WebProNews

Tag: REvil

  • Government Agencies Hack REvil Ransomware Group, Taking It Offline


    A group of government agencies have gone on the offensive against the REvil ransomware gang.

    REvil is one of the most notorious and prolific ransomware gangs. The gang is responsible for the Kaseya attack, believed to be the largest ransomware attack in history. REvil was also behind the JBS Foods attack, and its associates were responsible for the Colonial Pipeline attack. The group went dark shortly after the Kaseya hack, before reappearing some time later.

    According to Reuters, a group of US agencies, in cooperation with other countries, has hacked REvil, significantly disrupting its operations.

    “The FBI, in conjunction with Cyber Command, the Secret Service and like-minded countries, have truly engaged in significant disruptive actions against these groups,” said Tom Kellermann, VMware head of cybersecurity strategy and adviser to the U.S. Secret Service. “REvil was top of the list.”

    One of REvil’s leaders, “0_neday,” confirmed the group had been attacked.

    “The server was compromised, and they were looking for me,” 0_neday wrote on a cybercrime forum. “Good luck, everyone; I’m off.”

    Reuters reports that 0_neday is notable as one of the individuals who helped the group resume operations after the Kaseya attack, and who inadvertently led to its demise. Following the Kaseya attack, law enforcement was able to obtain a decryption key and gain access to some of the group’s servers. After REvil’s websites went offline, 0_neday evidently restored the websites from backups, unaware the backups were made after the group’s servers had been compromised. This once again opened the door for law enforcement to mount their offensive.

    It’s too soon to know if REvil has been dealt a fatal blow, but the disruption is certain to be a welcome respite.

  • REvil Is Back!


    REvil, one of the most notorious ransomware gangs, is back after its servers went offline two months ago.

    REvil is a gang of hackers, believed to be operating from Russia, that specializes in ransomware attacks. The group was behind the Kaseya attack, the biggest ransomware attack in history.

    Two months ago REvil went dark, with their servers going offline. Even their “leak site” went down. While servers for ransomware gangs often go down, as we pointed out then, it’s unusual for all of them to go down at once. Some experts believed the gang may have shut down operations in response to increased pressure after the Kaseya attack.

    Despite the seeming good news, experts warned organizations not to become complacent, and that REvil’s operators would likely show up somewhere, one way or another.

    According to security researchers, it appears that’s exactly what’s happened, as the group’s servers are once again active on the Dark Web.

    The revelation is bad news for organizations around the world, and underscores the importance of continued vigilance.

  • FBI Has More Than 100 Ransomware Groups on its Radar


    The FBI is currently keeping tabs on more than 100 ransomware groups in the wake of multiple, high-profile attacks.

    Bryan Vorndran, assistant director of the FBI’s cyber division, was testifying before a Senate Judiciary Committee hearing when he divulged the statistic, according to NBC News. Ransomware gangs have already cost untold damage in recent times. Hackers targeted managed software provider Kaseya; shut down JBS, one of the world’s largest meat processors; and crippled fuel supplies on the US East Coast by attacking Colonial Pipeline.

    Some ransomware gangs have gone dark, most notably REvil, the gang behind the Kaseya attack. Similarly, the gang behind the Colonial Pipeline attack has disbanded its Ransomware as a Service (RaaS) operations.

    Assistant Director Vorndran’s revelation echoes what other experts have said, warning that organizations should not get complacent just because some gangs have shut down.

  • Kaseya Has Obtained Ransomware Unlock Key


    The target of the largest ransomware attack in history has obtained the key to unlock impacted systems.

    Kaseya makes IT management software used by companies around the world. As a result, it’s a tempting target for hackers, since compromising its software can potentially compromise thousands of its clients and their clients. This most recent attack compromised as many as 1,500 customers around the world.

    REvil, the gang believed to be behind the ransomware, went dark in the aftermath of the attack. According to The Washington Post, Kaseya has now received the unlock key from a “trusted third party.” The company has verified the universal decryptor key works, and is rolling it out to customers.

    The news is a welcome relief to the victims of the attack, and should speed up their recovery.

  • Experts Warn of Ongoing Danger Despite REvil Going Dark


    Ransomware gang REvil may have gone dark, with its sites offline, but experts are warning against becoming complacent.

    REvil has been behind two recent, high-profile ransomware attacks. The group was behind the attack that crippled JBS, one of the world’s leading meat processors. They were also behind the largest-ever ransomware attack on Kaseya.

    REvil appears to have gone dark, with all of its websites going offline. Some believe the group may have received a subpoena, prompting the group to erase their servers in an effort to avoid prosecution.

    Despite the apparent good news, cybersecurity experts are warning against becoming complacent, as it’s only a matter of time before the group, or at least its members, resurface.

    Toshihiro Koike, CEO of Cyber Security Cloud Inc. (CSC), the provider of the only service on the market that automatically builds, tests and tunes AWS rules and continuously defends against zero-day threats, commented on the news that the REvil hacking group disappeared this afternoon.

    “It doesn’t matter if REvil’s sites have gone dark; the threat of ransomware attacks is constant and the players will just re-emerge elsewhere,” Toshihiro Koike, CEO of Cyber Security Cloud Inc, told WebProNews. “Now is the time for companies to re-evaluate their systems and become proactive about cybersecurity. Every company on Earth is vulnerable to a debilitating ransomware attack, so what are you going to do about it?”

    Koike’s warning should be a sobering reminder to companies large and small to continue securing their networks and services.

  • REvil Ransomware Gang Goes Dark, Puzzling Experts


    The REvil ransomware gang, behind the Kaseya attack, has gone dark and its websites have gone offline.

