In late October, the operators of the REvil (also known as Sodinokibi) ransomware announced they were shutting down their operations due to an infrastructure compromise. Subsequently, it was confirmed that this compromise was conducted as part of a joint operation by multiple law enforcement and intelligence agencies from various countries. The initial takedown of REvil infrastructure in mid-July was also part of this operation. German authorities also claim to have identified a Russian citizen who they believe is one of the core members of REvil, though it is unclear if any attempt at extradition has been made. The revelation that the authorities were responsible for this infrastructure compromise makes it unlikely that REvil will return in its current form, as potential affiliates are unlikely to trust them. However, the possibility that members of REvil will return as a new ransomware group cannot be discounted.
AvosLocker continues to grow its presence in the criminal landscape. After launching their data leaks site in July, the operators have now stated they will begin auctioning stolen data rather than simply leaking it for free. This is an attractive strategy for ransomware groups, as it provides them with an opportunity to generate some profit from what would otherwise be a failed attack. However, other groups who publicly adopted this strategy often ended up releasing the stolen data for free later, suggesting demand is limited, though this likely fluctuates depending on the victim and the sensitivity of the data available. The AvosLocker operators have also begun advertising their Ransomware-as-a-Service product on darknet forums, where they confirmed that alongside Avos2, they also have a new variant developed specifically for Linux systems known as AvosLinux. Public representatives of AvosLocker have been more active recently, which could lead to an increase in affiliates and an increase in the rate of attacks utilising this ransomware. The most recent high-profile attack involving AvosLocker was against the Taiwanese computer hardware manufacturer Gigabyte.
Finally, multiple new leak sites also launched this month. The first is Moses Staff, which has solely targeted organisations based in Israel, a likely deliberate choice given their reference to “exposing the crimes of the Zionists in occupied Palestine”. Moses Staff makes no mention of ransomware or extortion, indicating its purpose is to leak data rather than force victims to pay for its return. Another site, known as 54bb47h, has also been launched, though currently no victims have been named on it. Finally, a leaks site operated by a group referred to as Midas has been launched. There are already a significant number of victims named on the site. Notably, many had previously been named on the leaks site operated by the Haron ransomware group, meaning it is highly likely that Midas is simply a rebrand of this group.
Key Events
4 October – Two Ukrainian ransomware operators arrested by law enforcement.
5 October – AvosLocker announces they will begin auctioning off stolen victim data.
11 October – Pacific City Bank (PCB), a US-based financial institution, discloses a ransomware attack involving AvosLocker. The attack reportedly occurred several months prior to the disclosure.
15 October – National Beverage, one of the largest manufacturers and distributors of soft drinks in the US, hit by the BlackMatter ransomware.
15 October – The operators of the LockBit ransomware now publicly reach out to the operators of Trickbot, suggesting there is potential for a partnership between the two.
18 October – REvil's public representative announces the group is shutting down after an infrastructure compromise.
18 October – Moses Staff data leaks site launches.
19 October – Sinclair Broadcast Group (SBG), a major US broadcaster, hit by ransomware.
19 October – FinCEN, the US Treasury Department's financial crimes investigation unit, confirms it identified around $5.2 billion in outgoing Bitcoin transactions tied to ransomware payments during the first half of 2021.
19 October – The FBI, CISA, and NSA issue a joint security advisory on the BlackMatter ransomware.
20 October – Gigabyte, a Taiwanese manufacturer of computer hardware, hit by AvosLocker.
21 October – Papua New Guinea Finance Department hit by ransomware.
22 October – Confirmation that authorities were responsible for the REvil infrastructure compromise.
25 October – Emsisoft publicly discloses the existence of a decryptor for the BlackMatter ransomware.
27 October – 54bb47h data leaks site launches.
27 October – Eberspächer Group, a large German manufacturing conglomerate, hit by ransomware.
28 October – Midas data leaks site launches.
28 October – Avast publicly releases decryptors for LockFile, Babuk and AtomSilo.
29 October – Europol announces the detention of twelve individuals suspected of working as affiliates for various Ransomware-as-a-Service (RaaS) groups, including LockerGoga, MegaCortex, and Dharma.
29 October – AvosLocker begins advertising for affiliates on the RAMP forum. They also disclose the existence of a new variant developed specifically for Linux systems known as AvosLinux.