REvil is Off-Line

This is an interesting development:

Just days after President Biden demanded that President Vladimir V. Putin of Russia shut down ransomware groups attacking American targets, the most aggressive of the groups suddenly went off-line early Tuesday.

[…]

Gone was the publicly available “happy blog” the group maintained, listing some of its victims and the group’s earnings from its digital extortion schemes. Internet security groups said the custom-made sites ­- think of them as virtual conference rooms—where victims negotiated with REvil over how much ransom they would pay to get their data unlocked also disappeared. So did the infrastructure for making payments.

Okay. So either the US took them down, Russia took them down, or they took themselves down.

Tags: , , ,

Posted on July 16, 2021 at 3:03 PM29 Comments

Comments

GregW July 16, 2021 3:56 PM

Those are words from the NYTimes, not our host Bruce.

My guess is there is some style guide they adhere to that involves spelling out fully all foreign leader’s names but assumes that is unnecessary for the domestic president.

vas pup July 16, 2021 5:42 PM

Logical construction “After something meaning as result of something” assume sequence of events in time is the same as cause and effect.

Yes, cause is always going before effect, but such correlation the same as causation.

Just observation.

I guess all three in play:

“So either the US took them down, Russia took them down, or they took themselves down.”

May be Russia gov notify them to stop operations, but keep some infrastructure on, so let US put them down and monitor the tools US used for this.

But who knows for sure? Who we could trust in case of leak?
Papers found on the bus or subway stop?

vas pup July 16, 2021 5:45 PM

Sorry for typo:
“Yes, cause is always going before effect, but such correlation is NOT the same as causation.”

SpaceLifeForm July 16, 2021 6:10 PM

Yesterday, I was thinking that the Guardian leak story was misinformation. Possibly to get out in front of the impending FB/CA story to come.

Now, I am looking at another angle also.

That leak story may actually be connected to REvil alleged shutdown. (I think they will try to reappear under a different label)

hxtps://www.spytalk.co/p/new-russiagate-docs-bombshell-or

hxtps://www.emptywheel.net/2021/07/16/the-guardian-scoop-would-shift-the-timeline-and-bureaucracy-of-the-known-2016-russian-operation/

SpaceLifeForm July 16, 2021 6:27 PM

Yes, what I alluded to above, may have been the ‘message’. REvil shutdown and the leak. That is the ‘message’.

Watch what happens on new squid. It has already started.

The quiver is loaded, and can launch more arrows towards GMT+3. Just watch.

SpaceLifeForm July 16, 2021 6:59 PM

Reporter: “What’s your message to platforms like Facebook?”

President Biden: “They’re killing people.”

Clive Robinson July 16, 2021 7:04 PM

@ ALL,

The first obvious problem is that the group it’s self has probably not disbanded.

The reason, they still have decryption keys that are worth real money currently and thus targets locked out of their data. If the group had decided to disband why keep the keys unless they intend to collect on them whilst they still have value.

But the second more obvious problem is this is just one of very many groups that do ransomware, so the fact just one visable actor has disapeared from view, is “political” more than it is anything else.

If people want to stop ransomware it’s relatively easy, don’t operate your systems in a way that makes ransomware easy or even possible.

That is the people who we should be looking at are the alledged “victims” who have chosen for financial reasons to build highly vulnerable systems that are such low hanging fruit even the earth worms get an easy life of it.

It’s not hard to find the reason behind the financial reasons, and guess what it’s actually another form of ransomware that will be hitting corps in the near future and it will all be legal.

A little history for you about the television industry. Back in the 1960’s most major nations had their own manufacturing of Cathode Ray Tubes (CRTs) and domestic manufacture of television sets. Japan decided that it would be a long term target to take over the TV industry. Thus the first objective was to get rid of domestic manufacturing. In essence they flodded the market with cheap CRTS and killed off domestic manufacturing of CRTs. They then targeted domestic set manufacture by raising the price of CRTs so that domestic set manufacture was nolonger productive and closed. They then kept the price at a profitable level but not so high that the required investment in dommestic manufacturing to build new factories etc would be viable.

They then went on to target other industries in a similar way. The result is domestic manufacturing became “high risk” especially with the “middleman policy” of the “service industry mantra” left in place that was always going to keep domestic manufacturing at a significant financial disadvantage.

