Justice Department Archives – Gridinsoft Blog https://gridinsoft.com/blogs/tag/justice-department/ Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe. Tue, 09 Nov 2021 18:03:44 +0000 en-US hourly 1 https://wordpress.org/?v=69877 200474804 US authorities arrest Kaseya hacker and attacker associated with REvil and GandCrab https://gridinsoft.com/blogs/us-authorities-arrest-kaseya-hacker/ https://gridinsoft.com/blogs/us-authorities-arrest-kaseya-hacker/#respond Tue, 09 Nov 2021 18:03:44 +0000 https://blog.gridinsoft.com/?p=6098 Law enforcement agencies, as well as European and American authorities, have taken up the fight against ransomware in earnest and the other day they arrested a Kaseya hacker. However, over the past few days, several important events have taken place at once. Operation Cyclone, which was carried out by Interpol, the law enforcement agencies of… Continue reading US authorities arrest Kaseya hacker and attacker associated with REvil and GandCrab

The post US authorities arrest Kaseya hacker and attacker associated with REvil and GandCrab appeared first on Gridinsoft Blog.

]]>
Law enforcement agencies, as well as European and American authorities, have taken up the fight against ransomware in earnest and the other day they arrested a Kaseya hacker.

However, over the past few days, several important events have taken place at once.

Operation Cyclone, which was carried out by Interpol, the law enforcement agencies of Ukraine and the United States, lasted more than 30 months and was aimed at fighting Clop ransomware (aka Cl0p). As part of this operation, six Ukrainian citizens were arrested in June 2021.

The US Department of Justice has also indicted Yaroslav Vasinsky, a 22-year-old citizen of Ukraine, who is suspected of organizing a ransomware attack on Kaseya’s servers in July this year.

The suspect was detained last month under a US warrant. He was arrested by the Polish authorities at the border between Ukraine and Poland.

Let me remind you that in early July, customers of the MSP solution provider Kaseya suffered from a large-scale attack by the ransomware REvil (Sodinokibi). Then the hackers used 0-day vulnerabilities in the company’s product (VSA) and through them attacked Kaseya’s customers. Currently, patches have already been released for these vulnerabilities.

The main problem was that most of the affected VSA servers were used by MSP providers, that is, companies that manage the infrastructure of other customers. This means that the cybercriminals have deployed the ransomware in thousands of corporate networks. According to official figures, the compromise affected about 60 Kaseya clients, through whose infrastructure hackers were able to encrypt approximately 800-1500 corporate networks.

As the authorities now say, Vasinsky was known on the network under the nickname MrRabotnik (as well as Profcomserv, Rabotnik, Rabotnik_New, Yarik45, Yaraslav2468, and Affiliate 22) and since 2019 has hacked companies around the world (having made at least 2,500 attacks), implementing to their infrastructure REvil malware.

To recover their files, the victims had to pay a ransom to the REvil hack group, and Vasinsky received a significant portion of this “profit”. The Justice Department said the hacker “earned” $2.3 million, demanding more than $760 million from companies in total.

arrest a Kaseya hacker

In addition to Vasinsky, the US Department of Justice also indicted the second suspect, who also collaborated with the REvil hack group. In court documents, this person appears as a 28-year-old citizen of Russia Yevgeny Polyanin (aka LK4D4, Damnating, damn2Life, Noolleds, Antunpitre, Affiliate 23). He also reportedly worked with REvil as a partner, hacking companies on behalf of the group.

According to authorities, Polyanin hacked into the network of TSM Consulting, a managed service provider based in Texas, from where he deployed REvil malware on the intranets of at least 20 local government agencies on August 16, 2019.

Although Polyanin is still at large and wanted by the FBI, the Justice Department says that specialists managed to seize $6.1 million worth of cryptocurrency that the suspect had kept in an FTX account.

arrest a Kaseya hacker

This week, Europol announced the arrest of seven suspects who worked as partners of the REvil (Sodinokibi) and GandCrab ransomware, and have helped carry out more than 7,000 ransomware attacks since the beginning of 2019. Experts from Bitdefender, KPN and McAfee also took part in the operation.

Let me remind you that, according to information security specialists, REvil and GandCrab are run by the same people who created the malware and offered it to other criminals for rent.

As we previously reported, the US government has also offered a $10,000,000 reward for any information that could lead to the identification or arrest of members of the DarkSide hack group.

The post US authorities arrest Kaseya hacker and attacker associated with REvil and GandCrab appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/us-authorities-arrest-kaseya-hacker/feed/ 0 6098
FBI removed web shells from vulnerable Microsoft Exchange servers without informing owners https://gridinsoft.com/blogs/fbi-removed-web-shells/ https://gridinsoft.com/blogs/fbi-removed-web-shells/#respond Wed, 14 Apr 2021 16:59:48 +0000 https://blog.gridinsoft.com/?p=5375 The US Department of Justice reported that a court in early April granted the FBI special powers and the bureau removed web shells previously installed by hackers on vulnerable Exchange servers in the United States. The FBI also had the power to remove other malware (without notification of the server owners). The FBI did not… Continue reading FBI removed web shells from vulnerable Microsoft Exchange servers without informing owners

The post FBI removed web shells from vulnerable Microsoft Exchange servers without informing owners appeared first on Gridinsoft Blog.

]]>
The US Department of Justice reported that a court in early April granted the FBI special powers and the bureau removed web shells previously installed by hackers on vulnerable Exchange servers in the United States. The FBI also had the power to remove other malware (without notification of the server owners).

The FBI did not say how many web shells were removed, but “the operation was successful”

FBI removed web shells
The warrant

Let me remind you that the root of the problem lies in the fact that in early March 2021, Microsoft engineers released unscheduled patches for four vulnerabilities, which the researchers gave the general name ProxyLogon (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065).

These vulnerabilities can be chained together and exploited to allow an attacker to authenticate on the Exchange server, gain administrator rights, install malware, and steal data. As a result, attacks on vulnerable servers were carried out by more than 10 hacker groups, deploying web shells, miners and ransomware on the servers.

According to the US authorities and information security experts, Chinese “government” hackers actively used ProxyLogon bugs back in January and February 2021, and after the vulnerabilities were made public, other criminals also joined them.

As reported now, some of these web shells were not properly secured and reused the same password. The FBI officers took advantage of this circumstance to remove the malware.

Today’s court-sanctioned deletion of malicious web shells demonstrates the Justice Department’s commitment to suppress hacking by using all available legal tools, not just prosecution.the Justice Department said.

It is emphasized that during the operation, the FBI did not patch vulnerable Exchange servers and did not try to detect and remove other malicious programs that could have been installed on the system using web shells.

Based on my training and experience, most victims are unlikely to delete the remaining web shells on their own, because they are difficult to find due to the unique file names and paths, and because the victims do not have the technical ability to delete them on their own.An FBI official said under oath when the Bureau asked the court for a warrant.

The FBI is currently notifying victims whose Exchange servers were compromised and discovered during the operation.

The post FBI removed web shells from vulnerable Microsoft Exchange servers without informing owners appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/fbi-removed-web-shells/feed/ 0 5375