This can make it hard for defenders to know what to expect and look out for. Attackers also try to find and gain access to the management consoles of more advanced security solutions in order to disable all protection just before they launch the ransomware. Criminal customers can lease the REvil ransomware from its developers, adding their own tools and resources for targeting and implementation. Vasinskyi was charged in connection with the attack against Kaseya and was arrested in Poland. REvil (detected as Ransom.Sodinokibi) is a family of ransomware developed by a cybercrime group Symantec calls Leafroller. 'SolarWinds with Ransomware' According to Russia Today, REvil was blamed by the FBI in May for the ransomware attack on a Brazilian meat-packing conglomerate. It is just a question of when, not if. Russia-linked REvil Group, also known as Sodinokibi, on July 2 launched an international ransomware attack. The same Russia-based hacking group that … The group also led during the previous quarter. Other groups also failed to keep their promises by publishing the data of victims who chose to pay or by showing fake evidence of data deletion. The standard recommendation for backups is to follow the 3-2-1 method: 3 copies of the data, using 2 different systems, 1 of which is offline. Some attackers also apply emotional pressures, with direct employee or business affiliate appeals and threats over email and phone.
Last, but definitely not least: you’ll need to contact these and other key people, such as customers, to let them know what’s happening, but the attackers may be eavesdropping, so don’t use your normal channels of communication. The gang settled on a $2.3 million … Brian Krebs points to the idea that REvil is the new GrandCrab Ransomware, which is logical. It is sold by criminal group PINCHY SPIDER, which sells RaaS und… The Justice Department is seeking extradition of a Ukrainian man on ransomware charges and has seized $6.1 million in alleged ransom payments from a Russian man, said Attorney General Merrick Garland on Monday. Most attackers will start publishing stolen data anywhere from a few days to a week after the main attack if no contact from the target is received or negotiations break down. It appears that the threat actors knew they were racing against the development of a patch. The REvil ransomware is a part of Ransomware-as-a-Service (RaaS), where a set of people maintain the source code and other affiliate groups distribute the ransomware. But this REvil ransomware attack is one of the biggest yet. The message explains that the victim needs to pay a ransom in bitcoins and that when the ransom is not paid in time the demand doubles. Around 60% of the gang's victims are organizations from the US, followed by the UK, Australia and Canada. This is a command line tool that connects to a wide variety of cloud storage providers. Unique TTPs link Hades ransomware to new threat group, 7 steps to protect against ransomware-related lawsuits. The cybercriminal claims the group made over $100 million from its ransomware attacks. As a global crackdown on ransomware gangs continues, the Justice Department announced Monday the arrest of a hacker with alleged ties to the REvil group, as well as the … Block unneeded SMB and RPC communications between endpoints that can be used for lateral movement.
The idea is that affiliates gain access to the most powerful software in exchange for a cut of the profits. However, it could be several weeks or even longer before anything gets published. REvil is one of the most prominent providers of ransomware as a service (RaaS). The group is accused of staging several attacks this year against major … REvil, or Ransomware Evil, is a criminal organization that’s famous for employing ransomware as a service (RaaS). The agency noted that these efforts were part of an international law enforcement operation named GoldDust that involved 17 countries and started with an investigation into GandCrab. Kaseya VSA is a popular piece of software for remote network management, used by many managed security providers, or MSPs, companies that provide IT services to other companies. The cyber-extortion industry does not work like that. In general, C2 communications are associated with these sorts of attacks, mainly those that go “low and slow” and/or exfiltrate data as part of “double-extortion” ransomware. Their main goal is to get access to domain admin accounts that can be used to launch the ransomware. REvil is known for demanding high ransoms, often in the millions of dollars. REvil is one of the more notorious ransomware gangs of our time. Justice Department indicts two men over REvil ransomware attacks: the attacks shut down a meat processing plant and an internet software provider earlier this year. Mega is popular with attackers because it offers extra levels of anonymity. Approximately 75% of the Sophos-investigated REvil ransomware attacks that included data exfiltration used Mega.nz to temporarily store the stolen information.