What you see currently is the silicon valley Corps doing the same old trick with “cloud”. Yes it’s cheap at the moment, but when it gets to the point where there is little in the way of native business data centers and the investment seen as to risky, that is when the price of the “cloud” will start to climb and climb and your data held to ransom against you (which it already is if you look at the “diode policies” that currently make the cost of getting data into the cloud quick and convenient, but getting it out again… “Oh well UPS it sometime but deleate the data hear before we ship, so if it goes missing in transit…”.

People need to wise up to the idea that data is both infrastructure and foundations, and if you do not have proper control of it, somebody is going to shake you down not just the once but over and over, every time they want to up their profits you will get that “Rent seeking squeeze” that will make ransomware look cheap and you will not be alowed to get out of the trap you sleepwalked into…

So organisations need to realise that whilst investors can get their money out rapidly and will, most businesses have boat anchors of investment chaining them down that makes them a sitting target. Thus they need to ensure they have the investment in place to be a hard target not a soft target. Not investing in data correctly is taking target practice at both feet via the knees, thus incapable of standing up for oneself…

So not investing in data independence is an invitation to others to legaly “ransomware” you, and Silicon Valley Corps have already started if you can be bothered to look for the signs, which are fairly blatant.

Thus businesses should “hard target” their data not just from China / India / Iran / North Korea / Russian or where ever else allegeded “illegal” criminals chose to hang out but the likes of Silicon Valley where the lobbied to be “legal” criminals currently appear to hang out.

Truth.is.stranger.than.fiction July 16, 2021 9:10 PM

For a group of people that loves to blame the US Gov for the world’s woes, y’all are sure accepting of stories.

For instance this MSFT print spooler attack which they cannot seem to stop. MSFT is warning everyone to disable their print spooler. Windows Defender Firewall is drilled like Swiss cheese by default. There’s no way to discern why MSFT needs to let dozens of services through a firewall or what each one does. MSFT even kills your ability to use their services if you dare disable the obviously unnecessary ones. If the US Gov want ransomware to stop then make MSFT stop doing this. Every government employee is compromised by this at home too.

So far as Biden referring to FB killing people, it’s likely this https://www.cnn.com/2021/07/15/tech/facebook-iran-hackers/index.html

Then MSFT publishes this ‘story’ which accuses Israel of spying on Iran. Clearly this is retribution for someone outing Iran’s use of FB. Notice there is a FB photo included in this MSFT report as “evidence”.
https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/

Sorta weird that Ontario is yet popping up again in the MFST saga. No?

I have always been a fan of non-fiction.

Truth.is.stranger.than.fiction July 16, 2021 9:57 PM

@Clive

Big tech’s profit model is dependent upon growing data. Hence the birth of unstructured data and cloud. Yet Cybersecurity is dependent upon data minimization. Moreover, a business needs to be able to manage and FIND their data. But when you migrate data to the cloud it loses its metadata and structure. Cloud has a low cost entry point but performing elastic search is very expensive.

Also each bit and byte is carbon. We are quickly destroying our world for data growth. https://eos.org/articles/u-s-data-centers-rely-on-water-from-stressed-basins

There has to be a way that Big Tech can make money while serving mankind’s greater good.

Also data portability is the best defense against ransomware, besides offline backups. So maybe the application layer belongs in the cloud, but perhaps the solution is designing SaaS for structured data using standard (i.e.: ISO, Swift) data dictionaries. This is how the global financial system communicates and maybe the same principles can extend to PII. Structured data is easier to manage and protect. Plus noisy data is still pretty useless. Data has value when it can enhance automation and intelligence, not just take up space.

I’ve witnessed many tech companies put profits before customers needs and it is not a sustainable business model. Most companies that do that cease to grow or innovate.

Seems to me there’s lessons in Covid on how to save the world.

anon July 16, 2021 11:05 PM

@clive

You seem to have, unfairly, left all of the MBA’s out of the picture. Can you re-write that taking into account the MBA effect on pricing, prices, inventory, and manufacturing.

JonKnowsNothing July 17, 2021 1:04 AM

@ Truth.is.stranger.than.fiction, @Clive

re: Cybersecurity is dependent upon data minimization

It is more like: Minimizing Data Exposure to Exploit/Exfiltration

As pointed out, vast amounts of data are needed for even a minimally large corporation to function with electronic interfaces. Removing redundant data might reduce some foot print. Removing unnecessary data might reduce more. There will be a point where you cannot minimize anymore data and still have a functioning business on-line.

Paper based or non-electronic systems create their overloads in chits, receipt books and paper logs. A fixed amount is needed to provide “proof of business” for tax purposes and 7+ years of paper storage.

