Vitaly Kremez Archives – Gridinsoft Blog https://gridinsoft.com/blogs/tag/vitaly-kremez/ Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe. Tue, 06 Dec 2022 17:24:44 +0000 en-US hourly 1 https://wordpress.org/?v=99630 200474804 Hack group REvil deceived their partners due to a backdoor https://gridinsoft.com/blogs/hack-group-revil-deceived-their-partners/ https://gridinsoft.com/blogs/hack-group-revil-deceived-their-partners/#respond Thu, 23 Sep 2021 21:45:42 +0000 https://blog.gridinsoft.com/?p=5952 The researchers found that the creators of REvil deceived their partners using a scheme that allowed them to decrypt any systems blocked by the ransomware and take the entire ransom for themselves. Their partners ended up with nothing. Let me remind you that REvil (aka Sodinokibi) has existed since 2019 and is considered to be… Continue reading Hack group REvil deceived their partners due to a backdoor

The post Hack group REvil deceived their partners due to a backdoor appeared first on Gridinsoft Blog.

]]>
The researchers found that the creators of REvil deceived their partners using a scheme that allowed them to decrypt any systems blocked by the ransomware and take the entire ransom for themselves.

Their partners ended up with nothing.

Such rumors have been circulating on hacker forums for a long time, but recently they were confirmed by cybersecurity researchers and malware developers. the Bleeping Computer media reports.

Let me remind you that REvil (aka Sodinokibi) has existed since 2019 and is considered to be the heir of the GandCrab ransomware. The ransomware operates according to the Ransomware-as-a-Service (RaaS, ransomware-as-a-Service) scheme, that is, malware developers deal directly with malware and payment sites, and their hired partners hack victims’ networks and encrypt devices. As a result, the ransom payments are distributed between the hack group itself and its partners, with the latter usually receiving 70-80% of the total.

Evgeny Boguslavsky, a specialist at Advanced Intel, told reporters that since at least 2020, there have been rumours on hacker forums that the creators of REvil often negotiate with victims in secret chats, while their partners do not even know about it. These rumours began to appear more often after the sudden disappearance of the ransomware DarkSide and Avaddon (the operators of the latter generally published decryption keys for their victims).

People who worked with REvil took part in these discussions, for example, the group’s partners who provided hackers with access to other people’s networks, ‘penetration testing’ services, VPN specialists, and so on.the expert said.

According to Boguslavsky, REvil administrators sometimes create a second chat, identical to the one that their partners use to negotiate with the victim. When negotiations reach a critical point, the creators of REvil step in and portray a victim who supposedly abruptly breaks off negotiations, refusing to pay the ransom. In fact, the REvil authors themselves continue negotiations with the victims, take the entire ransom and leave their partners with nothing.

Recently, these rumours have become more substantiated, as the reverse engineer reported on hack forums that the REvil malware, which RaaS operators provide to their partners for deployment on victims’ networks, contains a “cryptobackdoor”. The discovery came after Bitdefender released a versatile tool to decrypt data after the REvil attacks.

Interestingly, full control over what is happening and the ability to decrypt any system is a practice that other ransomware uses as well. So, Boguslavsky says that, according to rumours, the DarkSide operators worked the same way. After rebranding to BlackMatter, the attackers openly announced this practice, making everyone understand that they reserve the right to take over negotiations at any time without giving any reason.

The head of Advanced Intelligence, Vitaly Kremez, told Bleeping Computer that the latest REvil samples that have appeared recently, after the group restored activity, no longer has a master key that would allow decrypting any system that was blocked by REvil.

The post Hack group REvil deceived their partners due to a backdoor appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/hack-group-revil-deceived-their-partners/feed/ 0 5952
Attackers Hacked OGUsers Hacking Forum Again https://gridinsoft.com/blogs/attackers-hacked-ogusers-hacking-forum-again/ https://gridinsoft.com/blogs/attackers-hacked-ogusers-hacking-forum-again/#respond Thu, 29 Apr 2021 16:10:14 +0000 https://blog.gridinsoft.com/?p=5429 Recently, the media reported that attackers hacked one of the most popular hacking forums on the Internet, OGUSERS (aka OGU) again, for the second time in the last year. Then an unknown attacker stole the data of 200,000 users, according to the official statistics of users indicated on the forum. As a result, OGUSERS was… Continue reading Attackers Hacked OGUsers Hacking Forum Again

The post Attackers Hacked OGUsers Hacking Forum Again appeared first on Gridinsoft Blog.

]]>
Recently, the media reported that attackers hacked one of the most popular hacking forums on the Internet, OGUSERS (aka OGU) again, for the second time in the last year. Then an unknown attacker stole the data of 200,000 users, according to the official statistics of users indicated on the forum.

As a result, OGUSERS was temporarily disabled and put into maintenance mode, and users were notified of a password reset, urging everyone to turn on two-factor authentication for their accounts so that the stolen data could not be used to hack accounts.

Let me remind you that another OGUSERS hack occurred in May 2019. Then the attackers entered the server through a vulnerability in one of the custom plugins and gained access to a backup dated December 26, 2018. The site was then hacked again in November 2020.

OGUSERS started out as a website selling stolen accounts on a wide variety of platforms and services.

But if it all started with ‘interesting’ social media accounts (Twitter, Instagram) with unique or short usernames, it later developed into a full-fledged resource for the sale of any accounts, including user accounts of PlayStation Network, Steam, Domino’s Pizza and etc.media talk about the forum.

In addition, Motherboard reporters turned their attention to OGUSERS back in 2018, when they were preparing a series of articles on the increasing cases of SIM card fraud. Such attacks with the capture of someone else’s phone numbers are used to steal accounts on social networks, steal large amounts of cryptocurrency, and so on. OGUSERS is one of the largest trading platforms where accounts stolen under such circumstances were sold.

As the information security company KELA now reports, the administrator of the OGUsers forum said that the site was hacked again, as unknown persons uploaded the web shell to the server. At first, the site administration doubted that the database was damaged, but soon a rival hack forum began selling the stolen OGUsers database for $3,000.

Hacked OGUsers Forum

Bleeping Computer, citing its own sources, writes that OGusers were hacked on April 11, 2021, and the attackers had full access to the database dump. The database included records of approximately 350,000 users and private messages.

A source told the publication that OGUsers uses a variety of plug-ins that contain vulnerabilities that attackers can chain together to install a web shell.

Vitaly Kremez, head of Advanced Intel, says that such leaks from criminal forums may be beneficial to law enforcements and information security researchers:

This OGUsers leak could potentially help identify cybercriminals via email and IP addresses and then link this information to their real identities. Previous OGUsers leaks contained important clues that helped uncover cybercriminal operations, especially related to fraud and hijacking of cryptocurrency accounts, as well as operations to swap SIM cards.

Let me remind you that I talked about the fact that the Netherlands police posted warnings on hacker forums.

The post Attackers Hacked OGUsers Hacking Forum Again appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/attackers-hacked-ogusers-hacking-forum-again/feed/ 0 5429