REvil-ryhmän Darknet-sivustot toimivat taas: ovatko venäläiset vapauttaneet kyberrikollisia luontoon?

Information security specialists have noticed that the darknet sites of the REvil hack group, which stopped working in early 2022, are active again. The sites are redirecting to another ransomware campaign, with the new site listing past victims of the REvil attacks as well as new ones.

REvil ceased operations in January 2022 jälkeen FSB announced the arrest of 14 people associated with the hack group. Samaan aikaan, it was reported thatthe basis for the search activities was the appeal of the competent US authorities.

Then the Tverskoy Court of Moscow took into custody eight alleged members of the hack group. All of them were charged with the acquisition and storage of electronic funds intended for the illegal transfer of funds made by an organized group (Section 2 Paragraph 187 of the Criminal Code of the Russian Federation). The punishment under this article is up to seven years in prison.

Muuten, there is also a struggle within the hacker community: esimerkiksi, we reported that LV malware uses binaries of hack group REvil without permission.

Piikuva tietokone writes that the first to notice the activity of the REvil sites were the information security specialists pancak3 ja Soufiane Tahiri. The fact is that the newsite for leaksREvil began to be advertised through the Russian-speaking forum-marketplace RuTOR (not to be confused with the torrent tracker of the same name).

The new site is hosted on a different domain but linked to the original REvil site that was in use when the group was still active.journalists of Bleeping Computer told.

The site provides detailed working conditions for “partners” who allegedly receive an improved version of the REvil malware and share the ransom with the developers of the ransomware in an 80/20 ratio.

The 26 pages of the site also list companies that have suffered from ransomware, most of which are old victims of REvil. Only the last two attacks appear to be related to the new campaign, ja one of the victims is Oil India oil and gas company.

Journalists note that back in January of this year, shortly before the termination of REvil, the researcher MalwareHunterTeam Yhdysvaltain ja Britannian hallitukset that since mid-December last year, he has been observing the activity of another ransomware group, the Ransom Cartel, which seems to be somehow connected with the REvil ransomware.

Muuten, we noted that according to Tallennettu tulevaisuus asiantuntijat, ALPHV:n luoja (Musta kissa) was previously a member of the well-known hacker group REvil.

Myöhemmin, the same MalwareHunterTeam researcher noticed that theleak siteREvil was active from April 5 kohteeseen 10, but contained no content. It started filling up about a week later. The MalwareHunterTeam also found that the RSS feed has aCorp Leaksstring, which used to be used by the now defunct Nefilim hakkerointiryhmä.

REvil darknet-sivustot

Samaan aikaan, Bleeping Computer claims that the new blog and payment sites are running on different servers, and the blog contains a cookie named DEADBEEF, which was previously used by another extortionist groupTeslaCrypt.

REvil darknet-sivustot

Pohjimmiltaan, the operation of the new redirects means that someone other than law enforcement has access to Tor’s private keys, which allow them to make the necessary changes.

According to the publication, there is already an active discussion on Russian-speaking hack forums about whether the new operation is a scam, a lure of the authorities, or is it really a new proposal from some REvil members who are trying to fix a damaged reputation.

Tällä hetkellä, there are several ransomware that use a modified REvil malware, and some of them even impersonate the original hack group. These include LV, who used the REvil ransomware even before law enforcement became interested in the hack group, and the Ransom Cartel, which is somehow connected to REvil, but how exactly is not yet clear.

Helga Smith

Olin aina kiinnostunut tietojenkäsittelytieteistä, erityisesti tietoturva ja teema, jota kutsutaan nykyään "datatiede", jo varhaisesta teini-ikäisestäni. Ennen tulemista viruksenpoistotiimiin päätoimittajana, Olen työskennellyt kyberturvallisuuden asiantuntijana useissa yrityksissä, mukaan lukien yksi Amazonin urakoitsijoista. Toinen kokemus: Olen opettanut Ardenin ja Readingin yliopistoissa.

Jätä vastaus

Tämä sivusto käyttää Akismet roskapostin vähentämiseksi. Opi kommenttisi tietoja käsitellään.

Takaisin alkuun-painike