What happens to REvil, the Russian hackers behind the attacks on the US

The REvil gang seems to have disappeared, and the web infrastructure attributed to these cybercriminals is offline. Analysis by Michele Scarpa

The REvil cybercriminals continue to make headlines.

As if the attacks on JBS and Kaseya were not enough to earn the cyber gang global notoriety, their sudden disappearance has raised doubts and questions among analysts. To understand the disappearance, one first needs to be clear about what happened in the last attack. So, one step at a time.

After the latest brazen hit by the REvil ransomware, the Kaseya attack, the criminal group has stirred up a fuss, attracting the attention of many governments and their respective security agencies.

The attack on the American company caused a sensation because it was carried out by exploiting a previously unknown vulnerability, a "zero day" (so called because, once the vulnerability is discovered, the software vendor has zero days to fix it), in Kaseya VSA, an IT infrastructure management product. The ransomware subsequently spread to all of the American company's customers, so that more than a thousand companies, about 1,500, are victims. It is a supply-chain attack that reaches the end users, a real disaster.

There is talk of an attack comparable to WannaCry and NotPetya in propagation and damage caused, while at the same time sharing the modus operandi of the SolarWinds attack.

On top of the damage, the ransom demanded was exorbitant, about 70 million dollars, a figure so high that some analysts doubt the seriousness of the demand.

WHO IS REVIL?

The group, whose name is a fusion of the words "ransomware" and "evil" and which is also known as Sodinokibi, seems to have become one of the major players in the world of cybercrime.

The name appears to be relatively new in the criminal landscape, but some of the hackers who make up the group are not. In fact, some researchers have found links between the creators of the REvil/Sodinokibi malware and the authors of the earlier GandCrab ransomware.

The creators of the GandCrab ransomware, probably of Russian origin, were leaders in the malware market until a couple of years ago, so much so that Kaspersky estimated that in 2019 40% of the ransomware market was held by GandCrab.

GandCrab, like REvil now, is ransomware as a service (RaaS): ransomware developed by hackers who, instead of using the malware directly to attack a particular system, rent it out to other cybercriminals who use it for their own illicit purposes. The ransomware mechanism essentially consists of encrypting the data of infected computers and then demanding payment of a ransom, usually in Bitcoin, in exchange for a decryption tool. In 2019 the hackers behind GandCrab shut up shop, announcing the retirement of their product after having earned, by their own account, about 2 billion dollars from ransoms paid.

After the closure of GandCrab, the REvil ransomware established itself as one of the most important ransomware-as-a-service offerings. From an analysis of the hacking techniques and a comparison of the types of victims of the two ransomware families, it emerged that some of the GandCrab hackers may now be behind REvil. A further element supporting this hypothesis is REvil's geographical area of origin which, as with GandCrab, is the former Soviet area. In fact, a feature of this ransomware is that it collects information about the machine (user name, computer name, domain or workgroup, and the free space and volumes present) and disarms itself if the keyboard layout or system language corresponds to an ex-USSR country or Syria, thus suggesting the area the criminals intend to spare.

THE PLOT TWIST

Since Tuesday, the REvil gang seems to have disappeared: websites, infrastructure and computers attributable to these cybercriminals are offline. The reasons are unknown, but there are essentially three hypotheses.

After the huge ransom demanded from Kaseya, the criminals may have shut their doors and decided to disappear, a plausible tactic since it has already been used by the group behind the SolarWinds attack. The other hypotheses involve outside intervention: either a forceful intervention by the United States or its allied governments (unlikely, even though a more reactive US policy in response to cyber attacks is in fact in place) or pressure from countries well-disposed towards these criminals, in which case attention turns to Russia.

The hypothesis of Putin's intervention in the cyber gang's disappearance is plausible, especially if we look at the timing.

On Friday the 9th there was a phone call between US President Biden and Russian President Putin, in which the US President made clear that he expects the Russians to commit to stopping hacker attacks from their territory, stating: "we expect them to act". The Tuesday shutdown was therefore linked by some analysts more to political pressure than to specific forms of retaliation by some agency.

It is difficult at the moment to determine the real reasons behind this shutdown; it is very likely, however, that this closure will not mark the end of the criminal group (which could return under new names), nor does it mark a turning point in the fight against cybercrime, now one of the greatest dangers to our societies.


This is a machine translation from Italian of a post published on Start Magazine at the URL https://www.startmag.it/mondo/revil-attacchi-hacker-stati-uniti-cosa-succede/ on Sun, 18 Jul 2021 07:59:29 +0000.