
What You Should Know About the Equifax Data Breach Settlement

Big-three credit bureau Equifax has reportedly agreed to pay at least $650 million to settle lawsuits stemming from a 2017 breach that let intruders steal personal and financial data on roughly 148 million Americans. Here’s a brief primer that attempts to break down what this settlement means for you, and what it says about the value of your identity.


Q: What happened?

A: If the terms of the settlement are approved by a court, the Federal Trade Commission says Equifax will be required to spend up to $425 million helping consumers who can demonstrate they were financially harmed by the breach. The company also will provide up to 10 years of free credit monitoring to those who had their data exposed.

Q: What about the rest of the money in the settlement?

A: An as-yet undisclosed amount will go to pay lawyers fees for the plaintiffs.

Q: $650 million seems like a lot. Is that some kind of record?

A: If not, it’s pretty close. The New York Times reported earlier today that it was thought to be the largest settlement ever paid by a company over a data breach, but that statement doesn’t appear anywhere in their current story.

Q: Hang on…148 million affected consumers…out of that $425 million pot that comes to just $2.87 per victim, right?

A: That’s one way of looking at it. But as always, the devil is in the details. You won’t see a penny or any other benefit unless you do something about it, and how much you end up costing the company (within certain limits) is up to you.

The Times reports that the proposed settlement assumes that only around seven million people will sign up for their credit monitoring offers. “If more do, Equifax’s costs for providing it could rise meaningfully,” the story observes.

Q: Okay. What can I do?

A: You can visit www.equifaxbreachsettlement.com, although none of this will be official or on offer until a court approves the settlement.

Q: Uh, that doesn’t look like Equifax’s site…

A: Good eyes! It’s not. It’s run by a third party. But we should probably just be grateful for that; given Equifax’s total dumpster fire of a public response to the breach, the company has shown itself incapable of operating (let alone securing) a properly functioning Web site.

Q: What can I get out of this?

A: In a nutshell, affected consumers are eligible to apply for one or more remedies, including:

Free credit monitoring: At least three years of credit monitoring via all three major bureaus simultaneously, including Equifax, Experian and TransUnion. The settlement also envisions up to six more years of single-bureau monitoring through Experian. Or, if you don’t want to take advantage of the credit monitoring offers, you can opt instead for a $125 cash payment. You can’t get both.

Reimbursement: …For the time you spent remedying identity theft or misuse of your personal information caused by the breach, or purchasing credit monitoring or credit reports. This is capped at 20 total hours at $25 per hour ($500). Total cash reimbursement payment will not exceed $20,000 per consumer.

Help with ongoing identity theft issues: Up to seven years of “free assisted identity restoration services.” Again, the existing breach settlement page is light on specifics there.

Q: Does this cover my kids/dependents, too?

A: The FTC says if you were a minor in May 2017 (when Equifax first learned of the breach), you are eligible for a total of 18 years of free credit monitoring.

Q: How do I take advantage of any of these?

A: You can’t yet. The settlement has to be approved first. The settlement Web site says to check back again later. In addition to checking the breach settlement site periodically, consumers can sign up with the FTC to receive email updates about this settlement.

The settlement site said consumers also can call 1-833-759-2982 for more information. Press #2 on your phone’s keypad if you want to skip the 1-minute preamble and get straight into the queue to speak with a real person.

KrebsOnSecurity dialed in to ask for more details on the “free assisted identity restoration services,” and the person who took my call said they’d need some basic information about me in order to proceed: my name, address and phone number. I gave him a number and a name, and after checking with someone he came back and said the restoration services would be offered by Equifax, but confirmed that affected consumers would still have to apply for it.

He added that the Equifaxbreachsettlement.com site will soon include a feature that lets visitors check to see if they’re eligible, but also confirmed that just checking eligibility won’t entitle one to any of the above benefits: Consumers will still need to file a claim through the site (when it’s available to do so).

ANALYSIS

We’ll see how this unfolds, but I’ll be amazed if anything related to taking advantage of this settlement is painless. I still can’t even get a free copy of my credit report from Equifax, as I’m entitled to under the law for free each year. I’ve even requested a copy by mail, according to their instructions. So far nothing.

