It’s nice when ransomware gangs have their bitcoin stolen, malware servers shut down, or are otherwise forced to disband. We hang on to these occasional victories because history tells us that most ransomware moneymaking collectives don’t go away so much as reinvent themselves under a new name, with new rules, targets and weaponry. Indeed, some of the most destructive and costly ransomware groups are now in their third incarnation over as many years.
Reinvention is a basic survival skill in the cybercrime business. Among the oldest tricks in the book is to fake one’s demise or retirement and invent a new identity. A key goal of such subterfuge is to throw investigators off the scent or to temporarily direct their attention elsewhere.
Cybercriminal syndicates also perform similar disappearing acts whenever it suits them. These organizational reboots are an opportunity for ransomware program leaders to set new ground rules for their members — such as which types of victims aren’t allowed (e.g., hospitals, governments, critical infrastructure), or how much of a ransom payment an affiliate should expect for bringing the group access to a new victim network.
Read More Ransomware Gangs and the Name Game Distraction
A new ransomware group that calls itself BlackMatter is claiming to be a successor to now-defunct Darkside and REvil, two other notorious ransomware threat actors responsible for the cyberattacks on Colonial Pipeline and Kaseya. The “newcomers” have la…
Read More BlackMatter Ransomware Claims to Be a Successor to DarkSide and REvil
Earlier this month the REvil ransomware operation launched a massive attack by exploiting a zero-day vulnerability in the Kaseya VSA remote management application and encrypting about sixty managed service providers and an estimated 1,500 businesses. After …
Read More Kaseya Managed to Obtain the Universal Decryptor After the REvil Ransomware Attack
REvil ransomware, aka Sodinokibi, operates via several clear web and dark web sites used as ransom negotiation sites, data leak sites, and backend infrastructure. Researchers reported that the threat actors’ payment site, the public site, the ‘he…
Read More REvil Ransomware Websites Mysteriously Gone Offline
The infrastructure and leak sites used by the REvil ransomware gang for its operations went offline last night. Starting last night, the infrastructure and the websites used by the REvil ransomware gang were mysteriously unreachable, BleepingComputer first reported. “The REvil ransomware operation, aka Sodinokibi, operates through numerous clear web and dark web sites used as […]
The post The infrastructure and websites used by REvil ransomware gang are not reachable appeared first on Security Affairs.
Read More The infrastructure and websites used by REvil ransomware gang are not reachable
Kaseya released a patch for the vulnerabilities that were used by REvil in what seems to be one of the largest ransomware attacks, in which the ransomware gang, also known as Sodinokibi, targeted MSPs with thousands of customers. Back in April, the Dut…
Read More Kaseya Patches the Vulnerabilities Used in REvil Ransomware Attack
The REvil ransomware group managed to conduct one of the largest ransomware attacks that we’ve seen recently when it attacked MSPs and their customers in an operation that should have been extremely successful. However, the ransomware group changed the…
Read More The Victims of REvil Ransomware Attack Are Refusing to Pay the Ransom
Threat actors are trying to capitalize on the Kaseya ransomware attack by targeting potential victims in spam campaigns that are pushing Cobalt Strike payloads disguised as Kaseya VSA security updates in what seems to be a Kaseya malspam campaign. Coba…
Read More A Fake Kaseya Security Update Is ‘Backdooring’ Networks Using Cobalt Strike
Resecurity® HUNTER, a cyber threat intelligence and R&D unit, identified a strong connection between a cloud hosting and IoT company and the domain belonging to the cybercriminals. According to recent research published by ReSecurity on Twitter, starting in January 2021 REvil leveraged a new domain, ‘decoder[.]re’, in addition to a ransomware page available on the TOR network. […]
The post Researchers uncovered the network infrastructure of REVil – The notorious ransomware group that hit Kaseya appeared first on Security Affairs.
Read More Researchers uncovered the network infrastructure of REVil – The notorious ransomware group that hit Kaseya
Last weekend, a ransomware attack was launched against Wiregrass Electric Cooperative, a utility company serving more than 25,000 meters in Hartford, Alabama. Officials have recently verified and confirmed that no data have been compromised. Brad Kimbr…
Read More Officials Confirm No Data Have Been Compromised in the Wiregrass Electric Cooperative Attack
On Tuesday, White House Press Secretary Jen Psaki declared that while the massive REvil ransomware attack on Kaseya VSA servers has not been attributed to anyone so far, the Biden administration will take action if the Russian president doesn’t suppress the cyb…
Read More Following the Kaseya Attack, US Says It Will Take Action Against Ransomware Hackers If Russia Won’t
Kaseya confirmed that the REvil supply-chain ransomware attack hit fewer than 60 of its customers and their customers. Software provider Kaseya announced that fewer than 60 of its customers and fewer than 1,500 businesses have been impacted by the recent supply-chain ransomware attack. Up to 1,500 downstream organizations, which were customers of MSPs using Kaseya VSA management […]
The post Approximately 1,500 businesses impacted by the ransomware attack that hit Kaseya appeared first on Security Affairs.
