The perpetrators of the ransomware attack that affected more than 1,500 businesses worldwide early this month demanded a $70 million ransom after breaking in through software from the company Kaseya. And although the price quickly dropped to 50 million, if someone pays that amount for the “universal key” that would make all the hostage files available again “within an hour”, it is probably still the biggest blow that the hacker gang REvil, which has just reached its two-year anniversary, has ever struck.
The scale of the hack shows the brutality of REvil, a gang believed to be Russia-based that has been in the news many times with large and far-reaching attacks. In early June, the gang collected $11 million from the world’s largest meat processor, the Brazilian company JBS, which had to shut down its slaughterhouses in the United States and Australia for some time after ransomware from REvil had disabled crucial computer systems. Earlier, the group stole plans for new Apple laptops from the Taiwanese supplier Quanta, and large amounts of sensitive information from the US media attorney Alan Grubman. In both cases, REvil demanded tens of millions not to publish the stolen files. To enforce that demand, REvil placed contracts and emails from the singer Lady Gaga and the then US President Donald Trump on the dark web – a part of the internet that normally remains hidden.
Grubman did not pay, but according to an interview with one of the REvil hackers last October by the Russian video channel OSINT – of which an English transcription was recently published by a security company – several of Grubman’s clients did, to prevent evidence of their tax evasion from being published.
Researcher Allan Liska of the American security company Recorded Future does not think that REvil deliberately chooses such large victims. But unlike many competitors, the gang doesn’t shy away from large prey.
“They are occasional actions,” says Liska in a video chat. “They choose the victims where they get in. But other gangs may shy away from grabbing an overly large victim, REvil doesn’t. They feel like they can get away with it. They operate out of reach of the US authorities, we cannot reach them with drones.” The group also likes to brag about it. “That helps REvil in acquiring customers.”
REvil emerged in 2019, presumably as a continuation of GandCrab, the largest cyber gang at the time. GandCrab announced its closure after its hackers said they had netted about $2 billion from their criminal activities in a year and a half — a claim that is unverifiable, and presumably exaggerated. According to researchers who studied the ransomware, large portions of REvil’s code matched GandCrab’s.
Virtually nothing is known about the individual members of the gang. Supposedly, REvil is run by a hacker known in Russian forums as ‘UNKN’ or ‘Unknown’. He is also probably the one who gave the interview to OSINT.
Though not conclusively proven, the evidence is strong that the gang operates out of Russia: the ransomware the group uses checks whether the victim is located in Russia or one of its allies, such as most former Soviet republics, as well as Syria. For example, the program checks whether an affected system uses Russian keyboard settings and tries to geographically trace the victim’s Internet address. If the victim is within the Russian sphere of influence, the software switches itself off. Moreover, REvil only works with cyber criminals who speak Russian fluently, and without knowledge of all kinds of Russian slang the conversations on their underground web forums cannot be followed, says Liska.
Loot is shared
The hackers offer Ransomware-as-a-Service, in which criminal customers use REvil’s ransomware. Previously, REvil advertised on forums for cyber criminals to acquire customers, but now this is done only by invitation, says Liska. “You purchase the ransomware from REvil, and then you make your own way into the system you want to attack to install it. REvil then handles the negotiation and payment, and you split the loot.” According to Liska, REvil usually retains 15 to 30 percent of the proceeds; the rest goes to the client. Fair enough, REvil leader UNKN says in the OSINT interview, “because it does most of the work”. Even so, that would bring REvil about $100 million a year – although Liska thinks the real amount is “much higher”.
While REvil isn’t afraid to attack large prey, it may have choked on the Kaseya hack. Initially, the attackers demanded a ransom of $45,000 (for small businesses) or $5 million (for larger victims) from each individual victim, but on Monday REvil posted a different offer on its dark web blog: for $70 million the group would provide a universal key to unlock all affected systems in one fell swoop. “They have become a bit of a victim of their own success,” Liska thinks. “If you log in to the dashboard to which you are referred as a victim, you end up in a queue. It can sometimes take weeks for a REvil representative to respond to your messages.”
According to Liska, the group is also weeks behind in posting messages on its extortion blog. It usually shows snippets of sensitive, stolen information to increase the pressure on the negotiations, but “they are only now dealing with business from early June.”
Kaseya has developed into a logistical disaster for REvil, he thinks. “They like to brag about the scale of the intrusion – the largest ransomware attack ever – but their systems fail.” One large payment – for example from an insurer – to close the whole case quickly would therefore suit the group. In chat conversations with representatives of REvil, it turned out that the requested $70 million is negotiable: the demand has now fallen to $50 million.
The question is also whether the hackers have not drawn too much attention to themselves with the break-in at Kaseya and the earlier extortion of JBS. US President Joe Biden said in a telephone conversation with his Russian counterpart Putin on Friday that he expects Kremlin action to stop the ongoing ransomware attacks from Russia, “even if they are not carried out by the Russian state itself”. He reiterated his threat that the US would otherwise act on its own, for example by attacking computer systems involved in the attacks itself.
In May, the FBI seized the servers of another major ransomware gang, DarkSide, and much of the ransom money it had collected, after it extorted $4.4 million from the US fuel pipeline operator Colonial Pipeline. The American Justice Department also decided to give ransomware the same investigation priority as terrorism from now on.
“This could be a logical time for REvil’s hackers to get out and spend more time with their families,” said Liska. “They may well announce their retirement soon. Usually this is a sign that the ground is getting too hot under their feet. But usually they reappear after that, just like GandCrab, under a different name.”