But let’s say for the sake of argument that our questioner is basically right — that this settlement breaks down to about $3 worth of flesh extracted from Equifax for each affected person. The thing is, this figure probably is less than what Equifax makes selling your credit history to potential creditors each year.

In a 2017 story about the Equifax breach, I quoted financial fraud expert Avivah Litan saying the credit bureaus make about $1 every time they sell your credit file to a potential creditor (or identity thief posing as you). According to recent stats from the New York Federal Reserve, there were around 145 million hard credit pulls in the fourth quarter of 2018 (it’s not known how many of those were legitimate or desired).

But there is something you can do to stop the Equifax and the other bureaus from profiting this way: Freeze your credit files with them.

A security freeze essentially blocks any potential creditors from being able to view or “pull” your credit file, unless you affirmatively unfreeze or thaw your file beforehand. With a freeze in place on your credit file, ID thieves can apply for credit in your name all they want, but they will not succeed in getting new lines of credit in your name because few if any creditors will extend that credit without first being able to gauge how risky it is to loan to you. And it’s now free for all Americans.

This post explains in detail what’s involved in freezing your files; how to place, thaw or remove a freeze; the limitations of a freeze and potential side effects; and alternatives to freezes.

What’s wrong with just using credit monitoring, you might ask? These services do not prevent thieves from using your identity to open new lines of credit, and from damaging your good name for years to come in the process. The most you can hope for is that credit monitoring services will alert you soon after an ID thief does steal your identity.

If past experience is any teacher, anyone with a freeze on their credit file will need to briefly thaw their file at Equifax before successfully signing up for the service when it’s offered. Since a law mandating free freezes across the land went into effect, all three bureaus have made it significantly easier to place and lift security freezes.

Probably too easy, in fact. Especially for people who had freezes in place before Equifax revamped its freeze portal. Those folks were issued a numeric PIN to lift, thaw or remove a freeze, but Equifax no longer lets those users do any of those things online with just the PIN.

These days, that PIN doesn’t play a role in any freeze or thaw process. To create an account at the MyEquifax portal, one need only supply a name, address, Social Security number, date of birth and any phone number (all data points exposed in the Equifax breach, and in any case widely available for sale in the cybercrime underground) and answer four multiple-guess questions whose answers are often available in public records or on social media.

And so this is yet another reason why you should freeze your credit: If you don’t sign up as you at MyEquifax, someone else might do it for you.

What else can you do in the meantime? Be wary of any phone calls or emails you didn’t sign up for that invoke this data breach settlement and ask you to provide personal and/or financial information.

And if you haven’t done so lately, go get a free copy of your credit report from annualcreditreport.com; by law all Americans are entitled to a free report from each of the major bureaus annually. You can opt for one report, or all three at once. Either way, make sure to read the report(s) closely and dispute anything that looks amiss.

It has long been my opinion that the big three bureaus are massively stifling innovation and offering consumers so little choice or say in the bargain that’s being made on the backs of their hard work, integrity and honesty. The real question is, if someone or something eventually serves to dis-intermediate the big three and throw the doors wide open to competition, what would the net effect for consumers?

Obviously, there is no way to know for sure, but a company that truly offered to pay consumers anywhere near what their data is actually worth would probably wipe these digital dinosaurs from the face of the earth.

That is, if the banks could get on board. After all, the banks and their various fingers are what drive the credit industry. And these giants don’t move very nimbly. They’re massively hard to turn on the simplest changes. And they’re not known for quickly warming to an entirely new model of doing business (i.e. huge cost investments).

My hometown Sen. Mark Warner (D-Va.) seems to suggest the $650 million settlement was about half what it should be.

“Americans don’t choose to have companies like Equifax collecting their data – by the nature of their business models, credit bureaus collect your personal information whether you want them to or not. In light of that, the penalties for failing to secure that data should be appropriately steep. While I’m happy to see that customers who have been harmed as a result of Equifax’s shoddy cybersecurity practices will see some compensation, we need structural reforms and increased oversight of credit reporting agencies in order to make sure that this never happens again.”

