'Disgruntled insider' shared REvil information with researchers, helped law enforcement

Written by Sep 29, 2022 | CYBERSCOOP

In the fall of 2019, after writing about how Sodinokibi ransomware affiliates bragged online about the money they were making, threat intelligence researchers with McAfee Advanced Threat Research received an interesting email.


The sender turned out to be a “disgruntled internal source” upset with how other hackers boasted about earnings while they hadn’t been paid. The insider went on to help researchers understand the inner workings of the group that became known as REvil, whose antics and crimes made headlines after attacking beef producer JBS.


Russian authorities arrested multiple REvil members in January, and Russian officials hailed it as a sign of “cooperation” between Washington and Moscow. But Russia’s invasion of Ukraine on Feb. 24 broke off any cooperation between the two countries, a U.S. official told CyberScoop in April, and it’s unclear how the prosecutions are proceeding, if at all.


John Fokker, principal threat engineer at Trellix — and formerly of McAfee ATR — revealed the interactions with the insider in new research on Thursday. He notes that the source shared screenshots of REvil’s back-end panel that helped confirm earlier theories from Fokker’s team about how REvil tracked its affiliates. It also ..