Read More Approximately 1,500 businesses impacted by the ransomware attack that hit Kaseya
CISA and the FBI published guidance for the victims impacted by the REvil supply-chain ransomware attack against Kaseya. CISA and the Federal Bureau of Investigation (FBI) have published guidance for the organizations impacted by the massive REvil supply-chain ransomware attack that hit Kaseya’s cloud-based MSP platform. The US agencies provide instructions to affected MSPs and their customers […]
The post CISA, FBI share guidance for MSPs and their customers impacted in Kaseya attack appeared first on Security Affairs.
Read More CISA, FBI share guidance for MSPs and their customers impacted in Kaseya attack
The Coop supermarket chain had to close its stores after the REvil ransomware gang targeted managed service providers (MSPs) and their customers in a massive supply-chain attack that exploited a vulnerability in Kaseya VSA. It see…
Read More Coop Supermarket Had to Close 500 Stores Following the Kaseya Ransomware Attack
The REvil ransomware gang hit Spanish telecom giant MasMovil and claims to have stolen sensitive data from the group. MasMovil is one of the largest Spanish telecom operators; last week the group was hit by the REvil ransomware gang, which claims to have stolen sensitive data from the company. “We have downloaded databases and other important […]
The post Revil ransomware gang hit Spanish telecom giant MasMovil appeared first on Security Affairs.
Read More Revil ransomware gang hit Spanish telecom giant MasMovil
As my colleague Miriam reported, the REvil ransomware gang, also known as Sodinokibi, targeted MSPs with thousands of customers, through what appears to be a Kaseya ransomware attack. Kaseya’s VSA product has unfortunately been the victim of a sophisti…
Read More Revil Ransomware Attacked When Kaseya Was Fixing the Zero-Day Vulnerability
REvil ransomware is demanding $70 million for decrypting all systems locked during the Kaseya supply-chain ransomware attack. REvil ransomware is asking $70 million worth of Bitcoin for decrypting all systems impacted in the Kaseya supply-chain ransomware attack. On Friday the REvil ransomware gang hit the Kaseya cloud-based MSP platform impacting MSPs and their customers. The […]
The post REvil ransomware gang demanded $70M for universal decryptor for Kaseya victims appeared first on Security Affairs.
Read More REvil ransomware gang demanded $70M for universal decryptor for Kaseya victims
Kaseya was addressing the zero-day vulnerability that the REvil ransomware gang exploited to breach on-premises Kaseya VSA servers. A new supply chain attack made the headlines: on Friday the REvil ransomware gang hit the Kaseya cloud-based MSP platform, impacting MSPs and their customers. The REvil ransomware operators initially compromised the Kaseya VSA’s infrastructure, then pushed out […]
The post REvil gang exploited a zero-day in the Kaseya supply chain attack appeared first on Security Affairs.
Read More REvil gang exploited a zero-day in the Kaseya supply chain attack
Swedish supermarket chain Coop is the first company to disclose the impact of the recent supply chain ransomware attack that hit Kaseya. The supermarket chain Coop shut down approximately 500 stores as a result of the supply chain ransomware attack that hit the provider Kaseya. The REvil ransomware operators initially compromised the Kaseya VSA’s infrastructure, […]
The post Coop supermarket closes hundreds of stores after Kaseya supply chain ransomware attack appeared first on Security Affairs.
Read More Coop supermarket closes hundreds of stores after Kaseya supply chain ransomware attack
A supply chain attack by REvil ransomware operators against Kaseya VSA impacted multiple managed service providers (MSPs) and their clients. A new supply chain attack made the headlines: this afternoon the REvil ransomware gang hit the cloud-based MSP platform, impacting MSPs and their customers. Kaseya has 40,000 customers, not all of whom use the VSA tool, which is […]
The post Kaseya VSA supply-chain ransomware attack hit hundreds of companies appeared first on Security Affairs.
