Intelligence Briefing #74

Welcome to the Nucleon Cyber Intelligence podcast.

This podcast will give you a summary of the latest news related to cyber intelligence and proactive cyber security in only a few minutes.

The podcast is aimed at professionals who are short on time, or for anyone who would like to know a bit more about what is REALLY happening out there in the cyber world.

The focus of this podcast will be on the latest cyber events for non-technical people; anyone can listen and understand.

If you have been following the adventures of the hacker group called the REvil cyber gang, they have fully returned and are once again attacking new victims and publishing stolen files on a data leak site.

If you haven’t heard about the REvil gang, here is a short recap.

Since 2019, the REvil ransomware operation, also known as Sodinokibi, has been conducting attacks on organizations worldwide, demanding million-dollar ransoms in exchange for a decryption key and a promise not to leak the stolen files.

We covered some of their attacks right here on big cases such as JBS, Coop, Travelex and many others.

REvil shut down their infrastructure and completely disappeared after their biggest hack yet.

It was a massive attack on July 2nd that encrypted over 50 service providers and over 1,500 businesses using a zero-day vulnerability in the Kaseya VSA remote management platform, for which no patch was available at the time.

This attack had such wide-ranging consequences worldwide that it brought the full attention of international law enforcement to bear on the group.

Maybe because of the pressure, the REvil gang suddenly shut down all their servers and went offline, leaving many victims in the lurch with no way of decrypting their files.

A few days later, Kaseya (the company that had been hacked) received a universal decryptor that victims could use to decrypt their files for free. It is unclear how Kaseya obtained the decryptor, but the company stated it came from a “trusted third party.”

No one knows the reason for REvil’s disappearance, and no one knows how the universal decryptor was obtained.

REvil had demanded $50 million for a universal decryptor for all Kaseya victims. Did someone pay them, or was the key leaked?

After their shutdown, researchers and law enforcement believed that REvil would rebrand as a new ransomware operation at some point.

However, the REvil group chose to come back under the same name.

Almost two months after their disappearance, the Tor payment/negotiation and data leak sites suddenly turned back on and became accessible. A day later, it was once again possible to log in to the payment site and negotiate with the ransomware gang.

There are two versions of why they chose to disappear:

  • Version One: Contact with one of the members was lost, so the other members shut down operations and waited until they found out whether he had been caught by law enforcement. After a while, they chose to resume operations from their backups.
  • Version Two: They went on vacation! A security researcher claims to have confirmed with the group that nothing happened and they simply went on vacation.

Which version do you think is correct? It’s probably version 3 or 4.

On a different subject, cybersecurity experts warned that cybercriminal forums had in recent months been selling access to login credentials for software that the United Nations uses to manage internal projects. The software could provide valuable access to intruders looking to extort the UN or steal data.

The cyber security firm Resecurity contacted UN officials after noticing the login credentials for sale on the dark web.
Another security firm reported observing one prominent cybercriminal gang claiming access to the UN software.

This caused the UN to release an official statement saying:
“Unidentified hackers breached computer systems at the United Nations in April and the multinational body has had to fend off related hacks in the months since.”

There are different rumors and stories about this incident, so we are only mentioning it briefly here; if the case evolves, we will pay more attention to it in the future.

That’s it for this podcast, stay safe and see you in the next podcast.

Don’t forget to visit for the latest podcasts on cyber intelligence.
