REvil ransomware explained: A widespread extortion operation

REvil is a ransomware-as-a-service (RaaS) operation that has extorted large amounts of money from organizations worldwide over the past year. Its name stands for Ransomware Evil and was inspired by the Resident Evil movie series. According to recent reports from security firms, it is the most widespread ransomware threat and the group behind it doubles down on its extortion efforts by also stealing business data and threatening to release it.

REvil, also known as Sodinokibi, first appeared in April 2019 and rose to prominence after another RaaS gang called GandCrab shut down its service. In the early days of REvil, researchers and security firms identified it as a strain of GandCrab, or at least established multiple links between the two. An alleged member of the group, using the handle Unknown, confirmed in a recent interview that the ransomware was not a new creation and that it was built on top of an older codebase that the group acquired.

Developers behind RaaS operations rely on other cybercriminals known as affiliates to distribute the ransomware for them. In fact, ransomware developers earn between 20% to 30% of the illegal proceeds with the rest going to the affiliates who do the legwork of gaining access to corporate networks and deploying the malware.

The more successful a RaaS operation is, the more likely it is to attract skilled affiliates and if one operation closes, affiliates quickly shift to a different one. This happened with GandCrab in the past and more recently with the Maze group, whose members announced their retirement earlier this month and whose affiliates promptly moved to a new ransomware family called Egregor, also known as Sekhmet.

In July 2021, REvil affiliates exploited zero-day vulnerabilities in a systems management and monitoring tool developed by a company called Kaseya to compromise over 30 managed service providers (MSPs) from around the world and over 1,000 business networks managed by those MSPs. The attack attracted widespread media attention and even triggered a discussion on the topic of ransomware between US President Joe Biden and Russia’s President Vladimir Putin. Shortly after the talks, REvil’s websites stopped working and the group went silent, prompting speculation that Russian law enforcement might have taken action against it. Kaseya also received a master decryption key that worked for all victims from an unnamed “trusted third party.”

On September 9, cybercrime analysts from Flashpoint reported that REvil’s websites are back online and that a new representative for the group posted messages on underground forums to explain what happened. According to those posts, the master decryption key was generated accidentally by one of the group’s coders and was bundled with the individual decryption keys for some of the victims. The group is also working to mend relationships with its collaborators and affiliates after its abrupt disappearance, Flashpoint reported.

On November 9, the DOJ announced indictments against two suspected REvil affiliates: Yaroslav Vasinskyi, 22, from Ukraine and Yevgeniy Polyanin, 28, from Russia. Vasinskyi was charged in connection with the attack against Kaseya and was arrested in Poland. Authorities are seeking to extradite him to the US. Polyanin was charged in connection with REvil attacks against other organizations and he has not been apprehended yet, but authorities managed to seize $6.1 million in funds that he allegedly obtained from ransomware payments. 

The same day, Europol announced that five suspected REvil affiliates have been arrested since February, including two in November in Romania. The agency noted that these efforts were part of an international law enforcement operation named GoldDust that involved 17 countries and started with an investigation into GandCrab. When it was shut down in 2019, GandCrab was one of the top ransomware families. Some of the GandCrab affiliates are believed to have later moved to REvil, Europol said.

How successful is REvil?

In September, the IBM Security X-Force Incident Response team reported that one in four cybersecurity incidents it was called to remedy this year in customer networks was a ransomware infection. Furthermore, one in every three ransomware infections involved REvil/Sodinokibi.

“The ransomware strain IBM Security X-Force has seen most frequently in 2020 is Sodinokibi (also known as REvil)—a ransomware-as-a-service (RaaS) attack model that has been capitalizing on blended ransomware and extortion attacks this year,” the researchers said at the time. “This malware has been involved in ransomware and data theft attacks and in some cases, its operators stole and auctioned off sensitive data on the internet when they were not able to coerce victims to pay up. Sodinokibi also makes up 29% of all IBM Security X-Force ransomware engagements in 2020, suggesting that Sodinokibi actors are more skilled at gaining access to victim networks when compared to other ransomware strains.”

IBM Security X-Force estimated that REvil hit at least 140 organizations since it appeared in April 2019 with wholesale, manufacturing, and professional services being the most frequently targeted industries. Around 60% of the gang’s victims are organizations from the US, followed by UK, Australia and Canada.

The company also estimates that a third of REvil victims paid the ransom and that one in ten had their sensitive information auctioned off on the dark web. A third of the group’s victims had their data stolen.

The REvil gang appears to adjust its ransom requests based on the annual revenue of the victim organizations, which is why its requests varied widely between $1,500 and $42 million and up to 9% of the victim’s yearly revenue. IBM has also identified some overlap between REvil and a cybercriminal group known as FIN7, also known as Carbanak, though this might be because an affiliate contracts with both.

The IBM researchers estimate that REvil’s profits over the past year were at least $81 million. An interview by a Russian blogger with the alleged REvil group representative Unknown appears to confirm that. The cybercriminal claims the group made over $100 million from its ransomware attacks. In late September, the group deposited $1 million in bitcoin on a hacker forum in an attempt to recruit more skilled hackers to become its affiliates, BleepingComputer reported.

