Tag Archives: REvil

Russia takes down REvil hacking group at U.S. request – FSB

MOSCOW, Jan 14 (Reuters) – Russia has dismantled ransomware crime group REvil at the request of the United States in an operation in which it detained and charged the group’s members, the FSB domestic intelligence service said on Friday.

The arrests were a rare apparent demonstration of U.S.-Russian collaboration at a time of high tensions between the two over Ukraine. The announcement came as Ukraine was responding to a massive cyber attack that shut down government websites, though there was no indication the incidents were related.

The United States welcomed the arrests, according to a senior administration official, adding “we understand that one of the individuals who was arrested today was responsible for attack against Colonial Pipeline last spring.”

A May cyberattack on the Colonial Pipeline that led to widespread gas shortages on the U.S. East Coast used encryption software called DarkSide, which was developed by REvil associates.

A police and FSB operation searched 25 addresses, detaining 14 people, the FSB said, listing assets it had seized including 426 million roubles, $600,000, 500,000 euros, computer equipment and 20 luxury cars.

A Moscow court identified two of the men as Roman Muromsky and Andrei Bessonov and remanded them in custody for two months. Muromsky could not be reached for comment and his phone was off. Reuters could not immediately reach Bessonov.

Two Muscovites told Reuters Muromsky was a web developer who had helped them with websites for their businesses.

Russia told Washington directly of the moves it had taken against the group, the FSB said. The U.S. Embassy in Moscow said it could not immediately comment.

“The investigative measures were based on a request from the … United States,” the FSB said. “… The organised criminal association has ceased to exist and the information infrastructure used for criminal purposes was neutralised.”

The REN TV channel aired footage of agents raiding homes and arresting people, pinning them to the floor, and seizing large piles of dollars and Russian roubles.

The group members have been charged and could face up to seven years in prison, the FSB said.

A source familiar with the case told Interfax the group’s members with Russian citizenship would not be handed over to the United States.

The United States said in November it was offering a reward of up to $10 million for information leading to the identification or location of anyone holding a key position in the REvil group.

The United States has been hit by a string of high-profile hacks by ransom-seeking cybercriminals. A source with direct knowledge of the matter told Reuters in June that REvil was suspected of being the group behind a ransomware attack on the world’s biggest meat packing company, JBS SA (JBSS3.SA).

Washington has repeatedly accused the Russian state in the past of malicious activity on the internet, which Moscow denies.

REvil has not been associated with any major attacks for months.

John Shier, a threat researcher at the UK-based Sophos cybersecurity company, said there was no independent confirmation the self-identified leaders of the “defunct” group had been arrested.

“If nothing else, it serves as a warning to other criminals that operating out of Russia might not be the safe harbor they thought it was,” he said.

‘NORMAL PROGRAMMER’

A former client of Muromsky who only gave the name Sergei described him as a regular worker who did not appear wealthy.

Sergei runs a shop called Motohansa selling motorcycle spare parts. Muromsky created its website and supported it for some time charging him around 15,000 roubles ($196) per month, he said.

“He is a smart person and I can imagine that if he wanted to do it (hacking) he could, but he charged very little money for his services. Several years ago he had a Rover car. That’s not an expensive car at all,” Sergei said.

Muromsky is in his thirties and was born in Anapa in Russia’s south, he said. “He worked as a normal programmer.”

Another client, Adam Guzuyev, described Muromsky as “a regular normal worker” who proved unable to install all the features Guzuyev wanted on his website.

“He earned no more than 60,000 roubles. I can’t say he has genius abilities,” he said, adding Muromsky spent three months working on his website.

Reporting by Gabrielle Tétrault-Farber and Maria Tsvetkova; additional reporting by Anton Zverev and Polina Nikolskaya; writing by Tom Balmforth; Editing by Alison Williams, Peter Graff, Mark Potter and Richard Chang

Read original article here

Kaseya Makes Customers Sign NDAs to Obtain Ransomware Decryptor

Kaseya is requiring customers affected by the massive REvil ransomware attack to sign non-disclosure agreements in order to obtain the decryption key, a move that could shroud the incident in further mystery. Although the decryption key will no doubt bring relief to some victims, others are stating that it will have minimal impact.

A new CNN report published on Friday revealed the non-disclosure agreements, citing several cybersecurity experts working with victims of the attack. The outlet notes that these agreements are not unusual in the cybersecurity industry, but that they could make it harder to understand how the attack occurred. The revelation is the latest step in Kaseya’s tight-lipped response since it announced it had obtained a “universal decryptor” from a “trusted third party” on Thursday.

It is still unknown where Kaseya got the decryptor from and whether it paid the mind-blowing $70 million ransom the REvil cybercriminal gang asked for in exchange for providing the universal key for all the roughly 1,500 victims worldwide in early July. To add another twist to the saga, days after claiming credit for the attack, the REvil gang disappeared from the internet.

The company declined to comment on whether it paid for the key in a statement to Gizmodo on Friday. However, some experts say it’s possible the Russian government could have given Kaseya the key after pressure from the Biden administration. Others claim Kaseya might have paid REvil’s ransom early on, after which the criminals went into hiding.

Cybersecurity experts that spoke with CNN pointed out that some of Kaseya’s clients were frustrated when the company announced it had obtained a universal decryptor because they had already spent time and resources trying to restore their systems on their own, albeit with mixed success. The news about the decryptor came three weeks after the attack.

Andrew Kaiser, vice president of sales at Huntress Labs, told the outlet that a service provider hit by REvil’s attack had spent thousands of hours trying to recover and would have made different decisions if they knew Kaseya was working on getting a decryptor.

“I talked with a service provider yesterday,” Kaiser told CNN, “who said, ‘Hey listen, we’re a 10-to-20-person company. We’ve spent over 2,500 man-hours restoring from this across our business. If we had known there was the potential to get this decryptor a week or 10 days ago, we would have made very different decisions. Now, we’re down to only 10 or 20 systems that could benefit from this.’”

Gizmodo reached out to Kaseya on Saturday to ask for comment on whether it was requiring customers to sign NDAs. We also asked Kaseya if they had a response to victims that expressed frustration over the news regarding the universal decryptor. In an emailed response, the company said it had no comment.

Read original article here

REvil ransomware gang inexplicably vanishes from the internet

Websites and other infrastructure belonging to the cybercriminal gang, which is believed to operate from Eastern Europe or Russia, went dark on Tuesday as close observers of the group found they were unable to connect to REvil’s web page listing its victims.
Others said they were unable to connect to the sites REvil uses to communicate with victims and collect ransom payments.

“All REvil sites are down, including the payment sites and data leak site,” tweeted Lawrence Abrams, creator of the information security blog BleepingComputer. “The public ransomware gang represenative [sic], Unknown, is strangely quiet.”

The reasons for REvil’s disappearance were not immediately clear, but it follows a raft of high-profile hackings by the group that seized control of computers around the world. It also comes after President Joe Biden said he warned his Russian counterpart Vladimir Putin there would be consequences if Moscow failed to address the ransomware attacks emanating from within its borders.
The Biden administration has increasingly identified ransomware as a threat to national and economic security, highlighting its potential to disrupt critical infrastructure that Americans depend on.

Ransomware works by locking down a computer network, stealing and encrypting data until victims agree to pay a fee.

Those who refuse can find their information leaked online. In recent years, ransomware gangs have gone after hospitals, universities, police departments, city governments, and a wide range of other targets.

A source familiar told CNN the House Intelligence Committee has not been briefed on what caused REvil to go dark. An aide with the Senate Intelligence Committee said “no comment” when asked if that committee had been briefed on the situation.

Over the July 4 holiday weekend, cybersecurity experts said REvil was responsible for an attack on Kaseya, an IT software company that indirectly supports countless small businesses including accounting firms, restaurants and dentists’ offices.
REvil claimed credit for the attack, demanding an eye-popping $70 million ransom to release the affected machines. US officials have also said REvil was behind the attack on JBS, one of the world’s largest meatpacking companies.

REvil has obtained $11 million from victims in the course of its operation, according to the cryptocurrency payments tracker Ransomwhere.

The group’s sudden disappearance has prompted widespread speculation about what may have occurred. Theories range from planned system downtime to a coordinated governmental strike. But at this stage, experts are still guessing. The FBI and US Cyber Command declined to comment on whether they may have been involved.

“This outage could be criminal maintenance, planned retirement, or, more likely, the result of an offensive response to the criminal enterprise — we don’t know,” said Steve Moore, chief security strategist at the cybersecurity firm Exabeam.

Dmitri Alperovitch, co-founder of the cybersecurity firm CrowdStrike, hypothesized that western governments may be pressuring internet infrastructure companies not to complete web browser requests for REvil’s sites.

Drew Schmitt, principal threat intelligence analyst at GuidePoint Security, cautioned that while an inability to connect to REvil’s sites may be a potential indicator of law enforcement involvement, it doesn’t prove it conclusively.

“Last week REvil’s site was down for a bit as well,” he said in a statement to CNN.

REvil is among the most prolific ransomware attackers, according to the cybersecurity firm CheckPoint. In the last two months alone, REvil conducted 15 attacks per week, CheckPoint spokesman Ekram Ahmed said.

Given the attention it has generated, REvil may have voluntarily chosen to lay low for a while, Ahmed added. “We recommend not jumping to any immediate conclusions as it’s early, but REvil is, indeed, one of the most ruthless and creative ransomware gangs we’ve ever seen.”

Anne Neuberger, the top White House cyber official, was traveling with Biden on Tuesday, though her reasons for accompanying the president to Philadelphia were not clear. A White House spokesperson didn’t immediately respond to a request for comment.

Read original article here

REvil Used 0-Day in Kaseya Ransomware Attack, Demands $70 Million Ransom

Amidst the massive supply-chain ransomware attack that triggered an infection chain compromising thousands of businesses on Friday, new details have emerged about how the notorious Russia-linked REvil cybercrime gang may have pulled off the unprecedented hack.

The Dutch Institute for Vulnerability Disclosure (DIVD) on Sunday revealed it had alerted Kaseya to a number of zero-day vulnerabilities in its VSA software (CVE-2021-30116) that it said were being exploited as a conduit to deploy ransomware. The non-profit entity said the company was in the process of resolving the issues as part of a coordinated vulnerability disclosure when the July 2 attacks took place.

More specifics about the flaws were not shared, but DIVD chair Victor Gevers hinted that the zero-days are trivial to exploit. At least 1,000 businesses are said to have been affected by the attacks, with victims identified in at least 17 countries, including the U.K., South Africa, Canada, Argentina, Mexico, Indonesia, New Zealand, and Kenya, according to ESET.

Kaseya VSA is a cloud-based IT management and remote monitoring solution for managed service providers (MSPs), offering a centralized console to monitor and manage endpoints, automate IT processes, deploy security patches, and control access via two-factor authentication.

REvil Demands $70 Million Ransom

Active since April 2019, REvil (aka Sodinokibi) is best known for extorting $11 million from the meat-processor JBS early last month, with the ransomware-as-a-service business accounting for about 4.6% of attacks on the public and private sectors in the first quarter of 2021.

The group is now asking for a $70 million ransom payment to publish a universal decryptor that can unlock all systems that have been crippled by file-encrypting ransomware.

“On Friday (02.07.2021) we launched an attack on MSP providers. More than a million systems were infected. If anyone wants to negotiate about universal decryptor – our price is 70,000,000$ in BTC and we will publish publicly decryptor that decrypts files of all victims, so everyone will be able to recover from attack in less than an hour,” the REvil group posted on their dark web data leak site.

Kaseya, which has enlisted the help of FireEye to help with its investigation into the incident, said it intends to “bring our SaaS data centers back online on a one-by-one basis starting with our E.U., U.K., and Asia-Pacific data centers followed by our North American data centers.”

On-premises VSA servers will require the installation of a patch prior to a restart, the company noted, adding it’s in the process of readying the fix for release on July 5.

CISA Issues Advisory

The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to issue an advisory, urging customers to download the Compromise Detection Tool that Kaseya has made available to identify any indicators of compromise (IoC), enable multi-factor authentication, limit communication with remote monitoring and management (RMM) capabilities to known IP address pairs, and place administrative interfaces of RMM behind a virtual private network (VPN) or a firewall on a dedicated administrative network.
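The advisory's point about restricting RMM traffic to known IP address pairs is easy to state and easy to drift away from in practice, so the check below audits firewall-style connection records against an allowlist of (client network, RMM server) pairs and reports anything outside it. This is an added illustration, not code from CISA, Kaseya or The Hacker News; the allowlist entries, log lines, addresses and port numbers are all constructed sample values, and the log format is a generic one rather than Kaseya's.

```python
"""Audit RMM connection records against an allowlist of known IP address pairs.

Added example (not from the original article). All addresses, networks, ports
and log lines below are constructed for illustration.
"""
import ipaddress
import re

# Constructed allowlist: (network the RMM agents/admins connect from, RMM server address).
KNOWN_PAIRS = [
    ("10.20.0.0/16", "203.0.113.10"),    # branch A agents -> RMM server
    ("192.168.50.0/24", "203.0.113.10"),  # branch B agents -> RMM server
    ("198.51.100.7/32", "203.0.113.10"),  # admin jump host -> RMM admin interface
]

# Constructed firewall-style accept log; the real format depends on the firewall in use.
SAMPLE_LOG = """\
2021-07-02T14:01:03Z ACCEPT src=10.20.4.17 dst=203.0.113.10 dport=5721
2021-07-02T14:01:09Z ACCEPT src=192.168.50.22 dst=203.0.113.10 dport=5721
2021-07-02T14:02:41Z ACCEPT src=172.16.9.9 dst=203.0.113.10 dport=443
2021-07-02T14:03:00Z ACCEPT src=198.51.100.7 dst=203.0.113.10 dport=443
2021-07-02T14:03:55Z ACCEPT src=10.20.4.17 dst=203.0.113.99 dport=5721
"""

LINE_RE = re.compile(r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")


def compile_allowlist(pairs):
    """Turn string pairs into (ip_network, ip_address) tuples once, up front."""
    return [
        (ipaddress.ip_network(src, strict=False), ipaddress.ip_address(dst))
        for src, dst in pairs
    ]


def is_known_pair(src, dst, allowlist):
    """True if the source falls in an allowed network AND the destination is that network's RMM server."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    return any(s in net and d == server for net, server in allowlist)


def find_unexpected_connections(log_text, pairs=KNOWN_PAIRS):
    """Return (src, dst, dport) for every accepted connection not covered by the allowlist."""
    allowlist = compile_allowlist(pairs)
    unexpected = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that are not connection records
        if not is_known_pair(m["src"], m["dst"], allowlist):
            unexpected.append((m["src"], m["dst"], int(m["dport"])))
    return unexpected


if __name__ == "__main__":
    for src, dst, dport in find_unexpected_connections(SAMPLE_LOG):
        print(f"unexpected RMM connection: {src} -> {dst}:{dport}")
```

Two kinds of deviation surface in the sample: an unknown source reaching the RMM server (172.16.9.9) and a known agent network talking to an RMM address that is not on the allowlist (203.0.113.99). Checking the pair, rather than source and destination independently, is what catches the second case.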

“Less than ten organizations [across our customer base] appear to have been affected, and the impact appears to have been restricted to systems running the Kaseya software,” Barry Hensley, Chief Threat Intelligence Officer at Secureworks, told The Hacker News via email.

“We have not seen evidence of the threat actors attempting to move laterally or propagate the ransomware through compromised networks. That means that organizations with wide Kaseya VSA deployments are likely to be significantly more affected than those that only run it on one or two servers.”

By compromising a software supplier to target MSPs, who, in turn, provide infrastructure or device-centric maintenance and support to other small and medium businesses, the development once again underscores the importance of securing the software supply chain, while also highlighting how hostile agents continue to advance their financial motives by combining the twin threats of supply chain attacks and ransomware to strike hundreds of victims at once.

“MSPs are high-value targets — they have large attack surfaces, making them juicy targets to cybercriminals,” said Kevin Reed, the chief information security officer at Acronis. “One MSP can manage IT for dozens to a hundred companies: instead of compromising 100 different companies, the criminals only need to hack one MSP to get access to them all.”

Read original article here