It seems that Kaseya VSA servers were vulnerable to a SQL injection attack, allowing the threat actors to remotely exploit them. For example, they might use a tool like RClone. Alternatively, they could install an FTP client like FileZilla or Total Commander FTP and upload the data to their server. This criminal group provides adaptable encryptors and decryptors, infrastructure and services for negotiation communications, and a leak site for publishing stolen data when victims don’t pay the ransom demand. This misdirection would seem like a classic move by malware makers to perpetuate their … This happened with GandCrab in the past and more recently with the Maze group, whose members announced their retirement earlier this month and whose affiliates promptly moved to a new ransomware family called Egregor, also known as Sekhmet. In late September, the group deposited $1 million in bitcoin on a hacker forum in an attempt to recruit more skilled hackers to become its affiliates, BleepingComputer reported. Monitor your network security 24/7 and be aware of the five early indicators an attacker is present. Shut down internet-facing remote desktop protocol (RDP) to deny cybercriminals access to networks. RaaS is a business model where hackers work with affiliates. REvil has two other interesting characteristics. The company ultimately paid $11m to the hackers. If Mimikatz is blocked by security software, the attackers may instead use something like Microsoft Process Monitor to do a memory dump of LSASS.exe and take that dump file back to their machine to extract the information with Mimikatz. If they are intact, make an offline copy immediately.
Ivan Righi, cyber threat intelligence analyst at Digital Shadows, said the REvil ransomware group is known for its high ransom demands and referenced a recent attack in … In … The ransomware is used in targeted attacks, where … However, this image is not completely correct. These cryptographic algorithms use shorter keys, are highly efficient and are uncrackable if implemented correctly. Attackers use legitimate network scanners like “Advanced Port Scanner” and “Angry IP Scanner” due to their effectiveness and the fact that they are unlikely to be blocked.

## What is REvil

REvil, a.k.a. Sodinokibi, is a Ransomware as a Service (RaaS) operation deployed by a Russian cybercrime group named GOLD SOUTHFIELD or Pinchy Spider. REvil Ransomware Attack on Kaseya VSA: What You Need to Know. Since REvil is distributed by different affiliates, the initial access vectors differ, from phishing emails with malicious attachments to compromised RDP (Remote Desktop Protocol) credentials and the exploitation of vulnerabilities in various public-facing services. Were they intercepting communications between the DIVD.nl team and Kaseya? After its recent activity, which included targeting US IT management software provider Kaseya, its websites went … The average ransom demand for a REvil ransomware infection is a whopping $260,000.
Some attackers use more advanced tools such as Cobalt Strike, a post-exploitation pen-testing tool. Editor’s note: This article is part of a series of “What to expect” guides featuring prevalent ransomware families. Ransomware group REvil has made their latest attack on a cosmetic surgery clinic with a long list of high-profile clients. In particular, Coveware has seen incidents where victims who already paid were re-extorted by REvil a few weeks later with threats to release the same data. The message explains that you must pay a ransom in bitcoin—and if it’s not paid in time, the demand doubles. REvil (Ransomware Evil; also known as Sodinokibi) is a private ransomware-as-a-service (RaaS) operation. After an attack, REvil would threaten to publish the information on their page 'Happy Blog' unless the ransom is received. NIST has published. Also, as the updates are typically distributed to many nodes, the recovery for infected organizations may be arduous. Note: The encryption process can take hours. The REvil group is also known sometimes by other names such as Sodin and Sodinokibi. These questions remain unanswered presently. In the early days of REvil, researchers and security firms identified it as a strain of GandCrab, or at least established multiple links between the two. REvil is an ambitious criminal ransomware-as-a-service (RAAS) enterprise that first came to prominence in April 2019, following the demise of another ransomware gang, GandCrab. Soon after the news about the ransomware group shutdown, another piece of bad news came out. Unless your backups are stored offline, they are within reach of the attackers.
It doesn’t matter how good your protection is if the attacker can turn it off or modify its policy. GMER is an anti-rootkit tool that is not inherently malicious, although some security technologies will flag it as a Potentially Unwanted Application (PUA). The REvil ransomware arrests are the fruits of a broader international law enforcement campaign called Operation GoldDust, which involves 17 countries along with … Unknown, the REvil representative, told the Russian blogger that the group is also looking into adopting other techniques, such as launching distributed denial-of-service (DDoS) attacks to force the hand of organizations that suspend negotiations. What is REvil? The following information may help IT admins facing or proactively concerned with the impact of a REvil ransomware attack. The REvil ransomware group is a well-known purveyor of such crimes. REvil (detected as Ransom.Sodinokibi) is a family of ransomware developed by a cybercrime group that Symantec calls Leafroller. IBM Security X-Force estimated that REvil hit at least 140 organizations since it appeared in April 2019, with wholesale, manufacturing, and professional services being the most frequently targeted industries. It is used by the financially motivated GOLD SOUTHFIELD threat group, which distributes ransomware via exploit kits. Also, which machines were protected? Inside local networks, take these actions: "Certain industries, such as healthcare, may seem to be more heavily targeted than others, because of the sensitive data they hold and their relative intolerance of downtime," the Coveware researchers said. REvil ransomware remotely connects to the system, infects it and encrypts files using a specific encryption algorithm.
