Cyber Security Today, Sept. 13, 2021 – The REvil ransomware gang is back, a new botnet is discovered and Formbook malware rises

The REvil ransomware gang is back, a new botnet is discovered and Formbook malware rises.

Welcome to Cyber Security Today. It’s Monday September 13th. I’m Howard Solomon, contributing writer on cybersecurity for

Cyb er Security Today on Amazon Alexa Cyber Security Today on Google Podcasts Subscribe to Cyber Security Today on Apple Podcasts


Bad news on the ransomware front: The REvil ransomware gang is definitely back. There was some uncertainty about that last week when after two months of silence the data leak and payment websites of the gang were re-activated. No new victims were listed at that point. However, on Saturday the Bleeping Computer news service reported the gang has published screenshots of stolen data of a new victim. Why the gang was away isn’t clear. Some security researchers suspected that REvil was worried about being tracked by police after news spread internationally of its attack on Kaseya during the summer. A post on a criminal website suggested the gang worried that one of its members had been arrested, so it turned its servers off. A more recent post claimed the gang just wanted a break. It doesn’t matter. No matter who the gang is IT and security leaders have to be ready for ransomware attacks.

A new botnet that launches huge denial of service attacks has been discovered. A Russian cybersecurity firm called Qrator and the Yandex search engine believe more than 200,000 compromised network devices such as routers, gateways and switches are involved. One of the victims was Yandex. Dubbed the Meris botnet, many of the compromised devices are manufactured by a Latvian company called MikroTik. MicroTik says many of the devices were compromised in 2018 when its RouterOS operating system had a vulnerability. That vulnerability was quickly patched. But MikroTik says device operators have to change their passwords as well as apply the patch. On the other hand the Qrator/Yandex report says many of the compromised devices have newer versions of the MikroTik operating system.

A denial of service attack is like someone pounding on a company’s front door, except the front door is a website. Crooks launch denial of service attacks on victim companies to make their websites unavailable, then demand payment to stop. Huge attacks by this botnet have been launched against organizations in the United States, Russia and New Zealand. Most of the compromised devices are in Brazil, Indonesia, India, Bangladesh, Russia and the U.S. This is another reminder to IT departments and individuals to regularly check the website of the manufacturer of your routers and switches for firmware updates. If your manufacturer has stopped offering support for your device it’s time to buy a new one.

Many IT security teams are familiar with a piece of malware called Trickbot, which has many tricks including the ability to steal passwords. However, defenders should also be on the lookout for an information stealer called Formbook. According to the latest research from Check Point Software, Formbook was the most common malware caught by Check Point’s network last month. Trickbot was number two. Formbook, which is distributed by infected email attachments, copies usernames and passwords from web browsers, takes screenshots, monitors and logs users’ keystrokes and can download malware onto victims’ computers.

Japanese electronics giant Fujitsu says data allegedly stolen from the company and being sold on the Marketo criminal marketplace really came from another firm. Fujitsu told the ZDNet news service that the data really from another Japanese firm it partners with. Marketo’s description of the information for sale now describes it as relating to that other company.

Finally, WhatsApp is about to offer users the option of encrypting their message backups as extra privacy protection. The company said the option will be available in the next few weeks to users of the iOS and Android service. The backup protection will be secured either manually or with a user password. Neither WhatsApp nor the backup service provider will be able to access these backups. WhatsApp users’ messages are already protected from interception with encryption.

That’s it for now Remember links to details about podcast stories are in the text version at That’s where you’ll also find other stories of mine.

Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada
Howard Solomon
Howard Solomon
Currently a freelance writer. Former editor of and Computing Canada. An IT journalist since 1997, Howard has written for several of ITWC's sister publications, including Before arriving at ITWC he served as a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

Follow this Cyber Security Today

More Cyber Security Today