fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

REvil Ransomware Devs Added A Backdoor To Cheat Affiliates

REvil Ransomware Devs Added A Backdoor To Cheat Affiliates

Cybercriminals are slowly realizing that the REvil ransomware operators may have been hijacking ransom negotiations, to cut affiliates out of payments.

By using a cryptographic scheme that allowed them to decrypt any systems locked by REvil ransomware, the operators left their partners out of the deal and stole the entire ransom.

Conversations about this practice started a while ago on underground forums, in posts from collaborators of the gang, and have been confirmed recently by security researchers and by malware developers.

REvil ransomware, also known as Sodinokibi, emerged in the first half of 2019 and built a reputation as a successor of the GandCrab ransomware-as-a-service (RaaS) operation.

The RaaS cybercriminal business model involves a developer, who creates the ransomware malware and sets up the infrastructure, and affiliates recruited to breach and encrypt victims. The proceedings are divided between the two parties with affiliates taking the larger cut (typically 70-80%). 

Also Read: September 2021 PDPC Incident and Undertaking: Lessons from the Cases

Promoted by veterans of underground forums, the REvil gang developed a highly lucrative private operation that accepted only experienced network hackers.

REvil name goes down the drain

If the REvil operation started as an “honest” cybercriminal endeavor, it soon switched to scamming affiliates out of the promised 70% share of a ransom from paying victims.

Yelisey Boguslavskiy, head of research at Advanced Intel, told BleepingComputer that since at least 2020 various actors on underground forums claimed that the RaaS operators were taking over negotiations with victims in secret chats, unbeknownst to affiliates.

The rumor became more frequent after the sudden shut down of DarkSide ransomware and Avaddon’s exit by releasing the decryption keys for their victims.

The conversations involved individuals that played a role in REvil ransomware attacks, such as partners that provided network access, penetration-testing services, VPN specialists, and potential affiliates.

Boguslavskiy says that REvil admins reportedly opened a second chat, identical to the one used by their affiliate to negotiate a ransom with the victim.

When talks reached a critical point, REvil would take over by posing as the victim quitting the negotiations without paying the ransom, Boguslavskiy explained to BleepingComputer.

The gang would continue the talks with the victim and obtain the full ransom with the affiliate being none the wiser.

Recently, these claims got more substance as an underground malware reverse engineer provided evidence of REvil’s double-dipping practices. They talk of a “cryptobackdoor” in the REvil samples that RaaS operators gave affiliates to deploy on victim networks.

Also Read: The 5 Important Things To Know In Security Pen Testing

The author’s revelation comes after cybersecurity company Bitdefender released a universal REvil decryption tool that works for all victims encrypted up to July 13, 2021.

REvil called out for using secondary decryption to cheat affiliates
source: Advanced Intel

Public key in the image above:

FF5EEDCAEDEE6250D488F0F04EFA4C957B557BDBDC0BBCA2BA1BB7A64D043A3D

What the author of the above post is saying is that affiliates were not the only ones that could decrypt the systems they locked with the REvil ransomware sample they received.

REvil operators had a master key they could use to restore encrypted files.

Researcher revealed the trick in July

Fabian Wosar, “ransomware slayer” par excellence and chief technology officer at Emsisoft, in early July provided a clear explanation for how REvil’s cryptographic scheme worked.

GandCrab’s successor uses in their malware four sets of public-private keys responsible for the encryption and decryption tasks:

  1. An operator/master pair that has the public part hardcoded in all REvil samples
  2. A campaign pair, whose public part is stored in the configuration file of the malware as a PK value
  3. A system-specific pair – generated upon encrypting the machine, with the private part encrypted using both the public master and campaign keys
  4. A key pair generated for each encrypted file

“The private file key and public system key are then used as inputs for ECDH using Curve25519 in order to generate the Salsa20 key (called a shared secret) that is being used to actually encrypt the file content,” Wosar explains.

The system private key is essential to unlocking a machine because it is the only one required to decrypt individual files. Recovering it is possible with either the master private key – available only to REvil operators, or the campaign key that affiliates have.

Wosar notes that the master private key is REvil’s insurance against rogue affiliates, allowing them to decrypt any victim. This is also what Bitdefender used for their REvil decryption tool and likely what helped Kaseya victims recover files for free.

To access the REvil payment portal, the ransomware threat actor requires a blob of data present in the ransom note. That string of apparently nonsensical characters includes various data about the machine, campaign, version of the malware used, and the system private key.

Info present in REvil key blob for payment portal

Keeping an ace up their sleeve that gives ransomware operators total control over decrypting any system locked by their malware is a practice seen with other, newer ransomware groups.

Boguslavskiy says that the DarkSide ransomware gang was rumored to run their operation in the same way.

After rebranding as BlackMatter, the actor was open about this practice, letting everybody know that they reserved their right to take over the negotiations at any point, without explaining.

Reverse engineer and Advanced Intelligence CEO Vitali Kremez told BleepingComputer that the latest REvil samples, which emerged when the gang restarted operations, no longer have the master key that enabled the decryption of any system locked with REvil ransomware.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us