Up to this point, the attackers have been trying to stay hidden, but here their tactics change. The track records are too short, and evidence that defaults are selectively occurring is already collecting. When it was shut down in 2019, GandCrab was one of the top ransomware families. The REvil gang utilizes a ransomware-as-a-service (RaaS) business model, in which they lease ransomware variants in the same way software developers lease software-as-a-service products. The average ransom payment to the group … It’s a sign that these cyber extortions are only getting worse. A “backup” that is online and available all the time is just a second copy of the files waiting to be encrypted. … This is why most targeted ransomware attacks are launched in the middle of the night, over a weekend or on a holiday, when fewer people are watching. In addition, the payload will try to turn off the firewall and enable network discovery using Defender later on as a redundant step (the firewall and Defender are already terminated and disabled). Once all the files on the server are encrypted, the server’s background will be changed, with a ransom note on both the desktop and the “C:\” drive containing the string to check against the ransom negotiation site (can be seen in the appendix). Like most other ransomware strains, after … Multiple organizations throughout Europe and APAC have been forced to shut down their business entirely while they remediate. The REvil ransomware gang is in the news again! Train employees on how to detect phishing attempts. REvil, also known as Sodinokibi, is a widely used, conventional ransomware-as-a-service (RaaS) offering that has been around since 2019.
The attackers exploited vulnerable, internet-facing VSA servers commonly running upstream of many victims, in networks of MSPs, using them as backdoors, making it difficult or impossible for the victims to detect or prevent infection as the ransomware flowed “downstream.” The ransomware works in targeted attacks … 73% of Ransomware Detections in Q2 2021 Credited to REvil/Sodinokibi: McAfee’s cyber threat report revealed that healthcare was the second-most targeted sector for cloud … Secureworks® Counter Threat Unit™ (CTU) analysis suggests that REvil is likely associated with the GandCrab ransomware due to similar code and the emergence of REvil as GandCrab activity declined. CTU™ researchers attribute GandCrab to the GOLD GARDEN threat group. REvil can perform the following tasks. The recent crackdown on cybercriminals, especially the targeting of the REvil aka Sodinokibi ransomware group, has been fascinating to watch. Third party reporting suggests REvil was developed by … Sodinokibi also makes up 29% of all IBM Security X-Force ransomware engagements in 2020, "suggesting that Sodinokibi actors are more skilled at gaining access to victim networks when compared to other ransomware strains." The gang was branded by … An alleged member of the group, using the handle Unknown, confirmed in a recent interview that the ransomware was not a new creation and that it was built on top of an older codebase that the group acquired. Editor's note: This article, originally published on November 17, 2020, has been updated to include events that occurred in July, September and November of 2021.
Also test your ability to perform a restore. Prevent attackers from getting access to and disabling your security: choose a solution with a cloud-hosted management console with multi-factor authentication enabled and Role Based Administration to limit access rights. Remember, there is no single silver bullet for protection, and a, Have an effective incident response plan in place and update it as needed. In essence, this means that REvil creates the ransomware tools that launch dangerous attacks on systems. The ransomware as a service (RaaS) group has built a reputation for targeting critical infrastructure and employing double extortion techniques. The REvil ransomware group is also attributed to the Travelex ransomware attack in 2020 that attracted an initial $6 million ransom demand. Have a data backup process in place that stores backups offsite and tests that restoring from backups can be done in a timely manner. Two unique mutexes were observed as part of this campaign: “BlackLivesMatter” was part of REvil’s Sodinokibi piece, observed in previous campaigns from January 2019, while the second mutex is considered new. Are your backups still intact, or has the attacker deleted them? This means that after breaking in, hackers use a variety of tools and techniques to map the network, perform lateral movement, obtain domain administrator privileges, and deploy the ransomware on all computers to maximize the impact. REvil is the infamous group behind the U.S. Colonial Pipeline ransomware attack, the JBS Meat Supplier exploit, and what’s been coined as “The Biggest Ransomware Attack on Record,” Kaseya — just to name a few of their highly publicized cyber attacks. The ransomware will encrypt all files that are not contained within the whitelisted filenames and extension fields, which are stored in the configuration. Instead, REvil acts as a Ransomware as a Service (RaaS) exchange provider.
