Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label REvil Ransomware. Show all posts

BlackCat Ransomware Gang Employing Novel Techniques to Target Organizations

 

Last year in December, malware researchers from Recorded Future and MalwareHunterTeam unearthed ALPHV (aka BlackCat), the first professional ransomware strain that was designed in the Rust programming language. In this post, we will explore some of the methodologies employed by ransomware developers to target organizations.

According to an analysis published last month by Varonis, BlackCat was observed recruiting operators from multiple ransomware organizations, offering to allow affiliates to leverage the ransomware and keep 80-90% of the ransom payment.

“The group’s leak site, active since early December 2021, has named over twenty victim organizations as of late January 2022, though the total number of victims, including those that have paid a ransom to avoid exposure, is likely greater,” Varonis’s Jason Hill explained. 

The attackers leveraging BlackCat, often referred to as the "BlackCat gang,” employ multiple tactics that are becoming increasingly commonplace in the ransomware space. Notably, they use several extortion techniques in some cases, including the siphoning of victim data before ransomware deployment, threats to release data if the ransom is not paid, and distributed denial-of-service (DDoS) attacks.

According to cybersecurity researchers at Recorded Future, the ALPHV/BlackCat developer was previously involved with the REvil ransomware gang. Last month, the Russian government disclosed that at the United States’ request it arrested 14 individuals in Russia linked to the REvil ransomware gang.

Still, REvil rolls on despite these actions, according to Paul Roberts at ReversingLabs. “The recent arrests have NOT led to a noticeable change in detections of REvil malicious files,” Roberts wrote. “In fact, detections of files and other software modules associated with the REvil ransomware increased modestly in the week following the arrests by Russia’s FSB intelligence service.” 

Meanwhile, the U.S. State Department has a standing $10 million reward for information leading to the identification or location of any individuals holding key leadership positions in REvil. 

As of December 2021, BlackCat has the seventh-largest number of victims listed on their leak site among ransomware groups tracked by Unit 42 researchers. While Conti (ranked second) has been around in various guises for almost two years, it is surrounded at the top of the chart by emerging families.

REvil Ransomware Operations Seem Unaffected by Recent Arrests

 

According to threat intelligence firm ReversingLabs, the REvil (Sodinokibi) ransomware cooperative's operation has not reduced despite Russia's recent arrest of numerous suspected members of the group. 

The Russian law enforcement agency FSB declared the takedown of the REvil organisation "at the request of US authorities" two weeks ago, yet the ransomware-as-a-service (RaaS) business is still running. 

After years of being accused of permitting malicious hackers to flourish within its borders as long as no Russian citizens or organisations are harmed, Russia appeared to be sending a distinct signal with the arrest of 14 members of the REvil group, even if some witnessed it as a political move amidst rising tensions along the Ukraine border. 

The high-profile arrests of affiliates, however, did not halt REvil operations, as ReversingLabs points out. In reality, the group is operating at the same speed as it was before the arrests. 

Europol reported the arrests of seven people engaged in the spread of REvil and GandCrab ransomware assaults in November 2021 (during seven months), at a time when ReversingLabs was seeing an average of 47 new REvil implants per day (326 per week). 

This was greater than September (43 new implants per day - 307 per week) and October (22 new daily implants - 150 per week), but far lower than July (87 per day - 608 per week) when the group went offline. Following the arrests in Russia, the number of REvil implants observed jumped from 24 per day (169 per week) to an average of 26 per day (180 per week). 

“While it's true that more time may be needed to assess the full impact of the arrests on REvil’s activity, the data so far would suggest that it is ‘business as usual’ for the ransomware gang,” ReversingLabs noted. ReversingLabs senior threat researcher Andrew Yeates stated.

“Threat groups exploit regionalised regulation and distributed organizational structure with sovereign state safe housing, all while leveraging a ‘no-rule’ borderless attack strategy. That makes it ever harder for national and international criminal policing organizations to put an end to threat groups such as REvil.” 

While synchronised action against REvil infrastructure may have had short-term repercussions on the RaaS's prevalence, much stronger action is required to truly stop the cybercrime ring's operations, especially given the group's corporation-like structure, where affiliates launch attacks and receive payments. 

As a result, removing simply affiliates does not affect the core of the RaaS, allowing it to continue operating. Affiliates, on the other hand, can either rebuild the enterprise or relocate to a new RaaS if only the core is removed, and this is relevant for other comparable cybercriminal groups as well.