Destructive hacking group REvil could be back from the dead

There was a period in 2021 when the computing world was gripped by fear of a dizzyingly effective hacking group fittingly named REvil — until its website was seized by the FBI and its members arrested by Russia’s security services, that is. Yet like a malevolent curse that just can’t be dispelled, it now seems the group’s websites are back online. Has the group returned to spread discord and wreak havoc once again?

In case you missed them the first time around, REvil came to global attention by hacking into various high-profile targets, pilfering secret documents, then threatening their release unless a ransom was paid. In a notable case, the group stole and published files from Apple supplier Quanta Computer, including some that spilled the beans on unreleased product designs.

Now, it looks like REvil’s sites on the dark web are back in action. According to Bleeping Computer, REvil’s websites are up and running and filled with information new and old, including a list of previous hacking victims alongside a couple of new ones. The group’s sites are Tor hidden services (onion sites): they can only be reached through the Tor Browser, which routes traffic through a chain of relays so that neither the visitor’s IP address nor the server’s location is exposed to the other side.

Security researchers became aware of the new activity while monitoring the hacking forum RuTOR, where they saw an advertisement promoting REvil’s services with a new website that redirects to its old domain. The group’s updated services include an apparently improved version of the REvil ransomware, along with an 80/20 revenue-sharing model.

Does this mean that the original REvil crew has somehow been resurrected for another round of high-profile hacks and mischief? Well, that’s not entirely clear. Aside from the fact that the group was gutted by multiple law enforcement investigations around the world, there are other reasons to be suspicious.

For one thing, the website’s code is littered with references to other hacking groups, which might imply that a different malware gang has somehow taken control of REvil’s website. Another possibility is that the new site is a “honeypot” maintained by law enforcement or some other group and designed to capture information about potential clients of REvil.

For now, the mystery remains unsolved. But if REvil is indeed back from the grave, or another hacking group has decided to take over its name and infrastructure, it doesn’t bode particularly well for the future, especially considering the havoc caused by hacking group LAPSUS$ in recent months. If you want to stay safe, the basics still apply: keep your software patched, keep backups that ransomware cannot reach or delete, run reputable endpoint protection, and avoid clicking suspicious links on the web or in your emails.


Repost: Original Source and Author Link


An alleged member of the REvil ransomware gang was arrested in Poland

The Justice Department has announced the arrest and indictment of an alleged member of the REvil hacking group, linked to ransomware attacks on IT firm Kaseya, an Apple supplier, and more. According to the department, Ukrainian national Yaroslav Vasinskyi was indicted for cybercrimes in August, detained by Polish authorities in October, and is now facing extradition to the US, as revealed by a now-unsealed court document. The arrest, along with the government seizing assets it says are linked to REvil’s operations, is another step in the fight against ransomware, which has been a growing issue for US-based companies.

The DOJ also says it has seized $6.1 million in assets from the FTX crypto trading exchange, allegedly linked to REvil ransomware. The money belonged to Russian national Yevgeniy Polyanin, who has also been indicted for allegedly working with REvil to attack corporate and government targets. Polyanin was also indicted in August, though CNN and the DOJ report he hasn’t been caught yet.

You can read both indictments below, which detail REvil’s alleged process of breaking into computer networks, gaining control over them, and then stealing companies’ data, locking the rightful owners out by encrypting data and deleting any backups. Companies would, however, be able to gain access back to the data if they paid a ransom — otherwise, their data could be sold or posted to the web. This happened to Apple supplier Quanta, whose documents detailing Apple’s new MacBooks were posted to REvil’s blog well before any official information was released.

The indictments don’t explicitly say what roles Vasinskyi and Polyanin allegedly played in the attacks, only accusing them of being involved and working with other team members to carry out attacks. The Department of Justice says that Vasinskyi and Polyanin could each face over 100 years in prison if convicted on all counts levied against them. Two other people alleged to be involved with REvil were also arrested. The government is also willing to spend big on catching more alleged members: it’s offering a reward of up to $10 million for information that leads to the arrest of REvil leadership and up to $5 million for information about people trying to work for the group.

The arrest and hunt for REvil operators is just part of the government’s work against the ransomware outfit. Reports started surfacing in October that the FBI, Secret Service, and Cyber Command had taken REvil’s website offline using some of the group’s own tactics against it. The Treasury Department named it in a report as one of the biggest ransomware groups when measuring by payout size.

As ransomware attacks have hit major targets in the US over the past few years, they’ve loomed larger on the US government’s radar — it’s created a ransomware task force and set up a team to investigate crimes relating to cryptocurrencies. President Joe Biden said in a statement that the government is using its “full strength” to “disrupt malicious cyber activity and actors” and that the arrests and financial seizures were part of its efforts to “hold accountable those that threaten our security.” Acting US Attorney Chad E. Meacham said that the Justice Department “will delve into the darkest corners of the internet and the furthest reaches of the globe to track down cyber criminals.”

Unsealed Vasinskyi Indictment:

Unsealed Polyanin Indictment:



Feds reportedly take down top ransomware hacker group REvil with a hack of their own

The government has successfully hacked the hacking group REvil, the entity behind the ransomware that’s been linked to leaked Apple product schematics, attacks on enterprise software vendors, and more, according to a report from Reuters. The outlet’s sources tell it that the FBI, Secret Service, Cyber Command, and organizations from other countries have worked together to take the group’s operations offline this month. The group’s dark web blog, which published information stolen from its targets, is also reportedly offline.

Reports about the group going offline started surfacing earlier this week, with TechCrunch writing that its Tor website was no longer available on Monday. There was speculation of a hack, fueled by a forum post from one of the group’s suspected leaders saying that its server was “compromised,” but at the time, it was unclear who was responsible. Reuters cites sources that say the government’s operation against ransomware hackers, including REvil, is still ongoing.

The US is slowly turning the screws on groups associated with ransomware, as the attacks become more and more costly for companies (one company reportedly paid a $40 million ransom to restore its operations). The Treasury imposed sanctions that make it harder for attackers to cash out ransom payments, and the Department of Justice created a team for investigating crimes involving cryptocurrency and the exchanges that handle it, citing the impact of ransomware several times in its announcement.

REvil has had plenty of heat on it due to the high-profile or high-impact nature of the attacks it’s linked to. It’s blamed for an attack on an Apple supplier that leaked schematics of the MacBooks that launched this week, as well as attacks on massive meat processor JBS, IT management software developer Kaseya, Travelex, and Acer. The group was named by the US Treasury’s Financial Crimes Enforcement Network as one of the biggest ransomware groups in terms of reported payouts.

REvil has gone offline before — its site disappeared from the dark web in July, just a month after the FBI said the group was responsible for bringing down JBS, a company responsible for a fifth of the world’s meat supply.

It’s always possible that the group could come back, though trying to recover from going down in July is reportedly what opened it up to attacks from the US in the first place. According to Reuters’ sources, one of the group’s members restored a backup and unwittingly included systems compromised by law enforcement. A Russian security expert tells Reuters that infecting backups is a tactic commonly used by REvil itself.



REvil ransomware attacks systems using Kaseya’s remote IT management software

Just in time to ruin the holiday weekend, ransomware attackers have apparently used Kaseya VSA, a software platform designed to help manage IT services remotely, to deliver their payload. Sophos director and ethical hacker Mark Loman tweeted about the attack earlier today, and now reports that affected systems display a ransom demand of $44,999 to be unlocked. A note on Kaseya’s website implores customers to shut off their VSA servers for now “because one of the first things the attacker does is shut off administrative access to the VSA.”

According to a report from Bleeping Computer, the attack targeted six large MSPs and has encrypted data for as many as 200 companies.

At DoublePulsar, Kevin Beaumont has posted more details about how the attack seems to work: the REvil ransomware is delivered through VSA as if it were a Kaseya update and runs with the platform’s administrative privileges on the managed machines. Because Managed Service Providers use VSA to manage their clients’ systems remotely (network management, system updates, and backups, among other things), a compromised MSP server can push the payload out to every client endpoint it manages in a single step.
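The one-to-many push described above is also what makes this kind of abuse visible: a single job that reaches almost the whole managed fleet, right after administrative access has been cut, looks nothing like routine patching. The following detector is an added example and is not code from Kaseya, from DoublePulsar or from the original article. The JSON-lines audit format, the event names (`deploy`, `admin_disabled`) and the operator names are constructed assumptions for illustration; Kaseya VSA’s real audit log schema is not described on this page and is not assumed here.

```python
"""Fan-out detector for RMM deployment audit events (added example).

Assumption: the RMM emits one JSON object per line with a timestamp, an
event name, the operator, and for deploy jobs the number of targets and the
size of the managed fleet. This schema is constructed for the example; it is
not Kaseya VSA's real log format.
"""
import json
from datetime import datetime, timedelta

# Constructed sample log: two operators doing small routine jobs, then admin
# accounts being disabled and a single job pushed to almost every endpoint.
SAMPLE_LOG = """\
{"ts":"2021-07-02T14:01:00Z","event":"deploy","operator":"ops-a","job":"patch-123","targets":12,"managed":400}
{"ts":"2021-07-02T15:10:00Z","event":"deploy","operator":"ops-a","job":"patch-124","targets":9,"managed":400}
{"ts":"2021-07-02T16:30:00Z","event":"deploy","operator":"ops-b","job":"av-sig-7","targets":40,"managed":400}
{"ts":"2021-07-02T16:55:00Z","event":"admin_disabled","operator":"system","account":"ops-a"}
{"ts":"2021-07-02T16:56:00Z","event":"admin_disabled","operator":"system","account":"ops-b"}
{"ts":"2021-07-02T17:00:00Z","event":"deploy","operator":"system","job":"hotfix","targets":398,"managed":400}
"""


def parse_events(text):
    """Parse JSON-lines audit events and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_mass_push(events, fanout_ratio=0.5, baseline_factor=5,
                     admin_window=timedelta(minutes=15)):
    """Flag deploy jobs that reach a large share of the fleet.

    A job is flagged when it targets at least `fanout_ratio` of managed
    endpoints, or more than `baseline_factor` times the largest job the same
    operator has run before. Each finding records how many admin accounts
    were disabled in the `admin_window` before the job, since removing
    administrators before the push is the behaviour Kaseya's own advisory
    describes.
    """
    findings = []
    disabled_at = []          # timestamps of admin_disabled events so far
    largest_seen = {}         # operator -> largest fan-out before this job
    for ev in events:
        if ev["event"] == "admin_disabled":
            disabled_at.append(ev["ts"])
            continue
        if ev["event"] != "deploy":
            continue
        ratio = ev["targets"] / ev["managed"]
        prior = largest_seen.get(ev["operator"])
        over_baseline = prior is not None and ratio > baseline_factor * prior
        if ratio >= fanout_ratio or over_baseline:
            recent = [t for t in disabled_at
                      if ev["ts"] - admin_window <= t <= ev["ts"]]
            findings.append({
                "job": ev["job"],
                "operator": ev["operator"],
                "fanout": ratio,
                "over_operator_baseline": over_baseline,
                "admins_disabled_before": len(recent),
            })
        largest_seen[ev["operator"]] = max(prior or 0.0, ratio)
    return findings


if __name__ == "__main__":
    for finding in detect_mass_push(parse_events(SAMPLE_LOG)):
        print(finding)
```

The absolute fan-out threshold catches the case on this page, where nearly the whole fleet is hit at once; the per-operator baseline catches a quieter variant where a legitimate account is reused for a job far larger than anything it has run before. The `admins_disabled_before` count is context rather than a second condition, so a large but legitimate rollout still surfaces and can be triaged.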

In a statement, Kaseya told The Verge that “We are investigating a potential attack against the VSA that indicates to have been limited to a small number of our on-premises customers only.” A notice claims that all of its cloud servers are now in “maintenance mode,” a move that the spokesperson said is being taken due to an “abundance of caution.” Later on Friday evening, Kaseya CEO Fred Voccola issued a statement saying they estimate the number of MSPs affected is fewer than 40, and are preparing a patch to mitigate the vulnerability.

Today’s attack has been linked to the notorious REvil ransomware gang (already linked to attacks on Acer and meat supplier JBS earlier this year), and The Record notes that, counting incidents attributed to the gang under more than one name, this may be the third time Kaseya software has been a vector for their exploits.

Beginning around mid-day (EST/US) on Friday July 2, 2021, Kaseya’s Incident Response team learned of a potential security incident involving our VSA software.

We took swift actions to protect our customers:

Immediately shut down our SaaS servers as a precautionary measure, even though we had not received any reports of compromise from any SaaS or hosted customers;

Immediately notified our on-premises customers via email, in-product notices, and phone to shut down their VSA servers to prevent them from being compromised.

We then followed our established incident response process to determine the scope of the incident and the extent that our customers were affected.

We engaged our internal incident response team and leading industry experts in forensic investigations to help us determine the root cause of the issue;

We notified law enforcement and government cybersecurity agencies, including the FBI and CISA.

While our early indicators suggested that only a very small number of on-premises customers were affected, we took a conservative approach in shutting down the SaaS servers to ensure we protected our more than 36,000 customers to the best of our ability. We have received positive feedback from our customers on our rapid and proactive response.

While our investigation is ongoing, to date we believe that:

Our SaaS customers were never at-risk. We expect to restore service to those customers once we have confirmed that they are not at risk, which we expect will be within the next 24 hours;

Only a very small percentage of our customers were affected – currently estimated at fewer than 40 worldwide.

We believe that we have identified the source of the vulnerability and are preparing a patch to mitigate it for our on-premises customers that will be tested thoroughly. We will release that patch as quickly as possible to get our customers back up and running.

I am proud to report that our team had a plan in place to jump into action and executed that plan perfectly today. We’ve heard from the vast majority of our customers that they experienced no issues at all, and I am grateful to our internal teams, outside experts, and industry partners who worked alongside of us to quickly bring this to a successful outcome.

Today’s actions are a testament to Kaseya’s unwavering commitment to put our customers first and provide the highest level of support for our products.

— Fred Voccola, CEO of Kaseya

Update July 2nd, 10:40PM ET: Added statement from Kaseya CEO.



FBI names REvil as the group behind meat supplier cyberattack

The FBI has said that cybercriminal group REvil (also known as Sodinokibi) was behind the recent attack on meat supplier JBS (via The Record). This follows a statement from White House deputy press secretary Karine Jean-Pierre, which indicated that the attack likely came from a Russia-based organization.

REvil has previously been implicated in the recent Apple and Acer ransomware attacks, as well as last year’s Travelex attack. The JBS intrusion, however, could have wide-ranging effects: the company is the world’s largest meat processor, and the incident shut down some of the largest slaughterhouses in the US.

This is the second major attack on US infrastructure by suspected Russian cybercriminals that we’ve seen in as many months: the Colonial Pipeline attack last month was also believed to have been carried out by a group based in that country. While JBS is headquartered in Brazil, the company says the affected plants were in the US, Canada, and Australia.
