REvil explained

REvil
Formation:2019
Type:Hacking
Affiliations:Sodinokibi, GandCrab

REvil (Ransomware Evil; also known as Sodinokibi) was a Russia-based[1] or Russian-speaking[2] private ransomware-as-a-service (RaaS) operation.[3] After an attack, REvil would threaten to publish the information on their page Happy Blog unless the ransom was received. In a high profile case, REvil attacked a supplier of the tech giant Apple and stole confidential schematics of their upcoming products. In January 2022, the Russian Federal Security Service said they had dismantled REvil and charged several of its members.

History

REvil recruits affiliates to distribute the ransomware for them. As part of this arrangement, the affiliates and ransomware developers split revenue generated from ransom payments.[4] It is difficult to pinpoint their exact location, but they are thought to be based in Russia due to the fact that the group does not target Russian organizations, or those in former Soviet-bloc countries.[5]

Ransomware code used by REvil resembles the code used by DarkSide, a different hacking group; REvil's code is not publicly available, suggesting that DarkSide is an offshoot of REvil[6] or a partner of REvil.[7] REvil and DarkSide use similarly structured ransom notes and the same code to check that the victim is not located in a Commonwealth of Independent States (CIS) country.[8]

Cybersecurity experts believe REvil is an offshoot from a previous notorious, but now-defunct hacker gang, GandCrab.[9] This is suspected due to the fact that REvil first became active directly after GandCrab shutdown, and that the ransomware both share a significant amount of code.

2020

May

As part of the criminal cybergang's operations, they are known for stealing nearly one terabyte of information from the law firm Grubman Shire Meiselas & Sacks and demanding a ransom to not publish it.[10] [11] [12] The group had attempted to extort other companies and public figures as well.

In May 2020 they demanded $42 million from US president Donald Trump.[13] [14] The group claimed to have done this by deciphering the elliptic-curve cryptography that the firm used to protect its data.[15] According to an interview with an alleged member, they found a buyer for Trump information, but this cannot be confirmed.[16] In the same interview, the member claimed that they would bring in $100 million ransoms in 2020.

On 16 May 2020, the group released legal documents totaling a size of 2.4 GB related to the singer Lady Gaga.[17] The following day, they released 169 "harmless" e-mails which referred to Donald Trump or contained the word 'trump'.[11]

They were planning on selling Madonna's information,[18] but eventually reneged.[19]

2021

March

On 27 March 2021, REvil attacked Harris Federation and published multiple financial documents of the federation to its blog. As a result, the IT systems of the federation were shut down for some weeks, affecting up to 37,000 students.[20]

On 18 March 2021, an REvil affiliate claimed on their data leak site that they had downloaded data from multinational hardware and electronics corporation Acer, as well as installing ransomware, which has been linked to the 2021 Microsoft Exchange Server data breach by cybersecurity firm Advanced Intel, which found first signs of Acer servers being targeted from 5 March 2021. A US$50 million ransom was demanded to decrypt the undisclosed number of systems and for the downloaded files to be deleted, increasing to US$100 million if not paid by 28 March 2021.[21]

April

In April 2021, REvil stole plans for upcoming Apple products from Quanta Computer, including purported plans for Apple laptops and an Apple Watch. REvil threatened to release the plans publicly unless they receive $50 million.[22] [23]

May

On 30 May 2021, JBS S.A. was attacked by ransomware which forced the temporary shutdown of all the company’s U.S. beef plants and disrupted operations at poultry and pork plants. A few days later, the White House announced that REvil may be responsible for the JBS S.A. cyberattack. The FBI confirmed the connection in a follow-up statement on Twitter.[24] JBS paid an $11 million ransom in Bitcoin to REvil.

