Resecurity®
We provide technology that empowers organizations to reimagine cybersecurity & protect what matters #SaaS #DigitalRiskManagement #CyberThreatIntelligence

Jul 7, 2021, 11 tweets

In light of the recent #SupplyChain attack on @KaseyaCorp by #REvil, it is worth paying attention to decoder[.]re, included within the ransom notes and used in addition to a 'mirror' in the TOR network. #Ransomware #Cybersecurity #ThreatIntel #ThreatHunting #Malware

Similar to decryptor[.]cc and decryptor[.]top in previous #REvil/#Sodinokibi versions, decoder[.]re is used to grant the victims access to the threat actors' website for further negotiations should their connection be limited via #TOR.

To access the page on the WWW or TOR, the victim needs to provide a valid UID (e.g. "9343467A488841AC").

A unique private key is required to establish a chat with the threat actors.

decoder[.]re resolves to IP 82.146.34.4 (AS29182), belonging to a Russian ISP / cloud hosting company.

ip2location.com/demo/82.146.34…
ip-adress.com/ip-address/ipv…

More information about it could be recovered via the AS29182 owner details: ipinfo.io/AS29182

Using dnsdumpster.com we analyzed the available #DNS records; it appears there is a hidden admin panel available on the same web server.

The domain used for the NS servers, goprodns[.]top, is registered to johnjrutledge@grr.la, a disposable temporary e-mail address created via guerrillamail.com.

ns1.goprodns.top > 185.198.57.174 > Host Sailor Ltd (NL)
ns2.goprodns.top > 188.225.38.89 > TimeWeb Ltd. (RU)

Visual graph of the current #REvil ecosystem. The domain decoder[.]re and #ransomware page on it are still active. It's hard to believe such malicious activity has gone unnoticed by certain governments resulting in damage to thousands of enterprises globally. #ThreatIntel

08 Jul 2021 06:53:00 AM - The domain still points to the same IP address. Reports available via @Site24x7 and @HostTracker2.

site24x7.com/public/t/resul…

host-tracker.com/v3/check/3/5d1…

08 Jul 2021 08:38:00 AM - both decoder[.]re and its TOR 'mirror' continue to serve victims. Using valid UIDs and keys collected from ransom notes dropped by #REvil samples available at @hatching_io Triage, both resources return identical content and have the same functionality.
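A defender's hunt over the indicators this thread names (the negotiation domains, the goprodns[.]top name servers and the three IPs), as an added example that is not part of the original thread: it refangs the defanged indicators and flags DNS-log lines whose query name is a watchlist domain or a subdomain of one, or whose answer is a watchlist IP. The log format and all log lines are constructed for illustration; the indicator values are the ones quoted in the thread.

```python
import re
from typing import Optional

# Indicators as written (defanged) in the thread above.
DEFANGED_DOMAINS = ["decoder[.]re", "decryptor[.]cc", "decryptor[.]top", "goprodns[.]top"]
WATCHLIST_IPS = {"82.146.34.4", "185.198.57.174", "188.225.38.89"}

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'decoder[.]re' back into 'decoder.re'."""
    return indicator.replace("[.]", ".").replace("(.)", ".").lower()

WATCHLIST_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}

def domain_matches(qname: str) -> Optional[str]:
    """Return the watchlist domain that qname equals or is a subdomain of, else None."""
    q = qname.lower().rstrip(".")
    for d in WATCHLIST_DOMAINS:
        if q == d or q.endswith("." + d):
            return d
    return None

# Constructed sample log (hypothetical format): "<timestamp> <client_ip> <qname> <answer_ip>".
SAMPLE_DNS_LOG = """\
2021-07-08T06:53:00Z 10.0.0.15 www.example.com 93.184.216.34
2021-07-08T06:53:07Z 10.0.0.15 decoder.re 82.146.34.4
2021-07-08T06:54:12Z 10.0.0.22 ns1.goprodns.top 185.198.57.174
2021-07-08T06:55:01Z 10.0.0.22 updates.example.net 203.0.113.9
2021-07-08T06:56:40Z 10.0.0.31 cdn.example.org 188.225.38.89
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def scan_dns_log(text: str) -> list:
    """Return one hit dict per log line that touches a watchlist domain or IP."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the hunt
        ts, client, qname, answer = m.groups()
        reasons = []
        d = domain_matches(qname)
        if d:
            reasons.append(f"qname matches watchlist domain {d}")
        if answer in WATCHLIST_IPS:
            reasons.append(f"answer {answer} is a watchlist IP")
        if reasons:
            hits.append({"ts": ts, "client": client, "qname": qname, "answer": answer, "reasons": reasons})
    return hits

if __name__ == "__main__":
    for h in scan_dns_log(SAMPLE_DNS_LOG):
        print(h["ts"], h["client"], h["qname"], "->", "; ".join(h["reasons"]))
```

The third sample hit shows why matching on the answer IP matters as well: a client resolving an unrelated-looking name to one of the thread's IPs still surfaces.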