Sen. Warner sponsored a bill along with Sen. Elizabeth Warren (D-Ma.) called “The Data Breach Prevention and Compensation Act,” which calls for “robust compensation to consumers for stolen data; mandatory penalties on credit reporting agencies (CRAs) for data breaches; and giving the FTC more direct supervisory authority over data security at CRAs.”

“Had the bill been in effect prior to the 2017 Equifax breach, the company would have had to pay at least $1.5 billion for their failure to protect Americans’ personal information,” Warner’s statement concludes.

Update, 4:44 pm: Added statement from Sen. Warner.

QuickBooks Cloud Hosting Firm iNSYNQ Hit in Ransomware Attack

Cloud hosting provider iNSYNQ says it is trying to recover from a ransomware attack that shut down its network and has left customers unable to access their accounting data for the past three days. Unfortunately for iNSYNQ, the company appears to be turning a deaf ear to the increasingly anxious cries from its users for more information about the incident.

A message from iNSYNQ to customers.

Gig Harbor, Wash.-based iNSYNQ specializes in providing cloud-based QuickBooks accounting software and services. In a statement posted to its status page, iNSYNQ said it experienced a ransomware attack on July 16, and took its network offline in a bid to contain the spread of the malware.

“The attack impacted data belonging to certain iNSYNQ clients, rendering such data inaccessible,” the company said. “As soon as iNSYNQ discovered the attack, iNSYNQ took steps to contain it. This included turning off some servers in the iNSYNQ environment.”

iNSYNQ said it has engaged outside cybersecurity assistance to determine whether any customer data was accessed without authorization, but that so far it has no estimate for when those files might be available again to customers.

Meanwhile, iNSYNQ’s customers — many of them accountants who manage financial data for a number of their own clients — have taken to Twitter to vent their frustration over a lack of updates since that initial message to users.

In response, the company appears to have simply deleted or deactivated its Twitter account (a cached copy from June 2019 is available here). Several customers venting about the outage on Twitter also accused the company of unpublishing negative comments about the incident from its Facebook page.

Some of those customers also said iNSYNQ initially blamed the outage on an alleged problem with U.S.-based nationwide cable ISP giant Comcast. Meanwhile, competing cloud hosting providers have been piling on to the tweetstorms about the iNSYNQ outage by marketing their own services, claiming they would never subject their customers to a three-day outage.

iNSYNQ has not yet responded to requests for comment.

Update, 4:35 p.m. ET: I just heard from iNSYNQ’s CEO Elliot Luchansky, who shared the following:

While we have continually updated our website and have emailed customers once if not twice daily during this malware attack, I acknowledge we’ve had to keep the detail fairly minimal.

Unfortunately, and as I’m sure you’re familiar with, the lack of detailed information we’ve shared has been purposeful and in an effort to protect our customers and their data; we’re in a behind-the-scenes trench warfare doing everything we possibly can to secure and restore our system and customer data and backups. I understand why our customers are frustrated, and we want more than anything to share every piece of information that we have.

Our customers and their businesses are our number one priority right now. Our team is working around the clock to secure and restore access to all impacted data, and we believe we have an end in sight in the near future.

You know as well as we that no one is 100% impervious to this – businesses large and small, governments and individuals are susceptible. iNSYNQ and our customers were the victims of a malware attack that’s a totally new variant that hadn’t been detected before, confirmed by the experienced and knowledgeable cybersecurity team we’ve employed.

Original story: There is no question that a ransomware infestation at any business — let alone a cloud data provider — can quickly turn into an all-hands-on-deck, hair-on-fire emergency that diverts all attention to fixing the problem as soon as possible.

But that is no excuse for leaving customers in the dark, and for not providing frequent and transparent updates about what the victim organization is doing to remediate the matter. Particularly when the cloud provider in question posts constantly to its blog about how companies can minimize their risk from such incidents by trusting it with their data.

Ransomware victims perhaps in the toughest spot include those providing cloud data hosting and software-as-a-service offerings, as these businesses are completely unable to serve their customers while a ransomware infestation is active.

The FBI and multiple security firms have advised victims not to pay any ransom demands, as doing so just encourages the attackers and in any case may not result in actually regaining access to encrypted files.