June

On 11 June 2021, Invenergy reported that they were attacked by ransomware. Later, REvil claimed to be responsible.[25]

July

On 2 July 2021, hundreds of managed service providers had REvil ransomware dropped on their systems through Kaseya desktop management software.[26] REvil demanded $70 million to restore encrypted data.[27] As a consequence the Swedish Coop grocery store chain was forced to close 800 stores during several days.[28] [29]

On 7 July 2021, REvil hacked the computers of Florida-based space and weapon-launch technology contractor HX5, which counts the Army, Navy, Air Force, and NASA among its clients, publicly releasing stolen documents on its Happy Blog. The New York Times judged the documents to not be of "vital consequence".[30]

After a July 9 phone call between United States president Joe Biden and Russian president Vladimir Putin, Biden told the press, "I made it very clear to him that the United States expects when a ransomware operation is coming from his soil even though it’s not sponsored by the state, we expect them to act if we give them enough information to act on who that is." Biden later added that the United States would take the group's servers down if Putin did not.[31] [32]

On 13 July 2021, REvil websites and other infrastructure vanished from the internet.[33] Politico cited an unnamed senior administration official as stating that "we don't know exactly why they've [REvil] stood down;" the official also did not discount the possibility that Russia shut down the group or forced it to shut down.[34]

On 23 July 2021, Kaseya announced it had received the decryption key for the files encrypted in the July 2 Kaseya VSA ransomware attack from an unnamed "trusted third party", later discovered to be the FBI who had withheld the key for three weeks, and was helping victims restore their files.[35] The key was withheld to avoid tipping off REvil of an FBI effort to take down their servers, which ultimately proved unnecessary after the hackers went offline without intervention.[36]

September

In September 2021, Romanian cybersecurity firm Bitdefender published a free universal decryptor utility to help victims of the REvil/Sodinokibi ransomware recover their encrypted files, if they were encrypted before July 13, 2021.[37] From September until early November, the decryptor was used by more than 1,400 companies to avoid paying over $550 million in ransom and allow them to recover their files.[38]

On 22 September 2021, malware researchers identified a backdoor built into REvil malware that allowed the original gang members to conduct double-chats and cheat their affiliates out of any ransomware payments.[39] Ransomware affiliates who were cheated reportedly posted their claims on a "Hacker's Court", undermining trust in REvil by affiliates. Newer versions of REvil malware reportedly had the backdoor removed.[40]

October

On 21 October 2021, REvil servers were hacked in a multi-country operation and forced offline. VMWare's head of cybersecurity strategy said "The FBI, in conjunction with Cyber Command, the Secret Service and like-minded countries, have truly engaged in significant disruptive actions against these groups,”. A REvil gang member attempted to restore their servers from backups that had also been compromised.[41]

Investigations and criminal charges

As part of Operation GoldDust involving 17 countries, Europol, Eurojust and INTERPOL, law enforcement authorities arrested five individuals tied to Sodinokibi/REvil and two suspects connected to GandCrab ransomware. They are allegedly responsible for 5000 infections, and collected half a million euros in ransomware payments.[42]

On 8 November 2021, the United States Department of Justice unsealed indictments against Ukrainian national Yaroslav Vasinskyi and Russian national Yevgeniy Polyanin. Vasinskyi was charged with conducting ransomware attacks against multiple victims including Kaseya, and was arrested in Poland on 8 October. Polyanin was charged with conducting ransomware attacks against multiple victims including Texas businesses and government entities. The Department worked with the National Police of Ukraine for the charges, and also announced the seizure of $6.1 million tied to ransomware payments. If convicted on all charges, Vasinskyi faces a maximum penalty of 115 years in prison, and Polyanin 145 years in prison.[43]

In January 2022, the Russian Federal Security Service said they had dismantled REvil and charged several of its members after being provided information by the US.[44]

The Fluffy

There is a hacker group called Fluffy with Headquarters in Corrèze, known to have an affiliation with REvil, that primarily uses typosquatting, cybersquatting and keyword stuffing. This hacker group has distributed Magniber ransomware, Sodinokibi, and GandCrab, BlueCrab (It is the next version of GandCrab is the same variant that was used in the Kaseya VSA ransomware attack[45]). In France, it is known as Fluffy,[46] in Germany as Talentfrei,[47] in Australia and English speaking countries as "Emma Hill",[48] and in South Korea as Nebomi (meaning "Four Seasons Blossom" in Korean). Fluffy is known to have claimed a number of victims, especially in South Korea.[49] [50]

The campaign in which Fluffy first targeted South Korea is known as Magniber,[51] and it utilized an exploit kit before the emergence of various modified payloads. The techniques employed by these modified payloads vary, but they share a commonality in utilizing standardized technologies supported by web browsers or operating systems, such as URI scheme and BASE64, unlike exploit kits that leverage zero-day vulnerabilities. Users receive security warnings from their operating systems before executing the files; however, the information provided by the attackers is often sufficient for users to decide to disregard the security alerts.

