Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label REvil Hacker group. Show all posts

The Reaction of Russian Hackers to the Arrests of REvil Became Known


Russian hackers have made their own security issues a priority after the arrests of other cybercriminals, including from the REvil group. Dmitry Volkov, CEO, and founder of Group-IB spoke about this reaction of the darknet to the events taking place. "Security and anonymity have become priorities after the precedents with the shutdown of REvil servers, the arrests of members of the group, as well as the detention in Russia of criminals who helped to cash out the incomes of cybercriminals. Another catalyst for this was the release of the fight against ransomware to the state level,” Mr. Volkov said. 

At the same time, partner programs that distribute ransomware on the dark web have become more closed. Now only those who are personally acquainted with its organizer can take part in such a project. According to Group-IB analysts, all this is happening against the background of the consolidation of the darknet around ransomware and the groups involved in it. 

"The entire criminal underground unites around ransomware. Everyone found a job: both those who sell access to hacked companies, those who attack them, and those who negotiate for ransom or post stolen data on the darknet. New groups will constantly appear in this market, reassembled from previous associations," Mr. Volkov is sure. 

According to Group-IB, the main list of victims at the country level, as well as the industry preferences of hackers remained unchanged. Globally, almost half of ransomware attacks are in the US (49.2 percent in 2021). Canada (5.6 percent) and France (5.2 percent) followed closely behind. Manufacturing enterprises are most often attacked (9.6 percent of attacks), the real estate sector (9.5 percent), and the transport industry (8.2 percent). 

"This became apparent after the ransomware attack on a hospital in Germany, which killed a person, and also after the attack on the Colonial Pipeline, which attracted the attention of US authorities. At the same time, individual groups, of course, can violate these unspoken prohibitions,” Mr. Volkov concluded.

BlackCat Ransomware Gang Employing Novel Techniques to Target Organizations

 

Last year in December, malware researchers from Recorded Future and MalwareHunterTeam unearthed ALPHV (aka BlackCat), the first professional ransomware strain that was designed in the Rust programming language. In this post, we will explore some of the methodologies employed by ransomware developers to target organizations.

According to an analysis published last month by Varonis, BlackCat was observed recruiting operators from multiple ransomware organizations, offering to allow affiliates to leverage the ransomware and keep 80-90% of the ransom payment.

“The group’s leak site, active since early December 2021, has named over twenty victim organizations as of late January 2022, though the total number of victims, including those that have paid a ransom to avoid exposure, is likely greater,” Varonis’s Jason Hill explained. 

The attackers leveraging BlackCat, often referred to as the "BlackCat gang,” employ multiple tactics that are becoming increasingly commonplace in the ransomware space. Notably, they use several extortion techniques in some cases, including the siphoning of victim data before ransomware deployment, threats to release data if the ransom is not paid, and distributed denial-of-service (DDoS) attacks.

According to cybersecurity researchers at Recorded Future, the ALPHV/BlackCat developer was previously involved with the REvil ransomware gang. Last month, the Russian government disclosed that at the United States’ request it arrested 14 individuals in Russia linked to the REvil ransomware gang.

Still, REvil rolls on despite these actions, according to Paul Roberts at ReversingLabs. “The recent arrests have NOT led to a noticeable change in detections of REvil malicious files,” Roberts wrote. “In fact, detections of files and other software modules associated with the REvil ransomware increased modestly in the week following the arrests by Russia’s FSB intelligence service.” 

Meanwhile, the U.S. State Department has a standing $10 million reward for information leading to the identification or location of any individuals holding key leadership positions in REvil. 

As of December 2021, BlackCat has the seventh-largest number of victims listed on their leak site among ransomware groups tracked by Unit 42 researchers. While Conti (ranked second) has been around in various guises for almost two years, it is surrounded at the top of the chart by emerging families.

Group-IB: REvil hackers detention may affect Russian companies



Experts believe that the arrest of the REvil hacker group can create temporary problems for cybercriminals in Russia, but this may affect the well-being of Russian companies. 

 "At the moment, we do not see a significant decrease in the number of ransomware attacks. As for REvil, they have not been active for several months anyway. At the same time, this situation may negatively affect Russian companies. Russian-speaking cybercriminals may attack them more actively", said Oleg Skulkin, head of Group-IB Computer Forensics Laboratory. 

The company clarified that for a long time many Russian-speaking hackers "did not work in Russia and the CIS", as it was unsafe. However, over the past two years, attacks using ransomware in Russia and the CIS have become more frequent. And the detention of REvil can spur them on because after successful international operations they can forget about the unspoken prohibitions. 

At the same time, the expert did not rule out that cybercriminals may temporarily have problems. "Of course, they may have difficulties with cashing out funds obtained illegally. Perhaps some of the partners will stop their activities for some time," Skulkin said. 

After the detention of REvil, hacker gangs in Russia may hide or slightly reduce the intensity of attacks, but they will definitely not give up on them, says Pavel Korostelev, head of the product promotion department of the Security Code company. 

"Now hackers will probably wait until the dust settles, but gangs don't have a single control center that says: 'Stop, no more attacks'. It's a way of making money, so there will always be people willing to take risks. If a business will get better, it won't be for long," the expert said. 



REvil hacker group activity stopped in Russia

The Federal Security Service of Russia stopped the activities of the hacker group REvil, which was engaged in the theft of money using malware.

The operation was carried out in cooperation with the Investigative Department of the Ministry of Internal Affairs throughout Russia. According to the FSB, hackers developed malicious software, organized the theft of money from foreign bank accounts, and cashed them, including by purchasing expensive goods on the Internet.

"The appeal of the competent US authorities served as the basis for the search activities that reported the leader of the criminal community and his involvement in encroachments on the information resources of foreign high-tech companies," the FSB said.

The FSB of Russia has established the full composition of the REvil criminal community and the involvement of its members in the illegal turnover of payment funds, documentation of illegal activities has been carried out.

REvil has ceased to exist. According to the FSB, at 25 addresses of the places of residence of 14 members of the organized criminal community, over 426 million rubles ($5.5 million) were seized, including in cryptocurrency, $600 thousand, €500 thousand, as well as computer equipment, crypto wallets used to commit crimes, 20 premium cars purchased with funds obtained by criminal means.

"As a result of the joint actions of the FSB and the Ministry of Internal Affairs of Russia, the organized criminal community has ceased to exist, the information infrastructure used for criminal purposes has been neutralized. Representatives of the competent US authorities have been informed about the results of the operation," the FSB reported.

The REvil group is considered one of the most active hacker groups in the world. It has committed several major attacks, including against Apple and the Texas government.

It is worth noting that in the summer of 2021, according to The New York Times, after a conversation about REvil, which took place between US President Joe Biden and Russian leader Vladimir Putin at a summit in Switzerland, hackers disappeared from the darknet. Then the American president called on the Russian Federation to take measures to suppress the activities of cyber criminals operating on its territory.