In practice, however, many cybersecurity consulting firms are quietly telling their customers that paying up is the fastest route back to business as usual. It’s not hard to see why: Having customer data ransomed or stolen can send many customers scrambling to find new providers. As a result, the temptation to simply pay up may become stronger with each passing day.

That’s exactly what happened in February, when cloud payroll data provider Apex Human Capital Management was knocked offline for three days following a ransomware infestation.

On Christmas Eve 2018, cloud hosting provider Dataresolution.net took its systems offline in response to a ransomware outbreak on its internal networks. The company was adamant that it would not pay the ransom demand, but it ended up taking several weeks for customers to fully regain access to their data.

KrebsOnSecurity will endeavor to update this story as more details become available. Any iNSYNQ customer affected by the outage is welcome to contact this author via Twitter (my direct messages are open to all) or at krebsonsecurity @ gmail.com.

Party Like a Russian, Carder’s Edition

“It takes a certain kind of man with a certain reputation
To alleviate the cash from a whole entire nation…”

KrebsOnSecurity has seen some creative yet truly bizarre ads for dodgy services in the cybercrime underground, but the following animated advertisement for a popular credit card fraud shop likely takes the cake.

The name of this particular card shop won’t be mentioned here, and its various domain names featured in the video have been pixelated so as not to further promote the online store in question.

But points for knowing your customers, and understanding how to push emotional buttons among a clientele that mostly views America’s financial system as one giant ATM that never seems to run out of cash.

WARNING: Some viewers may find this video disturbing. Also, it is almost certainly Not Safe for Work.

The above commercial is vaguely reminiscent of the slick ads produced for and promoted by convicted Ukrainian credit card fraudster Vladislav “BadB” Horohorin, who was sentenced in 2013 to serve 88 months in prison for his role in the theft of more than $9 million from RBS Worldpay, an Atlanta-based credit card processor. (In February 2017, Horohorin was released and deported from the United States. He now works as a private cybersecurity consultant).

The clip above is loosely based on the 2016 music video, “Party Like a Russian,” produced by British singer-songwriter Robbie Williams.

Tip of the hat to Alex Holden of Hold Security for finding and sharing this video.

Meet the World’s Biggest ‘Bulletproof’ Hoster

For at least the past decade, a computer crook variously known as “Yalishanda,” “Downlow” and “Stas_vl” has run one of the most popular “bulletproof” Web hosting services catering to a vast array of phishing sites, cybercrime forums and malware download servers. What follows are a series of clues that point to the likely real-life identity of a Russian man who appears responsible for enabling a ridiculous amount of cybercriminal activity on the Internet today.

Image: Intel471

KrebsOnSecurity began this research after reading a new academic paper on the challenges involved in dismantling or disrupting bulletproof hosting services, which are so called because they can be depended upon to ignore abuse complaints and subpoenas from law enforcement organizations. We’ll get to that paper in a moment, but for now I mention it because it prompted me to check and see if one of the more infamous bulletproof hosters from a decade ago was still in operation.

Sure enough, I found that Yalishanda was actively advertising on cybercrime forums, and that his infrastructure was being used to host hundreds of dodgy sites. Those include a large number of cybercrime forums and stolen credit card shops, ransomware download sites, Magecart-related infrastructure, and a metric boatload of phishing Web sites mimicking dozens of retailers, banks and various government Web site portals.

I first encountered Yalishanda back in 2010, after writing about “Fizot,” the nickname used by another miscreant who helped customers anonymize their cybercrime traffic by routing it through a global network of Microsoft Windows computers infected with a powerful malware strain called TDSS.

After that Fizot story got picked up internationally, KrebsOnSecurity heard from a source who suggested that Yalishanda and Fizot shared some of the same infrastructure.

In particular, the source pointed to a domain that was live at the time called mo0be-world[.]com, which was registered in 2010 to an Aleksandr Volosovyk at the email address stas_vl@mail.ru. Now, normally cybercriminals are not in the habit of using their real names in domain name registration records, particularly domains that are to be used for illegal or nefarious purposes. But for whatever reason, that is exactly what Mr. Volosovyk appears to have done.

WHO IS YALISHANDA?