Following the introduction of these altered payloads in South Korea, Fluffy immediately referred to themselves as Nebomi and continued with ransomware attacks. The Seoul Central District Prosecutors' Office announced in November 2023 that accomplices assisting them in South Korea were prosecuted. According to the announcement, during the process of investigating the suspects, records of funds being transferred to Lazarus Group were also discovered.[52] It is unclear whether it is related to the ongoing ransomware investigation, but according to a media report in December 2023, The Supreme Court of Korea claimed that it experienced a cyberattack by the Lazarus Group, resulting in the leakage of sensitive data.[53]

Fluffy is presumed to assist in the distribution of various types of ransomware, ranging from Magniber and REvil to LockBit, leveraging successful cases of watering hole attacks they have executed. For example, it is believed that they may be implicated in incidents such as the successful cyber attack on Toshiba's French branch in May 2021, the claimed cyber attack on the Doosan Group in August 2022, and the claimed cyber attack on the National Tax Service (South Korea) in March 2023.[54]

At times, they employed relatively simple methods, such as emails, for the distribution of REvil ransomware (also known as GandCrab). The content of these emails typically involved impersonating law enforcement agencies. The senders of these emails were two individuals under the age of 19, who claimed to have committed such crimes in response to a proposition that said, "If you join in sending ransomware, we'll share the profits." In the trial held at the Seoul Central District Court in August 2021, they were sentenced to 2 years and 1 year 6 months of imprisonment. One of them had already received a 10-year prison sentence for participating in another campaign.

