Can't Fight That REvil Ransomware Feeling Anymore?Criminals' Beloved Ransomware Brands Seem to Have a Life of Their Own
Does it ever feel like you can't fight that REvil ransomware feeling anymore?
See Also: 2022 Voice of the CISO
Victims might be all out of love for that particular strain of crypto-locking malware, also known as Sodinokibi. It's been one of the notorious ransomware players in recent years, with the U.S. Department of Justice estimating the group has amassed more than $200 million in illicit profits since it debuted in April 2019 as an offshoot of GandCrab ransomware.
"Never underestimate the power of good branding, despite the work involved."
Ultimately, the U.S. and at least one ally appear to have begun directly targeting infrastructure used by REvil, leading to it suffering an outage last July and again last September, before the group seemed to finally go dark for good.
At the beginning of the year, in a seeming bit of "ransomware diplomacy" in the words of one expert, Russia even busted some alleged participants in the REvil operation, although chatter on cybercrime forums was that they were lower-level players.
But REvil still keeps returning, at least in name. On April 21, Israeli threat intelligence firm Kela reported that a signage manufacturer in France had been "listed on a new blog to which visitors are redirected from the former Sodinokibi (REvil) ransomware's blog."
The next day, Brett Callow, a threat analyst at Emsisoft, reported that "the operators of the site to which the URL of REvil's leak site redirects" claimed to have hit a U.S. university.
Suspicion quickly fell on a developer or other individual previously associated with the organization. "The redirect could only have been set up by somebody with access to REvil's servers, but that doesn't necessarily mean it was the work of 'Team REvil,'" he said.
On April 29, Jakub Kroustek, malware research director at Avast, reported finding in the wild a new, perhaps still-in-development version of REvil. Notably, the ransom note associated with the malware says it is from REvil/Sodinokibi.
A few hours ago, we blocked a #ransomware sample in-the-wild that looks like a new #Sodinokibi / #REvil variant. Timestamp 2022-04-27, new config, new mutex, campaign ID, etc. Funny thing... it does not encrypt files; only adds a random extension 42 BTC https://t.co/UL1ECGLpmg pic.twitter.com/A8p5SLjcZr— Jakub Kroustek (@JakubKroustek) April 29, 2022
Since then, the group has claimed more victims.
Branding Demands Commitment
Why does REvil keep coming back? Never underestimate the power of good branding, despite the work involved. As cybercrime syndicates go, it's a well-known brand, and that probably counts for something if your business is extortion.
In the words of British entrepreneur Richard Branson, founder of the Virgin Group: "Branding demands commitment; commitment to continual reinvention; striking chords with people to stir their emotions; and commitment to imagination. It is easy to be cynical about such things, much harder to be successful."
Rebranding isn't the only game in town, as some established players continue to disappear. New players also remain a constant, with Hive in particular appearing in mid-2021 and now accounting for many attacks (see: Cybercrime: Ransomware Attacks Surging Once Again).
Innovation Remains Constant
Many groups, however, have continued to reinvent their strategies for shaking down customers to stay successful. In the mid-2010s, that meant a shift from screen lockers to crypto-locking malware, aided by Bitcoin as a tough-to-trace payment mechanism.
Double extortion followed, beginning in 2019, when Maze began stealing data before encrypting systems and demanding a ransom not just for a decryptor but also a pledge to not release or sell stolen information. Many groups also post nonpaying victims' names to a dedicated data leak site, such as REvil's "Happy Blog."
On the technical front, groups also continue to devote time and energy to building better malware that can more automatically infect victims, more rapidly encrypt systems before being discovered, and use encryption that cannot be broken.
Groups have also invested or outsourced their customer-facing - really, victim-facing - operations, employing call centers to cold-call victims and verbally relay ransom demands. Likewise, for customers that opt to pay a ransom, specialist teams may guide them through the process of procuring Bitcoin - or perhaps Monero - in exchange for a promised decryptor or pledge to not leak stolen data.
At What Price Name Recognition?
Its disruption notwithstanding, REvil currently stands as a massive ransomware success story. Prior victims have included meat processing giant JBS - which paid it an $11 million ransom, Apple device manufacturer Quanta and IT managed service software vendor Kaseya.
None of REvil's likely now-former, core members appear to have been brought to justice. Perhaps that's because they reside in Russia, which has historically ignored cybercrime, provided the criminals never hack Russia or its neighbors, as well as do the occasional favor in return (see: Russia's Cybercrime Rule Reminder: Never Hack Russians).
The new version of REvil's business plan may simply be to bring that name recognition to bear as the group attempts to scare as many victims as possible into paying a seven-figure ransom. The ideal scenario for criminals is that victims pay, quickly and quietly, to avoid news of the attack becoming public, which helps attackers by making their efforts more difficult for law enforcement agencies to trace.
If the ransomware group now using the REvil brand name can keep the operation afloat for even a month before again getting disrupted by law enforcement agencies, its members stand to make a serious profit, so long as they remain out of jail long enough to spend it.
Unfortunately, the odds are on REvil Rebooted's side. On average, 46% of ransomware victims choose to pay a ransom, according to a new report from ransomware incident response firm Coveware.
Might those odds increase if a victim is dealing with attackers bearing the name of one of the worst ransomware groups in history?