The one or two domain names registered to Aleksandr Volosovyk and that mail.ru address state that he resides in Vladivostok, which is a major Pacific port city in Russia that is close to the borders with China and North Korea. The nickname Yalishanda means “Alexander” in Mandarin (亚历山大).

Here’s a snippet from one of Yalishanda’s advertisements to a cybercrime forum in 2011, when he was running a bulletproof service under the domain real-hosting[.]biz:

-Based in Asia and Europe.
-It is allowed to host: ordinary sites, doorway pages, satellites, codecs, adware, tds, warez, pharma, spyware, exploits, zeus, IRC, etc.
-Passive SPAM is allowed (you can spam sites that are hosted by us).
-Web spam is allowed (Hrumer, A-Poster ….)

-Forbidden: Any outgoing Email spam, DP, porn, phishing (exclude phishing email, social networks)

There is a server with instant activation under botnets (zeus) and so on. The prices will pleasantly please you! The price depends on the specific content!!!!

Yalishanda would re-brand and market his pricey bulletproof hosting services under a variety of nicknames and cybercrime forums over the years, including one particularly long-lived abuse-friendly project aptly named abushost[.]ru.

In a talk given at the Black Hat security conference in 2017, researchers from Cisco and cyber intelligence firm Intel 471 labeled Yalishanda as one of the “top tier” bulletproof hosting providers worldwide, noting that in just one 90-day period in 2017 his infrastructure was seen hosting sites tied to some of the most advanced malware contagions at the time, including the Dridex and Zeus banking trojans, as well as a slew of ransomware operations.

“Any of the actors that can afford his services are somewhat more sophisticated than say the bottom feeders that make up the majority of the actors in the underground,” said Jason Passwaters, Intel 471’s chief operating officer. “Bulletproof hosting is probably the biggest enabling service that you find in the underground. If there’s any one group operation or actor that touches more cybercriminals, it’s the bulletproof hosters.”

Passwaters told Black Hat attendees that Intel 471 wasn’t convinced Alex was Yalishanda’s real name. I circled back with Intel 471 this week to ask about their ongoing research into this individual, and they confided that they knew at the time Yalishanda was in fact Alexander Volosovyk, but simply didn’t want to state his real name in a public setting.

KrebsOnSecurity uncovered strong evidence to support a similar conclusion. In 2010, this author received a massive data dump from a source that had hacked into or otherwise absconded with more than four years of email records from ChronoPay — at the time a major Russian online payment provider whose CEO and co-founders were the chief subjects of my 2014 book, Spam Nation: The Inside Story of Organized Cybercrime.

Querying those records on Yalishanda’s primary email address — stas_vl@mail.ru — reveals that this individual in 2010 sought payment processing services from ChronoPay for a business he was running which sold counterfeit designer watches.

As part of his application for service, the person using that email address forwarded six documents to ChronoPay managers, including business incorporation and banking records for companies he owned in China, as well as a full scan of his Russian passport.

That passport, pictured below, indicates that Yalishanda’s real name is Alexander Alexandrovich Volosovik. The document shows he was born in Ukraine and is approximately 36 years old.

The passport for Alexander Volosovyk, a.k.a. “Yalishanda,” a major operator of bulletproof hosting services.

According to Intel 471, Yalishanda lived in Beijing prior to establishing a residence in Vladivostok (that passport above was issued by the Russian embassy in Beijing). The company says he moved to St. Petersburg, Russia approximately 18 months ago.

His current bulletproof hosting service is called Media Land LLC. This finding is supported by documents maintained by Rusprofile.ru, which states that an Alexander Volosovik is indeed the director of a St. Petersburg company by the same name.

ARMOR-PIERCING BULLETS?

Bulletproof hosting administrators operating from within Russia probably are not going to get taken down or arrested, provided they remain within that country (or perhaps within the confines of the former republics of the Soviet Union, known as the Commonwealth of Independent States).

That’s doubly so for bulletproof operators who are careful to follow the letter of the law in those regions — i.e., setting up official companies that are required to report semi-regularly on various aspects of their business, as Mr. Volosovik clearly has done.

However, occasionally big-time bulletproof hosters from those CIS countries do get disrupted and/or apprehended. On July 11, law enforcement officials in Ukraine announced they’d conducted 29 searches and detained two individuals in connection with a sprawling bulletproof hosting operation.