Notes and References

  1. Web site: Bowden . John . Russian-based ransomware group 'REvil' disappears after hitting US businesses . July 13, 2021 . . live . https://web.archive.org/web/20210813111845/https://www.independent.co.uk/news/world/americas/us-politics/revil-ransomware-russia-us-latest-b1883490.html . August 13, 2021.
  2. Web site: Collier . Kevin . July 13, 2021 . Prolific ransomware gang suddenly disappears from internet. The timing is noteworthy. . . live . https://web.archive.org/web/20211112203147/https://www.nbcnews.com/tech/tech-news/russian-speaking-ransomware-gang-goes-offline-rcna1403 . November 12, 2021.
  3. Web site: Fokker . John . 2019-10-02 . McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service - The All-Stars . 2020-10-07 . McAfee Blogs . en-US . live . https://web.archive.org/web/20211111160641/https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-the-all-stars/ . 2021-11-11.
  4. Web site: Sodinokibi Ransomware: Following the Affiliate Money Trail . Abrams . Lawrence . 2020-10-07 . . en-US . live . https://web.archive.org/web/20210705110616/https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-following-the-affiliate-money-trail/ . 2021-07-05.
  5. Web site: Saarinen. Juha. January 29, 2020. No let up on REvil ransomware-as-a-service attacks. it news.
  6. SangerPerlroth>David E. Sanger & Nicole Perlroth, F.B.I. Identifies Group Behind Pipeline Hack, New York Times (May 10, 2021).
  7. Charlie Osborne, Researchers track down five affiliates of DarkSide ransomware service, ZDNet (May 12, 2021).
  8. https://www.trendmicro.com/en_us/research/21/e/what-we-know-about-darkside-ransomware-and-the-us-pipeline-attac.html What We Know About the DarkSide Ransomware and the US Pipeline Attack
  9. Web site: Vijayan. Jai. September 25, 2019. GandCrab Developers Behind Destructive REvil Ransomware. DARKReading.
  10. Web site: Ransomware gang asks $42m from NY law firm, threatens to leak dirt on Trump. Cimpanu. Catalin. ZDNet. en. 2020-05-17.
  11. Web site: Hackers Publish First 169 Trump 'Dirty Laundry' Emails After Being Branded Cyber-Terrorists. Winder. Davey. Forbes. en. 2020-05-17.
  12. News: Sykes. Tom. 2020-05-15. 'REvil' Hackers Double Their Allen Grubman Ransom Demand To $42m, Threaten To Dump Donald Trump Dirt. en. The Daily Beast. 2020-05-17.
  13. Web site: Criminal group that hacked law firm threatens to release Trump documents. NBC News. 16 May 2020 . en. 2020-05-17.
  14. What Do These Hackers Have On Trump, and Why Would Allen Grubman Pay to Suppress It?. Adler. Dan. Vanity Fair. 15 May 2020. en. 2020-05-17.
  15. Web site: Forbes. Forbes.
  16. Web site: Seals. Tara. October 29, 2020. REvil Gang Promises a Big Video-Game Hit; Maze Gang Shuts Down. threatpost.
  17. Web site: Hackers have leaked Lady Gaga's legal documents. Dazed. 2020-05-16. Dazed. en. 2020-05-17.
  18. Web site: Coble. Sarah. 2020-05-19. REvil to Auction Stolen Madonna Data. 2020-07-17. Infosecurity Magazine.
  19. Web site: Coble. Sarah. 2020-09-23. Thieves Fail to Auction Bruce Springsteen's Legal Documents. 2020-12-10. Infosecurity Magazine.
  20. Web site: Evidence suggests REvil behind Harris Federation ransomware attack. 2021-04-30. IT PRO. 9 April 2021 . en.
  21. News: 19 March 2021. Computer giant Acer hit by $50 million ransomware attack. Abrams. Lawrence. 2021-03-20. BleepingComputer. en-us.
  22. Web site: 2021-04-22. Ransomware hackers steal plans for upcoming Apple products. 2021-04-22. the Guardian. en.
  23. Web site: A Notorious Ransomware Gang Claims to Have Stolen Apple's Product Designs. 2021-04-22. Gizmodo. 20 April 2021 . en-us.
  24. Web site: 2021-06-02. FBI Statement on JBS Cyberattack. 2021-06-03. Twitter. en.
  25. Web site: Hacker group REvil claims responsibility for Invenergy data breach. June 14, 2021. pv magazine USA.
  26. Web site: Important Notice July 2nd, 2021 – Kaseya. July 3, 2021. https://web.archive.org/web/20210703040259/https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689. 2021-07-03.
  27. Web site: Satter . Raphael . 2021-07-05 . Up to 1,500 businesses affected by ransomware attack, U.S. firm's CEO says . 2021-07-05 . . live . https://web.archive.org/web/20211124021820/https://www.reuters.com/technology/hackers-demand-70-million-liberate-data-held-by-companies-hit-mass-cyberattack-2021-07-05/ . 2021-11-24.
  28. Web site: Ahlander . Johan . Menn . Joseph . 2021-07-03 . Major ransomware attack against U.S. tech provider forces Swedish store closures . 2021-07-05 . . live . https://web.archive.org/web/20211025220720/https://www.reuters.com/technology/cyber-attack-against-us-it-provider-forces-swedish-chain-close-800-stores-2021-07-03/ . 2021-10-25.
  29. Lily Hay Newman . 2021-07-04 . How REvil Ransomware Took Out Thousands of Business at Once . live . . https://web.archive.org/web/20211110083212/https://www.wired.com/story/revil-ransomware-supply-chain-technique/ . 2021-11-10 . 2021-12-03.
