According to the recent research published by ReSecurity on Twitter, starting January 2021 REVil leveraged a new domain ‘decoder[.]re’ in addition to a ransomware page available in the TOR network.
The domain was included within the ransom notes dropped by the recent version of REVil, it came in the form of a text file containing contact and payment instructions.
Typically, the collaboration between the victim and REVil was organized via a page in TOR, but in the case their victim is not able to access the Onion Network, the group prepared domains available in Clearnet (WWW) acting as a ‘mirror’.
To access the page in WWW or TOR – the victim needs to provide a valid UID (e.g.,”9343467A488841AC”). The researchers acquired a significant number of UIDs and private keys as a result of ransomware samples detonated and through the collaboration with victims globally. The private keys determine if the same functional process is available on both resources confirming, they’re delivering exactly the same content.
Like decryptor[.]cc and decryptor[.]top in previous REvil / Sodinokibi versions, decoder[.]re is used to grant the victims access to the threat actors WEB-site for further negotiations. The application hosted on it contains ‘chat’ functionality enabling interactive close to real-time communications between the victim and REVil.
The threat actors also used a disposable temporary e-mail address created via https://guerrillamail.com to anonymously register the domain name, which was later used for name servers too, this also allowed them to park other elements of their infrastructure. Such e-mails could only be used a limited number of times, for example all communications with them would be automatically deleted within 1 hour.
Resecurity was able to collect the available and historical DNS records, then create a visual graph representing the current network infrastructure used by REVil and shared it with the cybersecurity community. According to experts, such a step may facilitate proper legal action against ransomware, as well as outline parties responsible for such malicious activity, as the uncovered details raise significant questions regarding the reaction from hosting providers and law enforcement.
Based on the network and DNS intelligence collected by experts, the IPs associated with it have been rotated at least 3 times in Q1 2021 and were related to a particular cloud hosting and IoT solutions provider located in Eastern Europe, which continues to service them.
“It’s hard to believe such malicious activity has gone unnoticed by certain governments resulting in damage to thousands of enterprises globally.” – said Gene Yoo, Chief Executive Officer of Resecurity.
President Joe Biden has ordered U.S. intelligence agencies to investigate the sophisticated ransomware attack on Kaseya presumably conducted by REVil, a notorious cybercriminal syndicate believed to have ties to Russian-speaking actors that’s previously gone after high-profile targets such as Apple and Acer.
The group is also believed to be behind last month’s successful attack on the world’s largest meat processing company, JBS, that extorted $11 million in ransom. REvil took official responsibility for the attack and released an announcement in their blog which is available in TOR network asking for $70 million payment from Kaseya – the biggest ransom payment demand known in the industry today.
The attack has already affected over 1,000 businesses globally disrupting their operations. One suspected victim of the breach, the Sweden-based retailer Coop, closed at least 800 stores over the weekend after its systems were taken offline.
The White House Press Secretary Jen Psaki said the US will take action against the cybercriminal groups from Russia if the Russian government refuses to do so.
The investigation is still ongoing.
About the author: Gene Yoo, Chief Executive Officer (Resecurity, Inc.)
(SecurityAffairs – hacking, REVIL ransomware)