REvil ransomware developers say that they made more than $100 million in one year by extorting large companies across the world and across many sectors.
They are driven by profit and want to make $2 billion from their ransomware service, adopting the most lucrative trends in their pursuit of wealth.
Affiliates do the heavy lifting
A REvil representative who uses the aliases "UNKN" and "Unknown" on cybercriminal forums talked to the tech blog Russian OSINT, providing some details about the group's activity and hints of what they have in store for the future.
Like almost all ransomware gangs today, REvil runs a ransomware-as-a-service (RaaS) operation. Under this model, developers supply file-encrypting malware to affiliates, who earn the lion's share of the money extorted from victims.
With REvil, the developers take 20-30% and the rest of the paid ransom goes to the affiliates, who run the attacks, steal data, and detonate the ransomware on corporate networks.
"Most work is done by distributors and ransomware is only a tool, so they think that's a fair split," REvil representative Unknown told Russian OSINT.
This means that the developers set the ransom amount, run the negotiations, and collect the money that is later split with the affiliates.
Long list of victims
The cybercriminal operation has encrypted computers at big-name companies, among them Travelex, Grubman Shire Meiselas & Sacks (GSMLaw), Brown-Forman, SeaChange International, CyrusOne, Artech Information Systems, Albany International Airport, Kenneth Cole, and GEDIA Automotive Group.
Unknown says that REvil affiliates were able to breach the networks of Travelex and GSMLaw in only three minutes by exploiting a vulnerability in Pulse Secure VPN that had been left unpatched for months after the fix became available [1, 2].
REvil's public-facing representative says that the syndicate has hit the network of a "major gaming company" and will soon announce the attack.
They also say that REvil was responsible for the September attack against Chile's public bank, BancoEstado. The incident forced the bank to close all its branches for a day but did not affect online banking, apps, or ATMs.
Along with managed service providers (MSPs), which have access to the networks of multiple companies, the most profitable targets for REvil are companies in the insurance, legal, and agriculture sectors.
As for initial access, Unknown mentioned brute-force attacks and remote desktop protocol (RDP) exposure, combined with newly disclosed vulnerabilities.
One example is the pair of bugs tracked as CVE-2020-0609 and CVE-2020-0610 and known as BlueGate. These allow unauthenticated remote code execution in the Remote Desktop Gateway component of Windows Server 2012, 2012 R2, 2016, and 2019, so an exposed gateway that has not received the January 2020 patch is a direct way in.
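The RDP brute-force vector mentioned above is one a defender can spot in Windows Security logs before the ransomware detonates. The following is an added example written for this article, not REvil's code and not a vendor detection rule. It assumes a flat key=value export of events 4625 (failed logon) and 4624 (successful logon); the export format, the field names and the sample lines are constructed for the example. It groups failures per source IP in a sliding time window, reports how many distinct accounts were tried (one account hammered versus a password spray), and notes whether a success from the same address followed the burst.

```python
"""Flag RDP brute-force and password-spray bursts in failed-logon records.

Added example for this article: not REvil's code and not a product rule.
The key=value export format, field names and SAMPLE_LOG are constructed.
Logon Type 10 is RemoteInteractive (RDP). Type 3 is a network logon, which
is also how failed RDP attempts are recorded when Network Level
Authentication is enabled, so both types are considered by default.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: one event per line, in time order.
SAMPLE_LOG = """\
2020-10-29T02:14:01Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2020-10-29T02:14:02Z EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.7
2020-10-29T02:14:03Z EventID=4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.7
2020-10-29T02:14:04Z EventID=4625 LogonType=10 TargetUser=sql SourceIP=203.0.113.7
2020-10-29T02:14:05Z EventID=4625 LogonType=10 TargetUser=svc_backup SourceIP=203.0.113.7
2020-10-29T02:14:10Z EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.20
2020-10-29T02:15:00Z EventID=4625 LogonType=3 TargetUser=fileshare SourceIP=192.0.2.55
2020-10-29T02:15:01Z EventID=4625 LogonType=3 TargetUser=fileshare SourceIP=192.0.2.55
2020-10-29T02:15:02Z EventID=4625 LogonType=3 TargetUser=fileshare SourceIP=192.0.2.55
2020-10-29T02:15:03Z EventID=4625 LogonType=3 TargetUser=fileshare SourceIP=192.0.2.55
2020-10-29T02:15:04Z EventID=4625 LogonType=3 TargetUser=fileshare SourceIP=192.0.2.55
2020-10-29T02:15:05Z EventID=4625 LogonType=3 TargetUser=fileshare SourceIP=192.0.2.55
2020-10-29T02:16:30Z EventID=4624 LogonType=10 TargetUser=svc_backup SourceIP=203.0.113.7
2020-10-29T03:30:00Z EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)


def parse_events(text):
    """Turn export lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "eid": int(m["eid"]),
            "logon_type": int(m["lt"]),
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def detect_rdp_bruteforce(events, threshold=5, window_seconds=60, logon_types=(3, 10)):
    """Return {source_ip: summary} for IPs with >= threshold failures inside one window.

    summary["failures"] is the largest number of failures seen in any single
    window, summary["users"] the distinct accounts tried, and
    summary["success_after"] whether a 4624 from the same IP arrived at or
    after the last failure (the guessing probably succeeded).
    """
    window = timedelta(seconds=window_seconds)
    fails = defaultdict(list)
    successes = defaultdict(list)
    for ev in events:
        if ev["logon_type"] not in logon_types:
            continue
        if ev["eid"] == 4625:
            fails[ev["ip"]].append(ev)
        elif ev["eid"] == 4624:
            successes[ev["ip"]].append(ev["ts"])

    flagged = {}
    for ip, evs in fails.items():
        evs.sort(key=lambda e: e["ts"])
        times = [e["ts"] for e in evs]
        best, start = 0, 0
        for end in range(len(times)):
            # Slide the left edge of the window forward until it fits.
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best < threshold:
            continue
        last_fail = times[-1]
        flagged[ip] = {
            "failures": best,
            "users": sorted({e["user"] for e in evs}),
            "success_after": any(t >= last_fail for t in successes.get(ip, [])),
        }
    return flagged


if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(ip, info)
```

On the sample data, 203.0.113.7 is flagged with five accounts tried and a success afterwards (the spray worked), 192.0.2.55 is flagged as a single-account hammering with no success, and 198.51.100.20's two failures an hour apart stay below the threshold. Filtering only on Logon Type 10 would miss the Type 3 burst, which is why the logon types are a parameter rather than a hard-coded value.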
New money-making avenues
REvil initially made its profit from victims paying the ransom to unlock encrypted files. Since the attackers also locked backup servers, victims had few options to recover, and paying was the fastest way.
The ransomware business changed last year when operators saw an opportunity in stealing data from breached networks and started to threaten victims with damaging leaks that could have a far worse impact on the company.
Even if it takes longer and causes a significant setback, large companies can recover encrypted files from offline backups. Having sensitive data in the public domain or sold to interested parties, though, can mean losing competitive advantage and suffering reputational damage that is hard to repair.
This approach proved so rewarding that REvil now makes more money from not publishing stolen data than from decryption ransoms.
Unknown says that one in three victims are currently willing to pay the ransom to prevent the leaking of company data. This may be the next step in the ransomware business.
REvil is also considering another tactic designed to increase its odds of getting paid: hitting the victim with distributed denial-of-service (DDoS) attacks to force them to at least (re)start negotiating a payment.
SunCrypt ransomware used this tactic recently on a company that had stopped negotiations. The attackers made it clear that they had launched the DDoS attack and terminated it when negotiations resumed. REvil plans to implement this idea.
REvil's model for making money is working and the gang already has plenty in its coffers. In their search for new affiliates, they deposited $1 million in bitcoin on a Russian-speaking forum.
The move was designed to show that their operation generates plenty of profit. According to Unknown, this step is to recruit new blood to distribute the malware, as the ransomware scene is full to the brim with professional cybercriminals.
Although they have truckloads of money, REvil developers are confined to the borders of the Commonwealth of Independent States (CIS, countries of the former Soviet Union) region.
One reason for this is that attacking a large number of high-profile victims has triggered investigations from law enforcement agencies from all around the world. As such, traveling is a risk REvil developers aren't willing to take.
REvil built on older code
This ransomware syndicate is also known as Sodin or Sodinokibi, but the name REvil is inspired by the Resident Evil movie and stands for Ransomware Evil.
Their malware was first spotted in April 2019 and the group started looking for skilled hackers (elite penetration testers) shortly after GandCrab ransomware closed shop.
Unknown says that the group did not create the file-encrypting malware from scratch but bought the source code and developed on top of it to make it more powerful.
It uses elliptic curve cryptography (ECC), which needs far smaller keys than RSA-based public-key systems for the same security level (a 256-bit curve key is generally rated as comparable to a 3072-bit RSA key), with no compromise on security. Unknown says that this is one reason affiliates choose REvil over other RaaS operations like Maze or LockBit.
Before shutting down their business, GandCrab developers said they made $150 million, while the whole operation collected more than $2 billion in ransom payments.