Key Takeaway
The Federal Criminal Police Office of Germany identified two Russian nationals as leaders of the GandCrab and REvil ransomware groups. The groups exploited known vulnerabilities like CVE-2019-11510 and CVE-2018-13379, causing widespread disruption. Ensuring timely patches and using multi-factor authentication can mitigate such threats.
What Happened
The Federal Criminal Police Office of Germany (BKA) has identified two Russian nationals as key figures orchestrating the GandCrab and REvil ransomware attacks. These operations were notably active between 2019 and 2021. The suspects are believed to have played decisive roles in managing these ransomware-as-a-service (RaaS) programs, which targeted various sectors globally, including critical infrastructure and private corporations.
These revelations come after an extensive international investigation involving law enforcement agencies across multiple countries. The investigation also highlighted connections between these groups and other significant cybercriminal operations. German authorities worked in coordination with counterparts from the United States and Europol, leading to a clearer understanding of the operational mechanisms and key personnel driving these ransomware attacks.
Technical Details
The GandCrab and REvil ransomware primarily used phishing emails as their initial access vector, targeting Windows systems. In numerous instances, attackers leveraged vulnerabilities in software products to gain entry. Notably, REvil exploited a zero-day vulnerability in Kaseya VSA, identified as CVE-2021-30116 (CVSS score 9.8), which allowed remote code execution.
Indicators of Compromise (IOCs) for these ransomware families included specific IP addresses used for command-and-control activity, hashes of the ransomware binaries, and unique artefacts left on compromised systems. GandCrab frequently used RSA-2048 to protect its encryption keys, while REvil adopted a hybrid scheme combining Salsa20 for file encryption with RSA for key protection.
Impact
The ransomware attacks attributed to GandCrab and REvil have affected thousands of organizations worldwide, resulting in millions of dollars in ransom payments and economic damage. Sectors most impacted include healthcare, energy, and financial services. These operations often led to significant disruptions in business continuity and resulted in sensitive data breaches, escalating both financial and reputational damage to the victim organizations.
Downstream effects of these attacks underscore the necessity for robust cybersecurity measures, highlighting vulnerabilities in IT infrastructure that are often exploited by such ransomware groups.
What To Do
- Conduct regular security training for employees to recognize and report phishing attempts.
- Implement patches and updates promptly, focusing on critical vulnerabilities such as CVE-2021-30116.
- Employ advanced intrusion detection systems to monitor for IOCs related to GandCrab and REvil exploits.
- Utilize robust disaster recovery and backup solutions to mitigate data loss.
- Enable multi-factor authentication (MFA) to reduce the risk of unauthorized access.
Organizations must continuously evaluate the effectiveness of their cybersecurity postures against evolving threats. Ongoing collaboration with cybersecurity agencies and law enforcement is crucial to stay informed about emerging threats and apply timely defensive measures.
Original Source: BleepingComputer