The primary goal of such attacks is either to harvest and exfiltrate sensitive information or to deploy second-stage malware payloads.

The Cisco Talos Incident Response (CTIR) team said in a September report that "interestingly, 66 percent of all ransomware attacks this quarter involved red-teaming framework Cobalt Strike, suggesting that ransomware actors are increasingly relying on the tool as they abandon commodity trojans." The malware spam campaign discovered by Malwarebytes Threat Intelligence experts uses two distinct approaches to plant the Cobalt Strike payloads. Emails sent as part of this campaign come with a malicious attachment and an embedded link disguised as a Microsoft patch for the Kaseya VSA zero-day exploited in the REvil ransomware attack.

The Malwarebytes Threat Intelligence team said that a malspam campaign is taking advantage of the Kaseya VSA ransomware attack to drop CobaltStrike. It contains an attachment named 'SecurityUpdates.exe' as well as a link pretending to be a security update from Microsoft to patch the Kaseya vulnerability, the report said. The attackers gain persistent remote access to the targeted systems once victims run the malicious attachment or download and launch the fake Microsoft update on their devices.

Bleeping Computer reports: "just as with this month's malspam campaign, the June phishing campaign was also pushing malicious payloads designed to deploy the Cobalt Strike penetration testing tool, which would have allowed the attackers to compromise the recipients' systems. The payload download pages were also customized using the target company's graphics to make them appear trustworthy." These two campaigns highlight that threat actors in the phishing business keep track of the latest news so they can push lures relevant to recent events and boost their campaigns' success rates, said Bleeping Computer.

1,500 Businesses Globally were Affected by Kaseya Cyberattack

 

Kaseya, a Miami-based software provider to over 40,000 businesses, reported on July 2 that it was looking into a possible hack. The IT solutions provider for managed service providers (MSPs) and enterprise clients revealed a day later that it had been targeted by a "sophisticated cyberattack." According to CEO Fred Voccola, the ransomware attack has hit between 800 and 1,500 organizations throughout the world. In an interview with Reuters, he said it was impossible to determine the exact impact of the hack because the firms affected were Kaseya's clients. 

REvil, a hacking organization linked to Russia, published a blog on the dark web on Sunday claiming its involvement in the attack. REvil sought $70 million for the data to be restored. REvil has become one of the most well-known ransomware creators in the world. In the last month, it demanded an $11 million payment from the U.S. subsidiary of the world's largest meatpacking company, a $5 million payment from a Brazilian medical diagnostics company, and launched a large-scale attack on dozens, if not hundreds, of companies that use IT management software from Kaseya VSA. 

Kaseya is a company that provides its comprehensive integrated IT management platform to other businesses. It also provides organizations with tools such as VSA (Virtual System/Server Administrator) and other remote monitoring and management solutions for network endpoints. Kaseya also offers compliance systems, service desks, and a platform for service automation. 

According to the FBI, a vulnerability in Kaseya VSA software was used against many MSPs and their clients in the recent supply-chain ransomware campaign. VSA allows a company to control servers and other hardware, as well as software and services, from a remote location. Large enterprises and service providers who manage system administration for companies without their own IT staff utilize the software. 

According to Kevin Beaumont, a security specialist, the REvil ransomware was distributed through what appeared to be an automatic, bogus software update in the product. Because the malware had administrator access down to client systems, the infection spread from the MSPs that were attacked to the systems of their clients.

The attacker quickly disabled administrator access to VSA, according to Beaumont, and then inserted a task called "Kaseya VSA Agent Hot-fix." This phoney update was then pushed out to the entire estate, including MSP client systems. The management agent update was actually REvil ransomware, and organizations that were not Kaseya customers were still encrypted. The ransomware allowed hackers to disable antivirus software and run a phoney Windows Defender app, after which the computer's files were encrypted and couldn't be viewed without a key.

REvil Hits Brazilian Healthcare Giant Grupo Fleury

 

São Paulo-based medical diagnostic firm Grupo Fleury has suffered a ransomware attack that impaired business operations after the company shut down its systems. On the 22nd of June, the company website began displaying a message warning that its systems were under attack and no longer accessible.

