In light of the recent #SupplyChain attack on @KaseyaCorp by #REvil, it is worth paying attention to decoder[.]re included within the ransom notes, used additionally to 'mirror' in TOR network. #Ransomware #Cybersecurity #ThreatIntel #ThreatHunting #Malware
Similar to decryptor[.]cc and decryptor[.]top in previous #REvil/#Sodinokibi versions, decoder[.]re is used to grant the victims access to the threat actors' WEB-site for further negotiations should their connection be limited via #TOR.
To access the page in WWW or TOR - the victim needs to provide a valid UID (e.g. "9343467A488841AC")
A unique private key is required to establish a chat with the threat actors.
decoder[.]re resolves to IP 82.146.34.4 (AS29182) belonging to Russian ISP / cloud hosting company.

ip2location.com/demo/82.146.34…
ip-adress.com/ip-address/ipv…
More information about it - could be recovered via AS29182 owner details - ipinfo.io/AS29182
Using dnsdumpster.com we analyzed the available #DNS records - it appears there is a hidden admin panel available on the same WEB-server.
Domain used for NS servers goprodns[.]top is registered on johnjrutledge@grr.la, a Disposable Temporary E-Mail Address created via guerrillamail.com.

ns1.goprodns.top > 185.198.57.174 > Host Sailor Ltd (NL)
ns2.goprodns.top > 188.225.38.89 > TimeWeb Ltd. (RU)
Visual graph of the current #REvil ecosystem. The domain decoder[.]re and #ransomware page on it are still active. It's hard to believe such malicious activity has gone unnoticed by certain governments resulting in damage to thousands of enterprises globally. #ThreatIntel
08 Jul 2021 06:53:00 AM - The domain still points to the same IP address. Reports available via @Site24x7 and @HostTracker2.

site24x7.com/public/t/resul…

host-tracker.com/v3/check/3/5d1…
08 Jul 2021 08:38:00 AM - both decoder[.]re and its TOR 'mirror' continue to serve victims. Using valid UIDs and keys collected from ransom notes dropped by #REvil samples available at @hatching_io Triage - both resources return identical content and have the same functionality.
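A defender-side way to put the indicators from this thread to work, as an added example that is not part of the original thread: refang the published domains and IPs, then match them against resolver query logs so that lookups of decoder[.]re, the goprodns[.]top name servers, or answers pointing at the listed IPs surface as hits. The log line format and the sample lines are constructed for the example.

```python
import ipaddress
from typing import Dict, Iterable, List, Set

# Indicators as published (defanged) in the thread above; nothing else is assumed.
DEFANGED_INDICATORS = [
    "decoder[.]re", "decryptor[.]cc", "decryptor[.]top", "goprodns[.]top",
    "82.146.34.4", "185.198.57.174", "188.225.38.89",
]

def refang(ioc: str) -> str:
    # Reverse the "[.]" defanging so the value can be compared with live log data.
    return ioc.strip().lower().replace("[.]", ".")

def build_watchlist(defanged: Iterable[str]) -> Dict[str, Set[str]]:
    # IPs and domains are matched differently, so sort them into two sets.
    watch: Dict[str, Set[str]] = {"domains": set(), "ips": set()}
    for ioc in defanged:
        clean = refang(ioc)
        try:
            ipaddress.ip_address(clean)
            watch["ips"].add(clean)
        except ValueError:
            watch["domains"].add(clean)
    return watch

def domain_hit(qname: str, domains: Set[str]) -> bool:
    # Exact or subdomain match, so ns1.goprodns.top matches goprodns.top.
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)

def scan_dns_log(lines: Iterable[str], watch: Dict[str, Set[str]]) -> List[dict]:
    # Assumed (constructed) line format: <timestamp> <client> <qname> <qtype> <answer>.
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines instead of crashing the scan
        ts, client, qname, _qtype, answer = parts
        if domain_hit(qname, watch["domains"]) or answer in watch["ips"]:
            hits.append({"ts": ts, "client": client, "qname": qname, "answer": answer})
    return hits

# Constructed sample resolver log: one benign lookup, three touching thread indicators.
SAMPLE_DNS_LOG = """\
2021-07-08T06:53:00Z 10.0.0.12 www.example.com A 93.184.216.34
2021-07-08T06:53:05Z 10.0.0.12 decoder.re A 82.146.34.4
2021-07-08T06:53:07Z 10.0.0.41 ns1.goprodns.top A 185.198.57.174
2021-07-08T06:53:11Z 10.0.0.77 cdn.example.net A 188.225.38.89
""".splitlines()
```

Run `scan_dns_log(SAMPLE_DNS_LOG, build_watchlist(DEFANGED_INDICATORS))` to get the three matching records; the last hit shows why answer IPs are checked as well as query names.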
