Formation | 2019 |
---|---|
Type | Hacking |
Affiliations | Sodinokibi, GandCrab |
REvil (Ransomware Evil; also known as Sodinokibi) was a Russia-based [1] or Russian-speaking [2] private ransomware-as-a-service (RaaS) operation. [3] After an attack, REvil would threaten to publish the information on their page Happy Blog unless the ransom was received. In a high profile case, REvil attacked a supplier of the tech giant Apple and stole confidential schematics of their upcoming products. In January 2022, the Russian Federal Security Service said they had dismantled REvil and charged several of its members.
REvil recruits affiliates to distribute the ransomware for them. As part of this arrangement, the affiliates and ransomware developers split revenue generated from ransom payments. [4] It is difficult to pinpoint their exact location, but they are thought to be based in Russia due to the fact that the group does not target Russian organizations, or those in former Soviet-bloc countries. [5]
Ransomware code used by REvil resembles the code used by DarkSide, a different hacking group; REvil's code is not publicly available, suggesting that DarkSide is an offshoot of REvil [6] or a partner of REvil. [7] REvil and DarkSide use similarly structured ransom notes and the same code to check that the victim is not located in a Commonwealth of Independent States (CIS) country. [8]
Cybersecurity experts believe REvil is an offshoot from a previous notorious, but now-defunct hacker gang, GandCrab. [9] This is suspected due to the fact that REvil first became active directly after GandCrab shutdown, and that the ransomware both share a significant amount of code.
As part of the criminal cybergang's operations, they are known for stealing nearly one terabyte of information from the law firm Grubman Shire Meiselas & Sacks and demanding a ransom to not publish it. [10] [11] [12] The group had attempted to extort other companies and public figures as well.
In May 2020 they demanded $42 million from US president Donald Trump. [13] [14] The group claimed to have done this by deciphering the elliptic-curve cryptography that the firm used to protect its data. [15] According to an interview with an alleged member, they found a buyer for Trump information, but this cannot be confirmed. [16] In the same interview, the member claimed that they would bring in $100 million ransoms in 2020.
On 16 May 2020, the group released legal documents totaling a size of 2.4 GB related to the singer Lady Gaga. [17] The following day, they released 169 "harmless" e-mails which referred to Donald Trump or contained the word 'trump'. [11]
They were planning on selling Madonna's information, [18] but eventually reneged. [19]
On 27 March 2021, REvil attacked Harris Federation and published multiple financial documents of the federation to its blog. As a result, the IT systems of the federation were shut down for some weeks, affecting up to 37,000 students. [20]
On 18 March 2021, an REvil affiliate claimed on their data leak site that they had downloaded data from multinational hardware and electronics corporation Acer, as well as installing ransomware, which has been linked to the 2021 Microsoft Exchange Server data breach by cybersecurity firm Advanced Intel, which found first signs of Acer servers being targeted from 5 March 2021. A US$50 million ransom was demanded to decrypt the undisclosed number of systems and for the downloaded files to be deleted, increasing to US$100 million if not paid by 28 March 2021. [21]
In April 2021, REvil stole plans for upcoming Apple products from Quanta Computer, including purported plans for Apple laptops and an Apple Watch. REvil threatened to release the plans publicly unless they receive $50 million. [22] [23]
On 30 May 2021, JBS S.A. was attacked by ransomware which forced the temporary shutdown of all the company’s U.S. beef plants and disrupted operations at poultry and pork plants. A few days later, the White House announced that REvil may be responsible for the JBS S.A. cyberattack. The FBI confirmed the connection in a follow-up statement on Twitter. [24] JBS paid an $11 million ransom in Bitcoin to REvil.
