REvil Ransomware Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/revil-ransomware/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Sun, 03 Jul 2022 12:59:07 +0000

After REvil shut down, members of the hack group DarkSide hastily moved $7 million
https://gridinsoft.com/blogs/members-of-the-darkside-hastily-moved-7-million/
Mon, 25 Oct 2021 16:55:10 +0000

Information security specialists noticed that at the end of last week, the funds of the DarkSide hack group began to move: the attackers hastily moved about $7 million to other wallets.

Moreover, with each new transaction, a smaller amount is transferred, which makes it difficult to track money.

The CEO and co-founder of Profero was the first to notice the transfers and announced on Twitter that 107 bitcoins (about $7 million) had moved from the group’s wallet to another wallet. He emphasized that the money is clearly still controlled by the hackers themselves, since law enforcement agencies usually just move seized assets to a new wallet under their control and do not try to break the funds into smaller pieces.


As the blockchain analysis company Elliptic reported a little later, DarkSide’s cryptocurrency is passing through a chain of different wallets, and in the process the amount has already decreased from 107.8 BTC to 38.1 BTC. This is a typical money laundering scheme: splitting the funds across many wallets makes them harder to track and helps criminals convert cryptocurrency to fiat. According to Elliptic, this process is still ongoing, and small amounts have already been transferred to well-known exchanges.

(Image: withdrawal scheme)

Interestingly, DarkSide funds were set in motion shortly after the media reported that law enforcement was behind the cessation of another well-known hack group, REvil, by attacking the criminals’ infrastructure.

The fact is that DarkSide has also received a lot of attention, especially last summer when it hacked one of the largest pipeline operators in the United States, Colonial Pipeline. This incident forced the American authorities to declare a state of emergency in a number of states and became the straw that broke the camel’s back: law enforcement agencies paid much closer attention to ransomware, and hacker forums rushed to ban advertising of ransomware altogether.

A week after the attack, and the unwelcome government attention it brought to the hackers, DarkSide announced it would cease operations. At that time the group claimed that it had lost control of some servers and cryptocurrency wallets (that is, its own money). However, in July, the hackers rebranded themselves by launching a new infrastructure and malware called BlackMatter.

It looks like now, after what happened to REvil, hackers want to make sure they don’t lose their funds a second time. Moreover, a few days earlier, the American authorities issued a warning about BlackMatter’s activities, stating that the ransomware had already attacked “several critical US infrastructures.”

REvil ransomware stopped working again, now after hacking sites
https://gridinsoft.com/blogs/revil-stopped-working-again/
Mon, 18 Oct 2021 16:04:44 +0000

The REvil encryptor stopped working again – all operations were stopped, as an unknown person hacked the group’s website, through which hackers accepted payments from victims and “leaked” data stolen from companies.

Bleeping Computer reports that all Tor sites of the group have been disabled, and a representative of REvil posted a message on the XSS hacker forum that someone had taken over the attacker’s domains.


Recorded Future specialist Dmitry Smilyanets was the first to notice this message. He reported that an unknown person had seized the hackers’ onion domains using the same private keys as the REvil websites; apparently, the unknown person had access to backups of the hack group’s sites.

“Since today, someone brought up the hidden services of the landing page and blog with the same keys as ours, so my fears were confirmed. The third party has backups with keys from onion-services,” writes a REvil representative under the nickname 0_neday on the forum.

The fact is that to start an onion domain, a user needs to generate a private/public key pair, which is used to initialize the service: the onion address itself is derived from the public key. The private key must be protected and available only to administrators, because anyone who has access to it can run the same onion service on their own server and it will answer at the same address. Since the third party was able to take over the REvil domains, this means that it also had access to the group’s private keys.

Although at first the hackers did not find any signs of server compromise, they still decided to stop operations. The group’s partners were asked to contact the REvil operators through Tox to obtain decryption keys.

This is done so that the partners can continue the extortion on their own and provide the victims with a decoder if they pay the ransom.

Later, 0_neday reported that the group’s server had been compromised and that an unknown attacker was targeting REvil.


Bleeping Computer notes that this time, REvil has probably stopped working completely. The fact is that recently the ransomware has already “disappeared from the radar” after scandalous attacks on clients of the well-known MSP solution provider Kaseya and JBS, the world’s largest supplier of beef and poultry, as well as the second largest pork producer.