On-line systems can store much more data than the “official tax requirements” but there is a small wrinkle in removing outdated materials.

In the USA, the Internal Revenue Service only requires 7 years of storage provided they do not “find or inquire” into any accounting anomaly. Should the IRS decide to investigate a potential legal problem, the scope of the investigate can extend as far back as they want to go. The burden of proof is on the taxpayer to provide the required documentation. (1)

In this overheated and thirsty part of California, pre-COVID, the local community provided several Free Shredding Days, where you could haul your boxes of stored data for free shredding. As shredding here costs $2.00 USA per pound of paper, it’s a big give away.

Except it’s not a give away:

  1. While parked in the rats maze queue the local police park their surveillance van just behind a building out of line of sight. Using telescoping antennas they aim their cameras and license plate readers over the roof at the cars threaded into a narrow lane with no pullouts. Fish in a barrel.
  2. In the USA, once you put your trash on the street it becomes the property of the City. LEAs get warrants to collect targeted trash bins where the content is taken to a secured dump area and the police can look at what you ate for dinner since your last pick up day.
    Once you give the the paper box to the shred crew, it goes in a big bin that is supposed to go into a big shredding truck for secure disposal. But you will never know if that’s what actually happened.

The other wrinkle in removing excess, redundant and out of date info is the propensity for some LEAs to require Long Term Proofs of things. Some of these proofs go back 30 or more years. Once you have shredded your pay stubs from your first job at BigDs, you have no proof you worked there, or how much tax you paid.

===

1, There was a fairly recent exchange on converting illegal funds to legal ones which maybe found in the archives or perhaps the way back machine.

In accounting, there is no way that illicit funds become legal ones. A lot of obfuscation occurs to hide the source of such funding however, the infinite look-back of the IRS can unmask the sources. Such funds and the trail of purchases can be confiscated.

Winter July 17, 2021 2:46 AM

I would guess that it might be possible that someone at REvil realized, or was informed, that bragging about crimes against a superpower with a large army is not healthy.

JMM July 17, 2021 6:19 AM

“So either the US took them down, Russia took them down, or they took themselves down.”

Or someone else took them down. We can’t tell.

Clive Robinson July 17, 2021 7:33 AM

@ JMM,

Or someone else took them down.

Or they may not have gone down at all, just taken a vacation to rest recuperate and regroup.

They have a “reputation” now which perversely an accountant would see as “good will” on their books.

If they “spring clean” properly and tie up loose ends they can become a much more secure entity if they decide to come back.

If you think about it “crypto-coins” are not turning out as well for criminals as they might have hoped.

However with a sufficient reputation and hedge of funds they can move into a different more secure payment transfer models as more traditional criminals will take them rather more seriously.

It’s actually a move that has been over due for some time and political patronage has been one reason it has not happened. So the Western Law Enforcment organisations have had an opportunity to play “catch up”…

Thus don’t be too surprised to see the smarter ransomware groups etc to just apparently “disappear” before LEA’s catch up to them. But to reappear in a vastly different form in a few weeks or months.

Some will almost certainly just “retire out” and if cautious lead quiet but comfortable lives doing a little property development or similar, like open small businesses etc.

If you have a creative flair, and a sound head on your shoulders money laundering is not that difficult, you just have to blend in but be a little more successfull than others.

On line marketing is an almost ideal financial transfer vehicle currently, especially across national boarders with quite disparate legislation. Other industries like film making have made 100’s of billions disapear faster than Harry Potter with a fit of the shakes.

It does get silly sometimes, for some people “pocket change” / “petty cash” comes in cubic meter palettes of hundred $/€ or similar value notes just stacked up in warehouses, waiting to go through a wash cycle such as a little “Carousel / Missing Trader” fraud. This,

https://www.commsbusiness.co.uk/features/11-years-for-vat-carousel-fraudster/

Was a decade and a half ago, I sincerly doubt those found guilty have been sitting on their hands since with tens of billions up for grabs…

https://en.wikipedia.org/wiki/Missing_trader_fraud

One of the oldest VAT tricks used to be gold coins. Technically being “currancy” they are not subject to VAT whe bought or sold. But melt them down into bullion or mount them up into jewelry and then they become subject to VAT on sale. As the seller you are making 20%VAT as profit, all you have to do is know how to walk away with it. Which is actually not that hard to do in the short term, but gets more difficult with time.

