Cybersecurity news headlines for November 2021
In November’s edition of cybersecurity news headlines, we talk about three stories. International law enforcement operation GoldDust led to 7 arrests in relation to the REvil/GandCrab cybercrime gangs. NordPass released a list of the year’s most popular passwords, with disappointing but not surprising results. And the US is now offering a $10 million reward for information about REvil and DarkSide leaders.
Without further ado, here are the stories that made the biggest headlines in November 2021.
REvil “mastermind” and others arrested during operation GoldDust
A coordinated law enforcement operation has led to the arrest of seven hackers associated with the REvil cyber gang. REvil is one of the most notorious cybergangs to emerge in recent history. It is responsible for the massive Kaseya cyberattack that took place in June/July this year. Kaseya is a software company that provides network management tools for businesses. The attackers exploited a vulnerability in Kaseya’s Virtual System Administrator (VSA) tool, a remote monitoring and management product widely used by managed service providers (MSPs). Because MSPs use VSA to push software to their clients’ machines, compromising it turned into a supply chain ransomware attack: roughly 60 MSPs running VSA and over 1,500 of their downstream customers were infected. The gang demanded a $70 million ransom for a universal decryptor.
The massive cyberattack attracted a lot of attention from both law enforcement agencies and the media. It apparently drew more heat than REvil anticipated: the gang’s entire infrastructure went offline about two weeks after the attack. Four months later, Europol announced that arrests had been made. The coordinated operation led to a total of seven arrests in relation to REvil and its predecessor GandCrab. The arrests are part of GoldDust, an international operation involving 17 countries. According to Europol, law enforcement made the first arrest in early 2021, and three REvil affiliates and two GandCrab hackers were arrested over the course of the year. Most recently, Romanian authorities arrested two hackers associated with the REvil gang who are believed to be responsible for at least 5,000 infections.
One of the seven hackers in custody is suspected to be the perpetrator behind the Kaseya ransomware attack. The Ukrainian national was arrested at the Polish border in October. The other suspects were arrested in South Korea and Kuwait. In total, the suspects are estimated to have carried out attacks against 7,000 victims.
One of REvil’s alleged “masterminds” is a 22-year-old Ukrainian named Yaroslav Vasinskyi. According to US Attorney General Merrick Garland, he is now facing charges for the Kaseya attack. He is also believed to be responsible for at least 2,500 attacks since joining REvil in 2019, collecting about $2.3 million in ransom payments. Russian hacker Yevgeniy Polyanin was also indicted, though he has not been arrested yet. He is accused of launching at least 3,000 ransomware attacks.
In addition to the arrests, the US Department of State is offering a reward of up to $10 million for any information leading to the identification or location of any individuals holding key positions of power in the REvil/Sodinokibi cyber group. A further $5 million reward is offered for information leading to the arrest and/or conviction of any individuals conspiring to participate or attempting to participate in a REvil/Sodinokibi ransomware incident.
123456 is the most popular password of 2021
The annual list of the most common passwords by NordPass revealed that “123456” is the most popular password of 2021. The detailed list contains the 200 most common passwords and can be filtered by country. It also shows how many times each password was used and how long it would take to crack it. Unsurprisingly, the majority of passwords on the list take seconds to crack. Crack times like these describe offline guessing against a stolen password hash; a rate-limited login form slows an attacker down, but passwords this common sit at the top of every attacker’s wordlist, so online guessing succeeds against them too. The list is made up of passwords that were leaked or exposed in data breaches in 2021. NordPass compiled it with independent researchers who specialize in cybersecurity incident research and who evaluated a 4TB database of leaked credentials.
The most popular passwords of 2021 worldwide are:
- 123456 (used 103,170,552 times)
- 123456789 (used 46,027,530 times)
- 12345 (used 32,955,432 times)
- qwerty (used 22,317,280 times)
- password (used 20,958,297 times)
- 12345678 (used 14,745,771 times)
- 111111 (used 13,354,149 times)
- 123123 (used 10,244,398 times)
- 1234567890 (used 9,646,621 times)
- 1234567 (used 9,396,813 times)
Every password shown above, and in fact the majority of the 200 on the list, can be cracked in less than a second. Filtering by country reveals that users all over the world rely on variations of “123456”, “qwerty”, and “password”.
Names are also commonly used as passwords, in many different countries. For example, “michael”, “daniel”, “ashley”, “charlie”, and “jessica” are the most common name passwords in the US. “sakura”, “takahiro”, “masahiro”, “hiroyuki”, and “yamamoto” are the most popular name passwords in Japan. Another tendency that can be noticed is that users all over the world like to use swear words as passwords.
It should be mentioned that these lists do not perfectly represent users’ password habits, because they are built from passwords exposed in past data breaches, and the breached services and their user bases skew the sample. Nonetheless, it is worrying that these passwords are still in use. A strong password is, above all, long: a passphrase of several unrelated words beats a short mix of upper- and lower-case letters, numbers, and symbols, and any password that appears on a breach list should be rejected outright regardless of how it is composed. It is also a good idea to use a password manager, which generates and stores a unique random password for every site.
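To make the “cracked in under a second” and “reject breached passwords” points concrete, here is an added example; it is not code from NordPass or from the original article. It takes the ten passwords listed above as a small deny-list, runs a dictionary attack against a constructed breach dump of unsalted SHA-256 hashes (an assumption about how the breached site stored them; real sites vary), contrasts that with the brute-force keyspace bound at an assumed 10^10 guesses per second, and implements a length-plus-deny-list check in the style of NIST SP 800-63B. The function names, the guess rate and the sample passwords are all assumptions made for illustration.

```python
import hashlib
import string
import time

# The ten most-used passwords of 2021 quoted in the article, used here as a
# deny-list. A production deny-list would be a full breached-password corpus.
COMMON_PASSWORDS = {
    "123456", "123456789", "12345", "qwerty", "password",
    "12345678", "111111", "123123", "1234567890", "1234567",
}

# Assumed offline guess rate: one GPU against an unsalted fast hash (assumption).
GUESSES_PER_SECOND = 1e10


def sha256_hex(password: str) -> str:
    """Unsalted SHA-256, standing in for the weak hashing of the breached site."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def dictionary_attack(hashes, wordlist):
    """Recover every hash whose preimage is in the wordlist.

    Returns {hash: plaintext} for the cracked entries. With no salt, one
    hash per wordlist entry is enough to crack the whole dump at once.
    """
    lookup = {sha256_hex(word): word for word in wordlist}
    return {h: lookup[h] for h in hashes if h in lookup}


def keyspace(password: str) -> int:
    """Brute-force search space implied by the character classes present."""
    alphabet = 0
    if any(c in string.digits for c in password):
        alphabet += 10
    if any(c in string.ascii_lowercase for c in password):
        alphabet += 26
    if any(c in string.ascii_uppercase for c in password):
        alphabet += 26
    if any(c in string.punctuation or c == " " for c in password):
        alphabet += len(string.punctuation) + 1
    return alphabet ** len(password)


def crack_seconds(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case seconds to exhaust the keyspace; a dictionary hit is far faster."""
    return keyspace(password) / rate


def is_common(password: str, denylist) -> bool:
    """Exact match, or a trivial variant: case-folded with trailing digits/symbols removed."""
    low = password.lower()
    if low in denylist:
        return True
    stem = low.rstrip(string.digits + string.punctuation)
    return bool(stem) and stem in denylist


def check_password(password: str, denylist=COMMON_PASSWORDS, min_length: int = 12):
    """Length plus deny-list, not composition rules. Empty list means accepted."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if is_common(password, denylist):
        reasons.append("matches a common password or a trivial variant of one")
    return reasons


if __name__ == "__main__":
    # Constructed "breach dump": unsalted SHA-256 hashes of three users' passwords.
    dump = [sha256_hex(p) for p in ("123456", "qwerty", "j8#Vq2!xLp9$wR4")]
    start = time.perf_counter()
    cracked = dictionary_attack(dump, COMMON_PASSWORDS)
    elapsed_ms = (time.perf_counter() - start) * 1000
    print(f"dictionary attack: {len(cracked)}/{len(dump)} hashes cracked in {elapsed_ms:.3f} ms")
    for h, pw in cracked.items():
        print(f"  {h[:16]}... -> {pw!r}")
    for pw in ("123456", "password", "Password123!", "correct horse battery staple"):
        print(f"{pw!r}: keyspace={keyspace(pw):.3e} brute-force<={crack_seconds(pw):.2e}s "
              f"policy={check_password(pw) or 'accepted'}")
```

Note the gap the output exposes: a brute-force bound says “password” needs about 21 seconds at 10^10 guesses per second, yet the dictionary attack recovers it in microseconds, which is why the deny-list check matters more than character-class rules. “Password123!” satisfies every classic composition rule and is still rejected, because stripping its suffix leaves a word on the list.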
The US is offering $10 million for information on DarkSide leaders
The US Department of State is offering a reward of up to $10 million for information leading to the identification or location of individuals holding positions of power in the DarkSide ransomware cybercrime group. In addition, a $5 million reward is also offered to those with information leading to the arrest and/or conviction in any country of any individuals who conspire to participate or are attempting to participate in a DarkSide ransomware attack. The rewards and conditions are the same as the ones offered for information on REvil.
“In offering this reward, the United States demonstrates its commitment to protecting ransomware victims around the world from exploitation by cyber criminals. The United States looks to nations who harbor ransomware criminals that are willing to bring justice for those victim businesses and organizations affected by ransomware,” Department of State spokesperson Ned Price said in a press statement.
The DarkSide ransomware group is responsible for the Colonial Pipeline cyberattack that took place in May 2021. The attack forced the pipeline to temporarily shut down operations, which resulted in fuel shortages on the East Coast of the United States. The downtime lasted for 6 days, though normal operations resumed after 9 days.
Not only did DarkSide encrypt Colonial Pipeline’s files, but the attackers also stole about 100GB of data and threatened to publish it if the ransom was not paid. This double-extortion tactic is now common precisely because it works against victims who have good backups. Only a few hours after the attack, the company agreed to pay the 75 Bitcoin ransom (about $4.4 million at the time). The decision caused some controversy, but Colonial Pipeline was under heavy pressure because its downtime was already causing fuel shortages in numerous states. In the end, the decryption tool it received from DarkSide was so slow that the company restored its systems from its own backups instead.
DarkSide is likely operated from Eastern Europe, specifically Russia, but the group is not believed to be state-sponsored. Because DarkSide is run as a ransomware-as-a-service (RaaS), where affiliates rent the ransomware and pick the targets, its operators attempted to distance themselves from the incident and from their affiliate’s choice of target.
“We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other our motives,” DarkSide said in a statement released on May 10. “Our goal is to make money, and not creating problems for society. We [will] introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”
Soon after the attack, DarkSide went dark and rebranded as BlackMatter. That proved short-lived: BlackMatter announced it was closing shop right before the US Department of State announced the rewards. Increased pressure from law enforcement is the likely reason for the shutdown.
- Press Release. Five Affiliates to Sodinokibi/REvil unplugged. Europol.
- Top 200 most common passwords. NordPass.
WiperSoft.com is not sponsored, affiliated, linked to or owned by malware developers or distributors that are referred to in this article. The article does NOT endorse or promote malicious programs. The intention behind it is to present useful information that will help users to detect and eliminate malware from their computer by using WiperSoft and/or the manual removal guide.
The article should only be used for educational purposes. If you follow the instructions provided in the article, you agree to be bound by this disclaimer. We do not guarantee that the article will aid you in completely removing the malware from your PC. Malicious programs are constantly developing, which is why it is not always easy or possible to clean the computer by using only the manual removal guide.