The Brazilian healthcare giant provides medical laboratory services across the nation, with over 200 service centers and more than 10,000 employees. The company performs approximately 75 million clinical exams a year.

"Please be advised that our systems are currently unavailable and that we are prioritizing the restoration of services. The causes of this unavailability originated from the attempted external attack on our systems, which are having operations reestablished with all the resources and technical efforts for the rapid standardization of our services," read the message translated into English. 

With its systems knocked offline, patients are unable to book appointments for labs and other medical examinations online. Since the announcement, multiple cybersecurity sources have confirmed that Grupo Fleury suffered an attack by the ransomware operation known as REvil, also known as Sodinokibi.

“The Healthcare industry and healthcare supply chain are both one of the top three targeted sectors worldwide. Additionally, REvil are launching a lot of attacks at the moment, having hit a maritime organization in Brazil earlier this month,” Andy Norton, European cyber risk officer at Armis, stated.

Grupo Fleury's data is of significant concern because it contains enormous amounts of patients' personal and medical data. REvil is demanding $5 million for the decryptor key and the assurance that no vital information will be leaked online. REvil is known for exfiltrating data before encrypting devices and then using the stolen information as leverage to extort money from the company.

“In a previous statement made to the Russian-OSINT Telegram channel, a REvil representative stated that they were targeting Brazil for revenge. However, it is not known what that revenge is for. REvil is known for exfiltrating data and the data could include personally identifiable information and sensitive medical information of their patients and staff, which could be detrimental for the organization,” Jamie Hart, cyber threat intelligence analyst at digital risk protection company Digital Shadows Ltd, said.

Prior to this attack, JBS Foods, the world’s largest meat producer, was the victim of a REvil ransomware attack. JBS paid a ransom of $11 million in order to keep its stolen information from being leaked online. REvil has targeted numerous high-profile organizations, including Brazil's Rio Grande do Sul court system and nuclear weapons contractor Sol Oriens.

Objectives for Ransomware Attack Against Nuclear Contractor Sol Oriens Remain Unknown

 

New Mexico-based government contractor Sol Oriens was attacked by the Russian REvil ransomware group, sparking worries in the national security community because of the company's work with the Department of Energy's National Nuclear Security Administration.

However, the motives for the attack remain unknown. Sol Oriens confirmed it was targeted in May, according to CNBC's Eamon Javers, and the corporation stated that no sensitive or important security-related material was compromised. The company's website remained down as of Friday, and Mother Jones reported that it had been down since June 3. Sol Oriens has not yet confirmed whether the attack was ransomware.

According to Michael DeBolt, senior vice president of intelligence at Intel 471, Sol Oriens was targeted by REvil, the same group that was accused of targeting meat manufacturer JBS. 

“From the REvil blog, all indications are that Sol Oriens was a target of opportunity, and not of design tied to some state-sponsored entity,” DeBolt stated. 

“However the sensitive nature of this particular victim did not elude the REvil operators and affiliates responsible for the attack. In fact, they explicitly threatened to reveal ‘documentation and data to military agencies of our choice [sic]’ and shared proof by way of screenshots on their name and shame blog. Even so, these actors primarily remain financially motivated.” 

According to Gary Kinghorn, senior director of marketing and alliances at Tempered Networks, the vulnerability of the information in this breach appears to be less than catastrophic if it was restricted to personal information and contacts, but there's no way of knowing if it went further than that. The goals of this attack, according to Kinghorn, are clearly useful to geopolitical opponents, and enterprises must be aware of the immense sophistication and resources behind these operations, regardless of purpose. 

Kinghorn added, “Organizations, particularly those holding DoE-class information and secrets, have to realize that yesterday’s security tools are no longer enough and are too error-prone to justify.” 

“The National Security Agency has already strongly suggested that government agencies move to zero trust and even ensure encryption of all data in motion. These advanced steps can effectively make networks unhackable. However, right now, organizations are still weighing the costs and ROI until they get exposed like this to make changes.”