Cyber Crime News: A Prost to Cyber Awareness Month
Oktoberfest is the greatest season of the year. In the fatherland, villages are holding their smaller versions of the big fest in Munich, with all local Brauereis featuring their best seasonal ales. Soccer is in full swing. The weather is changing. People are in high spirits. For INFOSEC and cybercrime fighters, you could say Oktober ’21 was much the same. Often our blogs have dreadful news or another warning of another cyberattack or ransomware attack.
Most days are exactly like Groundhog Day. But the recent few weeks have been like a digital Oktoberfest. Today’s inspiration is based on this article concerning German authorities who have positively identified and tracked what is probably a leader in the REvil hacker group. Although bringing a Russian hacker into custody is unlikely, and attribution is often irrelevant, it’s still nice to know.
Additionally, new speculation about the nature of the ransomware group Conti was published here. What’s more interesting about Conti, however, is how they blew up over several friendly nation-states taking REvil matters into their own hands and essentially taking down or taking over significant REvil infrastructure. In a public rant, both on Twitter and reposted in other sources, the youngsters at Conti displayed a complete, juvenile misunderstanding of what partnerships and coalitions mean. Nothing is more festive than watching foreign youngsters have a total meltdown in their best English, threatening the US apparatus while simultaneously demonstrating they know little about how the world works outside their petty snatch & grab cybercrime sprees. You can read their statement here.
Lastly, what really kicked off the festivities was the subject of Conti’s rant: the systematic take-down of a large portion of REvil’s infrastructure. REvil had an interesting 2021 up to Oktoberfest. After a few very successful high-profile ransomware attacks (Kaseya and JBS), they announced their retirement. Actually, it was Darkside (who everyone claims is close to REvil) that announced their retirement in May 2021. Some say Darkside was just a body of code written by members of REvil. The retirement announcement was a result of governments interdicting their bitcoin payments, thus preventing them from profiting off their criminal activity. However, in July, REvil could stand by no longer and launched another attack seeking to make $70M.
Recently, a multi-national task force had enough and decided to execute a true Oktoberfest-worthy operation by infiltrating and taking down much of the REvil server infrastructure. A key REvil member announced as much, claiming “Good luck, everyone; I’m off,” as reported by experts at Recorded Future. Whether this actor is the same actor German authorities have tracked and identified is yet to be seen.
Before we say “Prost!!” we offer a few words of caution: watch out for Conti. They’re effective and may feel energized in response to the REvil takedown. Within the past 30 days, there have been an equal number of “new” groups identified as active and successful in exploiting networks. Remember that, despite a few late-summer internal disagreements between criminal group leaders and their affiliates, the cybercriminal community supports one another. Just like juveniles who haven’t learned to control their initial reactions, lashing out with fresh new waves of attacks is always imminent.
But for now, based on all we know about the internal dysfunctions of gangs and their affiliates, and the pressure now being placed on them by coordinated multi-national efforts, we feel you deserve at least one day to get a liter of your favorite ale in a giant stein and offer your cyber defenders and crime fighters a hearty “PROST!!”
And then get back to work. Shields up.
Dave Gast (CEH/SEC+/ITIL 4/PMP) is an INTRUSION Sr. Threat Researcher & Info/Cyber Security Subject Matter Expert with a 26-year active duty military career and a 10-year government contracting consulting role, including extensive cyber intelligence and threat analysis.