ON-DEMAND WEBINAR: Morphisec's Top 10 Security Predictions - Outlook into 2024
arrow-white arrow-white Watch now
close

Security News in Review: Are REvil and DarkSide Rebranding?

Posted by Nuni Snowden on August 21, 2021
Find me on:

REVIL AND DARKSIDE REBRANDING

Is that a rat or a phoenix? Usually, the answer to such a question would be simple. However, when it comes to threat actors, nothing is ever as easy as it appears. For this reason we’ve compiled the latest news on cyber threats, new(ish) ransomware gangs, and what infrastructure is finally being put in place to keep your data safe. Keep reading to catch up on the news you need to know! 

The Brazilian National Treasury And New Ransomware Strains

The RansomExx malware strain, first spotted in June 2020, has been tied to attacks on the Texas Department of Transportation and tech company Konica Minolta. On Aug 13, 2021, the Brazilian government confirmed that the strain had also attacked its National Treasury.

This ransomware attack follows an incident that struck the nation's Superior Court of Justice in November. After the justice system’s file-encrypting attack was detected, the court system temporarily shut down its IT network and network outages lasted two weeks.

Researchers later attributed this attack to the ransomware gang RansomEXX, which has targeted both Windows and Linux servers, and currently has breached their national treasury. This event also has ties to the REvil ransomware gang. For more information about Brazil’s latest ransomware breach, click here.

Diavol Ransomware Linked To TrickBot Gang

2021 threat report vertical call to actionA ransomware strain called Diavol has been linked to threat actors behind the infamous TrickBot syndicate. The latest findings from IBM X-Force show that the ransomware sample shares similarities to other malware that has been attributed to the cybercrime gang, thus establishing a clearer connection between the two.

Another clue tying the malware to the Russian threat actors is the code for checking the language on the infected system to filter out victims in Russia or the Commonwealth of Independent States (CIS), a known tactic adopted by the TrickBot group.

Diavol's links to TrickBot also boil down to the fact that HTTP headers used for command-and-control (C2) communication are set to prefer Russian language content, which matches the language used by the operators.

Cybergangs and Covid-19 Fraud Intertwine 

A joint investigation led by Europol has charged 23 individuals in relation to a business email compromise (BEC) scheme that defrauded companies out of at least $1.2 million. The suspects, who have not been named, were charged on August 10 following a series of raids in 34 cities across the Netherlands, Romania, and Ireland.

Europol has also stated that the cybercrime gang sold fictitious Covid-19 protective gear across 20 different countries. Though the group was being targeted and charged for incidents related to the Covid-19 pandemic, the group has been in operation (and selling fraudulent goods) since 2017.

Accenture Falls Victim to LockBit Attack

Accenture, one of the world’s largest technology consulting firms, has been targeted by ransomware gang LockBit. Russian-speaking ransomware gang LockBit claimed responsibility for the attack and had previously set a ransom deadline for Thursday, August 12. They are demanding $50 million for 6 terabytes of data, according to cybercrime monitoring firm Cyble.

Accenture claims the attack had no impact on it or its systems. VX Underground, which claims to have the largest collection of malware source code on the internet, tweeted that LockBit released more than 2,000 files to the dark web, including case studies and presentations. Whether Accenture will pay or not remains to be seen.

Ransomware Newborns or Rebirths?

Haron and BlackMatter are the “new” ransomware gangs on the block. However, just how new they are remains to be seen. Analysts say they’re either brand new beverages or the same old REvil & DarkSide wine--just in new bottles. Both have a taste for deep-pocketed targets and virtue-signaling. Therefore, it's possible that the two gangs have both decided to rebrand as it is that these are entirely new entities. 

Memorial Health Expects A Weeklong IT System Outage Due To Ransomware Attack

Ohio-based Memorial Health System said its IT systems are still offline after a ransomware attack. They are negotiating with the hackers and simultaneously working with the FBI to retrieve their data. Security experts are monitoring for indications that patient or employee data has been released. There has not been any evidence of this thus far. Moving forward, the health system said they are focused on remediation technology, which will be added to its security systems.

Get a Demo of Morphisec

The T-Mobile Data Breach expands

The mobile carrier has reported that threat actors had illegally accessed one or more associated customer names, addresses, dates of birth, phone numbers, IMEIs and IMSIs of 5.3 million current postpaid customers. T-Mobile also said it had identified an additional 667,000 accounts of former customers that were accessed, with customer names, phone numbers, addresses and dates of birth compromised.

The new numbers push the total number of people affected by the breach past the 50 million mark. The company is reportedly now facing a class-action lawsuit, according to papers filed in a Washington court and seen by Vice News.

Security Vulnerability In COVID-19 Testing Website

T-Mobile’s not the only company that’s treading water. California-based medical startup, Total Testing Solutions, has removed a website that allowed customers to access their test results after a customer found a vulnerability that allowed access to other people’s personal information.

According to TechCrunch, the customer claimed they found a website security flaw that allowed them to access other customers’ information by increasing or decreasing a number in the website’s address by a single digit, thus allowing the customer to see other customers’ names and the date of their test. In response to the potential threat, the company immediately shut down the on-premises software and began migrating that data to the secure cloud-based system to prevent future risk of data breach.

China Adopts A New Law To Protect Personal Information

The law claims to, “makes provisions prohibiting the excessive collection of personal information and big data-enabled price discrimination against existing customers...when pushing information and business marketing to individuals through automated decision-making, personal information processors should provide options that don't target personal characteristics at the same time, or offer ways of rejection”, says the law. It seems like this law is intended to stop corporations from collecting one’s personal information in order to provide them with targeted advertising. It will go into effect on November 1st. 

New call-to-action