REvil Dead, And Other Spooky Security Tales

Sean Nikkel
October 27, 2021 | 6 Min Read

I can’t start off this blog with the R-word. You know the one. I’ve poked fun at it before because we say it so much. As an intel provider, we have to write the word a lot. Here’s a hint: It’s been a top news story for months and it’s been in a scene full of upheavals this year, especially in just the last 2 quarters. Much like Jason Voorhees, or Freddy Krueger, or Michael Myers, Chucky, or the Scream guy, there have been so many reboots and sequels, and IT. KEEPS. COMING. BACK.

Don’t turn around!

An aside: To clear a few things up here’s Michael Myers (left), and Mike Myers (right)
Credit: Buzzfeed

RANSOMWARE! *cue screams*

For some ransomware crews we are hitting Fast & Furious or Friday the 13th levels of reboots and sequels, but that’s just the way 2021 has been working out. There’s money to be made, which is a pretty clear sign it’s not going anywhere. Before we dive too deeply into the usual ransomware recap, let’s talk about some other spooky, Halloween-adjacent events in cybersecurity.

Not even the candy’s safe this year

In a sad twist, for a brief moment this month, it seemed as if the actual candy was not safe. Say what you will about candy corn. Personally? Not a fan. However, in case you missed it, the worlds of ransomware and candy corn have finally collided. Ferrara Candy, the largest producer of *gag* candy corn, was recently the victim of a ransomware attack.

Rest easy, tasteless friends who enjoy the treat. The factory is still up and working to deliver your “delicious” candy so the rest of us can throw it in the garbage can. As a society, we may have dodged the proverbial bullet. Hitting an institution like candy corn on the eve of a vital US holiday, especially given the events of the last (almost) two years, is a little much. Who knows? Maybe this serves as the impetus to finally draw a line in the sand in the seemingly endless fight against ransomware.

Enjoying candy corn: a guide. Also probably very boomer to use an iFunny meme.

In another unexpected twist where worlds collide, Kaspersky is now warning the public about hackers using not only Netflix’s runaway hit Squid Game as a lure but Squid Game COSTUMES. According to PC Mag, Kaspersky researchers spotted malware using lures consisting of fake Squid Game apps and merchandise to target users. If you’re planning on going as your favorite Squid Game (I haven’t watched it yet, so I don’t know what I’m talking about here) for Halloween, make sure it’s a legitimate site you’re visiting for costumes or that it’s a vetted app to watch it–as if you’re not already using someone else’s Netflix login.

Once again, though, all of this proves that criminals not only continue to ruin our fun, they continue to seize the zeitgeist to stay relevant and dangerous.

REvil Dead: the final chapter?

OK, here’s the serious bit. Kinda. One of the groups we couldn’t get enough of simply because of all the drama and chaos this year was REvil–a group with more stories than some of the biggest Hollywood franchises:

  • January 2018 – GandCrab: The Arrival
  • April 2019 – Sodinokibi: GandCrab 2 Electric Boogaloo
  • 2020ish – REvil: Sodinokibi, Tokyo Drift
  • July 2021 – REvil: Catch Me If You Can
  • September 2021 – REvil: The Search for More Money
  • October 2021 – REvil: Dude, Where’s Our Server?
  • October 2021 – FBI: I Know What You Did Last Summer, REvil
  • Coming in 2022 – REvil: The Return (Again)?

To recap, they slowly gained notoriety throughout 2019 and 2020, and suddenly in 2021, they became the subject of a lot of news stories due to some pretty groundbreaking events. We’ve devoted more than a few blogs and podcasts and one analysis of competing hypotheses exercise to them. They’re living in our brains rent-free 24/7.

All joking aside, the most recent hits in the press about REvil are important. While the FBI typically doesn’t comment publicly about ongoing operations, sources seem to point to a joint operation involving several US agencies and some amount of international cooperation that took them down, as reported in Ars Technica. REvil’s representatives have been banned from certain forums, and theories on the dark web are running rampant, as we wrote about last week. In one quote, VMware’s head of cybersecurity, Tom Kellermann, stated: “The gloves have come off.”

How this will affect other ransomware operations remains to be seen. Arrests of affiliates will likely continue since they play the role of the fall guys in this story, but how long until the core operators also begin to feel the pinch of law enforcement and/or government regulations closing in on them? Recent news about the Biden administration creating an agency centered on cryptocurrency is yet another step in the United States’ toughened stance against ransomware. This newfound hardness all started in the wake of the Colonial Pipeline incident and continued through the mess that was REvil’s making: the JBS and Kaseya attacks.

At least the memes are good

Finally, to switch gears a bit, I will say, as an avid meme historian, memes over the past two years have been fire. They’ve played with themes around the pandemic, cultural awakenings, politics, and so many world events, often with a delightful mix of surrealism, satire, and cynicism. Add cybersecurity to that list now.

A few users on Twitter recently took the whole “Parents beware, this is what they’re hiding in candy” trope to a new level for us in the security world, and it’s a delight. Behold:

Someone’s putting Kubernetes exploits in the candy! (courtesy @alexwlchan)

There’s also a personal favorite that’s targeting CISOs and security companies:

Gartner will put that Magic Quadrant anywhere!
(courtesy @eric_capuano)

So, before you send your trick-or-treaters out this weekend, make sure to let them know not to take any intelligence or security tool vendor demos from strangers, and check their candy to make sure no one slipped a Cobalt Strike beacon in it.

Oh, and patch your vulnerabilities. Happy Halloween from Digital Shadows!

It’s dangerous to go alone! Take us

Look, it’s truly a scary world out there sometimes, and these days, all of us are under some kind of cybersecurity threat all of the time. Intelligence is a layer in the defenses that adds context to your alerts and your work, with the goal being to make sure you’re secure. Whether it’s good old threat intelligence, the dark web, risk management, or you’re looking to keep an eye on the important assets, we can help you.

The unreleased Digital Shadows X Zelda collab.

Try us out for a 7-day test drive to see if Searchlight works for you, or we can walk you through a demo using your use cases and questions.