Data theft, extortion and empty promises

Earlier this month, Coveware, a company that specializes in ransomware incident response, reported that REvil/Sodinokibi had the largest market share among ransomware groups during the third quarter of 2020 being responsible for 16% of infections. The group also led during the previous quarter. Almost half of all ransomware cases investigated by the company also involved threats to release exfiltrated data, with an increasing number of groups adopting this technique.

“Coveware feels that we have reached a tipping point with the data exfiltration tactic,” the security firm said. “Despite some companies opting to pay threat actors to not release exfiltrated data, Coveware has seen a fraying of promises of the cybercriminals (if that is a thing) to delete the data.”

In particular, Coveware has seen incidents where victims who already paid were re-extorted by REvil a few weeks later with threats to release the same data. Other groups also failed to keep their promises by publishing the data of victims who chose to pay or by showing fake evidence of data deletion.

“Unlike negotiating for a decryption key, negotiating for the suppression of stolen data has no finite end,” the company said. “Once a victim receives a decryption key, it can’t be taken away and does not degrade with time. With stolen data, a threat actor can return for a second payment at any point in the future. The track records are too short and evidence that defaults are selectively occurring is already collecting. Accordingly, we strongly advise all victims of data exfiltration to take the hard, but responsible steps. Those include getting the advice of competent privacy attorneys, performing an investigation into what data was taken, and performing the necessary notifications that result from that investigation and counsel.”

Unknown, the REvil representative, told the Russian blogger that the group is also looking into adopting other techniques, such as launching distributed denial-of-service (DDoS) attacks to force the hand of organizations that suspend negotiations.

How REvil works

REvil is one of the ransomware programs deployed during human-operated ransomware campaigns, similar to Ryuk, WastedLocker and others. This means that after breaking in, hackers use a variety of tools and techniques to map the network, perform lateral movement, obtain domain administrator privileges, and deploy the ransomware on all computers to maximize the impact.

Since REvil is distributed by different affiliates, the initial access vectors differ among phishing emails with malicious attachments to compromised RDP (Remote Desktop Protocol) credentials and the exploitation of vulnerabilities in various public-facing services. For example, last year REvil hackers gained access to systems by exploiting a known vulnerability in Oracle Weblogic (CVE-2019-2725).

According to Coveware’s report, REvil is now distributed primarily through compromised RDP sessions (65%), phishing (16%), and software vulnerabilities (8%). Unknown also confirmed in his interview that many REvil affiliates use brute force attacks to compromise RDP.

REvil stands apart from other ransomware programs through its use of Elliptic-curve Diffie-Hellman key exchange instead of RSA and Salsa20 instead of AES to encrypt files. These cryptographic algorithms use shorter keys, are highly efficient and are uncrackable if implemented correctly.

The ransomware kills some processes on the infected machines, including email clients, SQL and other database servers, Microsoft Office programs, browsers and other tools that might keep important files locked or backed into RAM. It then deletes Windows shadow copies of files and other backups to prevent file recovery.

How to defend against REvil

Organizations should always secure their remote access with strong credentials and two-factor authentication and should consider making such services available over VPN only. All publicly exposed servers, applications, and appliances should be kept updated and should regularly be scanned for vulnerabilities, misconfiguration, and suspicious behavior. Brute force protections that block excessive login attempts with the wrong credentials should also be enabled where possible.

Inside local networks, take these actions:

• Block unneeded SMB and RPC communications between endpoints that can be used for lateral movement.
• Monitor privileged accounts for suspicious behavior.
• Reduce the attack surface on endpoints with stricter access control rules on folders and processes.
• Secure network shares.
• Train employees on how to detect phishing attempts.
• Have a data backup process in place that stores backups offsite and tests that restoring from backups can be done in a timely manner.
• Have clearly defined incident response plans in place so that action can be taken immediately if an attack is detected. It should be clear who is involved in this process and what are their responsibilities. NIST has published a draft guide on detecting and responding to ransomware.

“Certain industries, such as healthcare, may seem to be more heavily targeted than others, because of the sensitive data they hold and their relative intolerance of downtime,” the Coveware researchers said. “However, what we have observed over time is that the presence of cheap-to-exploit vulnerabilities, that happen to be common within a given industry, are what causes an industry concentration to appear.”

The Coveware researchers believe professional services such as law or accounting firms are especially vulnerable. The 4.2 million US professional services firms makes up about 14% of all businesses in the country, but make up 25% of attacks. “These firms are more likely to take the threat of ransomware less seriously,” the researchers said. “They commonly leave vulnerabilities like RDP open to the internet and are victimized much more regularly than companies in other industries. It is critical that small professional services firms recognize that there is no such thing as being ‘too small’ to be targeted. The cyber-extortion industry does not work like that. If you present a cheap vulnerability to the internet, you will get attacked. It is just a question of when, not if.”

Editor’s note: This article, originally published on November 17, 2020, has been updated to include events that occurred in July, September and November of 2021.