REvil

REvil (Ransomware Evil; also known as Sodinokibi) was a Russia-based or Russian-speaking private ransomware-as-a-service (RaaS) operation. After an attack, REvil would threaten to publish the information on their page ''Happy Blog'' unless the ransom was received. In a high profile case, REvil attacked a supplier of the tech giant Apple and stole confidential schematics of their upcoming products. In January 2022, the Russian Federal Security Service said they had dismantled REvil and charged several of its members.

History

REvil recruits affiliates to distribute the ransomware for them. As part of this arrangement, the affiliates and ransomware developers split revenue generated from ransom payments. It is difficult to pinpoint their exact location, but they are thought to be based in Russia due to the fact that the group does not target Russian organizations, or those in former Soviet-bloc countries.

Ransomware code used by REvil resembles the code used by DarkSide, a different hacking group; REvil's code is not publicly available, suggesting that DarkSide is an offshoot of REvil or a partner of REvil. REvil and DarkSide use similarly structured ransom notes and the same code to check that the victim is not located in a Commonwealth of Independent States (CIS) country.

Cybersecurity experts believe REvil is an offshoot from a previous notorious, but now-defunct hacker gang, GandCrab. This is suspected due to the fact that REvil first became active directly after GandCrab shutdown, and that the ransomware both share a significant amount of code.

2020

May

As part of the criminal cybergang's operations, they are known for stealing nearly one terabyte of information from the law firm Grubman Shire Meiselas & Sacks and demanding a ransom to not publish it. The group had attempted to extort other companies and public figures as well.

In May 2020 they demanded $42 million from US president Donald Trump. The group claimed to have done this by deciphering the elliptic-curve cryptography that the firm used to protect its data. According to an interview with an alleged member, they found a buyer for Trump information, but this cannot be confirmed. In the same interview, the member claimed that they would bring in $100 million ransoms in 2020.

On 16 May 2020, the group released legal documents totaling a size of 2.4 GB related to the singer Lady Gaga. The following day, they released 169 "harmless" e-mails which referred to Donald Trump or contained the word 'trump'.

They were planning on selling Madonna's information, but eventually reneged.

2021

March

On 27 March 2021, REvil attacked Harris Federation and published multiple financial documents of the federation to its blog. As a result, the IT systems of the federation were shut down for some weeks, affecting up to 37,000 students.

On 18 March 2021, an REvil affiliate claimed on their data leak site that they had downloaded data from multinational hardware and electronics corporation Acer, as well as installing ransomware, which has been linked to the 2021 Microsoft Exchange Server data breach by cybersecurity firm Advanced Intel, which found first signs of Acer servers being targeted from 5 March 2021. A US$50 million ransom was demanded to decrypt the undisclosed number of systems and for the downloaded files to be deleted, increasing to US$100 million if not paid by 28 March 2021.

April

In April 2021, REvil stole plans for upcoming Apple products from Quanta Computer, including purported plans for Apple laptops and an Apple Watch. REvil threatened to release the plans publicly unless they receive $50 million.

May

On 30 May 2021, JBS S.A. was attacked by ransomware which forced the temporary shutdown of all the company’s U.S. beef plants and disrupted operations at poultry and pork plants. A few days later, the White House announced that REvil may be responsible for the JBS S.A. cyberattack. The FBI confirmed the connection in a follow-up statement on Twitter. JBS paid an $11 million ransom in Bitcoin to REvil.

June

On 11 June 2021, Invenergy reported that they were attacked by ransomware. Later, REvil claimed to be responsible.

July

On 2 July 2021, hundreds of managed service providers had REvil ransomware dropped on their systems through Kaseya desktop management software. REvil demanded $70 million to restore encrypted data. As a consequence the Swedish Coop grocery store chain was forced to close 800 stores during several days.

On 7 July 2021, REvil hacked the computers of Florida-based space and weapon-launch technology contractor HX5, which counts the Army, Navy, Air Force, and NASA among its clients, publicly releasing stolen documents on its Happy Blog. The New York Times judged the documents to not be of "vital consequence".

After a July 9 phone call between United States president Joe Biden and Russian president Vladimir Putin, Biden told the press, "I made it very clear to him that the United States expects when a ransomware operation is coming from his soil even though it’s not sponsored by the state, we expect them to act if we give them enough information to act on who that is." Biden later added that the United States would take the group's servers down if Putin did not.

On 13 July 2021, REvil websites and other infrastructure vanished from the internet. Politico cited an unnamed senior administration official as stating that "we don't know exactly why they've Evilstood down;" the official also did not discount the possibility that Russia shut down the group or forced it to shut down.

On 23 July 2021, Kaseya announced it had received the decryption key for the files encrypted in the July 2 Kaseya VSA ransomware attack from an unnamed "trusted third party", later discovered to be the FBI who had withheld the key for three weeks, and was helping victims restore their files. The key was withheld to avoid tipping off REvil of an FBI effort to take down their servers, which ultimately proved unnecessary after the hackers went offline without intervention.

