Attackers compromised up to 1500 companies during massive ransomware attack, which is now reported as one of the largest cyber attacks ever. Victims have been infected with REvil ransomware, which is similar to DarkSide ransomware used recently in Colonial Pipeline attack. However, this time, the deployed REvil ransomware was more obfuscated than versions observed in beginning of 2021. In this article, we will discuss the obfuscation techniques used by REvil in Kaseya incident.
DarkSide Ransomware is a very hot topic now, especially after the Compromise of Colonial Pipeline networks, which has been investigated by FBI, too. It caused so serious problems that even hackers said that they “didn’t mean to create problems”. However, DarkSide ransomware is not something completely new, and it is similar to the infamous Revil/Sodinokibi ransomware. In this post, I would like to highlight some significant similarities between newer samples of both ransomwares with insights about DarkSide victims based on custom ransom notes.
Threat intelligence is one of the most critical weapons we can use in cyber defense. I often use Threat intelligence for enhancing my daily tasks in LIFARS such as incident response, threat hunting, forensics and malware analysis. And because the automation is the key for many tasks, I decided to design a new tool which helps us to speedup our processes. Our great R&D team then developed this tool and we recently released under Open Source MIT License as our gift to the community.
IDA, the Interactive Disassembler, is well known tool. It also comes in Freeware version, however, there are several limitations. For example, it is known, that IDA Freeware doesn’t support IDA Python, scripting language which brings the best from the IDA and from the Python world. For scripting, IDA Freeware supports only IDC, a “toy”  C-like language. In past I was wondering if it is possible to run Python even from IDA Freeware, Recently I played little bit more with IDC and I found a way how to pass data from IDA to external Python, and get back results to the IDA.
Few weeks ago, I saw somewhere on the Internet question about IDA Freeware compatibility with the Fluorescence plugin. And because this plugin is written in IDAPython and IDAPython isn’t officially supported by IDA Freeware, also this plugin isn’t compatible. However, when I checked what this plugin does, it turns out that it is very simple - its purpose is to highlight call instructions. So as an exercise I re-created IDC script with similar feature, and moreover, I also created plugin version of IDC Fluorescence.