Threat Database Ransomware REvil Ransomware

REvil Ransomware

Cybersecurity experts have spotted a new ransomware threat circulating the Web recently. This data-encrypting Trojan is called REvil Ransomware and also is known as the Sodinokibi Ransomware.

Infiltration and Encryption

Malware experts have not been able to reach a consensus as to what method is employed in the propagation of the REvil Ransomware. It is largely believed that the authors of the REvil Ransomware may be using some of the most common techniques to spread this file-locking Trojan – bogus application updates, infected pirated software downloaded from unofficial sources, and spam emails, which contain corrupted attachments. If the REvil Ransomware manages to penetrate a system, it will begin the attack with a quick scan of the files present on the computer. The goal is to find and locate the files, which the REvil Ransomware was programmed to go after. Then, the encryption process will be triggered, and all the targeted files will be locked using an encryption algorithm. Upon locking a file, the REvil Ransomware adds an extension to its filename, which consists of uniquely generated random string for each victim, for example ‘.294l0jaf59.’ This means that once a file, which was originally named ‘kitty-litter.jpg’ undergoes the encryption process of the REvil Ransomware, its name will be altered to ‘kitty-litter.jpg.294l0jaf59.’

The Ransom Note

The next phase is the dropping of the ransom note. The REvil Ransomware’s note will be named ‘294l0jaf59-HOW-TO-DECRYPT.txt’ if we carry on with the example of the uniquely generated extension for earlier. The ransom message reads:

’--=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 686l0tek69.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
a) Download and install TOR browser from this site: hxxps://torproject.org/
b) Open our website: hxxp://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/913AED0B5FE1497D

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
b) Open our secondary website: http://decryptor.top/913AED0B5FE1497D

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:
Key:

-

Extension name:

294l0jaf59
-----------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!’

The attackers demand $2500 in Bitcoin as a ransom fee. However, if the sum is not paid within 72 hours, it doubles to $5000.

The sum demanded by the authors of the REvil Ransomware is pretty hefty, and we would advise you strongly against paying up and giving in to any demands made by cybercriminals like the ones responsible for this data-locking Trojan. A wiser option would be to make sure you download and install a reputable anti-virus software suite, which would keep your system secure from threats like the REvil Ransomware.

Grubman Shire Meiselas & Sacks Hack And $42 Million Ransom Demand

At the beginning of May 2020, the REvil hacking group breached the systems of New York-based law firm Grubman Shire Meiselas & Sacks (GSMS), encrypting and stealing a whopping 756GB of sensitive data.

The stolen files included personal correspondence, music rights, nondisclosure agreements, phone numbers, and email addresses of numerous A-list celebrities, including Elton John, Madonna, Bruce Springsteen, Nicky Minaj, Mariah Carey, Lady Gaga, and U2.

Not only that, but the hackers claimed that they had gotten their hands on sensitive data about US President Donald Trump. This claim was the reason for the impressive ransom demand made by the REvil group. Initially, the attackers demanded $21 million, but GSMS countered with an offer of just $365,000.

This resulted in the doubling of the ransom demand by the cyber-crooks, as well as the publishing of a 2.4GB archive that contained Lady Gaga legal documents, including concerts, TV appearances, and merchandising contracts.

The content of the Lady Gaga leak. Source: zdnet.com

The leak also contained a threat about the release of President Trump's ''dirty laundry'':

''The next person we'll be publishing is Donald Trump. There's an election race going on, and we found a ton of dirty laundry on time. Mr. Trump, if you want to stay president, poke a sharp stick at the guys, otherwise you may forget this ambition forever. And to you voters, we can let you know that after such a publication, you certainly don't want to see him as president. Well, let's leave out the details. The deadline is one week. Grubman, we will destroy your company to the ground if we don't see the money. Read the story of Travelex, it's very instructive. You repeating their scenario one to one."

GSMS responded to the threat by saying that Trump has never been a client of the company. The hackers did publish an archive of 160 emails that allegedly contained ''the most harmless information'' on Trump. Still, they mentioned the US President only in passing and contained no actual dirt on him. Apparently, the threat actors had just searched for any mention of ''trump,'' and many of the leaked emails contained it merely as a verb.

Meanwhile, GSMS responded, by suggesting that the FBI has classed the breach as an act of terrorism, stating:

''We have been informed by the experts and the FBI that negotiating with or paying ransom to terrorists is a violation of federal criminal law.''

This doesn't seem to have affected the attitude of the REvil gang, who say they're going to auction off any valuable information they have to whoever is willing to pay their price.

Important July 2021 Update – REvil Ransomware Hackers Initiate New Attacks

REvil ransomware has jump-started a new cyber campaign by compromising Kaseya’s remote desktop software to spread. Using Kaseya’s software, REvil has hit over 200 US businesses including AT&T, Sprint, and Verizon, and over 40 customers worldwide. The attack was discovered on Friday, July 2nd, right before the July 4th holidays, making it less likely for companies to respond with countermeasures.

The timing couldn’t have been worse as the cyber campaign occurred during the July 4th weekend, won’t most employees, particularly the ones involved in IT, are not at work. Kaseya is trying to protect its customers' data. According to Kaseya CEO Armen Movsisian, the company is "working around the clock" on implementing solutions while working with law enforcement.

According to the report, the new campaign, known as a supply-chain attack, uses Kaseya's remote software to connect to computers and attempt to install REvil ransomware on them. At this point, it is unclear whether Kaseya's software was intended to be used by attackers for ransomware installation. Reports state that at least over 200 US companies have been affected by the hack.

Related Posts

Trending

Most Viewed

Loading...