How REvil evolved into a ransomware collective capable of extorting Kaseya, JBS
The Russian ransomware gang REvil is loud, ambitious and particularly nasty. Even by hackers’ standards.
Before claiming responsibility for a breach at the software company Kaseya, which has resulted in breaches at perhaps thousands of other businesses and newfound attention from the White House, the group accounted for less than 10% of known ransomware victims, according to the threat intelligence firm Recorded Future. Now, it accounts for 42%.
As U.S. national security officials and much of the cybersecurity community race to mitigate the fallout from the Kaseya incident, the incident serves as yet another reminder of how groups of scammers are making millions of dollars after years of honing their tradecraft. A “conservative estimate” by IBM placed REvil’s 2020 profits at $123 million, first among ransomware gangs, while multiple firms said the gang’s malware was the most common digital extortion tool.
That was before the REvil group also struck the global meat supplier JBS, earning a reported $11 million payment in June.
“Some groups simply go quietly about their business, and conduct their negotiations in a robotic-like manner, whereas REvil are far more flamboyant and seek to cause headlines,” said Brett Callow, a threat analyst at Emsisoft.
It’s a method that stands to benefit the gang when they seek to impress upon victims that they’ll go all-out to embarrass victims who refuse to pay, Callow said. In recent weeks, on its “Happy Blog” dark web extortion site, REvil has published purported nude photos of not only a wealthy target, but their family members, too.
A beneficial business model
How much REvil itself is behind the Kaseya outbreak remains unclear.
It’s one of the more prominent ransomware-as-a-service groups, experts say, in which other criminals can use a strain of ransomware on a rental or subscription basis, or in exchange for a share of the payments. That business model lowers the barrier for anyone to get into the business of ransomware, because it requires no technical expertise in developing the code itself. It’s a trend that’s contributed to the rise of the ransomware phenomenon.
While REvil’s “Happy Blog” discusses how “we launched an attack on MSP providers,” the blog often “uses the royal ‘we,'” said Allan Liska, a Recorded Future analyst. The blog’s goal, similar to those of other ransomware gangs, is to threaten to leak data of victims and then publish the information sans payment. It also has used it to auction data when victims don’t pay.
In a swaggering interview published in March, an anonymous REvil representative said affiliates had “access to a ballistic missile launch system, one to a U.S. Navy cruiser, a third to a nuclear power plant, and a fourth to a weapons factory.”
“It is quite feasible to start a war,” the representative said. “But it’s not worth it — the consequences are not profitable.”
Over the first six months of 2021, REvil payments averaged $2.25 million, Palo Alto Networks said of the cases it observed. In the early part of this year, the overall average ransom payment industry-wide was $850,000.
“They are among the top in terms of ransom sums, big game hunters and typically try to ask for ransom amounts in the millions, based on the data they are able to exfiltrate and the size of the organization,” said John Martineau, principal consultant with the company’s cybersecurity consulting group.
The REvil gang mainly speaks Russian, and its ransomware is written to avoid computers that use Russian — a common practice for malware that originates from the country. It also traces its lineage to other organizations thought to be Russian.
Tracing REvil’s history
The group’s origins seem to trace back to 2018, a virtual eternity in a world where many ransomware operators aim to strike it rich, then disappear.
The earliest sign of them was via work with a now-defunct group called GandCrab, according to Palo Alto Networks.
“At the time, they were mostly focused on distributing ransomware through malvertising and exploit kits, which are malicious advertisements and malware tools that hackers use to infect victims through drive-by downloads when they visit a malicious website,” the company wrote in a blog primer on Tuesday. “That group morphed into REvil, grew and earned a reputation for exfiltrating massive data sets and demanding multimillion dollar ransoms.”
An early hallmark attack came in 2019, in the eyes of Allison Wikoff, senior researcher at IBM Security X-Force. That’s when the group’s ransomware — also called Sodinokibi — struck 22 Texas municipalities, curbing governments’ abilities to accept utility payments, for instance. The Texas incident was an early precursor to the Kaseya breach, Wikoff said, as attackers hit an IT provider with access to multiple systems.
The group, or someone using its malware, then graduated to carrying out an extortion of the law firm Grubman Shire Meiselas & Sacks, which counted Madonna and Elton John among its clients. Hackers leaked documents like Lady Gaga contracts after the firm refused to pay, then threatened to air the “dirty laundry” of then-President Donald Trump.
That threat ended in a fizzle, with REvil claiming to sell those documents to an unidentified buyer.
It’s a pattern of unprovable boasting common not only to the group, but to the ransomware business in general. This spring, REvil said it had accessed the internal files of Apple supplier Quanta to obtain schematics of unreleased Apple products, only for any references to the claims to later disappear from its dark web extortion blog.
Now, REvil claims that its attack on managed service providers via Kaseya locked up more than 1 million systems, compared to Kaseya’s estimate of up to 1,500.
“It’s such a mess,” Liska said, suggesting the latest incident is the work of an affiliate group. “The main operators are fairly competent. This is just a complete disaster.”