September

In September 2021, Romanian cybersecurity firm Bitdefender published a free universal decryptor utility to help victims of the REvil/Sodinokibi ransomware recover their encrypted files, if they were encrypted before July 13, 2021. From September until early November, the decryptor was used by more than 1,400 companies to avoid paying over $550 million in ransom and allow them to recover their files.

On 22 September 2021, malware researchers identified a backdoor built into REvil malware that allowed the original gang members to conduct double-chats and cheat their affiliates out of any ransomware payments. Ransomware affiliates who were cheated reportedly posted their claims on a "Hacker's Court", undermining trust in REvil by affiliates. Newer versions of REvil malware reportedly had the backdoor removed.

October

On 21 October 2021, REvil servers were hacked in a multi-country operation and forced offline. VMWare's head of cybersecurity strategy said "The FBI, in conjunction with Cyber Command, the Secret Service and like-minded countries, have truly engaged in significant disruptive actions against these groups,”. A REvil gang member attempted to restore their servers from backups that had also been compromised.

Investigations and criminal charges

As part of Operation GoldDust involving 17 countries, Europol, Eurojust and INTERPOL, law enforcement authorities arrested five individuals tied to Sodinokibi/REvil and two suspects connected to GandCrab ransomware. They are allegedly responsible for 5,000 infections, and collected half a million euros in ransomware payments.

On 8 November 2021, the United States Department of Justice unsealed indictments against Ukrainian national Yaroslav Vasinskyi and Russian national Yevgeniy Polyanin. Vasinskyi was charged with conducting ransomware attacks against multiple victims including Kaseya, and Polyanin was charged with conducting ransomware attacks against multiple victims including Texas businesses and government entities. The Department worked with the National Police of Ukraine for the charges, and also announced the seizure of $6.1 million tied to ransomware payments. Vasinskyi, also known as Rabotnik, was arrested while crossing the border from Ukraine to Poland on 8 October 2021 and was extradited to the United States in 2022. He pleaded guilty to cybercrime and money laundering charges, and on 1 May 2024 was sentenced to 13 years and seven months in prison and ordered to pay $16 million in restitution. , Polyanin remains at large, and is thought by the FBI to reside in Russia, possibly in Barnaul.

In January 2022, the Russian Federal Security Service said they had dismantled REvil and charged several of its members after being provided information by the US.

The Fluffy

There is a hacker group called Fluffy with Headquarters in Corrèze, known to have an affiliation with REvil, that primarily uses typosquatting, cybersquatting and keyword stuffing. This hacker group has distributed Magniber ransomware, Sodinokibi, and GandCrab, BlueCrab (It is the next version of GandCrab is the same variant that was used in the Kaseya VSA ransomware attack). In France, it is known as Fluffy, in Germany as Talentfrei, in Australia and English speaking countries as "Emma Hill", and in South Korea as Nebomi (meaning "Four Seasons Blossom" in Korean). Fluffy is known to have claimed a number of victims, especially in South Korea.

The campaign in which Fluffy first targeted South Korea is known as Magniber, and it utilized an exploit kit before the emergence of various modified payloads. The techniques employed by these modified payloads vary, but they share a commonality in utilizing standardized technologies supported by web browsers or operating systems, such as URI scheme and BASE64, unlike exploit kits that leverage zero-day vulnerabilities. Users receive security warnings from their operating systems before executing the files; however, the information provided by the attackers is often sufficient for users to decide to disregard the security alerts.

Following the introduction of these altered payloads in South Korea, Fluffy immediately referred to themselves as Nebomi and continued with ransomware attacks. The Seoul Central District Prosecutors' Office announced in November 2023 that accomplices assisting them in South Korea were prosecuted. According to the announcement, during the process of investigating the suspects, records of funds being transferred to Lazarus Group were also discovered. It is unclear whether it is related to the ongoing ransomware investigation, but according to a media report in December 2023, The Supreme Court of Korea claimed that it experienced a cyberattack by the Lazarus Group, resulting in the leakage of sensitive data.

Fluffy is presumed to assist in the distribution of various types of ransomware, ranging from Magniber and REvil to LockBit, leveraging successful cases of watering hole attacks they have executed. For example, it is believed that they may be implicated in incidents such as the successful cyber attack on Toshiba's French branch in May 2021, the claimed cyber attack on the Doosan Group in August 2022, and the claimed cyber attack on the National Tax Service (South Korea) in March 2023.

At times, they employed relatively simple methods, such as emails, for the distribution of REvil ransomware (also known as GandCrab). The content of these emails typically involved impersonating law enforcement agencies. The senders of these emails were two individuals under the age of 19, who claimed to have committed such crimes in response to a proposition that said, "If you join in sending ransomware, we'll share the profits." In the trial held at the Seoul Central District Court in August 2021, they were sentenced to 2 years and 1 year 6 months of imprisonment. One of them had already received a 10-year prison sentence for participating in another campaign.

References

{{Hacking in the 2020s

Hacker groups
Ransomware
Cybercrime