Executive Summary

If you’re one to keep up with the latest cyber security news, you may have seen headlines regarding the disappearance and re-emergence of ransomware-as-a-service (RaaS) groups. Lately, RaaS has become the attack vector of choice amongst cyber criminals and they’re always finding new ways to profit. In 2019, 62% of global organizations were the victims of ransomware – that’s a 56% increase from 2018. The increase is more than likely due to victims paying attackers ransom, which has also increased by 45% from 2018.

The top three reasons why ransomware is still a preferred attack vector for cyber criminals are:

  • Unlike other means of finding valuable information, ransomware is fast, easy, and less risky. It doesn’t require monitoring or data exfiltration.
  • Ransomware criminals don’t have to communicate or do business with other criminals.
  • Ransomware is scalable. Millions of phishing emails can be sent with one click and web traffic can easily be re-directed to malicious URLs.

Unlike previous years, RaaS gangs have a lot more to consider when attacking critical infrastructure like the health care or energy industry. Law enforcement and the FBI have recently started to crack down on RaaS gangs and they consistently put out messaging discouraging organizations from paying ransom. Now that countries like Russia are starting to cooperate with the United States in regard to shutting down ransomware operations, threat actors are acting accordingly. Instead of sticking around to do more damage and gain more money, threat actors are going off the grid until they are no longer seen as a threat, then re-emerging months or years later. Let’s look at threat actors who have disappeared and re-emerged or joined other threat actor groups.

 

revil goes dark and re-emerges

If you recall, we published a Threat Actor Profile on BlackMatter in August 2021 questioning the identity of the group. BlackMatter began making its presence known in July 2021. They were suspected to be members of REvil and Darkside who went dark after they executed two of the largest ransomware attacks in cyber security history. Darkside was behind the attack on major the U.S fuel pipeline, Colonial Pipeline. This attack led to a supply disruption that made national headlines and caused the company to shut down its operational technology network, cutting off much of the gasoline supply to the United States. REvil was responsible for the attacks on Kaseya, a U.S based software provider. The heist affected 60 of Kaseya’s managed service provider customers and more than 1,000 small and medium-sized enterprises.

The attack on Kaseya was so devastating that it had the attention of law enforcement and the Biden Administration. President Biden demanded that Russian President Putin shut down all ransomware groups. This demand caused REvil to keep a low profile and take their infrastructure offline. It wasn’t until September 2021, after the heat died down, that researchers discovered their re-emergence. REvil operators were found posting on Exploit, a well-known forum, explaining that the group was back in operation.

 

Image 1: REvil's Site Goes Offline

REvil Re-emerges

Source: Threatpost.com

 

When REvil went dark, many hackers were turning to LockBit (RaaS gang) for ransomware attacks. Researchers noticed that after REvil went dark, LockBit started recruiting heavily on the dark web. It was suspected that REvil joined LockBit until the news surrounding Kaseya subsided. Researchers noted that LockBit uses the same tactics, tools, and procedures they were using in attempts to deliver the REvil ransomware to victims, they just switched the payload.

The methods they use include:

  • Unpatched firewall and VPN vulnerabilities
  • Brute force attacks against remote protocol (RDP) services

They also use tools like Mimikatz and Netscan to help establish the access to the network required to install ransomware.

 

members of revil arrested

In early November of 2021, the United States arrested a Ukrainian hacker named Yaroslav Vasinksyi, in connection with a string of REvil ransomware attacks, including one that happened over the Fourth of July weekend (Kaseya). Vasinksyi was arrested when he traveled from Russia to Poland and is currently awaiting extradition from Poland. In addition, a Russian national named Yevgeniy Polyanin, was also arrested and separately charged for stealing $6.1 million by conducting over 3,000 ransomware attacks on companies across the United States (including law enforcement agencies and local governments in Texas). He is also said to be affiliated with the RaaS gang, REvil.

