"REvil gang suddenly goes silent leaving victims unable to recover systems The dark web sites operated by the notorious REvil ransomware group suddenly went offline on Tuesday, prompting speculation that the US or Russian governments stepped in. Meanwhile, victims and the security companies working for them to recover data have been put in a more difficult situation... 'Victims have been left without the ability to recover the decryption software necessary to restore encrypted networks, our clients being among them,' Mike Fowler, vice president of intelligence services at GroupSense, a company that provides ransom negotiation services, tells CSO. 'It is our hope that the organization responsible for the takedowns was able to gather the necessary software needed to provide the decryption keys when supplied with the victim-specific encryption keys. If not, we consider it computationally infeasible that the victims will be able to recover their data via other means'..." https://www.csoonline.com/article/3...eaving-victims-unable-to-recover-systems.html
"Hacking group behind widespread ransomware attacks disappears online... 'Someone went in and removed the IP address' linked to the domain hosting the group’s sites, said Dmitri Alperovitch, president of the think tank Silverado Policy Accelerator and former chief technology officer of the cyber firm CrowdStrike. The group’s blog is reachable on the dark web, a portion of the Internet that is not easily navigable by search engine, he said. But the more critical sites, which are used to negotiate with the group and receive decryption tools, are on the regular Internet, he said. All were down Tuesday... The reason behind the site outage is unclear... The servers do not appear to have been hacked, so this is unlikely to be an offensive cyber operation, Alperovitch said. He also said the fact that the domains were not fully seized made it doubtful that it was a law enforcement operation..." https://www.washingtonpost.com/technology/2021/07/13/revil-disappears-kaseya-hack/
In light of this MSP supply chain attack, ESET has published an informative article regarding MSP evaluation criteria: https://www.welivesecurity.com/2021/07/13/msp-kaseya-incident-third-party-cyber-risk/
Morgan County Schools’ computers hit by holiday ransomware attack July 14, 2021 https://www.morganmessenger.com/202...s-computers-hit-by-holiday-ransomware-attack/
Kaseya attack: "Yes, we can do something about this, and we should do something about this" July 16, 2021 https://www.techrepublic.com/articl...t-this-and-we-should-do-something-about-this/
Yes, but I assume that the other processes that were used in this attack were not whitelisted, so Sophos should have been able to block it. I'm talking about cmd.exe, cert.exe, msmpeng.exe and mpsvc.dll. They are all listed in the C:\Windows folder.
"Company hit by massive ransomware attack [Kaseya] obtains key to unlock customer files The company hit by a massive ransomware attack just before Fourth of July weekend said it has obtained a computer key to unlock the files of hundreds of companies. Kaseya, an information technology company, said it got the universal decryptor key from a 'trusted third party' and has validated that it works. Spokeswoman Dana Liedholm said Kaseya received the key yesterday and has been working with customers to roll it out... Liedholm declined to say whether Kaseya paid a ransom to obtain the key..." https://www.washingtonpost.com/technology/2021/07/22/kaseya-ransomware-revil-key/
Wow. That's got to be a welcome relief for many affected and quite a revelation. Danged encryption anyway. What a horrific and dangerous discovery when in the hands of ruthless people of mischief. Just like wireless cellphones.
https://twitter.com/BleepinComputer/status/1418266378923085827 Speculating that Russia released the decryptor as a "gesture of good will."
Kaseya Says It Did Not Pay Ransom to Obtain Universal Decryptor July 26, 2021 https://www.databreachtoday.com/kaseya-says-did-pay-ransom-to-obtain-universal-decryptor-a-17144
Researchers warn of unpatched Kaseya Unitrends backup vulnerabilities https://www.bleepingcomputer.com/ne...ched-kaseya-unitrends-backup-vulnerabilities/
Getting them lazies on the ball now. Wake-up call. Take security EXTRA seriously; don't get lulled into a false sense of confidence. Just occurred to me that big dog services like this may have to get off the pot and start keeping equipment manned 24/7 instead of depending on pager alerts.
Kaseya's universal REvil decryption key leaked on a hacking forum August 11, 2021 https://www.bleepingcomputer.com/ne...vil-decryption-key-leaked-on-a-hacking-forum/
Kaseya Ransomware Attack Update: New Authentication Patch Released August 12, 2021 https://www.crn.com/news/channel-pr...tack-update-new-authentication-patch-released
BTW, not only Sophos but CrowdStrike also claims it would have been able to stop the Kaseya attack in this article: https://www.crowdstrike.com/blog/how-crowdstrike-stops-revil-ransomware-from-kaseya-attack/
Big outfits like that always seem to be complacent until the inevitable issues their entire industry a rude wake-up call. They take anything and anyone peddling server security at their word that their product is the best. But to be fair, with so many vendors sparring for new enterprise customers it can be, and always is, a daunting task making the best decision. That's where company data security research enters the picture. Your company's security and the security of your customer base is only as good as your IN-HOUSE Data Protection Specialist is. He is ultimately the one, or a board of them, who settles on the vendor they have already determined is best suited for that occupation.
Kaseya patches Unitrends server zero-days, issues client mitigations August 26, 2021 https://www.bleepingcomputer.com/ne...s-server-zero-days-issues-client-mitigations/
"Attackers' fumble gave out Kaseya decryptor key The REvil cybercriminal group said the universal decryptor key for all victims of the Kaseya ransomware attack was accidentally released to victims by a coder. 'Our encryption process allows us to generate either a universal decryptor key or individual keys for each machine,' REvil wrote Friday morning on an illicit Russian-language forum called Exploit. 'One of our coders misclicked and generated a universal key, and issued the universal decryptor key along with a bunch of keys for one machine. That’s how we **** ourselves.'..." https://www.crn.com.au/news/attackers-fumble-gave-out-kaseya-decryptor-key-569723
"FBI held back ransomware decryption key from businesses to run operation targeting hackers... The FBI refrained for almost three weeks from helping to unlock the computers of hundreds of businesses and institutions hobbled by a major ransomware attack this summer, even though the bureau had secretly obtained the digital key needed to do so... The key was obtained through access to the servers of the Russia-based criminal gang behind the July attack... But the FBI held on to the key, with the agreement of other agencies, in part because it was planning to carry out an operation to disrupt the hackers, a group known as REvil, and the bureau did not want to tip them off. Also, a government assessment found the harm was not as severe as initially feared. The planned takedown never occurred because in mid-July REvil’s platform went offline — without U.S. government intervention — and the hackers disappeared before the FBI had a chance to execute its plan, according to the current and former officials..." https://www.washingtonpost.com/nati...9417d0-f15f-11eb-a452-4da5fe48582d_story.html
The withholding certainly didn't stop REvil from coding BlackMatter, the new build (2.5) of which is a nastily pretty piece of work.
OK, so they are back at it again? Perhaps you can give some more info about BlackMatter, what's so nasty about it, is it using any new techniques and would tools like AppCheck and HMPA be able to stop it?
@Rasheed187 - Think that is bad? Wait until they begin slamming our own (regular users') ISPs on a wide scale and gum up those works too. Ugh.