Although REvil eventually returned a few months later, some cybercriminals and information security experts believed that the FBI or other law enforcement agencies had gained access to the group’s servers and controlled them since the restart. After all, while REvil was inactive, Kaseya somehow obtained a universal key to decrypt its customers’ data.

At the time, many believed that Russian law enforcement officers had received the decryption key from the attackers themselves and handed it over to the FBI as a gesture of goodwill. But it seems that this is not so: the FBI said it has no evidence that Russia is taking any action against cybercriminals.

In addition, in the past, a member of the group known as Unknown or UNKN has posted advertisements or the latest news about REvil operations on hacker forums. After restarting the operations of the ransomware, he disappeared, and the hackers themselves wrote that Unknown was probably arrested. What happened to him is still not known for certain; according to journalists, the current hack may be associated with Unknown and his attempts to regain control.

It is also important that after the restart, REvil’s reputation suffered, and the ransomware operators tried to attract new partners by any means. It got to the point that they offered a commission increase of up to 90%, just to encourage other attackers to work with them.

Hack group REvil deceived their partners due to a backdoor
https://gridinsoft.com/blogs/hack-group-revil-deceived-their-partners/
Thu, 23 Sep 2021 21:45:42 +0000

The researchers found that the creators of REvil deceived their partners using a scheme that allowed them to decrypt any systems blocked by the ransomware and take the entire ransom for themselves.

Their partners ended up with nothing.

Such rumours have been circulating on hacker forums for a long time, but recently they were confirmed by cybersecurity researchers and malware developers, Bleeping Computer reports.

Let me remind you that REvil (aka Sodinokibi) has existed since 2019 and is considered to be the heir of the GandCrab ransomware. The ransomware operates according to the Ransomware-as-a-Service (RaaS) scheme: the malware developers maintain the malware itself and the payment sites, while their hired partners (affiliates) hack victims’ networks and encrypt devices. The ransom payments are then split between the hack group itself and its partners, with the latter usually receiving 70-80% of the total.

Evgeny Boguslavsky, a specialist at Advanced Intel, told reporters that since at least 2020, there have been rumours on hacker forums that the creators of REvil often negotiate with victims in secret chats, while their partners do not even know about it. These rumours began to appear more often after the sudden disappearance of the ransomware DarkSide and Avaddon (the operators of the latter generally published decryption keys for their victims).

“People who worked with REvil took part in these discussions, for example, the group’s partners who provided hackers with access to other people’s networks, ‘penetration testing’ services, VPN specialists, and so on,” the expert said.

According to Boguslavsky, REvil administrators sometimes create a second chat, identical to the one that their partners use to negotiate with the victim. When negotiations reach a critical point, the creators of REvil step in and portray a victim who supposedly abruptly breaks off negotiations, refusing to pay the ransom. In fact, the REvil authors themselves continue negotiations with the victims, take the entire ransom and leave their partners with nothing.

Recently, these rumours have become more substantiated, as a reverse engineer reported on hack forums that the REvil malware, which the RaaS operators provide to their partners for deployment on victims’ networks, contains a “cryptobackdoor”: a master key held by the developers that allows them to decrypt any victim regardless of the affiliate’s key. The discovery came after Bitdefender released a universal tool to decrypt data after REvil attacks.

Interestingly, full control over what is happening and the ability to decrypt any system is a practice that other ransomware uses as well. So, Boguslavsky says that, according to rumours, the DarkSide operators worked the same way. After rebranding to BlackMatter, the attackers openly announced this practice, making everyone understand that they reserve the right to take over negotiations at any time without giving any reason.

The head of Advanced Intel, Vitaly Kremez, told Bleeping Computer that the latest REvil samples, which appeared after the group restored its activity, no longer contain a master key that would allow decrypting any system blocked by REvil.

FBI Kept Secret Key To Decrypt Data After REvil Attacks
https://gridinsoft.com/blogs/fbi-kept-secret-key-to-decrypt-data-after-revil-attacks/
Wed, 22 Sep 2021 16:11:48 +0000

Journalists of The Washington Post found out how the FBI obtained the key to decrypt data affected by the attacks of the REvil ransomware.

First, the background should be recalled: last week Bitdefender published a universal utility for decrypting files affected by attacks of the REvil (Sodinokibi) ransomware. The tool works for any data encrypted before July 13, 2021.