The press release from the Ukrainian prosecutor general’s office doesn’t name the individuals arrested, but The Associated Press reports that one of them was Mikhail Rytikov, a man U.S. authorities say was a well-known bulletproof hoster who operated under the nickname “AbdAllah.”

Servers allegedly tied to AbdAllah’s bulletproof hosting network. Image: Gp.gov.ua.

In 2015, the U.S. Justice Department named Rytikov as a key infrastructure provider for two Russian hackers, Vladimir Drinkman and Alexandr Kalinin, in a cybercrime spree the government called the largest known data breach at the time.

According to the Justice Department, Drinkman and his co-defendants were responsible for hacks and digital intrusions against NASDAQ, 7-Eleven, Carrefour, JCP, Hannaford, Heartland, Wet Seal, Commidea, Dexia, JetBlue, Dow Jones, Euronet, Visa Jordan, Global Payment, Diners Singapore and Ingenicard.

Whether AbdAllah ever really faces justice for his alleged crimes remains to be seen. Ukraine does not extradite its citizens, although U.S. authorities have requested extradition in this case. And we have seen time and again how major cybercriminals get raided and detained by local and federal authorities there, only to quickly re-emerge and resume operations shortly thereafter, while the prosecution against them goes nowhere.

Some examples of this include several Ukrainian men arrested in 2010 and accused of running an international crime and money laundering syndicate that used a custom version of the Zeus trojan to siphon tens of millions of dollars from hacked small businesses in the U.S. and Europe. To my knowledge, none of the Ukrainian men that formed the core of that operation were ever prosecuted, reportedly because they were connected to influential figures in the Ukrainian government and law enforcement.

Intel 471’s Passwaters said something similar happened in December 2016, when authorities in the U.S., U.K. and Europe dismantled Avalanche, a distributed, cloud-hosting network that was rented out as a bulletproof hosting enterprise for countless malware and phishing attacks.

Prior to that takedown, Passwaters said, an individual using the nickname “Sosweet,” who was connected to another bulletproof hoster that was raided around the same time as Avalanche, somehow got a tip about the impending raid.

“Sosweet was raided in December right before Avalanche was taken down, [and] we know that he was tipped off because of corruption [because] 24 hours later the guy was back in service and has all his stuff back up,” Passwaters said.

The same also appears to be true for several Ukrainian men arrested in 2011 on suspicion of building and disseminating Conficker, a malware strain that infected millions of computers worldwide and prompted an unprecedented global response from the security industry.

So if a majority of bulletproof hosting businesses operate primarily out of countries where the rule of law is not strong and/or where corruption is endemic, is there any hope for disrupting these dodgy businesses?

Here we come full circle to the academic report mentioned briefly at the top of this story: The answer seems to be — like most things related to cybercrime — “maybe,” provided the focus is on attempting to interfere with their ability to profit from such activities.

That paper, titled Platforms in Everything: Analyzing Ground-Truth Data on the Anatomy and Economics of Bulletproof Hosting, was authored by researchers at New York University, Delft University of Technology, King Saud University and the Dutch National High-Tech Crimes Unit. Unfortunately, it has not yet been released publicly, and KrebsOnSecurity does not have permission yet to publish it.

The study examined the day-to-day operations of MaxiDed, a bulletproof hosting operation based in The Netherlands that was dismantled last summer after authorities seized its servers. The paper’s core findings suggest that because profit margins for bulletproof hosting (BPH) operations are generally very thin, even tiny disruptions can quickly push these businesses into the red.

“We demonstrate the BPH landscape to have further shifted from agile resellers towards marketplace platforms with an oversupply of resources originating from hundreds of legitimate upstream hosting providers,” the researchers wrote. “We find the BPH provider to have few choke points in the supply chain amenable to intervention, though profit margins are very slim, so even a marginal increase in operating costs might already have repercussions that render the business unsustainable.”

Is ‘REvil’ the New GandCrab Ransomware?

