Palo Alto Networks’ global threat intelligence team, Unit 42, has detailed the tactics ransomware group REvil has employed to great impact so far this year – along with an estimation of the multimillion-dollar payouts it’s receiving.

[…]

The group, which provides what security wonks have come to term “Ransomware as a Service” or RAAS, has been fingered in some high-profile attacks: Travelex, an entertainment-focused law firm with an A-lister client base; Apple supplier Quanta Computer; a major meat producer; a nuclear weapons contractor; and fashion giant French Connection UK – among many others.

Most recently, the group gained access to an estimated 1,500 companies through the Kayesa VSA platform. While the company denied a supply-chain attack, it disabled its Saas platform as a security measure – and, as of this morning, was struggling to recover.

[…]

“For these services, REvil takes a percentage of the negotiated ransom price as their fee. Affiliates of REvil often use two approaches to persuade victims into paying up: they encrypt data so that organizations cannot access information, use critical computer systems or restore from backups, and they also steal data and threaten to post it on a leak site (a tactic known as double extortion).”

According to research carried out by Martineau and colleagues, REvil and its affiliates averaged $2.25m in payouts per breach over the first six months of 2021 – chickenfeed compared to the $70m the group is demanding for a universal decryption tool designed to unlock the data being ransomed as a result of the Kaseya attack.

The methods chosen by the group to gain access to the target systems are depressingly simple, Martineau’s report claimed, with the most common methods being as simple as sending a phishing message or attempting to log in to Remote Desktop Protocol (RDP) servers using previously-compromised credentials.

“However,” Martineau noted, “we also observed a few unique vectors that relate to the recent Microsoft Exchange Server CVEs, as well as a case that involved a SonicWall compromise.”

Once in, REvil attackers cement their access by creating new local and domain user accounts, install Cobalt Strike’s Beacon covert payload – a commercial product which apparently delivers a little too well on its promise to “model advanced attackers” for “threat emulation” – and disable antivirus, security services, and other protection systems. The impact is further expanded to other devices on the network, using “various open-source tools to gather intelligence on a victim environment.”

It could be a while before the attack is noticed, too – no surprise given how the group often exfiltrates gigabytes of data as part of its ransom approach. “REvil threat actors often encrypted the environment within seven days of the initial compromise,” Martineau found. “However, in some instances, the threat actor(s) waited up to 23 days. [They] often used MEGASync software or navigated to the MEGASync website to exfiltrate archived data. In one instance, the threat actor used RCLONE to exfiltrate data.

[…]

The full report has been published on the Unit 42 site.

Source: Report shines light on REvil’s depressingly simple tactics: Phishing, credential-stuffing RDP servers… the usual • The Register

Ransomware attacks are on the rise, but quantifying the scope of the problem can be tricky when only the most high-profile cases make headlines. Enter Ransomwhere,

[…]

Jack Cable, a security architect at the cybersecurity consulting firm Krebs Stamos Group, launched the site on Thursday.

[…]

The way it works is Ransomwhere keeps a running tally of ransoms paid out to cybercriminals in the bitcoin cryptocurrency. This is largely made possible because of the transparent nature of bitcoin: All transactions involving the cryptocurrency are recorded on the blockchain, a decentralized database that acts as a public ledger, thus allowing anyone to track any transactions specifically associated with ransomware groups.

[…]

Since the U.S. dollar value of bitcoin is constantly fluctuating, Ransomwhere calculates each ransom amount based on the bitcoin exchange rate on the day that the transaction was sent.

[…]

So far in 2021, the Russia-linked cybercriminal gang that took credit for the Kaseya and JBS attacks, REvil, is leading the pack by a mile with more than $11 million in ransom payments, according to Ransomwhere. Coming in second with 6.2 million is Netwalker, one of the most popular ransomware-as-a-service offerings on the dark web. Though it should be noted that Netwalker has the dubious honor of racking up the most ransom payments of all time, with roughly $28 million to its name based on the site’s data.

REvil could soon surpass that record if its recent demands for $70 million are met. That’s how much the gang asked for on Sunday to publish a universal decryptor that would unlock all computers affected in the Kaseya hack, a supply chain attack that has crippled more than 1,000 companies worldwide and prompted a federal investigation.

[…]

Source: This Crowdsourced Ransomware Payment Tracker Shows How Much Cybercriminals Have Heisted

Cyberattacks reportedly disrupted Iran’s railway system on Friday, causing “unprecedented chaos” at stations throughout the country, according to state media.

The hackers, whoever they are, also reportedly trolled the nation’s Supreme Leader Ali Khamenei, posting his phone number as “the number to call for information” on multiple train station message boards, Reuters reports. According to some Iranian outlets, the number, 64411, was displayed on screens in train stations and redirected to Ayatolla Khamenei’s office when dialed.

The railway’s website, local ticket offices, and cargo services have all apparently been affected, the news outlet reports.

There isn’t otherwise a whole lot of information about this incident, though local reporting would appear to suggest that trains have been massively delayed but not totally stalled.

[…]

Source: Iran’s Train System Reportedly Hacked by Trolling Attackers