We’re starting this month’s newsletter off with some good news, with a hat tip to Emsisoft Threat Analyst Brett Callow for pointing it out.
A coding bug helped researchers build a secret BlackMatter ransomware decryption tool. The headline tells the tale, but we do so love it when the bad guys goof up.
REvil Down
Russia says it has neutralized the cutthroat REvil ransomware gang. For anyone who has been involved in information security (or international politics) any time in the past 25 years, headlines that contain the words “Russia says” and “ransomware gang” normally elicit skepticism, especially when the topic is REvil, a.k.a. Sodinokibi.
Russia is widely understood to both operate a number of advanced cyber warfare units, and either directly or indirectly support a number of threat actors, including numerous ransomware operators. So long as they don’t attack Russian citizens or infrastructure, the hypothesis goes, Russia allows them to continue their activities because they impede the interests of Russia’s geopolitical rivals.
REvil was behind a number of devastating cyberattacks in 2021, including the pillaging of Microsoft Exchange Servers, the JBS S.A. Cyberattack, and the Kaseya VSA Ransomware attack.
There is, however, some reason to believe that Russia may well have been willing to offer up some or all of the REvil ransomware gang’s members. In October 2021 many of the world’s most powerful nations got together to discuss counter-ransomware co-operation. An international effort of that scope could change the rules with regards to both cybercrime and espionage.
Russia may also have offered up REvil as a negotiating tactic as part of an unfolding geopolitical brouhaha centered on Ukraine. The espionage and cyber warfare activities of all parties to the Ukraine situation have been one of the negotiation tracks. Cyber warfare capabilities are also on full display as all parties bring their “A” game in an attempt to “prepare the battlefield” should negotiations fail.
Everything about this situation is fluid. State-sponsored and private threat actors are engaging as much in disinformation campaigns as they are in direct information warfare, but for the time being, Russia probably has to at least maintain the pretense that REvil is off the board. So let’s call that a win.
Memento/APT35 Attribution
As a general rule, any time we have to talk about specific threat actors, the news isn’t good. We do, however, enjoy it when there are steps made toward attribution, as there are in this case:
Iranian state-sponsored group APT35 linked to Memento ransomware. Knowing your enemy is one step on the road to defeating them.
The attribution was revealed in a report by Cybereason, and links the long-active APT35 (a.k.a. Charming/Imperial Kitten, Phosphorus, Tortoiseshell, TA453, Newsbeef, and Ajax Security) to the infrastructure behind the Memento ransomware that infected numerous Exchange servers in 2021.
Raspberry Pi vs. IoT Malware
On the list of unexpected – not to mention expensive – anti-malware tools is the unlikely marriage of a Raspberry Pi, an oscilloscope, and a few other odds and ends. The result is that you can Detect malware with electromagnetic waves and Raspberry Pi.
We have officially reached the point where we can wave one box of flattened sand over another box of flattened sand and get the caged lightning in the first box to tell you whether or not the caged lightning in the second box of flattened sand is going to try to infect any of your other boxes of flattened sand. “Computers are boxes of flattened sand with caged lightning we trick into doing math” may be a popular meme, but honestly, detecting IoT malware using a Raspberry Pi and an oscilloscope is just this side of outright magic. It’s also really, really cool.