Complex Made Simple

REvil feels the heat, disappears from its sites, but a return is likely

Websites for a Russian-linked ransomware gang blamed for attacks on hundreds of businesses worldwide have gone offline. A reported group member says they'll be back

Either the US or Russian officials may have taken action against REvil
REvil extracted an $11 million payment from the world’s largest meatpacking company
REvil is one of the most prominent providers of ransomware as a service (RaaS)

Websites for a Russian-linked ransomware gang blamed for attacks on hundreds of businesses worldwide have gone offline.

Monitors say a payment website and a blog run by the REvil group became suddenly unreachable in mid-July.

The outage comes amid growing tension between the US and Russia over cyber-crime.

US President Joe Biden raised the issue with Vladimir Putin during a recent phone call. Biden told reporters that he had “made it very clear to him…we expect them to act” on information and also hinted the US could take direct digital retaliation on servers used for intrusions.

The timing of the outage has sparked speculation that either the US or Russian officials may have taken action against REvil.

Cyber experts say sudden disappearances of such groups are not uncommon.

The development comes after a series of high-profile ransomware attacks which have hit major US businesses this year.

The FBI accused REvil – also known as Sodinokibi – of being behind a ransomware attack on the world’s largest meat processing company JBS.

The group is considered prolific and demanded a huge bitcoin ransom for an attack that targeted IT firm Kaseya and hundreds more businesses worldwide.

One hacker who says he is an affiliate of the gang claims that the US “Feds took down” elements of their websites and so they pulled the plug on the rest of their operation. He also said there was pressure from the Kremlin: “Russia is tired of the US and other countries crying to them.”

He says he has no plans to retire and is already planning another unknown venture. “Make one go away, more will rise,” he warned.

Tracking REvil’s growth and revenue model

REvil extracted an $11 million payment from the world’s largest meatpacking company, demanded $5 million from a Brazilian medical diagnostics company, and launched a large-scale attack on dozens, perhaps hundreds, of companies that use IT management software from Kaseya VSA.


Unit 42’s Threat Intelligence team has been monitoring the threat actors tied to this group for three years. In 2018, they were working with a group known as GandCrab. At the time, they were mostly focused on distributing ransomware through malvertising and exploit kits: malicious advertisements and malware toolkits that infect victims through drive-by downloads when they visit a malicious website.

That group morphed into REvil, grew and earned a reputation for exfiltrating massive data sets and demanding multimillion-dollar ransoms. It is now among an elite group of cyber extortion

REvil is one of the most prominent providers of ransomware as a service (RaaS). This criminal group provides adaptable encryptors and decryptors, infrastructure and services for negotiation communications, and a leak site for publishing stolen data when victims don’t pay the ransom demand.

For these services, REvil takes a percentage of the negotiated ransom price as its fee. Affiliates of REvil typically use two approaches to persuade victims to pay: they encrypt data so that organizations cannot access information, use critical computer systems or restore from backups, and they also steal data and threaten to post it on a leak site (a tactic known as double extortion).

REvil and its affiliates pulled in an average payment of about $2.25 million during the first six months of 2021.

When victims fail to meet deadlines for making payments via bitcoin, the attackers often double the demand. Eventually, they post stolen data on the leak site if the victim doesn’t pay up or enter into negotiations.

REvil threat actors continue to use previously compromised credentials to remotely access externally facing assets through Remote Desktop Protocol (RDP).

Another commonly observed tactic is phishing leading to a secondary payload. However, Unit 42 also observed a few unique vectors that relate to the recent Microsoft Exchange Server CVEs, as well as a case that involved a SonicWall compromise.
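The RDP access pattern described above (valid but stolen credentials used over RDP against an internet-facing host) is one of the easier initial-access vectors to catch in logs. The following is an added example, not code from the article or from Unit 42, of a small detector that runs over Windows Security event 4624 records and flags successful RemoteInteractive (RDP) logons whose source address lies outside the organisation's own address space, then additionally flags any account that was used over RDP from more than one external address. The sample events and the internal address ranges in INTERNAL_NETS are constructed for the example; the field names mirror the 4624 event schema (LogonType, IpAddress, TargetUserName, TargetDomainName).

```python
"""
Added example: flag successful RDP logons that come from outside the
organisation's own address space, plus accounts reused over RDP from several
external sources. Input is a list of Windows Security event 4624 records
reduced to the fields this check needs. All sample data is constructed.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Logon type 10 = RemoteInteractive, the type a classic RDP session records.
RDP_LOGON_TYPE = 10

# Assumption: the organisation's internal address space. Adjust per environment.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128",
)]


@dataclass(frozen=True)
class Finding:
    user: str        # DOMAIN\account that logged on
    source_ip: str   # source address(es) of the logon
    host: str        # host that recorded the event, or "*" for an aggregate
    reason: str      # why this was flagged


def is_internal(ip_text: str) -> bool:
    """True if the source address is local or inside INTERNAL_NETS.
    4624 uses '-' as the source for console logons, which are treated as local."""
    if ip_text == "-":
        return True
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # an unparsable source is not trusted
    return any(ip in net for net in INTERNAL_NETS)


def external_rdp_logons(events):
    """Return a list of Finding objects for successful RDP logons from external
    addresses, followed by one aggregate finding per account seen from more
    than one external address."""
    findings = []
    sources_by_user = defaultdict(set)
    for e in events:
        # Only successful logons (4624) of the RemoteInteractive type matter here.
        if e.get("EventID") != 4624 or int(e.get("LogonType", 0)) != RDP_LOGON_TYPE:
            continue
        src = e.get("IpAddress", "-")
        if is_internal(src):
            continue
        user = e.get("TargetDomainName", "") + "\\" + e.get("TargetUserName", "")
        findings.append(Finding(
            user=user, source_ip=src, host=e.get("Computer", ""),
            reason="successful RDP logon from outside the internal address space",
        ))
        sources_by_user[user].add(src)

    # Credential reuse: one account arriving over RDP from several external IPs.
    for user, srcs in sorted(sources_by_user.items()):
        if len(srcs) > 1:
            findings.append(Finding(
                user=user, source_ip=", ".join(sorted(srcs)), host="*",
                reason="same account used over RDP from several external addresses",
            ))
    return findings


# Constructed sample events (documentation ranges used for the external IPs).
SAMPLE_EVENTS = [
    # Internal RDP logon: expected, not flagged.
    {"EventID": 4624, "LogonType": 10, "IpAddress": "192.168.10.5",
     "TargetUserName": "jdoe", "TargetDomainName": "CORP", "Computer": "fs01.corp.example"},
    # External RDP logon with a service account: flagged.
    {"EventID": 4624, "LogonType": 10, "IpAddress": "203.0.113.77",
     "TargetUserName": "svc_backup", "TargetDomainName": "CORP", "Computer": "rdp-gw.corp.example"},
    # Network logon (type 3), not RDP: ignored by this check.
    {"EventID": 4624, "LogonType": 3, "IpAddress": "203.0.113.77",
     "TargetUserName": "svc_backup", "TargetDomainName": "CORP", "Computer": "fs01.corp.example"},
    # Same account again, from a second external address: flagged, and triggers the aggregate.
    {"EventID": 4624, "LogonType": 10, "IpAddress": "198.51.100.9",
     "TargetUserName": "svc_backup", "TargetDomainName": "CORP", "Computer": "rdp-gw.corp.example"},
    # Failed logon (4625): out of scope for a successful-access check.
    {"EventID": 4625, "LogonType": 10, "IpAddress": "198.51.100.9",
     "TargetUserName": "administrator", "TargetDomainName": "CORP", "Computer": "rdp-gw.corp.example"},
]

if __name__ == "__main__":
    for f in external_rdp_logons(SAMPLE_EVENTS):
        print(f"{f.user:20} {f.source_ip:28} {f.host:22} {f.reason}")
```

On the constructed input the detector returns three findings: the two external RDP logons for CORP\svc_backup and one aggregate noting that the account arrived from two different external addresses. In practice the internal ranges would come from the environment's own inventory, and RDP from any external source against an internet-facing host is worth reviewing even when it succeeds with a valid account, since that is exactly what a stolen credential looks like.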