REvil Notes

It looks like something taken from a Netflix series, but in my opinion the directing isn't that successful. 😜

If you've read the newsletters from The Verge or any other media, you probably think 2022 is going to be a great year from the ransomware-attack perspective. Think again. As we saw in the press, the Russian security service (the FSB) recently arrested members of the REvil ransomware group.

This post intends to trace some specific details of this operation that emerge from analyzing the material shared by the Russian services. Thanks to the audio translation, it was easy to know what they were saying. But from my point of view (always with IR eyes), I saw many frayed edges and some pieces that do not connect.

The well-known (yeah, really…)

How much trust do you have in this news? I'm very curious to know who believes today's news and whether it's a real story.

On January 15, names emerged relating to the arrest of all the suspected members of the hacker group REvil, whose detention was ordered by a Moscow court. They are expected to remain in custody until March.

Despite the enthusiasm of the White House and others around the world for this operation, considered fundamental for US-Russia relations going forward, the arrest of REvil members does not help much.

This gang dissolved long ago and is out of business for now (despite its successes). With this takedown the Russian government has only eased the pressure, and it is waiting for the next big ransomware attack to fall back on.

Based on the available material, the video the services officially published and what other people posted on Twitter, I saw frayed edges.

Now, what have we got from this video and from what other people put on Twitter?

The first one: the following image, which may seem ironic, as it shows coupons for a well-known Russian cosmetics site. The telephone number identified is +79313631534 (+7 is the Russian international prefix).

From a search, this number seems to belong to an actual construction-management company called Capitan Nemo, present on social media as ykkapitannemo. The official website is https://www.lpmc.ru/.

A quick look at the contacts listed suggests that number is the contact for the shipping service of this large group of companies.

Locating the coordinates on Google Maps (59.9360285, 30.2046293), one wonders whether this building may have links with the REvil group.

Another detail is a conversation released by a Lockbit spokesperson and disseminated as a screenshot on the XSS forum, between the Lockbit group and a member of REvil, in which a forum moderator (one Kajit) is accused of stealing data from the REvil domain and of having collaborated with the Russian federal services.

Meanwhile, on the same day the REvil ransomware operators got rekt by the FSB, another group, Conti, dropped seven new victims, all from the USA.

Image from CyberShow

Some Points

Some points to think about at the intersection of geopolitics, cyber, and nation-state activity.

  • The REvil ransomware group's leader isn't part of this arrest. Why?
  • Are you familiar with the XSS.IS conversations and other similar sites?
  • Ukrainian government websites were targeted after the failed talks. Several sites were hacked and defaced.

Microsoft Threat Intelligence Center (MSTIC) has identified evidence of a destructive malware operation targeting multiple organizations in Ukraine. This malware first appeared on victim systems in Ukraine on January 13, 2022. Microsoft is aware of the ongoing geopolitical events in Ukraine and the surrounding region and encourages organizations to proactively use the information in its post to protect against any malicious activity.

Microsoft's investigation and research teams have identified evidence of a destructive malware operation targeting organizations in Ukraine.

The following list provides the IOCs observed during Microsoft's investigation. Investigate these indicators in your environment and implement detections and protections to identify related past activity and prevent future attacks against your systems.
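How a practitioner would actually act on an IOC list like the one MSTIC published: hash every file on disk and compare against the published SHA-256 values, and match proxy or DNS logs against the published domains and IP addresses. The script below is an added example, not Microsoft's code, and it does not reproduce Microsoft's indicators; the hashes, domains, IPs and log lines in it are constructed placeholders in the same shape (RFC 2606 domains and RFC 5737 addresses), to be swapped for the values in the advisory. The one detail worth copying is the matching logic: a domain indicator matches the exact host or a subdomain of it, never a substring, so `notmalicious.example` does not trigger on `malicious.example`, and IP indicators are compared as parsed addresses, so `198.51.100.70` does not trigger on `198.51.100.7`.

```python
"""Sweep a directory tree and log lines for indicators of compromise.

Added example; the indicators below are CONSTRUCTED placeholders, not the
values from any published advisory. Replace them with the real list.
"""
from __future__ import annotations

import hashlib
import ipaddress
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Iterable

# Constructed "sample" bytes and the SHA-256 an advisory would list for them.
SAMPLE_BYTES = b"constructed sample payload, not real malware\n"
IOC_SHA256 = {hashlib.sha256(SAMPLE_BYTES).hexdigest()}
# Constructed network indicators (reserved example ranges, never routable).
IOC_DOMAINS = {"malicious.example", "c2.example.net"}
IOC_IPS = {"192.0.2.10", "198.51.100.7"}


@dataclass(frozen=True)
class Hit:
    kind: str       # "file", "domain" or "ip"
    where: str      # file path, or "line N" for a log line
    indicator: str  # the IOC that matched


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large binaries don't load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep_files(root: str, hashes: set[str]) -> list[Hit]:
    """Hash every regular file under root and report those in the IOC set."""
    hits: list[Hit] = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks (could point outside root) and specials
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # unreadable file; in real use, log it for follow-up
            if digest in hashes:
                hits.append(Hit("file", path, digest))
    return hits


# Hostnames need a letters-only last label, so dotted IPs never match here.
_HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
_IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def _domain_matches(host: str, domains: set[str]) -> str | None:
    """Exact-host or subdomain match only; substring matches are false positives."""
    host = host.lower().rstrip(".")
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def sweep_log(lines: Iterable[str], domains: set[str], ips: set[str]) -> list[Hit]:
    """Report every log line that references an IOC domain or IP address."""
    hits: list[Hit] = []
    for n, line in enumerate(lines, 1):
        for host in _HOST_RE.findall(line):
            d = _domain_matches(host, domains)
            if d:
                hits.append(Hit("domain", f"line {n}", d))
        for raw in _IP_RE.findall(line):
            try:
                ip = str(ipaddress.ip_address(raw))  # rejects e.g. 999.1.1.1
            except ValueError:
                continue
            if ip in ips:
                hits.append(Hit("ip", f"line {n}", ip))
    return hits


def demo() -> tuple[list[Hit], list[Hit]]:
    """Build a constructed directory and proxy log, then sweep both."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "benign.txt"), "wb") as f:
            f.write(b"nothing to see here\n")
        with open(os.path.join(root, "update.exe"), "wb") as f:
            f.write(SAMPLE_BYTES)
        file_hits = sweep_files(root, IOC_SHA256)
    log = [  # constructed proxy log lines
        "2022-01-13T10:01:02Z host1 GET http://cdn.malicious.example/stage2.bin",
        "2022-01-13T10:01:05Z host1 GET http://notmalicious.example/index.html",
        "2022-01-13T10:02:00Z host2 CONNECT 198.51.100.7:443",
        "2022-01-13T10:02:01Z host2 CONNECT 198.51.100.70:443",
    ]
    return file_hits, sweep_log(log, IOC_DOMAINS, IOC_IPS)


if __name__ == "__main__":
    for group in demo():
        for hit in group:
            print(hit)
```

Run it as-is to see one file hit (`update.exe`) and two log hits (line 1 via the `cdn.` subdomain, line 3 via the exact IP); the near-miss lines 2 and 4 stay silent. For a real sweep, point `sweep_files` at the volume root and feed `sweep_log` the proxy, DNS or firewall export line by line, and keep the advisory's date in mind: hashes catch the dropped binaries, but the network indicators are what surface the activity in historical logs.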