This makes it seem like the ransomware is “spreading” when it is just caused by the GPO. REvil Ransomware affiliates have been ramping up their threats to sell stolen data from law firms, Trump, celebrities, and now a food … REvil is an ambitious criminal ransomware-as-a-service (RAAS) enterprise that first came to prominence in April 2019. According to those posts, the master decryption key was generated accidentally by one of the group's coders and was bundled with the individual decryption keys for some of the victims. Attackers can then capture this admin’s credentials. The exact forum is dedicated to REvil. REvil ransomware is a ransomware computer virus or form of malware that is similar to the Locky and CryptoWall malware strains. One of the first things attackers will do when they get onto a network is identify what access they have on the local machine. These scanners will generate a list of IPs and machine names. On July 3rd, at 10:00 AM EST, a malicious hotfix was released and pushed by Kaseya VSA servers that propagated to servers managed by Kaseya, resulting in the compromise and encryption of thousands of nodes at hundreds of different businesses. It has emerged as one of the world’s most notorious ransomware operators. Neither worm capabilities (following the “PrintNightmare” exploit leak) nor attempts to “beacon” and communicate with a C2 server during the infection process were observed, hinting at the goals and priorities of the threat actors. REvil’s name is an amalgam of “ransomware” and “evil,” said Satnam Narang, a staff research engineer for the security firm Tenable. REvil ransomware is a new file blocking virus. A cyberattack on the US tech provider Kaseya has been named one of the most significant ransomware attacks. REvil, one of the world’s most active ransomware gangs, has updated its blog claiming responsibility.
"Despite some companies opting to pay threat actors to not release exfiltrated data, Coveware has seen a fraying of promises of the cybercriminals (if that is a thing) to delete the data." The REvil ransomware gang, also known as Sodinokibi, is publicly demanding $70 million to restore the data it's holding ransom after their data-scrambling software affected … An attacker might create a batch script that loops through a list of your IP addresses, using PsExec to copy the ransomware to each machine and then execute it. After encryption, … However, they also target specific admin accounts that have access to sensitive data, backup systems and security management consoles. In addition, two REvil … Should you report the incident to law enforcement and/or inform data protection authorities? The same day, Europol announced that five suspected REvil affiliates have been arrested since February, including two in November in Romania. REvil ransomware is a file blocking virus considered a serious threat that encrypts files after infection and drops a ransom request message. Unknown also confirmed in his interview that many REvil affiliates use brute force attacks to compromise RDP. Shortly after the talks, REvil's websites stopped working and the group went silent, prompting speculation that Russian law enforcement might have taken action against it. Sophos experts investigating a recent REvil attack found a direct link between an inbound phishing email and a multi-million-dollar ransom attack two months later. The group is also working to mend relationships with its collaborators and affiliates after its abrupt disappearance, Flashpoint reported. REvil (Ransomware Evil; also known as Sodinokibi) is a Russia-based or Russian-speaking private ransomware-as-a-service (RaaS) operation.
The DOJ's second announcement was the seizure of funds believed to have belonged to a second REvil operator, 28-year-old Russian national Yevgeniy Polyanin, who was … For example, “MyReport.docx” might become “MyReport.docx.encrypted.” The ransom notes are often displayed prominently in multiple places, adding to the chaos and stress. After an attack, REvil would threaten to publish the information on their page Happy Blog unless the ransom was received. The gang previously attacked meatpacking giant JBS. On Saturday, October 17, the REvil group member (0_neday) started a topic on a Darknet forum. The phishing email, which succeeded in capturing an employee’s access credentials, probably came from an Initial Access Broker, who, a few weeks later, appears to have used PowerSploit and Bloodhound to move through the breached network to locate high value domain admin credentials. Other guides cover Conti ransomware and Avaddon ransomware. Both men were part of the REvil cybercriminal gang linked to an attack that shut down JBS cattle slaughter plants in the United States, Canada and Australia in … The REvil (also known as Sodin or Sodinokibi) ransomware has been known since 2019 and it can both encrypt data and steal it. REvil says they have more than a million infected systems, but as of July 6th, roughly 60 of Kaseya’s direct customers appear to have been impacted according to reporting by Bleeping Computer, resulting in about 800 to 1,500 compromised businesses downstream. Another high-profile ransomware attack took place this May on JBS Foods, one of the biggest meat processing companies in the world. Accordingly, we strongly advise all victims of data exfiltration to take the hard but responsible steps. Note: In one REvil attack that Sophos investigated, the adversaries had installed the Screen Connect remote access tool onto 130 devices, roughly a third of the network, in order to maintain access if they were removed or blocked elsewhere.