At the time, experts reported that the tool was created in collaboration with “trusted law enforcement partners,” but the company declined to disclose any details, citing an ongoing investigation. According to people familiar with the matter, the partner was not the FBI.

July 13 is mentioned above for a reason, as on this day the entire REvil infrastructure went offline without explanation. The hacker group completely “disappeared from the radar” for a while, and as a result, many companies were left without the ability to recover their data, even if they were willing to pay the hackers a ransom.

It is important that not long before this, in early July 2021, REvil operators carried out a large-scale attack on the customers of the well-known MSP solution provider Kaseya. As a result, the cybercriminals deployed the ransomware in thousands of corporate networks, and law enforcement agencies and authorities took a keen interest in the hackers.

Then, when the group had already “disappeared”, representatives of the affected Kaseya unexpectedly announced that they had a universal key to decrypt customer data. At the time the company refused to disclose where this tool came from, limiting itself to a vague “from a trusted third party.”

However, the company assured that it is universal and suitable for all affected MSPs and their clients. Moreover, before sharing the tool with clients, Kaseya required them to sign a non-disclosure agreement.

As the Washington Post now reports, the assumptions of many cybersecurity experts were correct: Kaseya really did receive the key from FBI representatives. Law enforcement officials say they infiltrated the hack group’s servers and extracted a key from there, which ultimately helped to decrypt data on 1,500 networks, including those of hospitals, schools and enterprises.

However, the FBI did not immediately share the key with the victims and the company. For about three weeks, the FBI kept the key secret, intending to carry out an operation to eliminate the hack group and not wanting to reveal their cards to the criminals. But the law enforcement officers did not have time: as a result, the REvil infrastructure went offline before the operation began. Then Kaseya was given the key to decrypt the data, and Emsisoft experts prepared a special tool for the victims.

“We make these decisions collectively, not unilaterally. These are challenging decisions designed to have maximum impact, and fighting such adversaries takes time, which we spend on mobilizing resources not only across the country but around the world,” FBI Director Christopher Wray told Congress.

Journalists note that due to the resulting delay, it was already too late for many of the victims. For example, the publication quotes a representative of JustTech, which is one of the clients of MSP Kaseya.

The company spent more than a month restoring the systems of its customers, as restoring from backups or replacing the system is an expensive and time-consuming process:

“There were more and more people who cried on the phone, asking how to continue their work. One person said, ‘Should I just retire? Should I just fire all my employees?’”

Swedish grocery chain Coop, also affected by the attack, said it still does not know how much it would cost to temporarily close its stores:

“We had to close about 700 stores and it took six days for all of them to reopen. The financial impact of what happened depends on several factors, including lost sales, as well as insurance, and the extent to which it will cover what happened.”

Added utility for decrypting data after REvil attacks
https://gridinsoft.com/blogs/added-utility-for-decrypting-data-after-revil-attacks/
Fri, 17 Sep 2021 16:13:51 +0000

The Romanian company Bitdefender has published a universal utility for decrypting data affected by REvil (Sodinokibi) ransomware attacks.

The tool works for any data encrypted before July 13, 2021.

However, the company has so far refused to provide any details, citing an ongoing investigation.

Let me remind you that on July 13 of this year the entire REvil infrastructure went offline without explanation. This meant the shutdown of an entire network of regular and darknet sites that were used to negotiate ransoms and leak data stolen from victims, as well as the ransomware’s internal infrastructure.

Not long before that, in early July 2021, REvil operators carried out a large-scale attack on the customers of the well-known MSP solution provider Kaseya. As a result, the cybercriminals deployed the ransomware in thousands of corporate networks. In addition, shortly before the attack on Kaseya’s customers, REvil hit the front pages of many publications when it attacked JBS, the world’s largest supplier of beef and poultry, as well as the second largest producer of pork. The company operates in the USA, Australia, Canada, Great Britain and elsewhere, serving clients from 190 countries around the world.

As a result, US President Joe Biden in a telephone conversation called on Russian President Vladimir Putin to stop the attacks of ransomware hackers operating from the territory of the Russian Federation. Biden said that if Russia does not take action after that, the United States will be forced to take it on its own.

Shortly thereafter, REvil went offline for several months, and only returned to service on September 7, 2021. According to information security companies, REvil operators re-activated their old sites, created new profiles on the forums.

