revil (23)

A new strain of malware developed by threat actors likely affiliated with the FIN7 cybercrime group has been put to nefarious use by the now-defunct Conti ransomware gang members, indicating collaboration between the two crews.  The malware, named Domino, is primarily designed to facilitate follow-on exploitation of compromised systems, including delivering a lesser-known information stealer that has been advertised for sale on the dark web since December 2021.

Former TrickBot/Conti syndicate me

The Russian invasion of Ukraine in early 2022 appears to have led to a double-digit decrease in stolen payment card records published to the dark web, according to researchers.

In a recent report, investigators analyzed detailed threat intelligence gleaned from the cybercrime underground.  It reported a 24% year-on-year decrease in the volume of card-not-present records on dark web carding shops in 2022, to 45.6 million, and a 62% slump in card-present records, to 13.8 million.

Activity Summary - Week Ending on 21 October 2022:

  • Red Sky Alliance identified 32,517 connections from new IP’s checking in with our Sinkholes
  • NoVa hit 17x
  • Analysts identified 1,515 new IP addresses participating in various Botnets
  • “Alchimist” Attack
  • REvil
  • Good News from Brazil
  • Khan Academy
  • Vinomofo
  • Japanese Crypto Funds
  • Oh Canada

Link to full report: IR-22-295-001_weekly295.pdf

Has the notorious REvil, aka Sodinokibi, ransomware operation come back? Researchers suspect former developers may have restarted the server and data leak site. On 20 April 2022, the original Happy Blog leak site began redirecting to the new blog, which lists both old and seemingly new victims, including Oil India Limited.  Cybersecurity researchers on Twitter attributed a recent ransomware attack at Oil India Limited to either REvil or imposters using the gang's name.

In early April 2022, at th

Activity Summary - Week Ending on 21 January 2022:

  • Red Sky Alliance identified 34,423 connections from new IP’s checking in with our Sinkholes
  • Microsoft IP hit again
  • Analysts identified 4,093 new IP addresses participating in various Botnets
  • SysJoker Backdoor
  • Konni Campaign
  • Take Down of VPNLab.net
  • Russia shuts down REvil, huh?
  • Brookings Blog on Russia
  • SilverTerrier sent to the Kennel
  • China and the Olympics
  • Up-Date on Ukraine Hit

Link to full report: IR-22-021-001_weekly021.pdf

In 2010, Iran’s uranium enrichment centrifuges were attacked and rendered useless through a computer virus that became known as Stuxnet.  It was the first case in which a hacker attack, coordinated by nations (presumably the US and Israel), hit a large military target in the “real world.”  A worldwide race to create or acquire cyber weapons was then just taking shape.

Fast forward to last week (11 years later), Ukraine was hit by a massive cyber-attack that targeted government websites.  Posted

Mailing Malware.  You just can’t make this up, but the oldest cyber threat tactic is back again.  A cybercrime group has been mailing out USB thumb drives in the hope that recipients will plug them into their PCs and install ransomware on their networks, according to the FBI.  The USB drives contain so-called 'BadUSB' attacks.  They were sent in the mail through the US Postal Service and United Parcel Service.  One type contained a message impersonating the US Department of Health and Human Ser

The FBI has seized 39.9 bitcoins from an alleged affiliate of the notorious REvil ransomware group, which has been tied to illicit profits of more than $200 million. The seizure occurred 03 August 2021 and was reported on 30 November 2021 in a complaint for forfeiture filed by acting U.S. Attorney Chad E. Meacham in the U.S. District Court for the Northern District of Texas, backed by FBI Special Agent Joshua Jacobs. It says the funds were seized from an Exodus wallet, which refers to a piece of

Activity Summary - Week Ending 17 September 2021:

  • Red Sky Alliance identified 37,866 connections from new unique IP addresses
  • Analysts identified 765 new IP addresses participating in various Botnets
  • Compromised IP: 107.172.100.248
  • Is it REvil or is it the Feds?
  • BazarLoader
  • QakBot
  • BlackMatter and Cameras?
  • Grayfly – an Arm of APT41
  • EasyJet in the Crosshairs
  • Just Who’s Winning the Cyber War?
  • Tiananmen Square Memorials

Link to full report: IR-21-260-001_weekly_260.pdf

Our friends at several cyber media outlets are reporting that the operators behind the REvil ransomware-as-a-service (RaaS) are back.  In a surprise return, REvil reappeared after a two-month break following the widely publicized attack on technology services provider Kaseya on 4 July 2021.  In fact, Red Sky Alliance analysts observed its return this past week.

