
REvil Ransomware is Back in Full Attack Mode and Leaking Data

The REvil ransomware gang has fully returned and is once again attacking new victims and publishing stolen files on a data leak site.

Since 2019, the REvil ransomware operation, aka Sodinokibi, has been conducting attacks on organizations worldwide where they demand million-dollar ransoms to receive a decryption key and prevent the leaking of stolen files.

While in operation, the gang has been involved in numerous attacks against well-known companies, including JBS, Coop, Travelex, GSMLaw, Kenneth Cole, Grupo Fleury, and others.

REvil’s disappearance act

REvil shut down their infrastructure and completely disappeared after their biggest caper yet – a massive attack on July 2nd that encrypted 60 managed service providers and over 1,500 businesses using a zero-day vulnerability in the Kaseya VSA remote management platform.

REvil then demanded $50 million for a universal decryptor for all Kaseya victims, $5 million for an MSP’s decryption, and a $44,999 ransom for individual file encryption extensions at affected businesses.

REvil ransom demand for an encrypted MSP

This attack had such wide-ranging consequences worldwide that it brought the full attention of international law enforcement to bear on the group.

Likely feeling pressure and concerned about being apprehended, the REvil gang suddenly shut down on July 13th, 2021, leaving many victims in the lurch with no way of decrypting their files.

The last we had heard of REvil was that Kaseya received a universal decryptor that victims could use to decrypt files for free. It is unclear how Kaseya obtained the decryptor, but the company stated it came from a “trusted third party.”


REvil returns with new attacks

After their shutdown, researchers and law enforcement believed that REvil would rebrand as a new ransomware operation at some point.

However, much to our surprise, the REvil ransomware gang came back to life this week under the same name.

On September 7th, almost two months after their disappearance, the Tor payment/negotiation and data leak sites suddenly turned back on and became accessible. A day later, it was once again possible to log in to the Tor payment site and negotiate with the ransomware gang.

All prior victims had their timers reset, and it appeared that their ransom demands were left as they were when the ransomware gang shut down in July.

However, there was no proof of new attacks until September 9th, when someone uploaded a new REvil ransomware sample compiled on September 4th to VirusTotal.

Today, we have seen further proof of their renewed attacks as the ransomware gang has published screenshots of stolen data for a new victim on their data leak site.

If you have first-hand information about REvil’s return, you can confidentially contact us on Signal at +16469613731, Wire at @lawrenceabrams-bc, or Jabber at [email protected].

New REvil representative emerges

In the past, REvil’s public representative was a threat actor known as ‘Unknown‘ or ‘UNKN,’ who frequently posted at hacking forums to recruit new affiliates or post news about the ransomware operation.

Forum post by REvil’s UNKN

On September 9th, after the return of the ransomware operation, a new representative simply named ‘REvil’ began posting at hacking forums, claiming that the gang briefly shut down after they thought Unknown had been arrested and their servers compromised.

REvil post to Russian-speaking hacking forum
Source: Advanced Intel

A translation of these posts can be read below:

“As Unknown (aka 8800) disappeared, we (the coders) backed up and turned off all the servers. Thought that he was arrested. We tried to search, but to no avail. We waited – he did not show up and we restored everything from backups.

After UNKWN disappeared, the hoster informed us that the Clearnet servers were compromised and they deleted them at once. We shut down the main server with the keys right afterward.

Kaseya decryptor, which was allegedly leaked by the law enforcement, in fact, was leaked by one of our operators during the generation of the decryptor.” – REvil

Based on these claims, Kaseya’s universal decryptor was obtained by law enforcement after they gained access to some of REvil’s servers.

However, BleepingComputer has been told by numerous sources that REvil’s disappearance surprised law enforcement as much as everyone else.


A chat between what is believed to be a security researcher and REvil paints a different story, with a REvil operator claiming they simply took a break.

Chat between a researcher and REvil about their disappearance

While we may never know the real reason for the disappearance or how Kaseya obtained the decryption key, what is most important is to know that REvil is back to targeting corporations worldwide.

With their skilled affiliates and ability to perform sophisticated attacks, all network admins and security professionals must become familiar with their tactics and techniques.
