By: Denise Simon | Founders Code

Ahead of the three-day Fourth of July weekend, the REvil gang is suspected to be behind a new ransomware attack that occurred Friday and affected at least 200 companies in the U.S.

REvil, based in Russia, was likely behind the JBS Meat Packing attack in May, according to the FBI. The Flashpoint Intelligence Platform has suggested that former REvil members were involved in the recent Colonial Pipeline attack earlier this year as well, allegedly done by the DarkSide ransomware group. More here from Newsweek.

Per the FBI’s most recent statement:

Updated July 4, 2021: 

If you feel your systems have been compromised as a result of the Kaseya ransomware incident, we encourage you to employ all recommended mitigations, follow guidance from Kaseya and the Cybersecurity and Infrastructure Security Agency (CISA) to shut down your VSA servers immediately and report your compromise to the FBI at ic3.gov. Please include as much information as possible to assist the FBI and CISA in determining prioritization for victim outreach. Due to the potential scale of this incident, the FBI and CISA may be unable to respond to each victim individually, but all information we receive will be useful in countering this threat.

Original statement:

The FBI is investigating this situation and working with Kaseya, in coordination with CISA, to conduct outreach to possibly impacted victims. We encourage all who might be affected to employ the recommended mitigations and for users to follow Kaseya’s guidance to shut down VSA servers immediately. As always, we stand ready to assist any impacted entities.

Additionally:

Kaseya had expected that it would be able to patch and restore its VSA software-as-a-service product by today, but technical problems its developers encountered have blocked the rollout. As of 8:00 AM EDT today, the company was still working to resolve the issues it encountered. 

Reuters quotes US President Biden as offering yesterday a relatively upbeat preliminary assessment of the consequences of the ransomware campaign: “It appears to have caused minimal damage to U.S. businesses, but we’re still gathering information,” Mr. Biden said, adding “I feel good about our ability to be able to respond.”

That said, the US Government is continuing its investigation and is signaling an intention to do something about REvil and other gangs or privateers. Among other things, the US Administration said that it has communicated very clearly to Russian authorities that the US wants the REvil operators brought to book. CBS News reported yesterday that White House press secretary Psaki said that the US had been in touch with Russian officials about the REvil operation and that if Russia doesn’t take action against its ransomware gangs, “we will” TASS is, of course, authorized to disclose that Russia not only had nothing to do with the attack, and that it knew nothing about it, and that in fact, Moscow had heard nothing from Washington about the matter.

But, outside government cyber experts have uncovered the following:

Hat tip source

Resecurity® HUNTER, cyber threat intelligence and R&D unit, identified a strong connection to a cloud hosting and IoT company servicing the domain belonging to cybercriminals.

According to the recent research published by ReSecurity on Twitter, starting January 2021 REVil leveraged a new domain ‘decoder[.]re’ in addition to a ransomware page available in the TOR network.

The domain was included within the ransom notes dropped by the recent version of REVil, it came in the form of a text file containing contact and payment instructions.

revil map

Typically, the collaboration between the victim and REVil was organized via a page in TOR, but in this case, their victim is not able to access the Onion Network, the group prepared domains available in Clearnet (WWW) acting as a ‘mirror’.

revil

TOR host

revil

WWW host (decoder[.]re)

To access the page in WWW or TOR – the victim needs to provide a valid UID (e.g.,”9343467A488841AC”). The researchers acquired a significant number of UIDs and private keys as a result of ransomware samples detonated and through the collaboration with victims globally. The private keys determine if the same functional process is available on both resources confirming, they’re delivering exactly the same content.

Like decryptor[.]cc and decryptor[.]top in previous REvil / Sodinokibi versions, decoder[.]re is used to grant the victims access to the threat actors WEB-site for further negotiations. The application hosted on it contains ‘chat’ functionality enabling interactive close to real-time communications between the victim and REVil.

The threat actors also used a disposable temporary e-mail address created via https://guerrillamail.com to anonymously register the domain name, which was later used for name servers too, this also allowed them to park other elements of their infrastructure. Such e-mails could only be used a limited number of times, for example, all communications with them would be automatically deleted within 1 hour.

Resecurity was able to collect the available and historical DNS records, then create a visual graph representing the current network infrastructure used by REVil and shared it with the cybersecurity community. According to experts, such a step may facilitate proper legal action against ransomware, as well as outline parties responsible for such malicious activity, as the uncovered details raise significant questions regarding the reaction from hosting providers and law enforcement.

revil map

Based on the network and DNS intelligence collected by experts, the IPs associated with it have been rotated at least 3 times in Q1 2021 and were related to a particular cloud hosting and IoT solutions provider located in Eastern Europe, which continues to service them.

“It’s hard to believe such malicious activity has gone unnoticed by certain governments resulting in damage to thousands of enterprises globally.” – said Gene Yoo, Chief Executive Officer of Resecurity.

President Joe Biden has ordered U.S. intelligence agencies to investigate the sophisticated ransomware attack on Kaseya presumably conducted by REVil, a notorious cybercriminal syndicate believed to have ties to Russian-speaking actors that’s previously gone after high-profile targets such as Apple and Acer.

The group is also believed to be behind last month’s successful attack on the world’s largest meat processing company, JBS, that extorted $11 million in ransom. REvil took official responsibility for the attack and released an announcement in their blog which is available in TOR network asking for $70 million payment from Kaseya – the biggest ransom payment demand known in the industry today.

The attack has already affected over 1,000 businesses globally disrupting their operations. One suspected victim of the breach, the Sweden-based retailer Coop, closed at least 800 stores over the weekend after its systems were taken offline.

The White House Press Secretary Jen Psaki said the US will take action against the cybercriminal groups from Russia if the Russian government refuses to do so.

The investigation is still ongoing.

About the author: Gene Yoo, Chief Executive Officer (Resecurity, Inc.)