Both men yielded at least $200 million in ransom payments from attacking Kaseya and JBS SA (the world’s largest meat processor). Lately, law enforcement has been making it a point to bring down cyber-criminal gangs and keep them from attacking enterprises, as well as critical infrastructure. This feat can sometimes be difficult because the majority of cyber criminals operate in countries that don’t extradite their own citizens to the United States for prosecution. Cyber laws are fairly lenient in other countries or even non-existent, but the United States and other countries quietly keep watch of cyber criminals until they make a mistake. In the instance of Vasinksyi, he made the mistake of traveling to another country where law enforcement was able to arrest him.

Vasinksyi and Polyanin were not the only members of REvil who were arrested. The 17-nation operation has had a total of seven members arrested since February 2021. As stated previously, these arrests are rare due to weak cyber security laws in other countries. The United States cannot legally go into another country and arrest cyber criminals even if they do have evidence. It takes the cooperation of these countries in order to issue arrests. Analysts are hopeful that the Russian government will continue to do everything in their power to keep threat actors from gaining steam and report them to the proper authorities.

 

members of cl0p arrested

Arrests haven’t been exclusive to REvil. The ransomware gang, Cl0p also had its members arrested just three days before the REvil take down. The first slew of arrests for the gang happened in June 2021 after a 30-month long investigation. Cl0P is responsible for a spree of breaches on IT provider, Accellion. Attackers were able to exploit flaws in Accellion’s software and stole data from dozens of customers including the University of Colorado and cloud security vendor, Qualys.

Before being arrested, Cl0p was posting around 15 leaks per month on their leaks page. Since being arrested, their leaks have dropped to eight. As news broke about arrests, cyber criminals were discussing it within their own networks via underground forums. Some start to see the groups who have had members arrested as tainted and jump ship.

Members may also start to get nervous depending on how the arrests were orchestrated. In the case of Cl0p, the arrests took place after a 30-month long investigation that will more than likely continue. Long, continuing investigations are not common for ransomware investigations.

Typically, ransomware investigations are one and done, then on to the next. However, in this case, the long investigation introduces a different era of cyber-criminal investigations – sending the message that cyber criminals are being carefully watched and more arrests will happen.

The Cl0p arrests focused on the supplier of the ransomware, but if law enforcement wants to truly keep track of ransomware gangs, they will need to do more than take down large gangs.

Law enforcement will need to also take down bottom feeders as it is not unusual for a ransomware gang to disband and join a smaller, lesser-known group to continue their mayhem.

Cl0p is still an active group and recently attacked the Pacific offshore marine service provider, Swire Pacific Offshore (SPO). The company didn’t confirm if the attack was ransomware based, but Cl0p published a statement on their blog claiming that it breached SPO’s systems. The data stolen includes full names, addresses, bank details, passport scans, and phone numbers. Employees affected by the attack are based in Singapore, Malaysia, UK, China, and the Philippines.

 

ryuk goes dark & possibly joins conti

Ryuk is a threat actor who takes pride in putting healthcare organizations at risk. This is different for threat actors because most don’t wish to attack critical infrastructure. Ryuk was suspected of being the culprit of a baby’s death in 2019 after ransomware was deployed on a hospital’s system. They are also responsible for locking up Universal Health Services’ systems for days in September 2020, which resulted in delayed lab results.

Between April and August of 2020, Ryuk went dark. It was assumed that the ransomware gang was no longer a threat…until recently. According to Emsisoft, after Ryuk’s activity dropped, Conti ransomware emerged using a similar malware code to the second version of Ryuk. In Early 2021, researchers found a wormable, Ryuk-like strain, which hints at a rebrand. Conti is a ransomware gang who also attacks critical infrastructure like hospitals and government organizations.

Emsisoft stated that two things are likely: Conti is a splinter group of Ryuk and is giving operators time to develop a new strain or Conti and Ryuk are separate groups with incredibly coincidental timing. Conti has continued to be active with their attacks, but Ryuk is still quiet and staying under the radar.

"We must focus on disrupting these groups as much as possible. If they're constantly having to rebrand, they will be less focused on attacking us." – John Shier, Senior Security Advisor at Sophos

 

blackmatter goes dark, but could re-emerge

In November 2021, shortly after members of REvil were arrested, BlackMatter announced their plans to shut down their RaaS portal (where criminal groups register to get access to the BlackMatter ransomware strain). The group stated that they were shutting down due to “pressure from the authorities”. They also stated that part of their team was no longer available and that the project was closed.

