Tag Archive for: “REvil”

Kaseya fixes VSA. REvil disappears. Facebook takes down Iranian hacking campaign.


Kaseya fixes VSA (and the US wants Russian action against REvil).

Kaseya this past Sunday afternoon pushed fixes for VSA’s on-premises and SaaS versions. At 8:00 AM the company’s update indicated that patching was proceeding quickly:

“As posted in the previous update we released the patch to VSA On-Premises customers and began deploying to our VSA SaaS Infrastructure prior to the 4:00 PM target. The restoration of services is now complete, with 100% of our SaaS customers live as of 3:30 AM US EDT. Our support teams continue to work with VSA On-Premises customers who have requested assistance with the patch.”

The general consensus is that REvil operates with at least the knowledge of, and probably with the tacit approval and encouragement of, the Russian government. The joint enforcement action the US has requested of Russia has not materialized, GovInfoSecurity notes. Moscow is standing on ceremony as it expresses its commitment to the rule of law (as the Register puts it, “with a straight face”), but so far there are few if any signs of Russian authorities taking action against the gangs that operate with impunity from its territory.

In an hour-long phone call on Friday, July 9th, US President Biden communicated his expectations concerning ransomware operations to Russian President Putin. Reuters reports that in President Biden’s estimation the call “went well,” and that he expects Russian cooperation against gangs like REvil. Should expected Russian cooperation not be forthcoming, President Biden said the US was prepared to take certain actions on its own. He and Administration officials declined to say what such actions might be. At the White House daily press conference on Friday, Press Secretary Psaki said President Biden “underscored the need for President Putin to take action to disrupt these ransomware groups.”

The CyberWire’s coverage of the incident so far may be found here:

REvil disappears.

REvil’s disappearance early Tuesday morning from its usual online haunts (including the HappyBlog) remains unexplained. The New York Times and others note that the vanishing followed a US request that Russia do something about ransomware gangs operating from its territory, but it’s…

Source…

Russia fails to deny takedown of REvil hacking group is connected to Biden’s pressure on Putin


The Kremlin has failed to deny that the takedown of Russian-based hacking group REvil is tied to US President Joe Biden’s pressure on Russian President Vladimir Putin.

Press secretary of the President of the Russian Federation Dmitry Peskov said Wednesday the state doesn’t have any information about REvil’s sudden disappearance from the internet and insisted Russia wants to ‘cooperate’ with the US in taking down cybercriminals.

REvil’s dark web data-leak site and ransom-negotiating portals have both been unreachable since about 1am on Tuesday. 

The timing of the takedown raised eyebrows, coming just days after Biden demanded Putin take action following a series of devastating ransomware attacks by the Russia-based group on US businesses.

REvil, also known as ‘Ransomware evil’, was responsible for the Memorial Day ransomware attack on the meat processor JBS and the supply-chain attack this month targeting the Miami-based software company Kaseya that crippled well over 1,000 businesses globally.   

The Kremlin has failed to deny that the takedown of the websites used by Russian-based hacking group REvil is tied to US President Joe Biden’s pressure on Russian President Vladimir Putin. Biden and Putin pictured meeting at the Geneva Summit on June 16

When asked Wednesday by reporters if Russia was behind REvil’s takedown from the darknet, Peskov denied having any knowledge of what had happened.  

‘I cannot answer your question, because I do not have such information. I do not know which group, where it disappeared from,’ he said, according to Russian News Agency TASS.

He said Russia believes cybercriminals ‘should be punished’ but doubled down that he was not aware if the ransomware gang had been deliberately targeted by authorities.

‘We believe that [cybercriminals] should be punished,’ he said. 

‘On the international level, we believe that we should all cooperate. In this case, Russia and the United States should cooperate in order to suppress such manifestations. 

‘As for the particulars about this group, I, unfortunately, with such information I don’t have it,’ he added.

Peskov said the US and Russia had begun talks on how to work together to tackle cyber crime.

Source…

The REvil Ransomware Hackers Have Gone Offline


The hacking crew behind damaging attacks on meat supplier JBS and customers of tech provider Kaseya has disappeared from the internet.

The so-called REvil group’s dark web site, dubbed the “Happy Blog,” has been down since early this morning. Repeated attempts by Forbes to access the page today have failed with a notice saying: “The most likely cause is that the onionsite is offline.” REvil’s other pages, including its ransom payment page, are also currently inaccessible, and its representatives have been quiet on hacking forums since late last week, according to numerous cybersecurity researchers.

There’s no information as to why REvil, believed to be operating out of Russia, may have disappeared. It could be due to law enforcement action, though no agency has yet claimed success in taking the group down. (The FBI declined to comment.) Last month, President Biden and Russian leader Vladimir Putin discussed cybersecurity issues, including the potential for the Kremlin to be more supportive of efforts to counter cybercriminals launching devastating attacks on U.S. businesses. 

REvil may also have bailed due to the attention from its recent attacks. Or its sites may have simply gone down because of a technical issue. As Brett Callow, a ransomware tracker at cybersecurity firm Emsisoft, notes, the Happy Blog has gone down before and come back up, making it “too early to read anything into this.”

In a similar recent case, the DarkSide ransomware hackers disappeared from the web not long after their malware was used in the huge hack of Colonial Pipeline, which led to the shutdown of gas lines across the east coast of the U.S. In that case, some of the funds handed over in the $4 million ransom, paid in Bitcoin, were recovered by the Justice Department.

Outside of the hack of JBS, which led to an $11 million payment, REvil claimed a big scalp in an attack that exploited an unpatched “zero-day” vulnerability in tech made by Kaseya. By…

Source…

REvil ransomware attack illustrates IT systems need for epidemiological investigation


The recent REvil ransomware attack has revealed that our computer systems are vulnerable to unknown and surprising pathogens, similar to our vulnerability to Covid-19. The hackers claim that the attack penetrated more than a million workstations, and demanded about $70 million to unlock them. However, the most important question is how the damage could have been reduced or prevented.

Let’s take a step back. Antivirus software comprises the first line of defense (the IT immune system, if you will). The antivirus operating principle is simple: once a piece of malicious code is detected, the various antivirus manufacturers create a signature for it and distribute its hash as an update to the local antivirus installation. Thus, antivirus software can identify most known malware and prevent it from damaging the computer.

Tomer Shemer, VP of Portnox. Photo: Courtesy

Nevertheless, as in biological systems, some viruses and vulnerabilities are not recognizable by antivirus software. About 30-50 IT companies, including many Israeli ones, work to discover the small number of as-yet-unknown malware strains and not-yet-exploited vulnerabilities. This activity is expensive and carries large premiums, but numerous organizations around the world would pay for such protective measures. Think about it – if a security operation is attacked by 1,000 different malware samples a month, the damage of even a single penetration would be catastrophic. Therefore, an antivirus that prevents 99.9% of attacks will not suffice.

However, systems identifying unrecognized threats are prone to false alarms. No wonder – anyone trying to find a new type of threat is likely to be sensitive to any anomaly or change. Yet the high number of false alarms that these systems provide causes many to ignore them or to disable the systems, quite similar to muting the sound of a cardiac monitor, thus remaining unprotected yet again.
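The three points above (hash signatures catch only what has already been analyzed, a trivially altered sample slips past them, and looser anomaly-style detection buys coverage at the price of false alarms) can be made concrete with a small toy. The following Python is an added illustration written for this page, not code from Portnox or from the article; the "files" are constructed byte strings containing indicator words, not real malware, and the signature database, indicator list and thresholds are all made-up assumptions for the demonstration.

```python
import hashlib

# Constructed stand-ins for files found on a workstation (assumption: none of
# this is real malware; the byte strings only carry the words the detectors look for).
KNOWN_BAD = b"MZ\x90\x00 locker: enumerate_shares(); encrypt_files(); drop_ransom_note()"
VARIANT = KNOWN_BAD.replace(b"locker", b"l0cker")  # one byte changed: new hash, same behaviour
BENIGN_BACKUP = b"MZ\x90\x00 backup: snapshot_volume(); encrypt_archive(); upload()"

SAMPLES = {"known_bad": KNOWN_BAD, "variant": VARIANT, "benign_backup": BENIGN_BACKUP}
IS_MALICIOUS = {"known_bad": True, "variant": True, "benign_backup": False}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Signature database: the hash of the one sample that has already been analysed.
# This is the kind of content an antivirus update pushes to every endpoint.
SIGNATURE_DB = {sha256_hex(KNOWN_BAD)}


def signature_detect(data: bytes) -> bool:
    """Exact-match detection: only a file whose hash is already known is caught."""
    return sha256_hex(data) in SIGNATURE_DB


# Heuristic detector: count behaviour indicators instead of matching the whole file.
INDICATORS = (b"encrypt", b"ransom", b"shares", b"shadow")


def heuristic_score(data: bytes) -> int:
    """Number of distinct indicator strings present (case-insensitive)."""
    lowered = data.lower()
    return sum(1 for ind in INDICATORS if ind in lowered)


def heuristic_detect(data: bytes, threshold: int) -> bool:
    """Flag the file once enough indicators appear; a low threshold means more alarms."""
    return heuristic_score(data) >= threshold


def evaluate(threshold: int) -> dict:
    """Run both detectors over SAMPLES and report what each strategy gets wrong."""
    signature_misses, misses, false_alarms = [], [], []
    for name, data in SAMPLES.items():
        if IS_MALICIOUS[name] and not signature_detect(data):
            signature_misses.append(name)
        flagged = signature_detect(data) or heuristic_detect(data, threshold)
        if IS_MALICIOUS[name] and not flagged:
            misses.append(name)
        if not IS_MALICIOUS[name] and flagged:
            false_alarms.append(name)
    return {
        "threshold": threshold,
        "signature_misses": signature_misses,  # what pure hash matching lets through
        "misses": misses,                      # malicious files nobody flagged
        "false_alarms": false_alarms,          # benign files the heuristic flagged
    }


if __name__ == "__main__":
    for t in (1, 2):
        print(evaluate(t))
```

Running it shows the trade-off the article describes: the hash signature catches `known_bad` and nothing else, because changing a single byte of the variant produces a different hash; the heuristic with a threshold of 1 catches the variant but also flags the legitimate backup tool (a false alarm of exactly the kind that leads operators to mute the system), while a threshold of 2 clears the backup tool and still catches both malicious samples. On real data the indicator set is far larger and no single threshold is clean, which is why tuning and triage, not just deployment, decide whether such a system is actually used.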

One of the methods of containing the damage might sound familiar in the post-COVID world – isolation. For example, in the latest REvil attack, Kaseya software, serving as part of the supply chain, was damaged. The company warned customers over the weekend to disconnect their devices from the internet to…

Source…