    REvil successfully pulled off the biggest ransomware attack in history, targeting Kaseya’s software used in managed services around the world. The gang originally demanded a $70 million ransom, later lowering it to $50 million in private talks.

    Despite the gang’s success, or perhaps because of it, the REvil gang appears to have gone dark. Its websites, including the one used as its “leak site,” have all shut down.

    As BleepingComputer points out, it’s not uncommon for some REvil servers to go down, but it’s highly irregular for all of them to go down at once. BleepingComputer also cites evidence to suggest REvil may have shut down and erased their servers in response to a government subpoena.

    It’s believed REvil has been operating out of Russia, and the code in its ransomware seems to specifically avoid computer systems where Russian languages are primary. Nonetheless, President Joe Biden has been putting additional pressure on Vladimir Putin to take action against cybercriminals operating within Russia’s borders.

    “I made it very clear to him that the United States expects when a ransomware operation is coming from his — even though it’s not sponsored by the state — we expect him to act if we give him enough information to act on who that is,” Biden told reporters, regarding a call he had with Putin.

  • Kaseya Had a History of Security Issues Before Ransomware Attack


    Software firm Kaseya had a history of security issues long before the latest one that allowed the biggest ransomware attack in history to occur.

    Kaseya went from relative obscurity to being one of the most well-known software firms in the world, thanks to being ground zero for the worst ransomware attack in history. Kaseya makes software used for managed services. As such, it made for a prime target, since compromising its software would open the door to compromising all the companies that rely on its services. Indeed, as many as 1,500 customers were believed to have been impacted.

    What has become more apparent since the attack, however, is that Kaseya had a history of security issues, issues that likely made it an even more appealing target. According to The Seattle Times, hackers managed to plant “cryptojacking” software in Kaseya’s tool in 2018, hijacking affected computers for crypto mining.

    In 2019, the company’s software was used in another ransomware attack. Experts believe the perpetrators included individuals that later went on to form REvil, the group behind the latest attack. Their experience successfully compromising Kaseya two years ago may very well have played a part in their recent decision-making.

    In 2014, the company’s founders sued the company over a dispute about who was responsible for another cryptocurrency scheme.

    To make matters worse, none of the security issues Kaseya experienced was obscure or hard to predict. In fact, they were all well-understood issues that could easily have been addressed sooner.

    “Kaseya needs to shape up, as does the entire software industry,” Katie Moussouris, the founder and CEO of Luta Security, told The Seattle Times. “This is a failure to incorporate the lessons the bugs were teaching you. Kaseya, like a lot of companies, is failing to learn those lessons.”

    As more companies continue to rely on cloud services, a single vulnerability can have profound repercussions, impacting thousands of companies. As a result, companies that provide managed services will need to make security their number one priority if they wish to avoid Kaseya’s pitfalls.

  • Kaseya Has Fully Restored Servers Following Ransomware Attack


    Software company Kaseya, at the heart of the largest ransomware attack in history, says its services have now been fully restored.

    Kaseya’s software was the target of a ransomware attack by the REvil group. Because Kaseya’s software is used in managed services around the world, as many as 1,500 customers were believed to have been impacted.

    The company has been working hard to restore services, and today announced they have succeeded.

    “The restoration of services is now complete, with 100% of our SaaS customers live as of 3:30 AM US EDT. Our support teams continue to work with VSA On-Premises customers who have requested assistance with the patch.

    “We will continue to post updates as new information becomes available.”

    The attack on Kaseya illustrates the growing cybersecurity issues involved in an ever-connected software industry, where thousands of companies rely on common frameworks, services and applications. Rather than attack each company one-by-one, attacking a common service allowed REvil to cripple far more companies than could be realistically targeted in the same time.

  • Code Behind Kaseya Ransomware Attack Avoiding Russian Systems


    Researchers have discovered that the code behind the Kaseya ransomware attack is designed to avoid Russian-language systems.

    REvil is the hacker group behind the Kaseya attack. While it’s known the individuals behind REvil are Russian-speaking, it is not known whether they enjoy the protection of the Russian government, nor is their exact location known.

    The latest research by Trustwave SpiderLabs, which NBC News obtained exclusively, shows that the code behind the ransomware attack is specifically written to avoid computer systems that use Russian and related languages.

    “They don’t want to annoy the local authorities, and they know they will be able to run their business much longer if they do it this way,” Ziv Mador, Trustwave SpiderLabs’ vice president of security research, told NBC News.

    The revelation will no doubt contribute to the delicate relations between the US and Russia, as pressure mounts to try to force Russia to do more to fight cybercrime.

  • Kaseya Ransomware Victims May Reach 1,500


    Kaseya has acknowledged as many as 1,500 businesses may have been impacted by the ransomware attack targeting its software.

    On July 2, Kaseya began learning of a coordinated attack against its software. Kaseya makes IT management software, and its customers provide managed IT services to somewhere between 800,000 and 1,000,000 small businesses.

    The company says it immediately shut down the software being targeted, although an estimated 800 to 1,500 businesses have been compromised.

    “Our global teams are working around the clock to get our customers back up and running,” said Fred Voccola, CEO, Kaseya. “We understand that every second they are shut down, it impacts their livelihood, which is why we’re working feverishly to get this resolved.”

    The perpetrators appear to be the REvil gang, most recently responsible for the ransomware attack on meat processor JBS. That attack resulted in JBS paying an $11 million ransom to prevent excessive strain on the world’s meat supply.

    In this case, the group initially demanded a $70 million ransom. According to CNBC, REvil has privately lowered the demand to $50 million.