BlackMatter was responsible for a ransomware attack on the Japanese tech giant, Olympus. Olympus is known for manufacturing optical and digital technology for the medical and life sciences industry. BlackMatter encrypted the company’s programs and left a ransom note demanding payment through their TOR website. After encryption, the company had to shut down their European, Middle East, and Africa network. BlackMatter has been responsible for at least 40 ransomware attacks since June 2021, with ransom demands ranging from $80,000 to $15 million in cryptocurrency.

Many believe that the arrests of Vasinksyi and Polyanin, amongst other cyber criminals, were enough for BlackMatter to reconsider their operation. They shut down after a 48-hour notice and offered to decrypt companies affected by their attacks. Analysts also suspect that BlackMatter shut down due to an article that was published by the New York Times. The article announced that the United States and Russia started collaborating in order to track cyber-criminal organizations in Russia. Additionally, CISA, the NSA, and the FBI published a document warning that BlackMatter has targeted multiple organizations considered to be critical infrastructure.

Brett Callow, an Analyst at Emsisoft, stated that it’s impossible to say whether or not the group is permanently gone or if they’ll simply rebrand, but he’s hoping for the former.

 

why raas gangs disappear & re-emerge

RaaS gangs go dark, re-emerge, or join other ransomware gangs for a few reasons:

  • Members may join other gangs or threaten to hurt operations
  • Law enforcement has started to intervene and there is fear of arrest
  • The group made a mistake that cost them money or freedom

The last reason is probably the most interesting because it is not common for cyber criminals to make a ton of mistakes, but when they do, they have major consequences. BlackMatter is a good example of this point. They made an error when attacking the security company, Emsisoft. While BlackMatter was deploying malware, they gave the company the opportunity it needed to return much of their encrypted data without the company paying the ransom. This mistake is why analysts are hopeful that this could be the end of BlackMatter. REvil is also a good example of members making careless mistakes – like Vasinksyi traveling from Russia to Poland where one can be arrested for their cyber-crimes.

 

how avertium is protecting our clients

Right now, major threat actors like BlackMatter and REvil are quiet, but it won’t be long before they re-emerge, come back under a different name, or join another ransomware gang that isn’t well-known. Avertium is here to help protect your organization from ransomware attacks that could cost you.

  • Avertium offers vulnerability management as a service (VMaaS) to remove any unnecessary applications and implementing XDR tools to prevent ransomware and phishing attacks. Include an EDRMDR or XDR strategy to stop ransomware before it spreads. You should also include a Zero Trust Architecture, like AppGate, to stop malware lateral movement.
  • It’s also recommended by Avertium and the FBI that your business require multi-factor authentication to remotely access networks.
  • Reach out to your Service Delivery Manager or Account Executive if you need assistance applying any of the above recommendations.

 

Avertium's recommendations

BlackMatter

  • Maintain offline, encrypted backups of data and regularly test backups.
  • Create, and exercise a basic cyber incident response plan and a communications plan.
  • Mitigate internet-facing vulnerabilities and misconfigurations.
  • Reduce risk of phishing emails by enabling strong span filters and implementing a cybersecurity user awareness training program.
  • Practice good cyber hygiene:
    • Ensure antivirus and antimalware software signatures are up to date
    • Implement application allowlisting
    • Ensure user privileged accounts are limited
    • Employ MFA
    • Implement cybersecurity best practices

REvil

  • Implement and maintain access control lists of users who are allowed access to RDP.
  • Ensure backup and recovery strategies are routinely scheduled.
  • Implement regular patching to ensure existing vulnerabilities are sealed.
  • Implement strong password protocols and multi-factor authentication at every level of access.
  • Implement monitoring across as much of the organization’s digital presence as possible. Be on watch for Indicators of Compromise (IoC) by both REvil, QBot, and any other associated syndicates.
  • Implement advanced intelligence gathering to maintain an up-to-date list of known IoC’s and ensure these lists are available to the Security Analysts as newly implemented rules and manually available lists.
  • Implement end-user training to harden the human component against phishing campaigns and Social Engineering.
  • Whenever possible, solicit the advice and representation of legal counsel prior to an event; this may be the first call in a ransom situation.