The cybercriminals behind the GandCrab ransomware-as-a-service (RaaS) offering recently announced they were closing up shop and retiring after having allegedly earned more than $2 billion in extortion payments from victims. But a growing body of evidence suggests the GandCrab team have instead quietly regrouped behind a more exclusive and advanced ransomware program known variously as “REvil,” “Sodin,” and “Sodinokibi.”

“We are getting a well-deserved retirement,” the GandCrab administrator(s) wrote in their farewell message on May 31. “We are a living proof that you can do evil and get off scot-free.”

However, it now appears the GandCrab team had already begun preparations to re-brand under a far more private ransomware-as-a-service offering months before their official “retirement.”

In late April, researchers at Cisco Talos spotted a new ransomware strain dubbed Sodinokibi that was used to deploy GandCrab, which encrypts files on infected systems unless and until the victim pays the demanded sum. A month later, GandCrab would announce its closure.

A payment page for a victim of REvil, a.k.a. Sodin and Sodinokibi.

Meanwhile, in the first half of May an individual using the nickname “Unknown” began making deposits totaling more than USD $130,000 worth of virtual currencies on two top cybercrime forums. The down payments were meant to demonstrate the actor meant business in his offer to hire just a handful of affiliates to drive a new, as-yet unnamed ransomware-as-a-service offering.

“We are not going to hire as many people as possible,” Unknown told forum members in announcing the new RaaS program. “Five affiliates more can join the program and then we’ll go under the radar. Each affiliate is guaranteed USD 10,000. Your cut is 60 percent at the beginning and 70 percent after the first three payments are made. Five affiliates are guaranteed [USD] 50,000 in total. We have been working for several years, specifically five years in this field. We are interested in professionals.”

Asked by forum members to name the ransomware service, Unknown said it had been mentioned in media reports but that he wouldn’t be disclosing technical details of the program or its name for the time being.

Unknown said it was forbidden to install the new ransomware strain on any computers in the Commonwealth of Independent States (CIS), which includes Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine and Uzbekistan.

The prohibition against spreading malware in CIS countries has long been a staple of various pay-per-install affiliate programs that are operated by crooks residing in those nations. The idea here is not to attract attention from local law enforcement responding to victim complaints (and/or perhaps to stay off the radar of tax authorities and extortionists in their hometowns).

But Kaspersky Lab discovered that Sodinokibi/REvil also includes one other nation on its list of countries that affiliates should avoid infecting: Syria. Interestingly, later versions of GandCrab took the same unusual step.

What’s the significance of the Syria connection? In October 2018, a Syrian man tweeted that he had lost access to all pictures of his deceased children after his computer got infected with GandCrab.

“They want 600 dollars to give me back my children, that’s what they’ve done, they’ve taken my boys away from me for some filthy money,” the victim wrote. “How can I pay them 600 dollars if I barely have enough money to put food on the table for me and my wife?”

That heartfelt appeal apparently struck a chord with the developer(s) of GandCrab, who soon after released a decryption key that let all GandCrab victims in Syria unlock their files for free.

But this rare display of mercy probably cost the GandCrab administrators and its affiliates a pretty penny. That’s because a week after GandCrab released decryption keys for all victims in Syria, the No More Ransom project released a free GandCrab decryption tool developed by Romanian police in collaboration with law enforcement offices from a number of countries and security firm Bitdefender.

The GandCrab operators later told affiliates that the release of the decryption keys for Syrian victims allowed the entropy used by the random number generator for the ransomware’s master key to be calculated. Approximately 24 hours after No More Ransom released its free tool, the GandCrab team shipped an update that rendered it unable to decrypt files.

There are also similarities between the ways that both GandCrab and REvil generate URLs that are used as part of the infection process, according to a recent report from Dutch security firm Tesorion.

“Even though the code bases differ significantly, the lists of strings that are used to generate the URLs are very similar (although not identical), and there are some striking similarities in how this specific part of the code works, e.g., in the somewhat far-fetched way that the random length of the filename is repeatedly recalculated,” Tesorion observed.

My guess is the GandCrab team has not retired, and has simply regrouped and re-branded due to the significant amount of attention from security researchers and law enforcement investigators. It seems highly unlikely that such a successful group of cybercriminals would just walk away from such an insanely profitable enterprise.