The Fiji Times

The Kaseya attack

Growing ransomware incidents

ILAITIA B. TUISAWAU is a private cybersecurity consultant. The views expressed in this article are his and not necessarily shared by this newspaper. Mr Tuisawau can be contacted on ilaitia@cyberbati.com

A major Russian-based hacker group blamed for a massive ransomware attack suddenly went offline last Tuesday, sparking all sorts of speculation about whether the move was the result of a government-led action.

The Darknet sites of the group known as REvil disappeared some two weeks after an attack that crippled networks of hundreds of companies worldwide and prompted a ransom demand of $US70 million ($F145.11m) to be paid in Bitcoin.

The news comes after US President Joe Biden repeated a warning to his Russian counterpart Vladimir Putin late last week about harbouring cybercriminals while suggesting Washington could take action in the face of growing ransomware attacks.

The mystery is who made it happen. Analysts in the past have suggested that the US military’s Cyber Command has the capability to strike back at hackers in the face of threats to national security, but there was no official word on any such action.

The ransomware attack two weeks ago targeting the US software firm Kaseya affected about 1500 businesses.

The Kaseya attack, which was reported July 2, shut down a major Swedish supermarket chain and ricocheted around the world, impacting businesses in at least 17 countries, from pharmacies to gas stations, as well as dozens of New Zealand kindergartens.

Hey, our Pacific neighbours are certainly taking online education to the next level.

The group is called REvil, short for “Ransomware evil”.

Two weeks after Mr Biden and Mr Putin met in Geneva last month, REvil took credit for a hack that affected thousands of businesses around the world over the July 4 holiday.

That latest attack led to Mr Biden’s ultimatum in a phone call on Friday to the Russian president. Later, Mr Biden said that “we expect them to act,” and when asked by a reporter later if he would take down the group’s servers if Mr Putin did not, the president simply said, “Yes.”

He may have done exactly that.

But that is only one possible explanation for what happened around 1 am Eastern Time on Tuesday, when the group’s sites on the dark web suddenly disappeared.

Gone was the publicly available “happy blog” the group maintained, listing some of its victims and the group’s earnings from its digital extortion schemes. Internet security groups said the custom-made sites - think of them as virtual conference rooms - where victims negotiated with REvil over how much ransom they would pay to get their data unlocked also disappeared. So did the infrastructure for making payments.

While the disappearance of the hackers’ online presence was celebrated by many who see ransomware as a new scourge, it left some of the group’s targets in the lurch, unable to pay the ransom to get their data back and get their businesses running again.

There were three main theories about why REvil suddenly disappeared.

One is that Mr Biden ordered the US Cyber Command, working with domestic law enforcement agencies, including the FBI, to bring the group’s sites down.

This is quite possible, as the US Justice Department last month recovered some $US2.3m ($F4.76m) of the ransom paid out by Colonial Pipeline after a ransomware attack by the Russian-based DarkSide group shut down 5500 miles of fuel pipeline in the US. The DarkSide cybercriminal group is strangely silent and has also gone offline!

The second theory is that Mr Putin ordered the group’s sites taken down. If so, that would be a gesture toward heeding Mr Biden’s warning, which he had also conveyed, in more general terms, when the two leaders met on June 16 in Geneva.

A third theory is that REvil decided that the heat was too intense, and took the sites down itself to avoid becoming caught in the crossfire between the American and Russian presidents.

REvil is one of the most prolific and feared of all ransomware gangs and if this really is the end, it’s extremely significant.

The Internet rumour mill is in overdrive about what’s behind this sudden shutdown, but one hacker who claims to be an affiliate of the gang gave some insights on a Darknet hackers forum.

He claims that the US “Feds took down” elements of their websites and so they pulled the plug on the rest of their operation, mainly the payment gateway elements, in order to secure it. He also said there was pressure from the Kremlin too, saying: “Russia is tired of the US and other countries crying to them”.

Like all hacker claims we have to take this with a grain of salt, but if this scenario proves to be accurate, it shows a dramatic shift in policy from Russia, which has so far been happy to sit back and let gangs like REvil operate without fear of intervention as long as they operated outside Russia.

Cybersecurity researchers find that a lot of malware and ransomware originating from Russian cybercriminal groups will check to see if there are any Cyrillic (Russian alphabet) documents etc on a server before infecting it! Hey, this might be a novel way to stop Russian-originated malware from infecting your servers – add some dummy Cyrillic documents or a Cyrillic keyboard to your network!
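The keyboard half of that suggestion can be scripted on a Windows host. The snippet below is an added example, not the column's own code: it assumes Windows 8 or later with the built-in International module, and appends a Russian (ru-RU) input language to the current user's list without changing the existing default layout.

```powershell
# Added example (not from the column): add a Cyrillic keyboard layout to the
# current user's Windows input languages, keeping the present default in place.
# Assumes the built-in International module (Get-/Set-WinUserLanguageList).

function Add-CyrillicLayout {
    [CmdletBinding()]
    param(
        # ru-RU is the Russian layout; other Cyrillic tags such as uk-UA also work.
        [string]$Tag = 'ru-RU'
    )

    $list = Get-WinUserLanguageList
    if ($list.LanguageTag -contains $Tag) {
        Write-Host "$Tag is already an input language; nothing to do."
        return
    }

    # Append rather than insert at index 0 so the user's current primary
    # language stays first and therefore remains the default layout.
    $list.Add($Tag)
    Set-WinUserLanguageList -LanguageList $list -Force
    Write-Host "Added $Tag as an additional input language."
}

Add-CyrillicLayout

# Show the resulting list so the change can be verified (ru-RU should be last).
Get-WinUserLanguageList | Select-Object LanguageTag, InputMethodTips
```

The new layout shows up after the user signs in again, and the folk remedy only deters samples that actually perform the locale check, so it complements patching and offline backups rather than replacing them.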

However another similar comment from the same Darknet hacker forum also hints at the bigger picture. Basically they say they have no plans to retire and are already planning another unknown venture.

Leaving aside the political posturing and the blame game finger-pointing, how did our nation’s leaders mishandle this COVID-19 second wave so badly? What did we do wrong? Why were there so many systemic failures at the local, community and national levels?

These are reasonable questions. The global COVID-19 pandemic has been with us for well over a year now and we’ve had time to prepare, be vigilant and learn from other countries.

Some technology was used in contact tracing apps and nice ArcGIS portal maps showing us all those red spots to avoid – although I’m having trouble reading the map in Suva now!

It’s overrun by red spots. But then again, technology is only a tool and just shows you (or not) the reality on the ground. Vaccination is part of the solution, but containment is just as important.

The problem is that we all got caught up in the rhetoric “it’s under control” without taking into account the human factor and complacency.

You know things are not looking good when the initial new cases were frontline responders – medical, police, military etc.

It reveals complacency in following pandemic protocols and once that breaks down at the frontline or border control the rest is ... you get the picture.

Funding food packs and local lockdowns looks good on the media, but the reality is that local NGOs are doing a much better job than government in identifying and fulfilling the real needs of the people, especially the thousands left jobless after a tourism industry meltdown last year.

Our government’s ineptitude demonstrates how little we’re getting for all our aid funding assistance.

It’s unconscionable that we’re wasting both our own and our overseas partners’ taxpayers’ money after allowing the coronavirus almost free rein to spread through porous or non-existent borders, half-measures and conflicting messages from various ministries and departments.

However, the night is always darkest before the dawn so cheer up and do get vaccinated – whether you believe in it or not! It is now part of the new norm and future international travel.

An interesting quote on disaster preparation - “It wasn’t raining when Noah built the ark”.

Good luck to the Flying Fijians in Hamilton, New Zealand tonight! As always, God bless you all and stay safe in both digital and physical worlds.

Picture: https://www.hsdl.org/c/combating-ransomware/ Ransomware, a cybercrime in which attackers remotely compromise computer systems until a ransom is given, is posing an increasing risk to national security.