At one point Indian jewellers in certain parts of the UK were happy to buy ingots of gold with LBC on the side, that actually stood for “London Brick Company” as bricks made convenient mould for pouring molten gold into…

Winter July 17, 2021 7:52 AM

@Clive
“Thus don’t be too surprised to see the smarter ransomware groups etc to just apparently “disappear” before LEA’s catch up to them.”

I do not think it is LEA’s they try to avoid. Biden has made the latest (aledged) REvil attack a matter of state security. Biden also made it an international security issue by telling Putin he should stop them. Never come between the USA and their oil.

If I were REvil, the fate of Osama bin Laden should now haunt my dreams.

echo July 17, 2021 10:45 AM

In accounting, there is no way that illicit funds become legal ones. A lot of obfuscation occurs to hide the source of such funding however, the infinite look-back of the IRS can unmask the sources. Such funds and the trail of purchases can be confiscated.

In the UK one wheeze was uncovered by HMRC analysing the random pattern of payments and proving the payments were not random.

I forget what the discussion was about but I recall bringing up the subject of “Finland Revenue”. One QC who was somewhat evasively calling me “stupid” and his QC chum who thought it was a lovely idea to join in the mockery had not heard of this scam. An enterprising civil servant who worked at HMRC in the days when anyone could open a bank account at any time for any reason with no effective checks at all skimmed payment cheques made out to Inland Revenue” simply by appending the letter “F” to make the payment for “Finland Revenue” which he then proceeded to bank in a business account for Finland Revnue Ltd.

There are other scams such as mail redirection which could be used to obtain access to someone’s confidential information or bank and high value credit cards, and POTS telephone line interception which could be used to clear a fake bankers draft with bullion dealers.

One last scam was amending bank payment slips which used to sit in a recepticle on the bank counter so payments paid in were directed to another bank account.

Clive Robinson July 17, 2021 12:41 PM

@ echo,

Not the first time you’ve mentioned it,

https://www.schneier.com/blog/archives/2018/05/maliciously_cha.html/#comment-320815

However I mainly remember the Halifax Building Society alowing accounts to be opened in vaguely Indian/Pakistani names that were things like the I of inland made into a J or similar.

This happened back in the days of “Fred the Shred” who was lets be honest his own specialist type of confidence trickster, thus probably did not care as long as the business was getting a slice of the action.

The trouble is you go hunting on the Internet and a scam that’s maybe 30years old even though it made national television peek time viewing is not coming up.

SpaceLifeForm July 17, 2021 5:21 PM

Messaging

hxtps://www.reuters.com/article/russia-defence-website/update-1-russian-defence-ministry-says-its-website-hit-by-foreign-cyberattack-idUSL8N2OS2MH

Ismar July 17, 2021 6:55 PM

This shows that the buck stops with the governments as , regardless of the hackers affiliation (or lack there of) their infrastructure needs to be hosted on a physical system somewhere .
It follows that we need international level laws and non-hacking treaties even if they are often not adhered to fully , but serve an instrument of de-escalation among state level actors.

JonKnowsNothing July 17, 2021 8:44 PM

@Ismar

re: This shows that the buck stops with the governments … regardless of the hackers affiliation

In theory yes, in practice no. In practical terms, if the Activity benefits the Government in some manner, the practice will continue. When the Activity no longer does so, it gets off loaded or revamped into something else.

Getting someone else to do your dirty work is an old story. Mercenaries work for gold, they do not care about politics or governments or paper ideals. Cash in Fist.

If Government A is on the receiving list for such activity from Government B, they may attempt to make that activity unprofitable but mercenaries are cheap by comparison and you can terminate them with a silver bullet.

Plausible Deniability is a winning strategy.

  • “How many people keep silver bullets in their gun?”
    Persephone The Matrix Reloaded

===

ht tps://en.wikipedia.org/wiki/Persephone_(The_Matrix)
(url fractured to prevent autorun)

SpaceLifeForm July 18, 2021 8:25 PM

Interesting timing. This from the same day.

I wonder how long REvil has existed inside Kaseya? Is this
just the main office?

hxtps://apnews.com/article/europe-business-technology-hacking-db3e5f615629bb225259efaf7fdf378c

In 2018, for instance, hackers managed to infiltrate Kaseya’s remote tool to run a “cryptojacking” operation, which channels the power of afflicted computers to mine cryptocurrency — often without its victims noticing. It was a less harmful breach than the recent ransomware attack, which was impossible to miss since it crippled affected systems until their owners paid up. But it similarly relied on Kaseya’s Virtual System Administrator product, or VSA, as a vehicle to get access to the companies that rely on it.