Two of the dark web portals, including the gang's Happy Blog data leak site and its payment/negotiation site, have reappeared online, wit

Recently, ransomware criminals claimed as trophies at least three North American insurance brokerages that offer policies to help others survive the very network-paralyzing, data-pilfering extortion attacks they themselves apparently suffered.

Cybercriminals who hack into corporate and government networks to steal sensitive data for extortion routinely try to learn how much cyber insurance coverage the victims have. Knowing what victims can afford to pay can give them an edge in ransom negotiati

Activity Summary - Week Ending 9 July 2021:

  • Red Sky Alliance identified 56,261 connections from new unique IP addresses
  • Analysts identified 2,346 new IP addresses participating in various Botnets
  • 12 unique compromised email accounts were seen with Keyloggers
  • RevengeRAT & Aviation
  • Kaseya Attack
  • Babuk Locker
  • PayLoad Bin
  • Space ISAC & Microsoft
  • SideCopy
  • A change in social media collection?
  • DuckDuckGo, Good to Go

Link to full report: IR-21-190-001_weekly_190.pdf

Last weekend did not start out so nice.  The hacking group behind what media are calling a ‘colossal ransomware attack’ has demanded $70m (£50.5m) paid in Bitcoin in return for a "universal decryptor" that it says will unlock the files of all victims.  The Russia-associated REvil group is saying its malware, which initially targeted US IT firm Kaseya, has hit one million "systems."

This number has not been totally verified and the exact total of victims is unknown.  Yet, victims include 500 Swedi

The decision to pay the ransom demanded by the cybercriminal group was to avoid any further issues or potential problems for its customers, according to the company’s CEO.  JBS Foods paid the equivalent of $11 million in ransom after a cyber-attack that forced the company to shut down some operations in the United States and Australia over the Memorial Day weekend.

The company made the payment to cybercriminals to ensure the protection of its data and mitigate any further damage to its customers

The threat group behind the Sodinokibi ransomware claimed to have recently compromised nine organizations.  The REvil ransomware threat group is on a cyberattack tear, claiming over the past three weeks to have infected ten organizations across Africa, Europe, Mexico and the US.  The organizations include two law firms, an insurance company, an architectural firm, a construction company and an agricultural co-op, all located in the US; as well as two large international banks (one in Mexico and

No one needs reminding that ransomware has reached incredible proportions; one widely reported statistic from Purplesec suggests that $20 billion was paid out in 2020. That's almost double its $11.5 billion estimate from 2019, with a commensurately huge increase in the number of attacks, while BitDefender suggested a 715% increase in the first half of the year.

The "crews" have multiplied, adopted tactics that are reminiscent of nation-state attacks, and developed partnerships and relationships

Activity Summary - Week Ending 5 February 2021:

  • Red Sky Alliance identified 34,976 connections from new unique IP addresses
  • Greek Bank, Alpha Bank Group has an Attack Server (C2) Compromise
  • DigitalOcean has a Compromised (C2) IP
  • Analysts identified 2,089 new IP addresses participating in various Botnets
  • PowerShell Dropping REvil
  • Ursnif/Gozi using INPS as Bait
  • How the World Ends
  • US – Russia Cyber Strategy
  • Rocket Chat (Al Qaeda) urging Cyber Terrorism
  • Operation Lady-Bird
  • Electric Grids – Still a

Remember the Dark Side comics?  Well, the DarkSide criminal hacking group is no laughing matter.  The DarkSide Ransomware gang claims they are creating a distributed storage system in Iran to store and leak data stolen from victims.  DarkSide is operated as a Ransomware-as-a-Service (RaaS) where developers control programming the ransomware software and payment site, and affiliates are recruited to hack businesses and encrypt their devices.

DarkSide is the latest ransomware criminal gang to anno

Activity Summary - Week Ending 13 November 2020:

  • Red Sky Alliance observed 67 unique email accounts compromised with Keyloggers
  • Analysts identified 42,222 connections from new unique IP addresses
  • 2,563 new IP addresses were observed Participating in various Botnets
  • Hezbollah is the Top Threat actor this week targeting Israel, US, Lebanon, Syria and Iran
  • TrickBot and BazarLoader
  • WatchBogMiner
  • Ransomware blocks electronic Stadium Entrances
  • A UK Premier League soccer club's Managing Director was H