Ransomware evil: does REvil stand up to its name?

REvil gang’s websites suddenly went offline. We can speculate the reasons behind it but no matter what, the ransomware nightmare is very far from being over.

REvil may disappear, but evil will come back using a different name,” Shay Siksik, VP Customer Operations & CISO at XM Cyber, told CyberNews.

Russia-linked cybercrime ring REvil (short for ransomware evil), has been in the headlines lately after impactful ransomware attacks. A cyberattack on the US tech provider Kaseya has been named one of the most significant ransomware attacks. Threat actors demanded $70 million to restore the data it’s holding for ransom.

The same group or its affiliates targeted the meat supplier JBS, threatening to disrupt North American food supply chains and increase food prices. JBS admitted paying hackers a ransom of $11M.

Reuters reported that websites run by the ransomware gang REvil suddenly became unreachable, sparking widespread speculation that the group had been knocked offline.

Russian news agency TASS reported that the Kremlin did not specify whether the disappearance of REvil online has anything to do with the recent dialog between Vladimir Putin and Joe Biden.

“I cannot answer your question because I do not have such information. I do not know which group [you are referring to], where it disappeared from,” press secretary of the President of the Russian Federation Dmitry Peskov told reporters when asked if Russia was behind the REvil’s takedown.

But it has little relevance when it comes to the retirement of cybercrime gangs. For example, the Maze cartel, which began operations just last May, was dubbed one of the most prominent ransomware groups that terrorized businesses and organizations. In November 2020, they retired, but ransomware became a more significant problem as the number of cyberattacks and ransom demands skyrocketed.

We talked to Shay Siksik to learn more about how REvil stands out from other cybercriminal groups and what it could do with the $70M.

Firstly, I would like you to give an opinion on the recent REvil attack. How was it different from the others?

What we see these days is that ransomware operators aim to exfiltrate data in addition to data encryption, an act called “double extortion.” Normally, this act also means that the attacker tries to keep his foot in the victim’s networks as long as he can and put his hands on data from critical assets.

While this is very common in REvil attacks, it does not seem, so far, that in the Kaseya attack, data was exfiltrated. The Kaseya attack happened very quickly and grew exponentially. The fact that the entry point was a critical asset, with high-privilege access to manage assets, allowed the adversaries to encrypt and lock the managed assets. The quick act to encrypt data may be evidence that REvil operations knew that Kaseya was working to close the vulnerability.

Does REvil live up to its name (Ransomware evil)? Is it the most dangerous cybercrime gang there is?

Yes, REvil is considered one of the most dangerous ransomware groups out there. Alongside Conti, DarkSide and others, their RaaS (Ransomware-as-a-Service) model with affiliates makes it a successful growing business.

Do you have a clue how big REvil might be in terms of affiliates and ransomware developers they recruit?

We need to think of REvil as a small-medium size business. They run 24x7 operations, with a customer service team that negotiates ransom with victims, developers that are constantly improving the encryption mechanisms, and even security analysts to protect their infrastructure from getting hacked by security experts.

Would experts be able to link attacks to REvil if they would not claim to be responsible?

Experts could try to link attacks to the relevant actor group, however, in the cyber world, sophisticated hackers can hide their footprints and even create misleading evidence to lead security researchers to a wrong conclusion. The fact that there is a malware whitelist (i.e., do not operate) on computers with Russian keyboard layouts doesn’t necessarily mean it comes out of Russia.

What are the common characteristics, similarities of recent REvil attacks, such as Kaseya or JBS?

While the JBS intrusion vector is still unknown, many of the recent attacks come from credential theft or exploitation of 0-day vulnerabilities of exposed services (e.g., VPN).

Attackers are finding their way to critical assets with access to managing assets, and once they get there, it’s ‘game-over.’ They can easily disable security controls, gain access to all asset’s data, deploy the ransomware, and demand the ransom.

This highlights the need of organizations to ‘assume breach’ – at any moment, you need to assume you’re breached, act to find the breach, and work continuously to improve your security posture to minimize the risk. This is exactly what we specialize in at XM Cyber. XM Cyber brings a new approach that uses the attacker’s perspective to find and remediate critical attack paths across on-premises and multi-cloud networks.

How does REvil compare to other cybercriminal gangs? Do you think they are more sophisticated, innovative, maybe more greedy ($70M ransom demand in Kaseya’s case), or something else?

The fact that organizations are paying millions of dollars in ransom is evidence of REvil’s power, both over the technology and the business. The attacks are much more sophisticated than in the past, and we see ransomware that bypasses security controls with very powerful encryption capabilities and operations that are laterally moving within victim networks for months and exfiltrate sensitive data.

From the business side of things, REvil outsources the initial access, data exfiltration, and deployment of the ransomware to affiliates. They then take a fee of 20%-30% of the ransom. They are very well organized, know exactly what they are doing, and operate as a world-class business. This puts the victim in a bad position and leaves with no choice. They don’t want their sensitive data to go public.

The ransom size is defined by many factors. Some are the attack size, victim size, the ability of the victim to pay, and even their own negotiation skills. The bigger the attack is, the more they can demand ransom, which is true for any ransomware gang and not REvil only.

Imagine REvil gets paid $70M or less. What could this kind of money do for the gang? Would they recruit more affiliates and ransomware developers?

Like any business, the more successful they are in collecting money, the more they grow and are able to develop and scale further. Every dollar that’s paid in ransom is invested back in the business in order to develop the next ransomware. The investment is on developers, but they are also investing a lot in their RaaS (Ransomware-as-a-service) infrastructure, to be secured from security researchers, and even in their affiliates' programs.

The fact they decreased the demand from $70M to $50M means they understand they are running out of time and that victims are trying to recover. We’ll see what comes first.

Could the recent Biden-Putin talks about a ceasefire in the cybersecurity area somehow help deal with REvil? The Kremlin has been long blamed for turning a blind eye to cybercrime as long as they do not attack Russian entities.

Well, currently, all REvil darknet websites are down. Is this an act or effect of Biden-Putin talks?

One thing is sure, even if everyone joins forces, taking down operations like REvil is challenging and can take months and even years. REvil may disappear, but the evil will come back using a different name.

There're many speculations and possibilities around REvil sites being offline. It may be an act by them to go dark. Maybe the federals took them down, they rebranded due to all the noise around the gang, security researchers took them down, they suffered from a ransomware attack, etc.

More from CyberNews:

XXI century mafia: criminal enterprises at the heart of ransomware

New leak reveals: global governments exploit the Pegasus cyber-surveillance tool

New ransomware group Hive leaks Altus group sample files

The evolving ransomware landscape

Multiple US energy firms attacked with ransomware in the past 12 months – report

The rise of makeshift ransomware: what is Epsilon Red and should you worry about it?

Subscribe to our newsletter