Interesting #threatintel thread on Twitter this morning from Resecurity (full disclosure: I worked with one of their team a number of years ago).
Their research findings do not seem to be up on their web site at this time, so hopefully you can access it on Twitter. The thread begins here.
In light of the recent #SupplyChain attack on @KaseyaCorp by #REvil, it is worth paying attention to decoder[.]re included within the ransom notes, used additionally to ‘mirror’ in TOR network. #Ransomware #Cybersecurity #ThreatIntel #ThreatHunting #Malware pic.twitter.com/G32IrY2GxD
— Resecurity (@resecurity_com) July 7, 2021
They note that “Similar to decryptor[.]cc and decryptor[.]top in previous #REvil/#Sodinokibi versions, decoder[.]re is used to grant the victims access to the threat actors WEB-site for further negotiations should their connection be limited via #TOR.”
Their research found that decoder[.]re resolves to IP 82.146.34.4 (AS29182) “belonging to Russian ISP / cloud hosting company.”
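The indicators above are published defanged (`decoder[.]re`, `82.146.34.4`), and a common way to act on them is to refang them and sweep resolver logs for lookups of the domain (or any subdomain of it) and for answers pointing at the reported IP. The script below is an added example, not code from Resecurity or from this post; the DNS log lines and their `timestamp client qname answer` layout are constructed for the demonstration, and the `decoder.reddit.com` line is there to show why a plain substring match on `decoder.re` would misfire.

```python
import re
from ipaddress import ip_address

# Indicators exactly as published (defanged) in the Resecurity thread.
DEFANGED_INDICATORS = ["decoder[.]re", "decryptor[.]cc", "decryptor[.]top", "82.146.34.4"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into its real form, lower-cased."""
    return (indicator.replace("[.]", ".").replace("(.)", ".")
            .replace("hxxps://", "https://").replace("hxxp://", "http://").lower())


def is_ip(value: str) -> bool:
    try:
        ip_address(value)
        return True
    except ValueError:
        return False


def split_indicators(defanged):
    """Refang and sort indicators into a domain set and an IP set."""
    domains, ips = set(), set()
    for raw in defanged:
        value = refang(raw)
        (ips if is_ip(value) else domains).add(value)
    return domains, ips


def domain_matches(qname: str, domains) -> bool:
    """True for the domain itself or a subdomain; 'decoder.reddit.com' must NOT match 'decoder.re'."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)


# Constructed sample resolver log (hypothetical hosts, not real telemetry).
SAMPLE_LOG = """\
2021-07-07T09:12:01Z 10.0.0.15 www.example.com 93.184.216.34
2021-07-07T09:12:05Z 10.0.0.22 decoder.re 82.146.34.4
2021-07-07T09:12:09Z 10.0.0.22 www.decoder.re 82.146.34.4
2021-07-07T09:13:40Z 10.0.0.31 decoder.reddit.com 151.101.1.140
2021-07-07T09:14:02Z 10.0.0.40 cdn.example.net 82.146.34.4
"""
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def scan_dns_log(text: str, defanged=DEFANGED_INDICATORS):
    """Return (client, qname, reason) for each line that hits a listed domain or answer IP."""
    domains, ips = split_indicators(defanged)
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the sweep
        _ts, client, qname, answer = m.groups()
        if domain_matches(qname, domains):
            hits.append((client, qname, "domain"))
        elif answer in ips:
            hits.append((client, qname, "answer-ip"))  # catches DGA-style or renamed hosts on the same IP
    return hits
```

The `answer-ip` branch flags hosts that resolved some other name to the listed IP, which is worth a look but is weaker evidence than a lookup of the domain itself, since a cloud-hosting address can be shared by unrelated tenants.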
They dig further and share additional details from their findings. The thread concludes (so far) with a depiction of the hypothesized REvil ecosystem:
For the full thread and other tweets by Resecurity, follow @resecurity_com on Twitter.