Conti

  • Recommendations from Avertium and our partner, Advanced Intelligence:
    • Conti uses developed social engineering techniques to lure victims. Avertium offers user awareness training with KnowBe4.
    • Due to Conti using corporate VPN compromise and TrickBot delivery as an alternative for attack initiation, it’s wise to track externally exposed endpoints.
    • Prevent lateral movement by implementing network hierarchy protocols with network segregation and decentralization.
    • Use whitelisting tools to audit or block command-line interpreters (AppLocker).
    • Rclone and other data exfiltration command-line interface activities can be captured through correct logging of process execution with command-line arguments.
    • Have security protocol in place for Veeam to avoid account takeover. Enabled backups decrease Conti’s ransom demands and can lead to data recovery without you having to pay them.

Cl0p

  • Provide users with training on best practices to avoid phishing, as well as awareness of recent trends in phishing campaigns.
  • Implement a regular backup schedule for systems, especially those with critical data.
  • Deploy Endpoint Protection such as SentinelOne.

 

Ryuk

  • Provide users with training on best practices to avoid phishing, as well as awareness of recent trends in phishing campaigns.
  • Regularly update Windows hosts with recently released patches.
  • Update older versions of Windows to Windows 10 for increased security features.
  • Implement a regular backup schedule for systems, especially those with critical data.
  • Use Endpoint Protection with anti-ransomware features such as Sophos Intercept X.
  • Implement best practices and security features for PowerShell on your network.
    • Run PowerShell 5.0 or greater on systems requiring PowerShell.
    • Implement the privilege of least principle, only allowing PowerShell, and related tools like PsExec, to be run by users and hosts requiring it.
    • Enable script block logging and transcription to better log PowerShell activity.

If your organization is impacted by a ransomware attack, the FBI and CISA recommend the following:

  • Isolate the infected system.
  • Turn off other computers and devices.
  • Secure your backups.


MITRE TTPs: 

BlackMatter

Conti

Cl0p

Ryuk

REvil

 

INDICATORS OF COMPROMISE (IOCs):

BlackMatter

  • bc1qlv2qdmylyuw62zw8qcd4n3uh84cy2edckv3ds7
  • 379ebd1eff6f8685f4ff72657626bf6df5383d87
  • ba375d0625001102fc1f2ccb6f582d91
  • 72ed32b0e8692c7caa25d61e1828cdb48c4fe361
  • 10d6d3c957facf06098771bf409b9593eea58c75
  • a55bc3368a10ca5a92c1c9ecae97ced9
  • 3f9a28e8c057e7ea7ccf15a4db81f362
  • 6a7b7147fea63d77368c73cef205eb75d16ef209a246b05698358a28fd16e502
  • e48c87a1bb47f60080320167d73f30ca3e6e9964c04ce294c20a451ec1dff425
  • 2c323453e959257c7aa86dc180bb3aaaa5c5ec06fa4e72b632d9e4b817052009
  • c6e2ef30a86baa670590bd21acf5b91822117e0cbe6060060bc5fe0182dace99
  • d9006d5c753c364b27388831f03332f404b719a66f344ce8b1a340da24e93d53
  • 79.243.236
  • Mojobiden[.]com

REvil

  • e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2
  • d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e
  • 8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd
  • 2093c195b6c1fd6ab9e1110c13096c5fe130b75a84a27748007ae52d9e951643
  • e1d689bf92ff338752b8ae5a2e8d75586ad2b67b