  30. News: Perlroth . Nicole . Sanger . David E. . July 7, 2021 . Biden Weighs a Response to Ransomware Attacks . . July 8, 2021.
  31. News: Biden tells Putin Russia must crack down on cybercriminals . July 9, 2021 . . Miller . Zeke . Tucker . Eric . live . https://web.archive.org/web/20211111230810/https://apnews.com/article/joe-biden-europe-technology-government-and-politics-russia-df7ef73f02bcba61ad6e628aa95a9f84 . November 11, 2021.
  32. News: Russia's most aggressive ransomware group disappeared. It's unclear who disabled them.. David E.. Sanger. The New York Times. July 13, 2021.
  33. Web site: Ransomware gang that hit meat supplier mysteriously vanishes from the internet . Fung . Brian . Cohen . Zachary . Sands . Geneva . CNN Business . July 13, 2021 . live . https://web.archive.org/web/20210927090747/https://www.cnn.com/2021/07/13/tech/revil-ransomware-disappears/index.html . September 27, 2021.
  34. News: Toosi . Nahal . July 20, 2021 . Biden official: 'We don't know exactly why' ransomware gang vanished from the web . . July 21, 2021.
  35. News: . Ransomware key to unlock customer data from REvil attack . . . July 23, 2021 . July 23, 2021.
  36. News: FBI held back ransomware decryption key from businesses to run operation targeting hackers . . September 21, 2021 . Ellen Nakishima . Rachel Lerman.
  37. News: September 16, 2021 . Bitdefender Offers Free Universal Decryptor for REvil/Sodinokibi Ransomware . live . . https://web.archive.org/web/20211126021627/https://www.bitdefender.com/blog/labs/bitdefender-offers-free-universal-decryptor-for-revil-sodinokibi-ransomware/ . November 26, 2021 . December 3, 2021.
  38. News: Botezatu . Bogdan . November 8, 2021 . Bitdefender, Law Enforcement Partnership Saves REvil Victims Half a Billion in Ransom Demand . live . . https://web.archive.org/web/20211111141148/https://www.bitdefender.com/blog/labs/bitdefender-law-enforcement-partnership-saves-revil-victims-half-a-billion-in-ransom-demand/ . November 11, 2021 . December 3, 2021.
  39. News: Vaas . Lisa . September 22, 2021 . How REvil May Have Ripped Off Its Own Affiliates . live . ThreatPost.com . https://web.archive.org/web/20211005234753/https://threatpost.com/how-revil-may-have-ripped-off-its-own-affiliates/174887/ . October 5, 2021 . December 3, 2021.
  40. News: Vaas . Lisa . September 23, 2021 . REvil Affiliates Confirm: Leadership Were Cheating Dirtbags . live . ThreatPost.com . https://web.archive.org/web/20211008163917/https://threatpost.com/revil-affiliates-leadership-cheated-ransom-payments/174972/ . October 8, 2021 . December 3, 2021.
  41. News: Menn . Joseph . Bing . Christopher . October 21, 2021 . EXCLUSIVE Governments turn tables on ransomware gang REvil by pushing it offline . live . . https://web.archive.org/web/20211201020150/https://www.reuters.com/technology/exclusive-governments-turn-tables-ransomware-gang-revil-by-pushing-it-offline-2021-10-21/ . December 1, 2021 . December 3, 2021.
  42. News: 8 November 2021 . FIVE AFFILIATES TO SODINOKIBI/REVIL UNPLUGGED . live . . https://web.archive.org/web/20211112144918/https://www.europol.europa.eu/newsroom/news/five-affiliates-to-sodinokibi/revil-unplugged . 12 November 2021 . 12 November 2021.
  43. Web site: November 8, 2021 . Ukrainian Arrested and Charged with Ransomware Attack on Kaseya . live . . https://web.archive.org/web/20211111153625/https://www.justice.gov/opa/pr/ukrainian-arrested-and-charged-ransomware-attack-kaseya . November 11, 2021 . November 12, 2021.
  44. News: 2022-01-14. REvil ransomware gang arrested in Russia. en-GB. BBC News. 2022-01-14.
  45. News: 2021-07-11. AhnLab, Kaseya supply-chain targeted ransomware, 'BlueCrab' identified. ko-KR. inews24.
  46. Web site: 2021-03-01 . "Gootloader" expands its payload delivery options . Sophos News .
  47. Web site: November 30, 2020 . German users targeted with Gootkit banker or REvil ransomware . MalwareBytes Labs .
  48. Web site: Ford . Eric . Nichols . Ben . September 2022 . Is Gootloader Working with a Foreign Intelligence Service? . deepwatch .
  49. News: 2018-11-12. GandCrab ransomware: it lurks behind free fonts and resumes.. ko-KR. boannews.
  50. News: 2021-02-02. BlueCrab ransomware: use optimized attack scenarios for individuals and companies. Be careful when downloading files. ko-KR. inews24.
  51. Web site: 2017-10-23 . Security advice to respond to 'MY DECRYPTER' ransomware attack . KrCERT Security Notice . ko-KR.
  52. News: 2023-11-20. Infecting with ransomware and demanding recovery fees... Arrest and prosecution of company representatives who collected 2.6 billion won.. ko-KR. KBS Korea Broadcasting System.
  53. News: 2023-12-05. The Supreme Court of Korea concealed the hacking incident carried out by North Korea hackers for six months. The password was 123qwe.. ko-KR. Nocut News.
  54. News: 2023-03-30. International hacking organization 'Lockbit' announces plans to disclose data claiming to have hacked the National Tax Service.. ko-KR. KBS Korea Broadcasting System.