On 11 June 2021, Invenergy reported that they were attacked by ransomware. Later, REvil claimed to be responsible. [25]
On 2 July 2021, hundreds of managed service providers had REvil ransomware dropped on their systems through Kaseya desktop management software. [26] REvil demanded $70 million to restore encrypted data. [27] As a consequence the Swedish Coop grocery store chain was forced to close 800 stores during several days. [28] [29]
On 7 July 2021, REvil hacked the computers of Florida-based space and weapon-launch technology contractor HX5, which counts the Army, Navy, Air Force, and NASA among its clients, publicly releasing stolen documents on its Happy Blog. The New York Times judged the documents to not be of "vital consequence". [30]
After a July 9 phone call between United States president Joe Biden and Russian president Vladimir Putin, Biden told the press, "I made it very clear to him that the United States expects when a ransomware operation is coming from his soil even though it’s not sponsored by the state, we expect them to act if we give them enough information to act on who that is." Biden later added that the United States would take the group's servers down if Putin did not. [31] [32]
On 13 July 2021, REvil websites and other infrastructure vanished from the internet. [33] Politico cited an unnamed senior administration official as stating that "we don't know exactly why they've [REvil] stood down;" the official also did not discount the possibility that Russia shut down the group or forced it to shut down. [34]
On 23 July 2021, Kaseya announced it had received the decryption key for the files encrypted in the July 2 Kaseya VSA ransomware attack from an unnamed "trusted third party", later discovered to be the FBI who had withheld the key for three weeks, and was helping victims restore their files. [35] The key was withheld to avoid tipping off REvil of an FBI effort to take down their servers, which ultimately proved unnecessary after the hackers went offline without intervention. [36]
In September 2021, Romanian cybersecurity firm Bitdefender published a free universal decryptor utility to help victims of the REvil/Sodinokibi ransomware recover their encrypted files, if they were encrypted before July 13, 2021. [37] From September until early November, the decryptor was used by more than 1,400 companies to avoid paying over $550 million in ransom and allow them to recover their files. [38]
On 22 September 2021, malware researchers identified a backdoor built into REvil malware that allowed the original gang members to conduct double-chats and cheat their affiliates out of any ransomware payments. [39] Ransomware affiliates who were cheated reportedly posted their claims on a "Hacker's Court", undermining trust in REvil by affiliates. Newer versions of REvil malware reportedly had the backdoor removed. [40]
On 21 October 2021, REvil servers were hacked in a multi-country operation and forced offline. VMWare's head of cybersecurity strategy said "The FBI, in conjunction with Cyber Command, the Secret Service and like-minded countries, have truly engaged in significant disruptive actions against these groups,”. A REvil gang member attempted to restore their servers from backups that had also been compromised. [41]
As part of Operation GoldDust involving 17 countries, Europol, Eurojust and INTERPOL, law enforcement authorities arrested five individuals tied to Sodinokibi/REvil and two suspects connected to GandCrab ransomware. They are allegedly responsible for 5000 infections, and collected half a million euros in ransomware payments. [42]
On 8 November 2021, the United States Department of Justice unsealed indictments against Ukrainian national Yaroslav Vasinskyi and Russian national Yevgeniy Polyanin. Vasinskyi was charged with conducting ransomware attacks against multiple victims including Kaseya, and was arrested in Poland on 8 October. Polyanin was charged with conducting ransomware attacks against multiple victims including Texas businesses and government entities. The Department worked with the National Police of Ukraine for the charges, and also announced the seizure of $6.1 million tied to ransomware payments. If convicted on all charges, Vasinskyi faces a maximum penalty of 115 years in prison, and Polyanin 145 years in prison. [43]
In January 2022, the Russian Federal Security Service said they had dismantled REvil and charged several of its members after being provided information by the US. [44]
There is a hacker group called Fluffy with Headquarters in Corrèze, known to have an affiliation with REvil, that primarily uses typosquatting, cybersquatting and keyword stuffing. This hacker group has distributed Magniber ransomware, Sodinokibi, and GandCrab, BlueCrab (It is the next version of GandCrab is the same variant that was used in the Kaseya VSA ransomware attack [45] ). In France, it is known as Fluffy, [46] in Germany as Talentfrei, [47] in Australia and English speaking countries as "Emma Hill", [48] and in South Korea as Nebomi (meaning "Four Seasons Blossom" in Korean). Fluffy is known to have claimed a number of victims, especially in South Korea. [49] [50]
The campaign in which Fluffy first targeted South Korea is known as Magniber, [51] and it utilized an exploit kit before the emergence of various modified payloads. The techniques employed by these modified payloads vary, but they share a commonality in utilizing standardized technologies supported by web browsers or operating systems, such as URI scheme and BASE64, unlike exploit kits that leverage zero-day vulnerabilities. Users receive security warnings from their operating systems before executing the files; however, the information provided by the attackers is often sufficient for users to decide to disregard the security alerts.
Following the introduction of these altered payloads in South Korea, Fluffy immediately referred to themselves as Nebomi and continued with ransomware attacks. The Seoul Central District Prosecutors' Office announced in November 2023 that accomplices assisting them in South Korea were prosecuted. According to the announcement, during the process of investigating the suspects, records of funds being transferred to Lazarus Group were also discovered. [52] It is unclear whether it is related to the ongoing ransomware investigation, but according to a media report in December 2023, The Supreme Court of Korea claimed that it experienced a cyberattack by the Lazarus Group, resulting in the leakage of sensitive data. [53]
Fluffy is presumed to assist in the distribution of various types of ransomware, ranging from Magniber and REvil to LockBit, leveraging successful cases of watering hole attacks they have executed. For example, it is believed that they may be implicated in incidents such as the successful cyber attack on Toshiba's French branch in May 2021, the claimed cyber attack on the Doosan Group in August 2022, and the claimed cyber attack on the National Tax Service (South Korea) in March 2023. [54]
At times, they employed relatively simple methods, such as emails, for the distribution of REvil ransomware (also known as GandCrab). The content of these emails typically involved impersonating law enforcement agencies. The senders of these emails were two individuals under the age of 19, who claimed to have committed such crimes in response to a proposition that said, "If you join in sending ransomware, we'll share the profits." In the trial held at the Seoul Central District Court in August 2021, they were sentenced to 2 years and 1 year 6 months of imprisonment. One of them had already received a 10-year prison sentence for participating in another campaign.