Cl0p

  • 408af0af7419f67d396f754f01d4757ea89355ad19f71942f8d44c0d5515eec8
  • 7ada1228c791de703e2a51b1498bc955f14433f65d33342753fdb81bb35e5886
  • 102010727c6fbcd9da02d04ede1a8521ba2355d32da849226e96ef052c080b56
  • 2f29950640d024779134334cad79e2013871afa08c7be94356694db12ee437e2
  • e48900dc697582db4655569bb844602ced3ad2b10b507223912048f1f3039ac6
  • 3ee9b22827cb259f3d69ab974c632cefde71c61b4a9505cec06823076a2f898e
  • d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9
  • 929b7bf174638ff8cb158f4e00bc41ed69f1d2afd41ea3c9ee3b0c7dacdfa238
  • 31829479fa5b094ca3cfd0222e61295fff4821b778e5a7bd228b0c31f8a3cc44

Conti

  • fb49dce92f9a028a1da3045f705a574f3c1997fe947e2c69699b17f07e5a552b
  • 106.160[.]77
  • 106.215[.]61
  • 82.19[.]173
  • Gojihu[.com]
  • New accounts and tools (especially Sysinternals) that were not installed by your organization.

Ryuk

  • The below commands/processes have been associated with Ryuk infections and may also be used by another ransomware.
    • "vssadmin.exe Delete Shadows /all /quiet"
    • "bcdedit /set {default} recoveryenabled No & bcdedit /set {default}"
    • "WMIC.exe shadowcopy delete"
  • File Hashes
    • cfe1678a7f2b949966d9a020faafb46662584f8a6ac4b72583a21fa858f2a2e8
    • e8a0e80dfc520bf7e76c33a90ed6d286e8729e9defe6bb7da2f38bc2db33f399
    • 795db7bdad1befdd3ad942be79715f6b0c5083d859901b81657b590c9628790f
    • 501e925e5de6c824b5eeccb3ccc5111cf6e312258c0877634935df06b9d0f8b9
    • fe909d18cf0fde089594689f9a69fbc6d57b69291a09f3b9df1e9b1fb724222b

 

terms

Ransomware-as-a-service (RaaS) – A subscription-based model that enables affiliates to use already-developed ransomware tools to execute ransomware attacks. Affiliates earn a percentage of each successful ransom payment. Ransomware as a Service (RaaS) is an adoption of the Software as a Service (SaaS) business model.

Ransomware – malicious software that infects a device and stops users from accessing data and files until a ransom is paid.


 

Supporting Documentation 

New Zealand Cybersecurity Company Helps Squelch BlackMatter Ransomware Scheme (techzone360.com)

CL0P hacking group hits Swire Pacific Offshore | IT PRO

BlackMatter offline: Will the ransomware group return? - Tech Monitor

US charges 2 suspected major ransomware operators - ABC News (go.com)          

Everything You Need to Know About HIVE Ransomware (avertium.com)

One big ransomware threat just disappeared. Now another one has jumped up to fill the gap | ZDNet

CyberEdge-2020-CDR-Report-v1.0.pdf (cyber-edge.com)

Identity crisis: Why ransomware groups rebrand — and disappear | Cybersecurity Dive

With Cl0p crackdown and REvil arrests, what effect do police have on ransomware? | SC Media (scmagazine.com)

US charges 2 suspected major ransomware operators - ABC News (go.com)

REvil Ransomware Group Reemerges | Decipher (duo.com)

Why Are Ransomware Attacks So Successful?| D3 Security Blog

Olympus Suffers a Suspected BlackMatter Ransomware Attack - CPO Magazine

BlackMatter ransomware gang says it’s shutting down over law enforcement pressure | TechCrunch

accellion | TechCrunch                                                

Ryuk Ransomware's Increased Activity Targets Large Organizations Using Windows OS (avertium.com)

Ransomware Giant REvil Disappears | Threatpost

Ryuk Ransomware's Increased Activity Targets Large Organizations Using Windows OS (avertium.com)

 

APPENDIX II: Disclaimer 

This document and its contents do not constitute and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses be exploited to compromise data.  

Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of the Client's compliance with any law, regulation, or standard.

 

 

are you a target for drive-by downloads? check out our latest blog to find out.
Chat With One of Our Experts



Threat Report healthcare Clop Ransomware threat actor blackmatter REvil Blog