Change is a part of life, and nothing stays the same for too long, even with hacking groups, which are at their most dangerous when working in complete silence. The notorious REvil ransomware gang, linked to the infamous JBS and Kaseya, has resurfaced three months after the arrest of its members in Russia.
The Russian domestic intelligence service, the FSB, had caught 14 people from the gang. In this apprehension, the 14 members of the gang were found in possession of 426 million roubles, $600,000, 500,000 euros, computer equipment, and 20 luxury cars were brought to justice.
REvil Ransomware Gang- The Context
The financially-motivated cybercriminal threat group Gold Southfield controlled ransomware group known as REvil emerged in 2019 and spread like wildfire after extorting $11 million from the meat-processor JBS.
REvil would incentivize its affiliates to carry out cyberattacks for them by giving a percentage of the ransom pay-outs to those who help with infiltration activities on targeted computers.
In July 2021, hackers working under REvil exploited zero-day vulnerabilities in Managed Service Provider (MSP)service developed by a company called Kaseya. As is often the case, these vulnerabilities had not been patched and were therefore open for exploitation. The code change was deployed globally against over 30 MSPs worldwide and 1,000 business networks managed by those MSPs.
The hackers rented their ransomware to other cyber criminals so that a similar attack could occur and disrupt the activities of others. It's been reported how sustained ransomware attacks were conducted revealed that most hacking groups utilize Ransomware-as-service by renting out their services to other users (who often have easy access to the victim's systems, networks, and other personal information). The famous Colonial Pipeline, the oil pipeline company, operating in the United States, was attacked by REvil as part of a Ransomware service.
In October 2021, a multi-country law enforcement operation seized control of REvil's main ransomware-related resources and dismantled the darknet campaign that was being conducted on anonymous ToR servers.
But thanks to the U.S.-Russian collaboration, the REvil gang was dismantled, and the group itself was hacked. The crime group's "Happy Blog" website, used to leak victim data and extort companies and provide an avenue for commending members involved in successful attacks, was forced offline.
ReVil Making a Comeback
Cybersecurity researchers have put forward samples of REvil ransomware. Their findings, based on the findings of samples which all showed identical creation dates and compilation strings along with several other attributes, which mean the same person/team probably makes it - strengthens their argument that they have indeed identified the original REvil ransomware developer and should logically, therefore, conclude that the self-exiled cybercriminal group known as REvil has returned. Recently, the latest Ransomware leak site was promoted through the Russian forum RuTOR – a website that allegedly markets leaked data to customers.
As Per Vines, REvil's Tor Sites Have Come Back to Life.
In late April of this year, security researchers noticed some malware found in previous
attacks had resumed activity after a long period of quiet. Two researchers who are into the dark side of cybersecurity recently uncovered a blog on the dark web that is used to publish ransomware attacks, and it was enticing others to take part in this dangerous trend. They also came across news that attackers have taken it upon themselves to recruit more ghost hackers.
Ransomware sample confirms the return:
The latest sample has made use of longer GUID-type values, such as
3c852cc8-b7f1-436e-ba3b-c53b7fc6c0e4 for the SUB and PID options to track campaign and affiliate identities, respectively.
Is REvil Back? - How Can You Fight Back?
REvil is known for being particularly destructive ransomware, and its return means that businesses and individuals need to be on high alert for possible attacks. It is too early to tell if the REvil ransomware gang's comeback will be as effective as its predecessor.
But the fact that it surfaced soon after the takedown operation indicates that this may be their intent, and best ransomware protection and web security practices are suggested to be a regularity.
When it comes to safeguarding your website from hackers and criminals, there are several methodologies you can use - some of which include:
- Using an automated web application scanner, manual penetration testing.
- Setting up anti-malware & anti-virus programs for regular security scans and so on.
- Implement security training programs – your end-users and employees should know the ransomware threat and how it is launched.
- Enabling the principle of "least privilege" for application users will help you ensure that no one can access any part of your application that another user doesn't also have access to, which will allow them to avoid any security breaches from happening.
- Support your information security department by introducing cyber threat awareness initiatives that teach end-users and employees how to recognize cyber criminals' modus operandi.
- Ensure your business is protected from downloading any executable files attached to incoming or outgoing emails so your website's application isn't vulnerable to hackers.
- To stop cyber attackers from breaking into your web applications, it is suggested to configure a Web Application Firewall (WAF) to block access to malicious IP addresses.
- Furthermore, installing proper SSL certificates for protection against Man-In-The-Middle attacks or using login plugins that verify the client's security token can reduce the risk of succumbing to data breaches.
- Bring in the support from trusted managed cybersecurity service providers like Indusface to stay ahead of emerging threats and assist in addressing real-time security issues. Make sure they have the appropriate certifications, keep up to date on the latest cybersecurity news, and are always available should you need in-the-field assistance.
It won't be a surprise if the REvil ransomware group resumes attacks as the original creator(s) of the previous incarnation still exist. Even those caught are likely to attempt it again in the future, which is especially scary if you think about how prepared these online crooks are.
Getting your customers' digital identities, servers, and data files stolen because of ransomware could mean losing a lot of time and money as these attacks only get worse with time.
Also, the importance of protecting your reputation or avoiding getting it damaged can arguably be beyond measure. Therefore, businesses must ensure that their brand, intellectual property, and personal or sensitive information are protected from cyber criminals who use ransomware attacks daily.