Ransomware is a type of cryptovirological malware that permanently blocks access to the victim's personal data unless a ransom is paid. While some simple ransomware may lock the system without damaging any files, more advanced malware uses a technique called cryptoviral extortion. It encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem, and difficult-to-trace digital currencies such as paysafecard or Bitcoin and other cryptocurrencies are used for the ransoms, making tracing and prosecuting the perpetrators difficult.
The Internet has a long history of turbulent relations, major maliciously designed disruptions, and other conflicts. This is a list of known and documented Internet, Usenet, virtual community and World Wide Web related conflicts, and of conflicts that touch on both offline and online worlds with possibly wider reaching implications.
Bitdefender is a Romanian cybersecurity technology company headquartered in Bucharest, Romania, with offices in the United States, Europe, Australia and the Middle East.
Dridex, also known as Bugat and Cridex, is a form of malware that specializes in stealing bank credentials via a system that utilizes macros from Microsoft Word.
Emsisoft Ltd. is a New Zealand-based anti-virus software distributed company. They are notable for decrypting ransomware attacks to restore data.
FIN7, also called Carbon Spider, ELBRUS, or Sangria Tempest, is a Russian criminal advanced persistent threat group that has primarily targeted the U.S. retail, restaurant, and hospitality sectors since mid-2015. A portion of FIN7 is run out of the front company Combi Security. It has been called one of the most successful criminal hacking groups in the world. FIN7 is also associated with GOLD NIAGARA, ITG14, ALPHV and BlackCat.
On May 7, 2021, Colonial Pipeline, an American oil pipeline system that originates in Houston, Texas, and carries gasoline and jet fuel mainly to the Southeastern United States, suffered a ransomware cyberattack that impacted computerized equipment managing the pipeline. The Colonial Pipeline Company halted all pipeline operations to contain the attack. Overseen by the FBI, the company paid the amount that was asked by the hacker group within several hours; upon receipt of the ransom, an IT tool was provided to the Colonial Pipeline Company by DarkSide to restore the system. However, the tool required a very long processing time to restore the system to a working state.
DarkSide is a cybercriminal hacking group, believed to be based in Russia, that targets victims using ransomware and extortion; it is believed to be behind the Colonial Pipeline cyberattack. It is thought that they have been able to hack and extort money from around 90 companies in the USA alone. The group provides ransomware as a service.
Conti is malware developed and first used by the Russia-based hacking group "Wizard Spider" in December, 2019. It has since become a full-fledged ransomware-as-a-service (RaaS) operation used by numerous threat actor groups to conduct ransomware attacks.
Wizard Spider, also known as Trickbot, DEV-0193, UNC2053, or Periwinkle Tempest, is a cybercrime group based in and around Saint Petersburg in Russia. Some members may be based in Ukraine. They are estimated to number about 80, some of them may not know they are employed by a criminal organisation.
On May 30, 2021, JBS S.A., a Brazil-based meat processing company, suffered a cyberattack, disabling its beef and pork slaughterhouses. The attack impacted facilities in the United States, Canada, and Australia.
On 2 July 2021, a number of managed service providers (MSPs) and their customers became victims of a ransomware attack perpetrated by the REvil group, causing widespread downtime for over 1,000 companies. The attack was carried out by exploiting a vulnerability in VSA, a remote monitoring and management software package developed by Kaseya. Two suspects were identified and one sentenced.
On October 27, 2021, a Russian hacker group known as Grief published 13 documents attributed to the National Rifle Association of America (NRA) in a ransomware scam, claimed to have hacked the organization, and threatened to release more NRA documents if the undisclosed ransom was not paid.
Ransomware as a service (RaaS) is a cybercrime business model where ransomware operators write software and affiliates pay to launch attacks using said software. Affiliates do not need to have technical skills of their own but rely on the technical skills of the operators.
Hive was a ransomware as a service (RaaS) operation carried out by the eponymous cybercrime organization between June 2021 and January 2023. The group's purpose was to attack mainly public institutions to subsequently demand ransom for release of hijacked data.
Clop is a cybercriminal organization known for its multilevel extortion techniques and global malware distribution. It has extorted more than $500 million in ransom payments, targeting major organizations worldwide. Clop gained notoriety in 2019 and has since conducted high-profile attacks, using large-scale phishing campaigns and sophisticated malware to infiltrate networks and demand ransom, threatening to expose data if demands are not met.
LockBit is a cybercriminal group proposing ransomware as a service (RaaS). Software developed by the group enables malicious actors who are willing to pay for using it to carry out attacks in two tactics where they not only encrypt the victim's data and demand payment of a ransom, but also threaten to leak it publicly if their demands are not met.
BlackCat, also known as ALPHV and Noberus, is a ransomware family written in Rust. It made its first appearance in November 2021. By extension, it is also the name of the threat actor(s) who exploit it.