Attackers typically compromise multiple accounts during an attack. REvil shutdown. REvil disappeared after its biggest ransomware heist in July 2021, attacking the Kaseya VSA remote management platform. The group, called REvil, short for “Ransomware evil,” has been identified by U.S. intelligence agencies as responsible for the attack on one of … Sophos experts have also seen REvil ransomware attackers rebooting the computer into Safe Mode before data encryption in order to bypass endpoint protection tools. Security management consoles hosted locally are especially at risk, as attackers could access them with the accounts they have already compromised. Once published, the hotfix created a folder under the C: drive called kworking, consistent with the behavior of a hotfix. REvil Ransomware Hackers Are Ramping Up Efforts. “They commonly leave vulnerabilities like RDP open to the internet and are victimized much more regularly than companies in other industries. REvil (Sodinokibi) ransomware also uses IOCPs to achieve … REvil attackers have used GMER to try to disable security software. Affiliates of REvil often use two approaches to persuade victims into paying up: they encrypt data so that organizations cannot access information, use critical computer systems or restore from backups, and they also steal data and threaten to post it on a leak site (a tactic known as double extortion). There are some proactive steps you can take to enhance your IT security for the future, including: Further advice and technical information related to REvil ransomware can be found in MTR in Real Time: Hand-to-Hand Combat with REvil Ransomware Chasing a $2.5 Million Pay Day, and Relentless REvil, Revealed: RaaS as Variable as the Criminals Who Use It. This latest attack appears to be its largest ever.
The more successful a RaaS operation is, the more likely it is to attract skilled affiliates, and if one operation closes, affiliates quickly shift to a different one. If the intruders have been in your network for a while, they’ll probably have access to email, for instance. Even if RDP is disabled by default, it is very easy for an attacker with admin access to the machine to re-enable it.

Terminates Windows Defender’s real-time monitoring, network monitoring, folder protections, live script and file scanning, host-based IPS, cloud auto-submission, and turns on audit mode.
Decrypts the dropped certificate for the payload to use, utilizing Windows built-in “certutil”.
“HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon” -> “DefaultPassword”=”
netsh advfirewall firewall set rule group=”Network Discovery” new enable=Yes

d8353cfc5e696d3ae402c7c70565c1e7f31e49bcf74a6e12e5ab044f306b4b20
d5ce6f36a06b0dc8ce8e7e2c9a53e66094c2adfc93cfac61dd09efe9ac45a75f
cc0cdc6a3d843e22c98170713abf1d6ae06e8b5e34ed06ac3159adafe85e3bd6
0496ca57e387b10dfdac809de8a4e039f68e8d66535d5d19ec76d39f7d0a4402
8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd
1fe9b489c25bb23b04d9996e8107671edee69bd6f6def2fe7ece38a0fb35f98e
66490c59cb9630b53fa3fa7125b5c9511afde38edab4459065938c1974229ca8
dc6b0e8c1e9c113f0364e1c8370060dee3fcbe25b667ddeca7623a95cd21411f
aae6e388e774180bc3eb96dad5d5bfefd63d0eb7124d68b6991701936801f1c7
d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e
e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2
df2d6ef0450660aaae62c429610b964949812df2da1c57646fc29aa51c3f031e
81d0c71f8b282076cd93fb6bb5bfd3932422d033109e2c92572fc49e4abc2471
8e846ed965bbc0270a6f58c5818e039ef2fb78def4d2bf82348ca786ea0cea4f
36a71c6ac77db619e18f701be47d79306459ff1550b0c92da47b8c46e2ec0752
45AEBD60E3C4ED8D3285907F5BF6C71B3B60A9BCB7C34E246C20410CF678FC0C

Some of the GandCrab affiliates are believed to have later moved to REvil, Europol said.
One of the most common ways that Sophos experts have seen is through a combination of batch scripts and the Microsoft PsExec tool, a great tool for executing commands on remote machines. On September 9, cybercrime analysts from Flashpoint reported that REvil's websites are back online and that a new representative for the group posted messages on underground forums to explain what happened. Once you have managed to contain and neutralize the attack, take time to investigate what happened so you can reduce the likelihood of it happening again. As one of … The blast radius of administrators or administrative servers is enormous. Brute force protections that block excessive login attempts with the wrong credentials should also be enabled where possible. Sodinokibi is the gang reportedly behind a high-profile recent attack on the Sol Oriens nuclear contractor, the $11 million JBS Foods attack, the $50 million squeeze placed on Apple just hours before its splashy new product launch, an attack on Quanta, which is contracted to assemble Apple products, and on and on. The ransomware gang known as REvil appears to have disappeared from the internet.