And in 2014, Kaseya’s own founders sued the company in a dispute over responsibility for a VSA security flaw that allowed hackers to launch a separate cryptocurrency scheme. The court case does not appear to have been previously reported outside of a brief 2015 mention in a technical blog post. At the time, the founders denied responsibility for the vulnerability, calling the company’s charges against them a “bogus assertion.”

Mark Sutherland and Paul Wong co-founded Kaseya in California in 2000. They had previously worked together on a project protecting the email accounts of U.S. intelligence workers at the National Security Agency, according to an account on the company’s website.

But more than a year after selling Kaseya in June 2013, court records show that Sutherland, Wong and two other former top executives sued the company to recoup $5.5 million in stock buybacks they said they were unfairly denied.

At the heart of the dispute was an attack by hackers who used Kaseya’s VSA as a conduit to deploy Litecoin mining malware that secretly hijacks a victim computer’s power to make money for the hacker by processing cryptocurrency payments.

extremly nice Troll July 18, 2021 9:52 PM

@ SpaceLifeForm

“I wonder how long REvil has existed inside Kaseya?”

I believe you have read Phineas Fisher Hack Back Guide?

hxxps://packetstormsecurity.com/files/142321/HackBack-A-DIY-Guide.html

—-[ 5.2 – Buying Access ]—————————————————–

Thanks to hardworking Russians and their exploit kits, traffic sellers, and
bot herders, many companies already have compromised computers in their
networks. Almost all of the Fortune 500, with their huge networks, have some
bots already inside. However, Hacking Team is a very small company, and most
of it’s employees are infosec experts, so there was a low chance that they’d
already been compromised.

c1ue July 19, 2021 1:05 PM

A lot of speculation.

My view is: it is not at all clear, today, that either “name and shame” or “share the blame” strategies are either necessary or even beneficial to a ransomware gang.

Ransoms are main stream. 2 or 3 years ago, maybe the IT department could squeeze in a special line item emergency authorization for a 5 digit payoff.

But 6 and 7 digit payoffs require executive oversight, much less insurance companies paying off ransoms.

Thus what is the point of these sites listing customers affected?

Data blackmail is a possible reason, I suppose, but even that is not really clear to me. Does posting a company’s hacked data on a web site really increase the likelihood that they will pay a ransom? Or enable a 2nd harvesting?

Not at all clear to me either.

I would not be surprised if these sites were more about bragging rights and marketing (for RaaS purveyors), and it may just be that they are simply pointless anymore. I am reminded of gangster movie scenes where the old gangsters reprimand the young ones for failing to keep in the shadows.

c1ue July 20, 2021 11:06 AM

@SpaceLifeForm
I don’t know what you want me to look at – but unless it is a top cyber gang’s reharvest stata, not clear how any anecdotal evidence will prove anything either way.
What I will note is that reharveat is a bad strategy because it proves that the ransomware extortionist cannot be relied on to keep their own word.
This materially affects the likelihood of paying the initia ransom.
Anyone with a modicum of business acumen would see this as a negative.
The only case I can see where this might make sense is if the “fair value” ransom that can be extracted is too low – and we know there is basically no such thing since the cost of attack is far, far lower than the payouts even in 2016, much less today.

SpaceLifeForm July 20, 2021 9:25 PM

@ c1ue

I’m thinking blackmailed corporate insiders and/or bad agents inside corporate.

All of the AWS datadumps that magically became world-readable.

Software supply chain attacks.

The data made available is probably more valuable than any ransom.

It can become a two-fer. The attacker gets the data and a ransom.

Maybe the attack is purely for the money, but maybe that is a cover for a CEO to pay off some blackmail.

Maybe some blackmail causes an insider to violate proper security which allows a supply chain attack to be implanted.

Maybe a ransomware attack that exfiltrates data, is actually a cover for the fact that the data itself was really the prize.

Maybe a bad agent corporate insider is actually the source of the blackmail.

Maybe it is all of the above in some instances.

meanwhile in Russia July 22, 2021 7:12 PM

@ ALL

Russian trend continues.

hxxps://en.wikipedia.org/wiki/COVID-19_pandemic_in_Russia

Still ~25K infections per day
~700 death per day

What are the odds all the REvil members are now dead and buried?
Or at least one?

AndrewJ July 26, 2021 7:44 PM

The Risky Business podcast jokingly hypothesised that it’s summer in Russia and they’re spending all their bitcoin down at the Black Sea. Seems as valid a hypothesis as any..

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.