REvil

REvil (Ransomware Evil; also known as Sodinokibi) was a Russia-based or Russian-speaking private ransomware-as-a-service (RaaS) operation. After an attack, REvil would threaten to publish the information on their page ''Happy Blog'' unless the ransom was received. In a high profile case, REvil attacked a supplier of the tech giant Apple and stole confidential schematics of their upcoming products. In January 2022, the Russian Federal Security Service said they had dismantled REvil and charged several of its members.

History

REvil recruits affiliates to distribute the ransomware for them. As part of this arrangement, the affiliates and ransomware developers split revenue generated from ransom payments. It is difficult to pinpoint their exact location, but they are thought to be based in Russia due to the fact that the group does not target Russian organizations, or those in former Soviet-bloc countries.

Ransomware code used by REvil resembles the code used by DarkSide, a different hacking group; REvil's code is not publicly available, suggesting that DarkSide is an offshoot of REvil or a partner of REvil. REvil and DarkSide use similarly structured ransom notes and the same code to check that the victim is not located in a Commonwealth of Independent States (CIS) country.

Cybersecurity experts believe REvil is an offshoot from a previous notorious, but now-defunct hacker gang, GandCrab. This is suspected due to the fact that REvil first became active directly after GandCrab shutdown, and that the ransomware both share a significant amount of code.

2020

May

As part of the criminal cybergang's operations, they are known for stealing nearly one terabyte of information from the law firm Grubman Shire Meiselas & Sacks and demanding a ransom to not publish it. The group had attempted to extort other companies and public figures as well.

In May 2020 they demanded $42 million from US president Donald Trump. The group claimed to have done this by deciphering the elliptic-curve cryptography that the firm used to protect its data. According to an interview with an alleged member, they found a buyer for Trump information, but this cannot be confirmed. In the same interview, the member claimed that they would bring in $100 million ransoms in 2020.

On 16 May 2020, the group released legal documents totaling a size of 2.4 GB related to the singer Lady Gaga. The following day, they released 169 "harmless" e-mails which referred to Donald Trump or contained the word 'trump'.

They were planning on selling Madonna's information, but eventually reneged.

2021

March

On 27 March 2021, REvil attacked Harris Federation and published multiple financial documents of the federation to its blog. As a result, the IT systems of the federation were shut down for some weeks, affecting up to 37,000 students.

On 18 March 2021, an REvil affiliate claimed on their data leak site that they had downloaded data from multinational hardware and electronics corporation Acer, as well as installing ransomware, which has been linked to the 2021 Microsoft Exchange Server data breach by cybersecurity firm Advanced Intel, which found first signs of Acer servers being targeted from 5 March 2021. A US$50 million ransom was demanded to decrypt the undisclosed number of systems and for the downloaded files to be deleted, increasing to US$100 million if not paid by 28 March 2021.

April

In April 2021, REvil stole plans for upcoming Apple products from Quanta Computer, including purported plans for Apple laptops and an Apple Watch. REvil threatened to release the plans publicly unless they receive $50 million.

May

On 30 May 2021, JBS S.A. was attacked by ransomware which forced the temporary shutdown of all the company’s U.S. beef plants and disrupted operations at poultry and pork plants. A few days later, the White House announced that REvil may be responsible for the JBS S.A. cyberattack. The FBI confirmed the connection in a follow-up statement on Twitter. JBS paid an $11 million ransom in Bitcoin to REvil.

June

On 11 June 2021, Invenergy reported that they were attacked by ransomware. Later, REvil claimed to be responsible.

July

On 2 July 2021, hundreds of managed service providers had REvil ransomware dropped on their systems through Kaseya desktop management software. REvil demanded $70 million to restore encrypted data. As a consequence the Swedish Coop grocery store chain was forced to close 800 stores during several days.

On 7 July 2021, REvil hacked the computers of Florida-based space and weapon-launch technology contractor HX5, which counts the Army, Navy, Air Force, and NASA among its clients, publicly releasing stolen documents on its Happy Blog. The New York Times judged the documents to not be of "vital consequence".

After a July 9 phone call between United States president Joe Biden and Russian president Vladimir Putin, Biden told the press, "I made it very clear to him that the United States expects when a ransomware operation is coming from his soil even though it’s not sponsored by the state, we expect them to act if we give them enough information to act on who that is." Biden later added that the United States would take the group's servers down if Putin did not.

On 13 July 2021, REvil websites and other infrastructure vanished from the internet. Politico cited an unnamed senior administration official as stating that "we don't know exactly why they've Evilstood down;" the official also did not discount the possibility that Russia shut down the group or forced it to shut down.

On 23 July 2021, Kaseya announced it had received the decryption key for the files encrypted in the July 2 Kaseya VSA ransomware attack from an unnamed "trusted third party", later discovered to be the FBI who had withheld the key for three weeks, and was helping victims restore their files. The key was withheld to avoid tipping off REvil of an FBI effort to take down their servers, which ultimately proved unnecessary after the hackers went offline without intervention.

September

In September 2021, Romanian cybersecurity firm Bitdefender published a free universal decryptor utility to help victims of the REvil/Sodinokibi ransomware recover their encrypted files, if they were encrypted before July 13, 2021. From September until early November, the decryptor was used by more than 1,400 companies to avoid paying over $550 million in ransom and allow them to recover their files.

On 22 September 2021, malware researchers identified a backdoor built into REvil malware that allowed the original gang members to conduct double-chats and cheat their affiliates out of any ransomware payments. Ransomware affiliates who were cheated reportedly posted their claims on a "Hacker's Court", undermining trust in REvil by affiliates. Newer versions of REvil malware reportedly had the backdoor removed.

October

On 21 October 2021, REvil servers were hacked in a multi-country operation and forced offline. VMWare's head of cybersecurity strategy said "The FBI, in conjunction with Cyber Command, the Secret Service and like-minded countries, have truly engaged in significant disruptive actions against these groups,”. A REvil gang member attempted to restore their servers from backups that had also been compromised.

Investigations and criminal charges

As part of Operation GoldDust involving 17 countries, Europol, Eurojust and INTERPOL, law enforcement authorities arrested five individuals tied to Sodinokibi/REvil and two suspects connected to GandCrab ransomware. They are allegedly responsible for 5000 infections, and collected half a million euros in ransomware payments.

On 8 November 2021, the United States Department of Justice unsealed indictments against Ukrainian national Yaroslav Vasinskyi and Russian national Yevgeniy Polyanin. Vasinskyi was charged with conducting ransomware attacks against multiple victims including Kaseya, and was arrested in Poland on 8 October. Polyanin was charged with conducting ransomware attacks against multiple victims including Texas businesses and government entities. The Department worked with the National Police of Ukraine for the charges, and also announced the seizure of $6.1 million tied to ransomware payments. If convicted on all charges, Vasinskyi faces a maximum penalty of 115 years in prison, and Polyanin 145 years in prison.

In January 2022, the Russian Federal Security Service said they had dismantled REvil and charged several of its members after being provided information by the US.

References

{{Hacking in the 2020s

Hacker groups
Ransomware
Cybercrime