At the same time, Kaseya somehow obtained a universal key to decrypt its customers’ data. Then some experts suggested that Russian law enforcement officers received the decryption key from the attackers and handed it over to the FBI as a gesture of goodwill.

Now Bleeping Computer writes that until September 9 there was no evidence of new attacks or that REvil had fully resumed its activity. However, late last week, someone uploaded a new REvil sample to VirusTotal, dated September 4. Shortly thereafter, the hackers published screenshots of data stolen from a new victim on their darknet website.

REvil ransomware resumed attacks
https://gridinsoft.com/blogs/revil-ransomware-resumed-attacks/
Mon, 13 Sep 2021 16:21:31 +0000

Last week, the infrastructure of REvil (Sodinokibi) returned online after months of downtime, and now the ransomware has resumed attacks.

The fact is that in July 2021, the hack group went offline without giving any reason. This meant the shutdown of an entire network of conventional and darknet sites that were used to negotiate ransoms and leak data stolen from victims, as well as the ransomware’s internal infrastructure.

Let me remind you that not long before this, in early July 2021, REvil operators carried out a large-scale attack on the customers of the well-known MSP solution provider Kaseya. For the attack, the hackers used 0-day vulnerabilities in the company’s product (VSA).

The problem was that most of the affected VSA servers were used by MSP providers, that is, companies that manage the infrastructure of other customers. This means that the cybercriminals have deployed the ransomware in thousands of corporate networks.

According to official figures, the compromise affected about 60 Kaseya clients, through whose infrastructure hackers were able to encrypt approximately 800-1500 corporate networks.

In addition, shortly before the attack on Kaseya’s customers, REvil hit the front pages of many publications when it attacked JBS, the world’s largest supplier of beef and poultry, as well as the second largest producer of pork. The company operates in the USA, Australia, Canada, Great Britain and elsewhere, serving clients from 190 countries around the world.

Since it has long been known that REvil is a Russian-speaking hack group, US President Joe Biden in a telephone conversation called on Russian President Vladimir Putin to stop the attacks of ransomware hackers operating from the territory of the Russian Federation. Biden said that if Russia does not take action after that, the United States will be forced to take it on its own.

After the hack group’s entire infrastructure was shut down, many experts believed that the group had broken up and would now rebrand in an attempt to confuse law enforcement agencies and information security companies in the United States. At the same time, Kaseya somehow obtained a universal key to decrypt its customers’ data. Some then suggested that Russian law enforcement officers had received the decryption key from the attackers and handed it over to the FBI as a gesture of goodwill.

Now Bleeping Computer writes that until September 9 there was no evidence of new attacks or that REvil had fully resumed. However, late last week, someone uploaded a new REvil sample to VirusTotal, dated September 4. Shortly thereafter, the hackers published screenshots of data stolen from a new victim on their darknet website.

The publication also notes that in the past, a representative of the group, known under the nicknames Unknown or UNKN, published advertisements or the latest news about REvil operations on hacker forums. Now a new representative of the ransomware, who registered on these sites as REvil, returned to these publications and explained that, according to the hack group, Unknown was arrested and the group’s servers were compromised.

However, Bleeping Computer’s own sources told the media that REvil’s disappearance came as a surprise to law enforcement. For example, the publication provides a screenshot of a chat between an information security researcher and a representative of REvil, where the latter says that the ransomware operators simply took a break.


Let me also remind you that we wrote that REvil operators blackmailed Apple.

Servers of the hack group REvil are back online
https://gridinsoft.com/blogs/servers-of-the-revil-are-back-online/
Wed, 08 Sep 2021 22:11:31 +0000

In July 2021, the infrastructure of REvil (Sodinokibi) was turned off without explanation, but now the information security specialists have noticed that the REvil servers are back online.

This was a whole network of conventional and darknet sites that were used to negotiate ransoms and leak data stolen from victims, as well as the ransomware’s internal infrastructure.

Not long before that, in early July of this year, REvil operators carried out a large-scale attack on the customers of the well-known MSP solution provider Kaseya. For the attack, the hackers used 0-day vulnerabilities in the company’s product (VSA).

The problem was that most of the affected VSA servers were used by MSP providers, that is, companies that manage the infrastructure of other customers. This means that the cybercriminals have deployed the ransomware in thousands of corporate networks.

