EclecticIQ Threat Research Team
November 10, 2021

The Analyst Prompt #39: Ransomware; Falsified Covid Certificates; US Blacklists NSO Group

Intelligence Research

Policy and Governance: Tensions Rise between Ransomware Gangs and Western Governments

After the second government takedown of ransomware group REvil’s online infrastructure on 22 October 2021 [1], ransomware gangs Arvin, Groove, and Conti all posted comments sympathetic to REvil and inflammatory toward the U.S. on their respective data leak sites.

Groove operators called for partner programs to stop competing with one another and to coordinate attacks on the U.S. public sector. They urged their partners not to attack Chinese interests in case they need to flee their “homeland”. Shortly after making this announcement, the Groove operator announced that the Groove project was a hoax to troll Western media. The next day both posts had been removed from the site and replaced with a new victim [2]. A few days prior, a Groove associate posted on the RAMP cybercrime forum that they will target U.S. hospitals and government agencies and will also consider some EU countries, specifically “Italian Hospitals”, as targets [3]. While the credibility of such threats is questionable, these actions do speak to the general sentiment of some ransomware operators toward Western media and interests.

The Conti gang stopped short of asking partners to coordinate an attack on the U.S. private sector, but their post does show a similar disdain as Groove toward the United States. The Arvin Club posted a Simpsons meme which suggested the takedown of REvil was not warranted and wished REvil success [4].

As of 1 November 2021, the Arvin and Groove leaks sites and the RAMP forum were no longer accessible by EclecticIQ researchers. At this time, it is unknown if there has been a coordinated government effort to take down these sites or if the site administrators shut them down.

While some ransomware gangs are looking to counter recent efforts by Western law enforcement by ramping up the targeting of the U.S. private sector, others such as BlackMatter appear content to lay low and shut down operations. On 1 November 2021, BlackMatter announced in an apparent message to affiliates that they would shut down their “entire infrastructure” within 48 hours. The group cites “pressure from authorities” and “part of the team is no longer available, after the latest news” as the reasons for the shutdown [5]. While it is not clear what the group is referring to by the “latest news,” the timing suggests they are referring to the coordinated Europol effort to target 12 individuals who have been involved in ransomware attacks against critical infrastructure [6]. The BlackMatter leak and support pages were no longer accessible by the EclecticIQ Research Team as of 4 November 2021.

Despite the efforts of law enforcement, the EclecticIQ Threat Research Team has not identified a significant reduction in reports of ransomware nor a reduction in the infrastructure used in attacks. For this reason, organizations should continue to prioritize defenses against the ransomware threat.

New and Noteworthy: Falsified Digital COVID Certificates Under Investigation

As countries continue to recover from the Coronavirus pandemic, a number of countries are creating COVID certificates to allow the vaccinated, and those who have recently tested negative or recovered, to travel and to access the hospitality, cultural and events industries. The implementation of such a system has sparked concerns over privacy and protests throughout Europe. It has also created a marketplace for falsified COVID certificates.

In the past week, falsified certificates for Adolf Hitler, Mickey Mouse, and SpongeBob were posted online that return valid results from the official COVID19 validator apps of certain countries. The European Commission immediately launched an investigation into how these valid certificates were generated [7]. The Italian wire service ANSA reported on October 27th that some of the private keys used to sign the health certificates were stolen [8]. However, just a day later the French and Polish authorities announced there was “no cryptographic compromise” [7]. Security researchers tracking fake certificates via a GitHub repository speculate that it is more plausible that the chain of trust between the government and those authorized to generate certificates was compromised, or that someone managed to install malware on a system with access to generate certificates [9].

EclecticIQ Researchers also believe it is very unlikely the private keys were stolen. Stealing the keys would likely require significant technical capabilities, as protecting these keys is a high priority. The theft of such keys would give threat actors the ability to mark any COVID19 certificate as valid, and every individual would then require a reissued COVID19 certificate. It is more likely that either authorized individuals are generating the false certificates to be sold, or unauthorized individuals have gained access to a system that can generate certificates. It is likely European governments will implement new measures to protect the chain of trust and improve the security of systems with access to generate certificates.
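The distinction the two paragraphs above draw, between a stolen signing key and misuse of an authorized signing system, comes down to what a validator app actually checks. The Go program below is an added illustration written for this newsletter, not code from EclecticIQ or from any national certificate scheme; it uses a constructed, simplified payload rather than the real EU Digital COVID Certificate format, and the key ID "issuer-A" is an assumed label. It shows that a validator only confirms that a trusted key produced the signature, so a certificate for "Mickey Mouse" signed by a legitimate issuer verifies exactly like a genuine one, that a signature from a key not on the trust list fails, and that the only containment for a stolen key (revoking it from the trust list) also invalidates every genuine certificate signed with it, which is why key theft would force mass reissuance.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// HealthCert is a constructed, simplified certificate payload for this example;
// it is not the real EU Digital COVID Certificate schema.
type HealthCert struct {
	Name       string `json:"name"`
	Vaccinated bool   `json:"vaccinated"`
}

// SignedCert carries the payload, the ID of the key that signed it, and the signature.
type SignedCert struct {
	KeyID     string
	Payload   []byte
	Signature []byte
}

// TrustList maps the key IDs of authorized issuers to their public keys.
// A validator app trusts whatever this list says; it cannot judge the payload itself.
type TrustList map[string]*ecdsa.PublicKey

// Sign produces a certificate signed with an issuer's key (ECDSA P-256 over SHA-256).
func Sign(priv *ecdsa.PrivateKey, kid string, cert HealthCert) (SignedCert, error) {
	payload, err := json.Marshal(cert)
	if err != nil {
		return SignedCert{}, err
	}
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return SignedCert{}, err
	}
	return SignedCert{KeyID: kid, Payload: payload, Signature: sig}, nil
}

// Verify models a validator app: look up the key ID in the trust list and check
// the signature over the payload. Nothing here asks whether the payload is plausible.
func Verify(tl TrustList, sc SignedCert) bool {
	pub, ok := tl[sc.KeyID]
	if !ok {
		return false // unknown or revoked issuer
	}
	digest := sha256.Sum256(sc.Payload)
	return ecdsa.VerifyASN1(pub, digest[:], sc.Signature)
}

// Revoke is the containment step if a signing key is believed stolen: drop it from
// the trust list. Every certificate signed with that key, genuine or not, then fails.
func (tl TrustList) Revoke(kid string) {
	delete(tl, kid)
}

func main() {
	issuerKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tl := TrustList{"issuer-A": &issuerKey.PublicKey} // assumed key ID

	// Both certificates come from the same authorized key; the validator cannot tell them apart.
	genuine, _ := Sign(issuerKey, "issuer-A", HealthCert{Name: "Jane Doe", Vaccinated: true})
	fraudulent, _ := Sign(issuerKey, "issuer-A", HealthCert{Name: "Mickey Mouse", Vaccinated: true})
	fmt.Println("genuine verifies:    ", Verify(tl, genuine))
	fmt.Println("fraudulent verifies: ", Verify(tl, fraudulent))

	// A well-formed certificate from a key that is not on the trust list fails,
	// even when it claims a trusted key ID.
	rogueKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rogue, _ := Sign(rogueKey, "issuer-A", HealthCert{Name: "SpongeBob", Vaccinated: true})
	fmt.Println("rogue key verifies:  ", Verify(tl, rogue))

	// Revoking issuer-A stops the fraudulent certificate, but also every genuine one
	// signed with that key; those holders would all need a reissued certificate.
	tl.Revoke("issuer-A")
	fmt.Println("genuine after revoke:", Verify(tl, genuine))
}
```

The takeaway for the scenario in the text: if the fraudulent certificates were produced through an authorized issuing system, the fix is on the issuing side (access control, auditing of who generated what), not in the cryptography, and the validator apps keep working unchanged. Only if a key were actually stolen would the trust-list revocation shown here be necessary, with the reissuance cost the paragraph describes.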

Policy and Governance: NSO Group Added to US Trade Blacklist

On 5 November 2021, the U.S. Commerce Department’s Bureau of Industry and Security (BIS) announced that the Israeli military-grade spyware manufacturer NSO Group would be added to the Entity List for developing and supplying spyware to “foreign government officials, journalists, businesspeople, activists, academics and embassy workers” [11]. The Entity List is a tool leveraged by the BIS to restrict exports to an individual, organization, or company.

The NSO Group’s spyware, Pegasus, was linked to the killing and dismemberment of Washington Post columnist Jamal Khashoggi by Saudi operatives and the targeting of human rights activists, and was even found on French President Emmanuel Macron’s phone [11] [12].

Three other offensive security companies were added to the Entity List on Wednesday, including Candiru (Israel), Positive Technologies (Russia) and Computer Security Initiative Consultancy PTE. LTD (Singapore) [11].

Being placed on the Entity List essentially cuts these organizations off from the U.S. technology industry. EclecticIQ Researchers expect this to cause significant disruption to business operations for these companies, and it could lead to them shutting down operations unless they are able to retool without using U.S. software and hardware technologies.

About EclecticIQ Threat Research

EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Threat Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.

We would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com.

Appendix:

  1. https://www.reuters.com/technology/exclusive-governments-turn-tables-ransomware-gang-revil-by-pushing-it-offline-2021-10-21/
  2. https://twitter.com/nokae8/status/1452781456481153025
  3. https://www.bleepingcomputer.com/news/security/groove-ransomware-calls-on-all-extortion-gangs-to-attack-us-interests/
  4. https://twitter.com/BleepinComputer/status/1451579282023665675
  5. https://twitter.com/vxunderground/status/1455750066560544769
  6. https://www.europol.europa.eu/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure
  7. https://threatpost.com/eus-green-pass-vaccination-id-private-key-leaked/175857/
  8. https://www.ansa.it/english/news/general_news/2021/10/27/eu-green-pass-generation-keys-stolen-sources_e231d1e5-8eab-429b-ae6d-c70991469d41.html
  9. https://github.com/denysvitali/covid-cert-analysis
  10. https://www.commerce.gov/news/press-releases/2021/11/commerce-adds-nso-group-and-other-foreign-companies-entity-list
  11. https://www.nytimes.com/2021/11/03/business/nso-group-spyware-blacklist.html
  12. https://www.ft.com/content/e381b556-c859-4a3b-8f7c-5fe80d3272d2
