REvil
REvil (Ransomware Evil; also known as Sodinokibi) was a Russia-based[1] or Russian-speaking[2] private ransomware-as-a-service (RaaS) operation.[3] After an attack, REvil would threaten to publish the stolen data on its leak site, Happy Blog, unless the ransom was paid. In a high-profile case, REvil attacked a supplier of the tech giant Apple and stole confidential schematics of its upcoming products. In January 2022, the Russian Federal Security Service said it had dismantled REvil and charged several of its members.
| Formation | 2019 |
|---|---|
| Type | Hacking |
| Affiliations | Sodinokibi (alias), GandCrab (predecessor) |
History
REvil recruited affiliates to distribute the ransomware; under this arrangement the affiliates and the ransomware developers split the revenue from ransom payments.[4] The group's exact location is difficult to pinpoint, but it is thought to be based in Russia because it does not target organizations in Russia or other former Soviet-bloc countries.[5]
Ransomware code used by REvil resembles the code used by DarkSide, a different hacking group; REvil's code is not publicly available, suggesting that DarkSide is an offshoot of REvil[6] or a partner of REvil.[7] REvil and DarkSide use similarly structured ransom notes and the same code to check that the victim is not located in a Commonwealth of Independent States (CIS) country.[8]
Cybersecurity experts believe REvil is an offshoot of GandCrab, a previously notorious but now-defunct hacker gang.[9] This is suspected because REvil first became active directly after GandCrab shut down and because the two ransomware families share a significant amount of code.
May 2020
As part of the criminal cybergang's operations, they are known for stealing nearly one terabyte of information from the law firm Grubman Shire Meiselas & Sacks and demanding a ransom to not publish it.[10][11][12] The group had attempted to extort other companies and public figures as well.
In May 2020 the group demanded $42 million from the law firm, threatening to release material concerning US president Donald Trump.[13][14] The group claimed to have obtained the data by breaking the elliptic-curve cryptography the firm used to protect it.[15] According to an interview with an alleged member, they found a buyer for the Trump information, but this cannot be confirmed.[16] In the same interview, the member claimed that the group would bring in $100 million in ransoms in 2020.
On 16 May 2020, the group released legal documents totaling a size of 2.4 GB related to the singer Lady Gaga.[17] The following day, they released 169 "harmless" e-mails which referred to Donald Trump or contained the word 'trump'.[11]
They also planned to auction Madonna's information,[18] but the auction did not go ahead.[19]
March 2021
On 18 March 2021, a REvil affiliate claimed on the group's data leak site to have stolen data from the multinational hardware and electronics corporation Acer and deployed ransomware on its systems. The cybersecurity firm Advanced Intel linked the intrusion to the 2021 Microsoft Exchange Server data breach, finding the first signs of Acer servers being targeted on 5 March 2021. A ransom of US$50 million was demanded to decrypt the undisclosed number of systems and delete the stolen files, rising to US$100 million if not paid by 28 March 2021.[21]
On 27 March 2021, REvil attacked the Harris Federation and published several of the federation's financial documents on its blog. The federation's IT systems were shut down for some weeks as a result, affecting up to 37,000 students.[20]
April 2021
In April 2021, REvil stole plans for upcoming Apple products from Quanta Computer, an Apple supplier, including purported designs for Apple laptops and an Apple Watch, and threatened to release them publicly unless it received $50 million.[22][23]
May 2021
On 30 May 2021, JBS S.A. was attacked by ransomware which forced the temporary shutdown of all the company’s U.S. beef plants and disrupted operations at poultry and pork plants. A few days later, the White House announced that REvil may be responsible for the JBS S.A. cyberattack. The FBI confirmed the connection in a follow-up statement on Twitter.[24] JBS paid an $11 million ransom in Bitcoin to REvil.
June 2021
On 11 June 2021, Invenergy reported that they were attacked by ransomware. Later, REvil claimed to be responsible.[25]
July 2021
On 2 July 2021, REvil ransomware was pushed to hundreds of managed service providers and their customers through Kaseya's VSA remote monitoring and management software.[26] REvil demanded $70 million for a universal decryptor to restore the encrypted data.[27] As a consequence, the Swedish Coop grocery chain was forced to close about 800 stores for several days.[28][29]
On 7 July 2021, REvil hacked the computers of Florida-based space and weapon-launch technology contractor HX5, which counts the Army, Navy, Air Force, and NASA among its clients, publicly releasing stolen documents on its Happy Blog. The New York Times judged the documents to not be of "vital consequence".[30]
After a July 9 phone call between United States president Joe Biden and Russian president Vladimir Putin, Biden told the press, "I made it very clear to him that the United States expects when a ransomware operation is coming from his soil even though it’s not sponsored by the state, we expect them to act if we give them enough information to act on who that is." Biden later added that the United States would take the group's servers down if Putin did not.[31][32]
On 13 July 2021, REvil websites and other infrastructure vanished from the internet.[33] Politico cited an unnamed senior administration official as stating that "we don't know exactly why they've [REvil] stood down;" the official also did not discount the possibility that Russia shut down the group or forced it to shut down.[34]
On 23 July 2021, Kaseya announced that it had received a decryption key for the files encrypted in the 2 July Kaseya VSA attack from an unnamed "trusted third party" and was helping victims restore their files.[35] The third party was later revealed to be the FBI, which had held the key for about three weeks to avoid tipping REvil off to a planned operation against its servers; the operation became moot when the group went offline on its own.[36]
September 2021
In September 2021, Romanian cybersecurity firm Bitdefender published a free universal decryptor utility to help victims of the REvil/Sodinokibi ransomware recover their encrypted files, if they were encrypted before July 13, 2021.[37] From September until early November, the decryptor was used by more than 1,400 companies to avoid paying over $550 million in ransom and allow them to recover their files.[38]
On 22 September 2021, malware researchers identified a backdoor in the REvil malware: a master key that let the core operators decrypt victims without the affiliate and open a second, parallel negotiation chat with the victim, cutting affiliates out of ransom payments.[39] Cheated affiliates reportedly posted their claims on an underground "Hacker's Court", undermining affiliates' trust in REvil. Newer versions of the malware reportedly had the backdoor removed.[40]
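The "backdoor" described above and the universal decryptor of the previous paragraph are two faces of the same key design: if the payload wraps each victim's key not only to the affiliate's public key but also to a public key hard-coded by the operators, whoever holds the matching operator private key can decrypt any victim, and once that key reaches law enforcement, every victim encrypted under it can be recovered. The following is an added illustration, not REvil's code: a simplified two-recipient key envelope built on X25519 (RFC 7748, implemented in pure Python so it runs without third-party libraries) with a SHA-256 keystream standing in for a real stream cipher. All keys, names and sample data are constructed for the example.

```python
"""Two-recipient key envelope: a simplified model of how a RaaS operator's
hard-coded "master" public key lets the operator decrypt any affiliate's victim.

Added illustration, not REvil's code. X25519 follows RFC 7748; the SHA-256
keystream is a stand-in for a real stream cipher and is for demonstration only.
"""
import hashlib
import os

P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")


def x25519(scalar: bytes, point: bytes) -> bytes:
    """Montgomery-ladder scalar multiplication (RFC 7748, section 5)."""
    k = bytearray(scalar)
    k[0] &= 248          # clamp the scalar as the RFC requires
    k[31] &= 127
    k[31] |= 64
    k = int.from_bytes(k, "little")
    u = bytearray(point)
    u[31] &= 127         # ignore the unused high bit of the u-coordinate
    x1 = int.from_bytes(u, "little")
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keygen():
    """Random X25519 key pair (private scalar, public u-coordinate)."""
    sk = os.urandom(32)
    return sk, x25519(sk, BASEPOINT)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """XOR data with SHA-256(key || block counter). Demo stream cipher only:
    unauthenticated, so a wrong key yields garbage rather than an error."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "little")).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], block))
    return bytes(out)


def wrap(recipient_pk: bytes, secret: bytes):
    """ECIES-style wrap: fresh ephemeral key, ECDH with the recipient, derive a wrap key."""
    eph_sk, eph_pk = keygen()
    wrap_key = hashlib.sha256(b"wrap" + x25519(eph_sk, recipient_pk)).digest()
    return eph_pk, keystream_xor(wrap_key, secret)


def unwrap(recipient_sk: bytes, eph_pk: bytes, wrapped: bytes) -> bytes:
    wrap_key = hashlib.sha256(b"wrap" + x25519(recipient_sk, eph_pk)).digest()
    return keystream_xor(wrap_key, wrapped)


# Constructed for the example: the public half is what a payload would carry
# hard-coded; the private half never leaves the operators (until it does).
OPERATOR_SK, OPERATOR_PK = keygen()


def encrypt_victim(plaintext: bytes, affiliate_pk: bytes, operator_pk: bytes = OPERATOR_PK) -> dict:
    """What the payload does on a victim: random per-victim secret, wrapped twice."""
    victim_secret = os.urandom(32)
    file_key = hashlib.sha256(b"file" + victim_secret).digest()
    aff_eph, aff_wrapped = wrap(affiliate_pk, victim_secret)
    op_eph, op_wrapped = wrap(operator_pk, victim_secret)   # the "backdoor" slot
    return {
        "ciphertext": keystream_xor(file_key, plaintext),
        "affiliate": (aff_eph, aff_wrapped),
        "operator": (op_eph, op_wrapped),
    }


def decrypt_victim(envelope: dict, sk: bytes, slot: str) -> bytes:
    """Recover the files through either the 'affiliate' or the 'operator' slot."""
    eph_pk, wrapped = envelope[slot]
    victim_secret = unwrap(sk, eph_pk, wrapped)
    file_key = hashlib.sha256(b"file" + victim_secret).digest()
    return keystream_xor(file_key, envelope["ciphertext"])


def universal_decrypt(operator_sk: bytes, envelopes) -> list:
    """Once the operator private key is obtained, every envelope opens, whoever the affiliate was."""
    return [decrypt_victim(env, operator_sk, "operator") for env in envelopes]


if __name__ == "__main__":
    aff_sk, aff_pk = keygen()
    env = encrypt_victim(b"constructed victim file contents", aff_pk)
    assert decrypt_victim(env, aff_sk, "affiliate") == b"constructed victim file contents"
    assert decrypt_victim(env, OPERATOR_SK, "operator") == b"constructed victim file contents"
    print("operator key decrypts the affiliate's victim without the affiliate's key")
```

The affiliate never sees the operator slot being used, which is what made the parallel negotiation possible; and because the second slot is keyed to one long-lived public key rather than to anything per-affiliate, a single recovered operator private key is enough to build a decryptor for every victim encrypted while that key was in use, which is the shape of the universal decryptor released in September 2021. A defender reversing a sample can look for exactly this pattern: a second wrapping of the session key under a constant embedded public key.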
October 2021
On 21 October 2021, REvil's servers were hacked in a multi-country operation and forced offline. VMware's head of cybersecurity strategy said: "The FBI, in conjunction with Cyber Command, the Secret Service and like-minded countries, have truly engaged in significant disruptive actions against these groups." A REvil gang member attempted to restore the servers from backups, which had also been compromised.[41]
Investigations and criminal charges
As part of Operation GoldDust, which involved 17 countries, Europol, Eurojust and INTERPOL, law enforcement authorities arrested five individuals tied to Sodinokibi/REvil and two suspects connected to GandCrab ransomware. They are allegedly responsible for around 5,000 infections and collected about half a million euros in ransom payments.[42]
On 8 November 2021, the United States Department of Justice unsealed indictments against Ukrainian national Yaroslav Vasinskyi and Russian national Yevgeniy Polyanin. Vasinskyi was charged with conducting ransomware attacks against multiple victims including Kaseya, and was arrested in Poland on 8 October. Polyanin was charged with conducting ransomware attacks against multiple victims including Texas businesses and government entities. The Department worked with the National Police of Ukraine for the charges, and also announced the seizure of $6.1 million tied to ransomware payments. If convicted on all charges, Vasinskyi faces a maximum penalty of 115 years in prison, and Polyanin 145 years in prison.[43]
In January 2022, the Russian Federal Security Service said they had dismantled REvil and charged several of its members after being provided information by the US.[44]
The Fluffy
There is a hacker group called Fluffy, reportedly headquartered in Corrèze, that is known to be affiliated with REvil and that primarily uses typosquatting and keyword stuffing (search-engine poisoning) to reach victims. The group has distributed Magniber ransomware, Sodinokibi, GandCrab and BlueCrab (the successor to GandCrab; BlueCrab is the variant identified in the Kaseya VSA ransomware attack[45]). In France it is known as Fluffy, in Germany as Talentfrei,[46] in Australia and other English-speaking countries as "Emma Hill",[47] and in South Korea as Nebomi (Korean for "Four Seasons Blossom"). Fluffy is known to have claimed a number of victims, especially in South Korea.[48][49][50]
References
- Bowden, John (July 13, 2021). "Russian-based ransomware group 'REvil' disappears after hitting US businesses". The Independent. Archived from the original on August 13, 2021.
- Collier, Kevin (July 13, 2021). "Prolific ransomware gang suddenly disappears from internet. The timing is noteworthy". NBC News. Archived from the original on November 12, 2021.
- Fokker, John (2019-10-02). "McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service - The All-Stars". McAfee Blogs. Archived from the original on 2021-11-11. Retrieved 2020-10-07.
- Abrams, Lawrence. "Sodinokibi Ransomware: Following the Affiliate Money Trail". Bleeping Computer. Archived from the original on 2021-07-05. Retrieved 2020-10-07.
- Saarinen, Juha (January 29, 2020). "No let up on REvil ransomware-as-a-service attacks". it news.
- Sanger, David E.; Perlroth, Nicole (May 10, 2021). "F.B.I. Identifies Group Behind Pipeline Hack". The New York Times.
- Osborne, Charlie (May 12, 2021). "Researchers track down five affiliates of DarkSide ransomware service". ZDNet.
- "What We Know About the DarkSide Ransomware and the US Pipeline Attack". Trend Micro Research. May 14, 2021.
- Vijayan, Jai (September 25, 2019). "GandCrab Developers Behind Destructive REvil Ransomware". DARKReading.
- Cimpanu, Catalin. "Ransomware gang asks $42m from NY law firm, threatens to leak dirt on Trump". ZDNet. Retrieved 2020-05-17.
- Winder, Davey. "Hackers Publish First 169 Trump 'Dirty Laundry' Emails After Being Branded Cyber-Terrorists". Forbes. Retrieved 2020-05-17.
- Sykes, Tom (2020-05-15). "'REvil' Hackers Double Their Allen Grubman Ransom Demand To $42m, Threaten To Dump Donald Trump Dirt". The Daily Beast. Retrieved 2020-05-17.
- "Criminal group that hacked law firm threatens to release Trump documents". NBC News. Retrieved 2020-05-17.
- Adler, Dan (15 May 2020). "What Do These Hackers Have On Trump, and Why Would Allen Grubman Pay to Suppress It?". Vanity Fair. Retrieved 2020-05-17.
- "Forbes". Forbes.
- Seals, Tara (October 29, 2020). "REvil Gang Promises a Big Video-Game Hit; Maze Gang Shuts Down". threatpost.
- Dazed (2020-05-16). "Hackers have leaked Lady Gaga's legal documents". Dazed. Retrieved 2020-05-17.
- Coble, Sarah (2020-05-19). "REvil to Auction Stolen Madonna Data". Infosecurity Magazine. Retrieved 2020-07-17.
- Coble, Sarah (2020-09-23). "Thieves Fail to Auction Bruce Springsteen's Legal Documents". Infosecurity Magazine. Retrieved 2020-12-10.
- "Evidence suggests REvil behind Harris Federation ransomware attack". IT PRO. Retrieved 2021-04-30.
- Abrams, Lawrence (19 March 2021). "Computer giant Acer hit by $50 million ransomware attack". BleepingComputer. Retrieved 2021-03-20.
- "Ransomware hackers steal plans for upcoming Apple products". the Guardian. 2021-04-22. Retrieved 2021-04-22.
- "A Notorious Ransomware Gang Claims to Have Stolen Apple's Product Designs". Gizmodo. 20 April 2021. Retrieved 2021-04-22.
- "FBI Statement on JBS Cyberattack". Twitter. 2021-06-02. Retrieved 2021-06-03.
- "Hacker group REvil claims responsibility for Invenergy data breach". pv magazine USA. June 14, 2021.
- "Important Notice July 2nd, 2021 – Kaseya". July 3, 2021. Archived from the original on 2021-07-03.
- Satter, Raphael (2021-07-05). "Up to 1,500 businesses affected by ransomware attack, U.S. firm's CEO says". Reuters. Archived from the original on 2021-11-24. Retrieved 2021-07-05.
- Ahlander, Johan; Menn, Joseph (2021-07-03). "Major ransomware attack against U.S. tech provider forces Swedish store closures". Reuters. Archived from the original on 2021-10-25. Retrieved 2021-07-05.
- Lily Hay Newman (2021-07-04). "How REvil Ransomware Took Out Thousands of Business at Once". Wired. Archived from the original on 2021-11-10. Retrieved 2021-12-03.
- Sanger, David E.; Perlroth, Nicole (July 7, 2021). "Biden Weighs a Response to Ransomware Attacks". The New York Times. Retrieved July 8, 2021.
- Miller, Zeke; Tucker, Eric (July 9, 2021). "Biden tells Putin Russia must crack down on cybercriminals". Associated Press. Archived from the original on November 11, 2021.
- Sanger, David E. (July 13, 2021). "Russia's most aggressive ransomware group disappeared. It's unclear who disabled them". The New York Times.
- Fung, Brian; Cohen, Zachary; Sands, Geneva (July 13, 2021). "Ransomware gang that hit meat supplier mysteriously vanishes from the internet". CNN Business. Archived from the original on September 27, 2021.
- Toosi, Nahal (July 20, 2021). "Biden official: 'We don't know exactly why' ransomware gang vanished from the web". POLITICO. Retrieved July 21, 2021.
- "Ransomware key to unlock customer data from REvil attack". BBC News. BBC. July 23, 2021. Retrieved July 23, 2021.
- Ellen Nakishima; Rachel Lerman (September 21, 2021). "FBI held back ransomware decryption key from businesses to run operation targeting hackers". The Washington Post.
- "Bitdefender Offers Free Universal Decryptor for REvil/Sodinokibi Ransomware". Bitdefender. September 16, 2021. Archived from the original on November 26, 2021. Retrieved December 3, 2021.
- Botezatu, Bogdan (November 8, 2021). "Bitdefender, Law Enforcement Partnership Saves REvil Victims Half a Billion in Ransom Demand". Bitdefender. Archived from the original on November 11, 2021. Retrieved December 3, 2021.
- Vaas, Lisa (September 22, 2021). "How REvil May Have Ripped Off Its Own Affiliates". ThreatPost.com. Archived from the original on October 5, 2021. Retrieved December 3, 2021.
- Vaas, Lisa (September 23, 2021). "REvil Affiliates Confirm: Leadership Were Cheating Dirtbags". ThreatPost.com. Archived from the original on October 8, 2021. Retrieved December 3, 2021.
- Menn, Joseph; Bing, Christopher (October 21, 2021). "EXCLUSIVE Governments turn tables on ransomware gang REvil by pushing it offline". Reuters. Archived from the original on December 1, 2021. Retrieved December 3, 2021.
- "FIVE AFFILIATES TO SODINOKIBI/REVIL UNPLUGGED". Europol. 8 November 2021. Archived from the original on 12 November 2021. Retrieved 12 November 2021.
- "Ukrainian Arrested and Charged with Ransomware Attack on Kaseya". United States Department of Justice. November 8, 2021. Archived from the original on November 11, 2021. Retrieved November 12, 2021.
- "REvil ransomware gang arrested in Russia". BBC News. 2022-01-14. Retrieved 2022-01-14.
- "AhnLab, Kaseya supply-chain targeted ransomware, 'BlueCrab' identified". inews24 (in Korean). 2021-07-11.
- "German users targeted with Gootkit banker or REvil ransomware". MalwareBytes Labs. November 30, 2020.
- Ford, Eric; Nichols, Ben (September 2022). "Is Gootloader Working with a Foreign Intelligence Service?" (PDF). deepwatch.
- "Security advice to respond to 'MY DECRYPTER' ransomware attack". KrCERT Security Notice (in Korean). 2017-10-23.
- "GandCrab ransomware: it lurks behind free fonts and resumes". boannews (in Korean). 2018-11-12.
- "BlueCrab ransomware: use optimized attack scenarios for individuals and companies. Be careful when downloading files". inews24 (in Korean). 2021-02-02.