
Russian Hacker Confirms the Return of the Notorious Russian Hacker Group REvil

A Russian hacker who collaborated with the well-known REvil group has confirmed that the cybercriminals returned to active work after a two-month break. He cited political reasons as the main cause of the temporary suspension. This contradicts the explanation given by REvil members themselves, who attributed the pause to precautions taken after the disappearance of one of the group's members.

The anonymous cybercriminal said that the group had only ever planned to suspend its activities, not to end them completely. According to him, the step was prompted by the difficult geopolitical situation.

"They told key business partners and malware developers that there was no cause for concern and that cooperation would not be suspended for long," the hacker said. Asked whether the Russian leadership influenced the decision of the country's most famous group to lie low for a while, the hacker said such a scenario is hardly plausible. According to him, there is no evidence of any connection between REvil and the government or intelligence services of Russia or any other country, and nobody discusses such a topic seriously on the darknet.

"It is not surprising that the hacker group responsible for high-profile attacks on American infrastructure took precautions after the conversation between the US and Russian presidents," the anonymous hacker stressed. "Geopolitical factors are always taken into account in a business of this level, although this is the first time I have encountered a situation where a group has been forced to curtail its activities relatively unexpectedly."

REvil's return was announced last week when the group's darknet site came back online after two months of downtime. Shortly afterwards, members stated on one of the Russian-language forums that the suspension had been a precaution, allegedly prompted by the disappearance of one of the REvil members: "We backed up and disabled all the servers. We thought he had been arrested. We waited — he didn't show up, and we restored everything from backups."

UK-Based Firms Voip Unlimited and Voipfone Under DDoS Attack


Users of Voipfone's UK business broadband and Voice-over-Internet-Protocol (VoIP) services have told ISPreview.co.uk that the provider has suffered major service interruptions over the past couple of days, apparently as a result of a Distributed Denial of Service (DDoS) attack against its systems.

Likewise, South Coast-based Voip Unlimited reported that it received a "colossal ransom demand" after being hit by a prolonged, large-scale DDoS attack, which it believes was launched by the Russian cybercriminal organization REvil.

On September 2nd, Voip Unlimited reported that "services are operational ... however the attacks are still ongoing."

At this point it remains unclear whether any other UK Internet Telephony Service Providers (ITSPs) have been affected. The UK Comms Council, the industry association representing ITSPs, has warned its members about the attacks and reminded them to implement "appropriate DDoS mitigation strategies."

Mark Pillow, MD of Voip Unlimited, said the business accepts "full responsibility of the availability of our services to our clients" and is "extremely sorry for all inconvenience caused."

He further explained: "At 2 pm 31st August, Voip Unlimited's network was the victim of an alarmingly large and sophisticated DDoS attack attached to a colossal ransom demand." 

DDoS attacks work by flooding a target server or service with requests from a large number of internet-connected devices (often malware-infected machines forming a botnet), causing the target to crash or degrade badly until the bad traffic stops. Such attacks may also expose further weaknesses that attackers can abuse.
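To make the flooding mechanism concrete, here is an added example (not code from the original post or from any of the providers named) of the two checks a SIP operator would run over its access logs: a per-source rate limit, which catches a single noisy client, and an aggregate request-rate check, which is what actually catches a botnet flood in which every individual source stays below the per-IP threshold. The log line format, the thresholds and the sample traffic are constructed assumptions for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


# Constructed sample log, not a real capture. Assumed line format:
#   "<ISO-8601 timestamp> <source IP> <SIP method>"
def make_sample_log():
    t0 = datetime(2021, 8, 31, 14, 0, 0)
    lines = []
    # Baseline: ten legitimate peers, one OPTIONS keep-alive each over a minute.
    for i in range(10):
        ts = t0 + timedelta(seconds=6 * i)
        lines.append(f"{ts.isoformat()} 192.0.2.{i + 1} OPTIONS")
    # Distributed flood: 200 distinct sources, one INVITE each, inside two seconds.
    for i in range(200):
        ts = t0 + timedelta(seconds=70, milliseconds=10 * i)
        lines.append(f"{ts.isoformat()} 203.0.113.{i} INVITE")
    # One noisy source: 50 REGISTER attempts inside a single second.
    for i in range(50):
        ts = t0 + timedelta(seconds=90, milliseconds=20 * i)
        lines.append(f"{ts.isoformat()} 198.51.100.9 REGISTER")
    return lines


SAMPLE_LOG = make_sample_log()


def parse_line(line):
    """Split one log line into (timestamp, source_ip, method)."""
    ts, ip, method = line.split()
    return datetime.fromisoformat(ts), ip, method


def per_source_offenders(events, limit=20, window=timedelta(seconds=10)):
    """Sources that sent more than `limit` requests inside any sliding `window`.

    This catches a single abusive client. A botnet that spreads its load
    across many IPs stays below this threshold per source and is NOT caught.
    """
    recent = defaultdict(deque)
    offenders = set()
    for ts, ip, _ in sorted(events):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:       # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > limit:
            offenders.add(ip)
    return offenders


def aggregate_spikes(events, baseline_rps=5, factor=10):
    """Seconds in which total request volume exceeds `factor` times the assumed
    normal rate, regardless of how many sources the traffic came from.

    `baseline_rps` is an assumed normal rate; derive it from your own history.
    """
    per_second = defaultdict(int)
    for ts, _, _ in events:
        per_second[ts.replace(microsecond=0)] += 1
    return sorted(t for t, n in per_second.items() if n > baseline_rps * factor)


def analyze(lines):
    """Run both checks over raw log lines and return the findings."""
    events = [parse_line(line) for line in lines]
    return {
        "per_source": per_source_offenders(events),
        "spikes": aggregate_spikes(events),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

On the constructed sample, the per-source check flags only the single noisy REGISTER client, while the two seconds of the distributed INVITE flood show up only in the aggregate check; that gap is why per-IP rate limiting alone is not a DDoS mitigation strategy.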

A number of Voip Unlimited's networks suffered "intermittent or total loss of internet connectivity services" as a result of the attack; however, clients using its Ethernet and Broadband services are thought to have been largely unaffected.

"UK Comms Council has communicated to us that other UK SIP (Session Initiation Protocol) providers are affected and identified them as a criminal hacking organization called REvil who appear to be undertaking planned and organized DDoS attacks against VoIP companies in the UK," Pillow added. 

The full scale of the attack is not yet known, but according to an email sent by Voipfone on Tuesday and seen by El Reg, the firm's services were "intermittently disrupted by a DDoS attack" over the Bank Holiday weekend, with its systems flooded by bogus traffic from tens of thousands of infected devices.

Customers were understandably frustrated to find themselves unable to access vital telephony services on returning to work after the August Bank Holiday weekend.

In a statement, Comms Council UK chair Eli Katz said, "Comms Council UK is aware of the Denial of Service attacks currently targeting IP-based communications service providers in the UK and that a small number of our members have been impacted. We have communicated the issue to our membership and are continuing to liaise closely with them to share further information and support as the situation develops."

Similarly, an alleged DDoS attack on Iran's telecommunications networks in February caused substantial disruption, knocking out around 25% of the country's internet connectivity and causing an outage of mobile and fixed-line services.

Master Decryption Key for Kaseya Attack Leaked on Hacking Forum


The universal decryption key for the Kaseya attack has been leaked on a Russian hacking forum. A user named Ekranoplan posted a screenshot of what appears to be a universal decrypter for REvil-infected files, which was then shared on Twitter by the security researcher known as pancak3.

Kaseya customers have been using the universal decryption tool to recover files held hostage by REvil. It was initially thought that the key would work on any REvil-encrypted file, but it has since been reported that it does not decrypt files from the gang's other attacks; it works only on the files of Kaseya victims.

In the cyberattack on Kaseya's VSA remote management software, the REvil ransomware group exploited a zero-day vulnerability and encrypted the files of roughly 1,500 businesses, paralyzing the operations of Kaseya's customers. Kaseya supplies IT automation and remote management software to the information technology industry.

The gang then demanded a staggering $70 million ransom for a universal decrypter that would unlock all victims' files; such a key neutralizes the attack by making the files accessible again. Shortly after this whopping demand, the gang abruptly disappeared.

By July 13 the group had left no trace online. The group was said to be behind 42 percent of recent ransomware attacks.

Notably, the gang's abrupt disappearance came one day before senior White House officials and their Russian counterparts met to discuss the surge in ransomware cases.

Meanwhile, on July 22, Kaseya finally obtained the decryption tool to reverse the encryption of its customers' files.

The Verge notes three possible sources for the decryption tool: the US, Russia, or REvil itself. Kaseya has neither confirmed nor denied any of them; the Florida-based IT company said only that it received the key from a "trusted third party."

Kaseya has provided the universal decryption tool to its customers, but with a twist: the company requires customers to sign a non-disclosure agreement. While NDAs are routinely used during cyberattack recovery, attaching one to the decryptor keeps the details of the incident entirely secret.

Ransomware Groups Never Perish, They Reincarnate


It is no longer surprising that ransomware attacks have surged over the past few years; technological advances have been a boon for the attackers. Ransomware is malware that encrypts the victim's files. The attacker then demands payment to restore access to the encrypted data, providing instructions on how to pay and receive the decryption key.

Several ransomware organizations are now in their third incarnation. In the cybercrime world, reinvention is a key survival technique. The oldest trick is to fake one's death or retirement and then reappear under a new identity; the main purpose of such a ruse is to make researchers turn their attention elsewhere for a while.

DarkSide, which collected a $5 million payment from Colonial Pipeline earlier this year and then saw much of that sum seized by the U.S. Department of Justice, is one of the newest and most intriguing reinventions. After its servers were seized, DarkSide announced that it was shutting down. Just a couple of months later, however, a new affiliate ransomware operation called BlackMatter appeared, and specialists quickly found that BlackMatter was using the same unique encryption routine as DarkSide.

DarkSide's downfall came close in time to that of REvil, a long-running ransomware gang that has extracted more than $100 million from victims. Kaseya, a Miami-based corporation, was REvil's last major victim: the exploit allowed REvil to push ransomware to as many as 1,500 organizations that use Kaseya's software. REvil demanded a single $70 million payment to decrypt all of the Kaseya attack's victims.

REvil itself is widely regarded as the successor to GandCrab, a prominent ransomware group that claimed over $2 billion in extortion in the 12 months before it shut down in June 2019.

The latest ransomware outfit, "Grief", is just a repaint of DoppelPaymer, which in turn shared most of its code with an earlier strain, BitPaymer, from 2016. All three are attributed to a well-known cybercriminal organization variously known as TA505, "Indrik Spider" and Evil Corp.

Mark Arena, CEO of cyber threat intelligence company Intel 471, stated that whether BlackMatter is a new name for the REvil group, or merely a rebirth of DarkSide, is uncertain. “Likely we will see them again unless they’ve been arrested,” Arena further added. 

Cobalt Strike Payloads: Hackers Capitalizing on Ongoing Kaseya Ransomware Attacks


Threat actors are trying to profit from the ongoing Kaseya ransomware incident by targeting likely victims with a spam campaign that pushes Cobalt Strike payloads disguised as Kaseya VSA security updates. Cobalt Strike is a legitimate penetration testing and adversary simulation tool that attackers also use for post-exploitation tasks, planting beacons that give them remote access to compromised systems. The goal of such attacks is typically to harvest and exfiltrate sensitive data or to deploy second-stage malware payloads.

In a September report, the Cisco Talos Incident Response (CTIR) team noted that "interestingly, 66 percent of all ransomware attacks this quarter involved red-teaming framework Cobalt Strike, suggesting that ransomware actors are increasingly relying on the tool as they abandon commodity trojans." The malspam campaign discovered by Malwarebytes Threat Intelligence uses two distinct delivery methods for the Cobalt Strike payload: emails carry both a malicious attachment and a link, each disguised as a Microsoft patch for the Kaseya VSA zero-day exploited in the REvil ransomware attack.

According to Malwarebytes Threat Intelligence, the campaign drops Cobalt Strike via an attachment named 'SecurityUpdates.exe' and a link that claims to be a Microsoft security update patching the Kaseya vulnerability. Once a recipient runs the malicious attachment or download, believing it to be a Microsoft update, the attackers gain persistent remote access to the system.

Bleeping Computer reports: "just as with this month's malspam campaign, the June phishing campaign was also pushing malicious payloads designed to deploy the Cobalt Strike penetration testing tool, which would have allowed the attackers to compromise the recipients' systems. The payload download pages were also customized using the target company's graphics to make them appear trustworthy." These two campaigns show that phishing actors follow the news and build lures around recent events to boost their success rate, Bleeping Computer said.
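As an added example (not code from the original post, from Malwarebytes or from Bleeping Computer), the following Python triage routine applies the indicators described above to a constructed message: an executable attachment (checked both by extension and by the DOS/PE "MZ" magic, so a renamed binary is still caught), a link pointing at a host outside the vendors a genuine patch notice would come from, a display name claiming to be Microsoft on a non-Microsoft sending domain, and lure wording about a Kaseya patch. The sample email, the TRUSTED_DOMAINS allow-list and the verdict rule are assumptions for illustration; the attachment is a 64-byte stub, not a real binary.

```python
import base64
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allow-list: vendors a genuine notice about this incident could come
# from or link to. Tune for your own environment.
TRUSTED_DOMAINS = ("microsoft.com", "kaseya.com")
EXEC_EXT = (".exe", ".scr", ".msi", ".bat", ".cmd", ".ps1", ".js", ".vbs", ".hta", ".dll")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample modelled on the campaign above; not a real capture.
FAKE_EXE = b"MZ" + b"\x00" * 62          # DOS-header stub only, no real code
RAW_MSG = (
    b'From: "Microsoft Security" <updates@patch-kaseya.example>\n'
    b"To: admin@victim.example\n"
    b"Subject: Kaseya VSA Security Update\n"
    b"MIME-Version: 1.0\n"
    b'Content-Type: multipart/mixed; boundary="b1"\n'
    b"\n"
    b"--b1\n"
    b'Content-Type: text/plain; charset="utf-8"\n'
    b"\n"
    b"Install the attached Microsoft patch for the Kaseya VSA vulnerability\n"
    b"or download it from http://patch-kaseya.example/SecurityUpdates.exe\n"
    b"--b1\n"
    b'Content-Type: application/octet-stream; name="SecurityUpdates.exe"\n'
    b'Content-Disposition: attachment; filename="SecurityUpdates.exe"\n'
    b"Content-Transfer-Encoding: base64\n"
    b"\n"
    + base64.b64encode(FAKE_EXE) + b"\n"
    + b"--b1--\n"
)


def is_trusted_host(host):
    """True if `host` is one of the trusted domains or a subdomain of one."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def triage(raw):
    """Return the indicators found in one raw RFC 822 message and a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {"exe_attachments": [], "suspicious_urls": [],
                "spoofed_sender": False, "lure": False}

    # Display name claims a trusted vendor, but the sending domain is not that vendor.
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    claims_vendor = any(d.split(".")[0] in display.lower() for d in TRUSTED_DOMAINS)
    findings["spoofed_sender"] = claims_vendor and not is_trusted_host(sender_domain)

    body = ""
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if part.get_content_disposition() == "attachment" or filename:
            data = part.get_payload(decode=True) or b""
            # Extension check plus MZ magic, so "update.pdf" that is really a PE is caught.
            if (filename or "").lower().endswith(EXEC_EXT) or data[:2] == b"MZ":
                findings["exe_attachments"].append(filename or "<unnamed>")
            continue
        if part.get_content_type() == "text/plain":
            body += part.get_content()

    text = (str(msg.get("Subject", "")) + " " + body).lower()
    findings["lure"] = "kaseya" in text and ("update" in text or "patch" in text)

    for url in URL_RE.findall(body):
        if not is_trusted_host(urlparse(url).hostname) or url.lower().endswith(EXEC_EXT):
            findings["suspicious_urls"].append(url)

    risky_context = findings["suspicious_urls"] or findings["spoofed_sender"]
    findings["verdict"] = ("quarantine"
                           if findings["exe_attachments"] or (findings["lure"] and risky_context)
                           else "deliver")
    return findings


if __name__ == "__main__":
    print(triage(RAW_MSG))
```

The verdict rule is deliberately simple: an executable attachment is enough on its own, while lure wording only escalates when paired with a non-vendor link or a spoofed sender, so an ordinary internal "we patched Kaseya" note with no links is still delivered.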

1,500 Businesses Globally were Affected by Kaseya Cyberattack


Kaseya, a Miami-based software provider serving over 40,000 businesses, reported on July 2 that it was investigating a possible breach. The IT solutions provider for managed service providers (MSPs) and enterprise clients revealed a day later that it had been hit by a "sophisticated cyberattack." According to CEO Fred Voccola, the ransomware attack affected between 800 and 1,500 organizations worldwide. In an interview with Reuters, he said it was impossible to determine the exact impact because the affected organizations were customers of Kaseya's clients.

REvil, a hacking group linked to Russia, published a post on its dark web blog on Sunday claiming responsibility for the attack and demanding $70 million to restore the data. REvil has become one of the best-known ransomware operations in the world: in the past month alone it demanded $11 million from the U.S. subsidiary of the world's largest meatpacking company, $5 million from a Brazilian medical diagnostics company, and launched a large-scale attack on dozens, if not hundreds, of companies that use Kaseya's VSA IT management software.

Kaseya sells an integrated IT management platform to other businesses. Its products include VSA (Virtual System/Server Administrator) and other remote monitoring and management tools for network endpoints, as well as compliance systems, service desks, and a service automation platform.

According to the FBI, a vulnerability in Kaseya VSA software was used against many MSPs and their clients in the recent supply-chain ransomware campaign. VSA allows a company to control servers and other hardware, as well as software and services, from a remote location. Large enterprises and service providers who manage system administration for companies without their own IT staff utilize the software. 

According to security researcher Kevin Beaumont, the REvil ransomware was distributed through what appeared to be an automatic software update from the product. Because the update mechanism has administrator access down to client systems, the compromised MSPs in turn infected the systems of their own clients.

According to Beaumont, the attacker first disabled administrator access to VSA and then inserted a task called "Kaseya VSA Agent Hot-fix." This fake update was pushed out to the entire estate, including MSP client systems, so organizations that were not themselves Kaseya customers were encrypted as well. The "agent update" was in fact REvil ransomware. It disabled antivirus software and ran a fake copy of Windows Defender, after which the computer's files were encrypted and could not be read without the key.

REvil Hits Brazilian Healthcare Giant Grupo Fleury


São Paulo-based medical diagnostics firm Grupo Fleury has suffered a ransomware attack that disrupted business operations after the company shut down its systems. On the 22nd of June, the company website began displaying an alert stating that its systems were under attack and no longer accessible.

The Brazilian healthcare giant provides medical laboratory services across the nation, with over 200 service centers and more than 10,000 employees, and performs approximately 75 million clinical exams a year.

"Please be advised that our systems are currently unavailable and that we are prioritizing the restoration of services. The causes of this unavailability originated from the attempted external attack on our systems, which are having operations reestablished with all the resources and technical efforts for the rapid standardization of our services," read the message translated into English. 

With its systems down, patients are unable to book appointments for lab work and other medical examinations online. Since the announcement, multiple cybersecurity sources have confirmed that Grupo Fleury was attacked by the ransomware operation known as REvil, also known as Sodinokibi.

“The Healthcare industry and healthcare supply chain are both one of the top three targeted sectors worldwide. Additionally, REvil are launching a lot of attacks at the moment, having hit a maritime organization in Brazil earlier this month,” Andy Norton, European cyber risk officer at Armis, stated.

Grupo Fleury's data is of significant concern because it contains enormous amounts of personal and medical information about patients. REvil is demanding $5 million for the decryptor and an assurance that no sensitive information will be leaked online. REvil is known for exfiltrating data before encrypting devices and then using the stolen information as leverage to extort money from the victim.

“In a previous statement made to the Russian-OSINT Telegram channel, a REvil representative stated that they were targeting Brazil for revenge. However, it is not known what that revenge is for. REvil is known for exfiltrating data and the data could include personally identifiable information and sensitive medical information of their patients and staff, which could be detrimental for the organization,” Jamie Hart, cyber threat intelligence analyst at digital risk protection company Digital Shadows Ltd, said.

Prior to this attack, JBS Foods, the world's largest meat producer, was the victim of a REvil ransomware attack; JBS paid a ransom of $11 million to keep its stolen information from being leaked online. REvil has targeted numerous high-profile organizations, including the court system of the Brazilian state of Rio Grande do Sul and the nuclear weapons contractor Sol Oriens.

Objectives for Ransomware Attack Against Nuclear Contractor Sol Oriens Remain Unknown


New Mexico-based government contractor Sol Oriens was attacked by the Russian REvil ransomware group, sparking concern in the national security community because of the company's work with the Department of Energy's National Nuclear Security Administration.

However, the motives for the attack remain unknown. Sol Oriens confirmed to CNBC's Eamon Javers that it was targeted in May, and stated that no sensitive or security-related material was compromised. The company's website remained down as of Friday, and Mother Jones reported that it had been down since June 3. Sol Oriens has not yet confirmed whether the attack involved ransomware.

According to Michael DeBolt, senior vice president of intelligence at Intel 471, Sol Oriens was targeted by REvil, the same group that was accused of targeting meat manufacturer JBS. 

“From the REvil blog, all indications are that Sol Oriens was a target of opportunity, and not of design tied to some state-sponsored entity,” DeBolt stated. 

“However the sensitive nature of this particular victim did not elude the REvil operators and affiliates responsible for the attack. In fact, they explicitly threatened to reveal ‘documentation and data to military agencies of our choice [sic]’ and shared proof by way of screenshots on their name and shame blog. Even so, these actors primarily remain financially motivated.” 

According to Gary Kinghorn, senior director of marketing and alliances at Tempered Networks, the sensitivity of the information exposed in this breach appears less than catastrophic if it was limited to personal information and contacts, but there is no way of knowing whether it went further. The goals of such an attack, Kinghorn said, are clearly useful to geopolitical adversaries, and enterprises must be aware of the immense sophistication and resources behind these operations, whatever the motive.

Kinghorn added, “Organizations, particularly those holding DoE-class information and secrets, have to realize that yesterday’s security tools are no longer enough and are too error-prone to justify.” 

“The National Security Agency has already strongly suggested that government agencies move to zero trust and even ensure encryption of all data in motion. These advanced steps can effectively make networks unhackable. However, right now, organizations are still weighing the costs and ROI until they get exposed like this to make changes.”

Business Operations Shut Down as Fujifilm Suffers an Attack


On Wednesday 2nd June, Fujifilm released a short statement disclosing unauthorized access to its servers from outside the company. It did not say whether the ransomware family used had been identified, whether any data had been exfiltrated from its network, or whether the attackers had made a ransom demand.

Later, on 4th June, Japan's Fujifilm group formally confirmed that a ransomware attack had disrupted its business operations earlier in the week.

“FUJIFILM Corporation is currently carrying out an investigation into possible unauthorized access to its server from outside of the company. As part of this investigation, the network is partially shut down and disconnected from external correspondence,” stated Fujifilm. 

Fujifilm employees, however, indicated that ransomware was responsible for the attack and that the business had to disconnect parts of its network around the world.

Fujifilm told staff to shut down their laptops and all servers immediately at roughly 10:00 AM EST on Tuesday. The network shutdown also cut off access to email, the billing system, and the reporting system. Fujifilm also posted a notice warning its customers of the disruption to its operations.

While the ransomware gang behind the attack has not been officially named, REvil is believed to be responsible. REvil operators typically gain a foothold through a trojan, then use the remote access it provides to spread to other machines while collecting unencrypted data.

Once they obtain a domain admin account in the Windows domain and have collected what they want, they deploy the ransomware to encrypt devices across the network.

Last month the DarkSide ransomware operation hit Colonial Pipeline, the largest fuel pipeline in the US, forcing a shutdown that caused fuel shortages in several states.

Also last month, the Conti ransomware group attacked Ireland's HSE, the public health service, and the Department of Health, causing major disruption to healthcare services.

"It will be a topic of discussion in direct, one-on-one discussions — or direct discussions with President Putin and President Biden happening in just a couple of weeks," White House press secretary Jen Psaki said at the press briefing.

DarkSide Affiliates Claim Gang's Bitcoin Deposit


Since the DarkSide ransomware operation shut down a week ago, multiple affiliates have complained about not being paid for past work and have filed claims against the gang's bitcoin escrow deposit on a hacker forum. Escrow systems are common in Russian-language cybercriminal communities to prevent scams between sellers and buyers, and such a deposit is a ransomware operation's way of signalling that it means business.

DarkSide is a ransomware operation that has been active since at least August 2020; in May 2021 it was used in the attack on Colonial Pipeline, headquartered in Georgia, which caused a significant fuel supply disruption along the US East Coast. The malware is offered to cybercriminals as a service through an affiliate scheme and, like other well-known ransomware threats, uses double extortion, combining file encryption with data theft. It is deployed on compromised networks through hands-on intrusion rather than automated spreading.

DarkSide deposited 22 bitcoins on the well-known hacker forum XSS to win the confidence of potential partners and expand the operation. The wallet is controlled by the forum's administrator, who acts as guarantor for the gang and as arbitrator in the event of a dispute.

Many analysts believe the group pulled an exit scam to keep the ransom money owed to its network of affiliates. DarkSide operators, on the other hand, claim to have halted operations because of US government pressure following the Colonial Pipeline attack.

Last year, the REvil ransomware operation deposited $1 million in bitcoin on a different hacking forum in order to recruit new members. The move showed both that it trusted the forum administrator with the money and that there was plenty to be made.

Researchers found a series of claims by members of a hacking forum who said they had played various roles in the DarkSide ransomware gang's operations; some affiliates said they had handled network intrusion ("pentesting") for the operation. According to Elliptic, a blockchain analysis company, the DarkSide ransomware gang has received over $90 million in ransom payments from its victims since October 2020.

“In total, just over $90 million in Bitcoin ransom payments were made to DarkSide, originating from 47 distinct wallets.” reads the report published by the Elliptic. “According to DarkTracer, 99 organizations have been infected with the DarkSide malware – suggesting that approximately 47% of victims paid a ransom and that the average payment was $1.9 million.”

Court of Justice of the State of Rio Grande do Sul, Brazil Hit by REvil Ransomware


On 28th April 2021 the REvil ransomware group attacked the Tribunal de Justiça do Estado do Rio Grande do Sul (Court of Justice of the State of Rio Grande do Sul) in Brazil, compromising staff data and forcing the court to take its network offline. REvil, also known as Sodinokibi, is a private ransomware-as-a-service operation that emerged in 2019.

The Tribunal de Justiça do Estado do Rio Grande do Sul (TJRS) is the judicial body of the Brazilian state of Rio Grande do Sul. The attack began on April 28th, when staff unexpectedly found that they could no longer access any of their documents and images, and that ransom notes had appeared on their Windows machines.

Soon after the intrusion began, the verified TJRS Twitter account warned staff not to sign into local or remote TJ network systems.

“The TJRS reports that it faces instability in computer systems. The systems security team advises internal users not to access computers remotely, nor to log into computers within TJ’s network,” tweeted the TJRS judicial system. 

A Brazilian security researcher known as Brute Bee shared a screenshot of the ransom note with Bleeping Computer and discussed the attack. The ransom notes are REvil's, and Bleeping Computer independently confirmed that REvil was responsible.

“Files of TJRS could've been lost forever unless backups are available! DDoS attacks are yet to come if its victims refuse to cooperate”, added Brute Bee. 

Bleeping Computer further reported that the threat actors have demanded a $5,000,000 ransom to decrypt the files and refrain from leaking the stolen data.

In a translated audio recording shared with Bleeping Computer, one individual described the incident as "horrible" and "the worst thing happened there," and said the IT staff suffered a "hysterical stress attack" as they scrambled to restore thousands of computers.

The Superior Court of Justice of Brazil was also targeted last November, by the RansomEXX ransomware gang, which began encrypting computers in the middle of video-conference court sessions. At the same time, the domains of several other Brazilian federal government departments went down, but it was not clear whether they had been shut down deliberately or were under attack.

Hackers Demand $50 Million Ransom From Apple


A Russian hacking group claims to have obtained schematics for some yet-to-be-released Apple products. The hackers have demanded a $50 million ransom in exchange for not leaking any of the designs they have on hand. 

According to a report by Bloomberg, the group obtained the sensitive data by breaching Quanta, an Apple supplier that manufactures MacBooks and other products. The Taiwan-based contract manufacturer has confirmed the breach.

The hacking group, REvil, first tried to extort money from Quanta in exchange for the stolen data. When Quanta declined to pay, the hackers turned their attention to Apple, Quanta's largest customer. According to a report by The Record, the group announced its intentions in a post on its dark web site.

As proof, REvil began publishing stolen schematics of Apple products before Apple's Spring Loaded event, which was held virtually earlier this week. The group shared 21 screenshots of schematics for the newly released iMac that had not been made public before the launch, lending credibility to the stolen data.

Aside from iMac pictures, the group also shared images of the M1 MacBook Air, which was released in 2020, and manufacturing diagrams for an unreleased laptop. Notably, all of the diagrams included a disclaimer that read, “This is Apple's property, and it must be returned.” 

The hacking group has threatened to release new data every day until Apple or Quanta pays the $50 million ransom, and has set a deadline of May 1. Besides Apple, Quanta Computer has a long list of clients, including some of the best-known names in the laptop industry: HP, Dell, Microsoft, Toshiba, LG, Lenovo and others.

REvil has hinted in a post on the dark web that it has data from other companies as well. The REvil operators wrote, “Our team is negotiating the sale of vast quantities of classified drawings and gigabytes of personal data with many major brands.” 

The implications of the cyber-attack and the resulting data leak are still unclear.

REvil Ransomware Attack on Apple Supplier Quanta, $50 Million Demanded


While Apple was preparing for its 'Spring Loaded' event, which went live on Tuesday 20th April, the REvil group was demanding a payment to stop data about Apple's next-generation hardware from being leaked. REvil, also known as SODINOKIBI, said via the dark web that it had gained access to the computer network of Quanta Computer, a major supplier of the MacBook Air and MacBook Pro, and demanded $50 million to decrypt Quanta's systems.

The REvil operators published a post on their dark web site, known as the 'Happy Blog', claiming that Quanta Computer had been the target of a ransomware attack.

Although the group initially tried to negotiate an agreement with the company, it allegedly posted details of the upcoming Apple devices before the Spring Loaded event after Quanta Computer refused to pay the ransom, according to the blog post.

Some of the schematics shared by the hackers seemingly matched the current iMac, while others revealed details of a new version. The ransomware operator warned Apple to buy back the stolen data by 1st May to avoid further leaks, and threatened to post new files to its site each day until Apple gives in. The group also said it is negotiating with many big brands over the sale of large amounts of classified drawings and gigabytes of personal information.

“Quanta Computer's information security team has worked with external IT experts in response to cyberattacks on a small number of Quanta servers,” a Quanta Computer spokesperson stated. “We've reported to and kept seamless communications with the relevant law enforcement and data protection authorities concerning recent abnormal activities observed. There's no material impact on the Company's business operation.” 

The representative further stated that the information security defense system was triggered immediately and that a comprehensive inquiry was under way. The company also said its cybersecurity posture had been revamped and its existing infrastructure improved.

Quanta also said that it was working on the issue with law enforcement and data protection authorities.

New REvil Ransomware Version Automatically Logs Windows into Safe Mode


The REvil ransomware keeps adding ingenious tactics and techniques. The well-known ransomware has escalated its attack once again, this time by changing the victim's login password so that the computer can be rebooted into Windows Safe Mode.

While malicious groups are constantly upgrading their attack strategies in order to fight security measures, the threat actors behind the REvil ransomware are especially skilled at honing their malware in order to make their attack campaigns more effective.

Last month, security researcher R3MRUM discovered a new sample of the REvil ransomware that improves the new Safe Mode encryption method by changing the logged-on user's password and setting Windows to log in automatically on reboot. The ransomware changes the user's password to 'DTrump4ever' if the -smode command-line argument is used.

Afterward, the ransomware configures the following Registry values for Windows to automatically log in with the new account information. It is currently unknown whether new REvil ransomware encryptor samples will continue to use the ‘DTrump4ever' password, but at least two samples submitted to VirusTotal in the last two days have done so. 

This latest strategy exemplifies how ransomware groups are actively refining their tactics in order to effectively encrypt users' devices and demand a ransom payment. 

Asteelflash, a world-leading French EMS company, confirmed last week that it had been the target of a cybersecurity incident involving the REvil ransomware. The attackers initially set the ransom at $12 million in Monero; when negotiations did not reach an agreement in time, they doubled the demand to $24 million and leaked a first sample of the exfiltrated files.

Acer, a computer manufacturer, was also hit by the REvil ransomware. REvil has demanded a ransom of $50 million, which may be the highest ever demanded ransom.

REvil now offers, at no cost, a service that contacts news media and companies to maximize pressure on the victim, and DDoS attacks (Layer 3 and Layer 7) as a paid service. Threat actors, or their affiliates, will make voice-scrambled VoIP calls to the media and the victim's business partners with information about the attack.

REvil Ransomware Gang Introduces New Malware Features which can Reboot Infected Devices


The ransomware gang REvil has introduced a malware feature that allows attackers to reboot infected devices after encryption. REvil emerged in April 2019 and is also known as Sodinokibi and Sodin. The gang has been linked to many high-profile attacks, including the May 2020 attack on the law firm Grubman Shire Meiselas and Sacks and the April 2020 attack on Travelex, a London-based currency exchange that paid a $2.3 million ransom to recover its data.

The MalwareHunterTeam researchers recently tweeted that the REvil operators have introduced two new command-line arguments, 'AstraZeneca' and 'Franceisshit', that relate to Windows Safe Mode, the diagnostic startup mode of Windows devices.

"'AstraZeneca' is used to run the ransomware sample itself in the safe mode, and 'Franceisshit' is used to run a command in the safe mode to make the PC run in normal mode after the next reboot," team of MalwareHunter tweeted. 

The technique is not unique, but the strategy is definitely uncommon, the analysts said. REvil most likely implements this feature because encrypting files while in Windows Safe Mode helps the ransomware evade detection by certain security products.

"Causing a Windows computer to reboot in safe mode can disable software, potentially even antivirus or anti-ransomware software, that is working to keep your computer safe," says Erich Kron, security awareness advocate at the security firm KnowBe4. "This would then allow the attackers to make changes that may otherwise not be allowed in normal running mode." 

By monitoring computers for unusual reboot activity and by implementing effective data loss prevention checks, organizations can deter malicious activity. Since REvil mainly uses compromised RDP access and email phishing for distribution, it is essential for organizations to ensure that all Internet-accessible RDP instances are protected, ideally through multi-factor authentication, and that their employees receive security awareness training that helps them identify and report phishing attacks.
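The Safe Mode reboot and automatic-login tricks described in this post and in the 'New REvil Ransomware Version Automatically Logs Windows into Safe Mode' post above leave host-level traces a defender can audit. The following PowerShell script is an added example, not code from the posts or from any researcher cited; it assumes the standard Winlogon autologon registry values and the BCD `safeboot` setting, since the posts do not list the exact values the malware writes.

```powershell
# Added example: audit a Windows host for Safe Mode / autologon staging.
# Assumption: the standard Winlogon autologon values (AutoAdminLogon,
# DefaultUserName, DefaultPassword) and the BCD 'safeboot' element are used;
# the posts do not name the exact values REvil configures. Run elevated.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$findings = @()

# 1. Automatic logon with a stored clear-text password. On its own, autologon
#    is sometimes legitimate (kiosks); combined with a Safe Mode boot it is not.
$wl = Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue
if ($wl -and "$($wl.AutoAdminLogon)" -eq '1') {
    $findings += [pscustomobject]@{
        Signal = 'Winlogon AutoAdminLogon enabled'
        Detail = "DefaultUserName=$($wl.DefaultUserName); " +
                 "DefaultPassword present=$([bool]$wl.DefaultPassword)"
    }
}

# 2. Next boot forced into Safe Mode. 'bcdedit /enum {current}' prints a
#    'safeboot Minimal' or 'safeboot Network' line when it is set.
$bcd = & bcdedit /enum '{current}' 2>$null
$safeboot = $bcd | Where-Object { $_ -match '^\s*safeboot\s+(\S+)' }
if ($safeboot) {
    $findings += [pscustomobject]@{
        Signal = 'BCD safeboot set on current boot entry'
        Detail = ($safeboot -join '; ').Trim()
    }
}

# 3. Recent restarts initiated by a process rather than a user. Event 1074
#    (User32) records the process that requested the shutdown or restart.
$restarts = Get-WinEvent -FilterHashtable @{LogName = 'System'; Id = 1074} `
    -MaxEvents 10 -ErrorAction SilentlyContinue
foreach ($ev in $restarts) {
    # Message names the requesting process, e.g. "...on behalf of user X for
    # the following reason..." ; anything other than shutdown.exe/explorer.exe
    # or winlogon.exe is worth a look.
    if ($ev.Message -notmatch 'shutdown\.exe|explorer\.exe|winlogon\.exe') {
        $findings += [pscustomobject]@{
            Signal = "Restart requested by unusual process at $($ev.TimeCreated)"
            Detail = ($ev.Message -split "`n")[0]
        }
    }
}

if ($findings.Count -eq 0) { 'No Safe Mode / autologon staging found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

The same three checks can be fed to an EDR or SIEM as a correlation rule: an AutoAdminLogon change, a safeboot BCD edit and a process-initiated restart within a few minutes of each other is the sequence the posts describe.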

Recently, the gang allegedly attacked the Taiwanese PC maker Acer through an on-premises Microsoft Exchange server, exploiting the unpatched ProxyLogon vulnerability.

The REvil gang has gradually strengthened its malware and adopted various new extortion methods. It now frequently targets bigger companies in search of significantly larger pay-outs, names and shames them via its dedicated leak site, and targets victims that hold cyber-insurance.

Electronics Giant Acer Hit by $50 Million Ransomware Attack


The ransomware gang known as ‘REvil’ stole confidential files from computer giant Acer and demanded an unprecedented ransom of US$50 million. The group also posted online images of allegedly stolen spreadsheets, bank balances, and bank texts, in order to prove their claims of having hacked into the Taiwan company’s network.

According to security researchers, the hackers may have exploited a Microsoft Exchange vulnerability to gain entry into the company's network. The $50 million demand made of Acer is the largest ransom demand ever to become publicly known, Callow said, larger than the $42 million REvil wanted from celebrity law firm Grubman Shire Meiselas & Sacks, which counted Nicki Minaj, Mariah Carey and LeBron James among its clients.

When asked about the situation, Acer would not confirm that it was a ransomware attack, telling Bleeping Computer only that it has "reported recent abnormal situations observed to the relevant law enforcement and data protection authorities in multiple countries." Asked for further details, Acer replied, "there is an ongoing investigation and for the sake of security, we are unable to comment on details."

According to The Record's report, Acer's name appeared on the REvil ransomware group's list of companies that do not pay extortion fees. With the help of malware intelligence analyst Marcelo Rivero, The Record managed to track down the gang's other dark web portal, which clearly displayed the $50 million ransom the gang demands from Acer and the online chat the gang was using to communicate with the company's representatives.

Before the attack, Advanced Intel’s Andariel cyberintelligence platform detected that the REvil gang recently targeted a Microsoft Exchange server on Acer’s domain and used the ProxyLogon vulnerability to install their ransomware.