“According to official figures, the compromise affected about 60 Kaseya clients, through whose infrastructure the hackers were able to encrypt approximately 800-1500 corporate networks,” the media reported.

After this attack, the hackers demanded a ransom of $70 million, and then promised to publish a universal decryptor that can unlock all computers. The group soon “lowered the bar” to $50 million.

In addition, shortly before the attack on Kaseya’s customers, REvil hit the front pages of many publications when it attacked JBS, the world’s largest supplier of beef and poultry, as well as the second largest producer of pork. The company operates in the USA, Australia, Canada, Great Britain and elsewhere, serving clients from 190 countries around the world. REvil also attacked the electronics manufacturer Acer.

Since it has long been known that REvil is a Russian-speaking hack group, US President Joe Biden in a telephone conversation asked Russian President Vladimir Putin to stop the attacks of ransomware hackers operating from the territory of the Russian Federation. Biden said that if Russia does not take action after that, the United States will be forced to take it on its own.

After the hack group’s entire infrastructure was shut down, many experts believed that the group had broken up and would now rebrand in an attempt to confuse law enforcement agencies and information security companies in the United States.

At the same time, Kaseya somehow obtained a universal key to decrypt its customers’ data. Then some experts suggested that Russian law enforcement officers received the decryption key from the attackers and handed it over to the FBI as a gesture of goodwill.

Now, almost two months after the shutdown, experts at Recorded Future and Emsisoft have noticed that the group’s blog and site where REvil operators used to post lists of victims who refused to negotiate and pay the ransom are back online.


The last update on the site was dated July 8, 2021, that is, no new data and messages were published. It is currently unknown if this means that the hack group is back to work, the servers were turned on again by mistake, or if it has something to do with the actions of law enforcement agencies.

Let me also remind you that I wrote about a REvil spokesman boasting that the hackers have access to ballistic missile launch systems.

Criminals threaten to leak new Apple logo, if the company doesn’t pay the ransom
https://gridinsoft.com/blogs/criminals-threaten-to-leak-new-apple-logo/
Tue, 27 Apr 2021 16:23:51 +0000

Last week it became known that the operators of the ransomware REvil are trying to blackmail Apple, and now the criminals threaten to leak the company’s new logo into the network, if the company doesn’t pay the ransom.

The hackers claim to have obtained data on Apple products after the Taiwanese company Quanta Computer was hacked.

Quanta Computer is the world’s largest laptop manufacturer and also one of the few companies that assembles Apple products based on designs and circuits provided to it (including the Apple Watch, MacBook Air and MacBook Pro).

As representatives of the affected company refused to pay the hackers, REvil operators began to publish diagrams and drawings of Apple products on their website. Apparently, the hackers decided that it might be more profitable to blackmail one of Quanta Computer’s main customers.

According to media reports, the company had to pay $50,000,000 by April 27, or $100,000,000 after that date.

In total, 21 screenshots of Macbook diagrams were posted on the attacker’s website, and the hackers promised to release new data every day until Apple or Quanta Computer agreed to pay the ransom.

“We recommend that Apple buy out the data we have before May 1,” the criminals threatened.

According to Bleeping Computer journalists, in a new private chat created for negotiations between REvil and Quanta Computer, the hackers said that, in order to continue negotiations, they had hidden the page with the “leak” of data and had also stopped communicating with the press.

REvil representatives say that by starting a dialogue with them, the company “can count on a good discount”: the ransom will be reduced from $50 million to $20 million, and the deadline for payment has been postponed to May 7, 2021.

[Image: new Apple logo]

The hackers also warned that if they did not receive an answer again, they would soon begin to publish drawings of the new iPad and sketches of new Apple logos.

Journalists write that, according to their information, Quanta Computer never responded to this “generous offer.”

Let me remind you that this is not the first time Apple has been attacked: I previously wrote that Shlayer malware bypassed Apple security checks, and, for example, Google experts have talked about vulnerabilities in Apple operating systems.

REvil ransomware operators attacked Acer and demand $50,000,000
https://gridinsoft.com/blogs/revil-ransomware-attacked-acer/
Mon, 22 Mar 2021 16:56:15 +0000
The REvil ransomware attacked the Taiwanese company Acer (the sixth-largest computer manufacturer in the world, accounting for about 6% of all sales). The cybercriminals are demanding $50,000,000 from the manufacturer, which is the largest ransom demand in history.