Read More Kaseya VSA supply-chain ransomware attack hit hundreds of companies
Update: Since the initial Kaseya ransomware attack took place, the company has secured a universal ransomware decryptor and offered it to all its impacted customers that still had their files locked. There is some doubt regarding the source of this dec…
Read More Massive Kaseya VSA Supply Chain Attack Infects Businesses with Revil Ransomware
The REvil ransomware (aka Sodinokibi) threat actors are now employing a Linux encryptor that targets and encrypts VMware ESXi virtual machines. Discovered in April 2019, REvil, also known as Sodinokibi, is a highly evasive and upgraded ransomware, whi…
Read More VMware ESXi Virtual Machines Targeted by the REvil Ransomware’s New Linux Encryptor
In a press release, the Brazil-based healthcare company Grupo Fleury has disclosed that this Tuesday its online systems were targeted in a REvil ransomware attack that led to the disruption of its operations. The company’s systems remained down since t…
Read More Grupo Fleury Becomes the Latest Victim of a REvil Ransomware Attack
The LV ransomware operators repurposed a REvil binary to create their own strain and launch a ransomware-as-a-service (RaaS). A threat actor known as the LV ransomware gang is trying to enter the cybercrime arena; it repurposed an almost unaltered REvil binary to create its own strain and launch a ransomware-as-a-service (RaaS). Sodinokibi/REvil is one of the […]
The post LV ransomware operators repurposed a REvil binary to launch a new RaaS appeared first on Security Affairs.
Read More LV ransomware operators repurposed a REvil binary to launch a new RaaS
The REvil ransomware gang made the headlines again: the group hit the US nuclear weapons contractor Sol Oriens and stole the victim’s data. US nuclear weapons contractor Sol Oriens was hit by a cyberattack carried out by the REvil ransomware operators, who claim to have stolen data. Sol Oriens provides consultant services to the National Nuclear […]
The post REvil ransomware gang hit US nuclear weapons contractor Sol Oriens appeared first on Security Affairs.
Read More REvil ransomware gang hit US nuclear weapons contractor Sol Oriens
Sol Oriens, a small U.S. nuclear weapons contractor, has confirmed it has been affected by a cyberattack that specialists say came from the tenacious REvil aka Sodinokibi Ransomware-as-a-Service (RaaS) group and resulted in data theft. The subcontracto…
Read More Nuclear Contractor Sol Oriens Hit by REvil Ransomware Attack
Prometheus ransomware uses the branding of REvil in an attempt to piggyback on the fame of one of the most successful ransomware groups ever. An emerging ransomware operation might be linked to the veteran cyber-criminal group while also attempting to …
Read More A New Ransomware Group Claims it Breached Over 30 Organizations
JBS Foods, the world’s largest meatpacking enterprise, declared this week that it paid an $11 million ransom to REvil ransomware threat actors following a cyberattack that forced the company to shut down production at several sites worldwide, affecting…
Read More Meatpacking Organization JBS Pays $11 Million to REvil Ransomware Hackers
Ransomware is defined as a type of malware (malicious software) that encrypts all the data on a PC or mobile device, blocking the data owner’s access to it. After the infection happens, the victim receives a message that tells him/her that a certain am…
Read More Stolen Data Belonging to 2,100 Companies Leaked in Ransomware Attacks
It seems that the Cuba Ransomware gang is teaming up with the spam operators of the Hancitor malware in an attempt to gain easier access to compromised corporate networks. What Do We Know about Hancitor? The Hancitor (Chancitor) downloader is operating…
Read More Cuba Ransomware and Its Partnership With Hancitor
It may be that the growth of double extortion is the organic evolution of ransomware: from consumer attacks at the beginning, to targeted enterprise attacks, and now with the added danger of data extortion on top of encryption. “Double extortion” refers t…
Read More Ransomware’s New Normal: Double Extortion Ascending as Threat Actors Test New Tricks
After disclosing on April 26 that it had suffered a cyberattack which affected its hospitals and aged care homes, UnitingCare Queensland has now identified the hackers behind the attack as one of the most notorious cyber ransom gangs in the world –…
Read More REvil Ransomware Responsible for the UnitingCare Queensland’s Attack
It looks like the attackers have taken a different approach from the ransomware-as-a-service (RaaS) model, in which the hackers steal data before deploying the encryption stage in order to use it as leverage in negotiations for a ransom payment…
Read More Babuk Focuses On Data-Theft Extortion