At the end of last week, the hackers posted a message on their website that they had hacked Acer, and as proof of this statement, they shared screenshots of the files allegedly stolen from the company. Published images include documents, financial spreadsheets, bank balances, and messages.

[Image: ransomware REvil attacked Acer]

Acer representatives have already commented on what is happening, but so far they avoid talking openly about a ransomware attack. Instead, the company said it had already reported the “emergency” to law enforcement agencies, but that it cannot disclose details while the investigation continues.

“Companies like us are constantly under attack, and we have reported recent abnormal situations observed to the relevant law enforcement and data protection authorities in multiple countries. We have continuously enhanced our cybersecurity infrastructure to protect business continuity and information integrity. We urge all companies and organizations to adhere to cyber security disciplines and best practices and be vigilant to any network activity abnormalities,” Acer representatives said.

The Record reports that analysts at Malwarebytes were able to track down another hacker site on the darknet, where victims negotiate a ransom with the attackers. There it can be seen that the Acer representative was shocked by the demand of $50 million, and that the negotiations reached an impasse. Journalists note that at some point REvil operators turned to threats and vaguely advised Acer “not to repeat the fate of SolarWinds”.

[Image: ransomware REvil attacked Acer]

The $50,000,000 ransom is the largest to date. The previous “record” was $30,000,000: the same REvil operators demanded that amount from the hacked Dairy Farm company.

According to Bleeping Computer, specialist Vitali Kremez discovered that some time ago the REvil hack group was targeting a Microsoft Exchange server in the Acer domain.

Recently, the attackers behind the DearCry ransomware have already exploited the ProxyLogon vulnerabilities to deploy their ransomware on vulnerable systems of small companies. The REvil operators could well have gone the same way.

Let me remind you that a REvil spokesman boasted that the hackers have access to ballistic missile launch systems.

REvil Operators Demand $7.5 Million Ransom from Argentine Internet Provider
https://gridinsoft.com/blogs/revil-operators-demand-7-5-million-ransom-from-argentine-internet-provider/
Tue, 21 Jul 2020 16:25:02 +0000
Last weekend, one of Argentina’s largest internet providers, Telecom Argentina, suffered a REvil (Sodinokibi) ransomware attack. The malware infected about 18,000 computers, and REvil operators now demand $7.5 million from the company.

ZDNet writes that the attackers managed to gain domain administrator rights, thanks to which the ransomware quickly spread to 18,000 workstations.

“Oddly enough, this incident did not lead to problems with the Internet connection for the provider’s customers and did not affect the operation of telephony and cable TV services. However, due to the consequences of the attack, a number of Telecom Argentina’s official websites are still not working,” according to ZDNet journalists.

Several employees of the affected company have shared on social media how the provider is coping with the crisis. It seems that immediately after the attack was detected, the company began warning employees about what was happening, asking them to limit interaction with the corporate network, not to connect to the internal VPN, and not to open emails with archives as attachments.

Reporters believe that responsibility for the attack lies with the REvil hack group, based on a tweeted post that showed a screenshot of the ransomware site. Judging by this image, the attackers demanded a ransom of 109,345.35 Monero (approximately $7.53 million) from the company. The hackers promised that in case of non-payment this amount would double in three days, making this ransom demand one of the largest this year.

[Image: REvil demand $7.5 million]

Telecom Argentina officials have not yet commented on the situation, and it is not known whether the company intends to pay the cybercriminals.

Interestingly, according to local media reports, the ISP considers a malicious attachment in a letter received by one of its employees to be the starting point of this attack.

“This is not entirely consistent with regular REvil attacks, as the group usually penetrates companies’ networks through unprotected network equipment. In particular, attackers are actively exploiting vulnerabilities in Pulse Secure and Citrix VPN,” ZDNet reported.

However, specialists of the information security company Bad Packets told ZDNet journalists that Telecom Argentina not only ran Citrix VPN servers, but that some of them were vulnerable to CVE-2019-19781 (even though the patch had been released many months earlier).

Let me remind you that information security specialists of the Danish provider KPN applied sinkholing to REvil (Sodinokibi) cryptographic servers and studied the working methods of one of the largest ransomware threats today. A very interesting analysis; I recommend it.
