REVil Attacks Archives – Gridinsoft Blog https://gridinsoft.com/blogs/tag/revil-attacks/ Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe. Fri, 06 Oct 2023 03:39:55 +0000 en-US hourly 1 https://wordpress.org/?v=69989 200474804 Hack group REvil deceived their partners due to a backdoor https://gridinsoft.com/blogs/hack-group-revil-deceived-their-partners/ https://gridinsoft.com/blogs/hack-group-revil-deceived-their-partners/#respond Thu, 23 Sep 2021 21:45:42 +0000 https://blog.gridinsoft.com/?p=5952 The researchers found that the creators of REvil deceived their partners using a scheme that allowed them to decrypt any systems blocked by the ransomware and take the entire ransom for themselves. Their partners ended up with nothing. Let me remind you that REvil (aka Sodinokibi) has existed since 2019 and is considered to be… Continue reading Hack group REvil deceived their partners due to a backdoor

The post Hack group REvil deceived their partners due to a backdoor appeared first on Gridinsoft Blog.

]]>
The researchers found that the creators of REvil deceived their partners using a scheme that allowed them to decrypt any systems blocked by the ransomware and take the entire ransom for themselves.

Their partners ended up with nothing.

Such rumors have been circulating on hacker forums for a long time, but recently they were confirmed by cybersecurity researchers and malware developers. the Bleeping Computer media reports.

Let me remind you that REvil (aka Sodinokibi) has existed since 2019 and is considered to be the heir of the GandCrab ransomware. The ransomware operates according to the Ransomware-as-a-Service (RaaS, ransomware-as-a-Service) scheme, that is, malware developers deal directly with malware and payment sites, and their hired partners hack victims’ networks and encrypt devices. As a result, the ransom payments are distributed between the hack group itself and its partners, with the latter usually receiving 70-80% of the total.

Evgeny Boguslavsky, a specialist at Advanced Intel, told reporters that since at least 2020, there have been rumours on hacker forums that the creators of REvil often negotiate with victims in secret chats, while their partners do not even know about it. These rumours began to appear more often after the sudden disappearance of the ransomware DarkSide and Avaddon (the operators of the latter generally published decryption keys for their victims).

People who worked with REvil took part in these discussions, for example, the group’s partners who provided hackers with access to other people’s networks, ‘penetration testing’ services, VPN specialists, and so on.the expert said.

According to Boguslavsky, REvil administrators sometimes create a second chat, identical to the one that their partners use to negotiate with the victim. When negotiations reach a critical point, the creators of REvil step in and portray a victim who supposedly abruptly breaks off negotiations, refusing to pay the ransom. In fact, the REvil authors themselves continue negotiations with the victims, take the entire ransom and leave their partners with nothing.

Recently, these rumours have become more substantiated, as the reverse engineer reported on hack forums that the REvil malware, which RaaS operators provide to their partners for deployment on victims’ networks, contains a “cryptobackdoor”. The discovery came after Bitdefender released a versatile tool to decrypt data after the REvil attacks.

Interestingly, full control over what is happening and the ability to decrypt any system is a practice that other ransomware uses as well. So, Boguslavsky says that, according to rumours, the DarkSide operators worked the same way. After rebranding to BlackMatter, the attackers openly announced this practice, making everyone understand that they reserve the right to take over negotiations at any time without giving any reason.

The head of Advanced Intelligence, Vitaly Kremez, told Bleeping Computer that the latest REvil samples that have appeared recently, after the group restored activity, no longer has a master key that would allow decrypting any system that was blocked by REvil.

The post Hack group REvil deceived their partners due to a backdoor appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/hack-group-revil-deceived-their-partners/feed/ 0 5952
FBI Kept Secret Key To Decrypt Data After REvil Attacks https://gridinsoft.com/blogs/fbi-kept-secret-key-to-decrypt-data-after-revil-attacks/ https://gridinsoft.com/blogs/fbi-kept-secret-key-to-decrypt-data-after-revil-attacks/#respond Wed, 22 Sep 2021 16:11:48 +0000 https://blog.gridinsoft.com/?p=5948 Journalists of The Washington Post found out how the FBI obtained the key to decrypt the data, which was affected in the attacks of the REvil ransomware. First, should be recalled that the background of what is happening: last week Bitdefender published a universal utility for decrypting files affected by the attacks of the ransomware… Continue reading FBI Kept Secret Key To Decrypt Data After REvil Attacks

The post FBI Kept Secret Key To Decrypt Data After REvil Attacks appeared first on Gridinsoft Blog.

]]>
Journalists of The Washington Post found out how the FBI obtained the key to decrypt the data, which was affected in the attacks of the REvil ransomware.

First, should be recalled that the background of what is happening: last week Bitdefender published a universal utility for decrypting files affected by the attacks of the ransomware REvil (Sodinokibi). The tool works for any data encrypted before July 13, 2021.

At the time, experts reported that the tool was created in collaboration with “trusted law enforcement partners,” but the company declined to disclose any details, citing an ongoing investigation. According to people familiar with the matter, the partner was not the FBI.

July 13 is mentioned above for a reason, as on this day the entire REvil infrastructure went offline without explanation. The hacker group completely “disappeared from the radar” for a while, and as a result, many companies were left without the ability to recover their data, even if they were willing to pay the hackers a ransom.

It is important that not long before this, in early July 2021, REvil operators carried out a large-scale attack on the customers of the well-known MSP solution provider Kaseya. As a result, the cybercriminals deployed the ransomware in thousands of corporate networks, and law enforcement agencies and authorities became very interested in hackers.

Then, when the group had already “disappeared”, representatives of the injured Kaseya unexpectedly announced that they had a universal key to decrypt customer data. Then the company refused to disclose where this tool came from, limiting itself to a vague “from a trusted third party.”

However, the company assured that it is universal and suitable for all affected MSPs and their clients. Moreover, before sharing the tool with clients, Kaseya required them to sign a non-disclosure agreement.

As the Washington Post now reports, the assumptions of many cybersecurity experts were correct: Kaseya really received the key from the FBI representatives. Law enforcement officials say they infiltrated the servers of the hack group and extracted a key from there, which ultimately helped to decrypt data and 1,500 networks, including in hospitals, schools and enterprises.

However, the FBI did not immediately share the key with the victims and the company. For about three weeks, the FBI kept the key secret, intending to carry out an operation to eliminate the hack group and not wanting to reveal their cards to the criminals. But the law enforcement officers did not have time: as a result, the REvil infrastructure went offline before the operation began. Then Kaseya was given the key to decrypt the data, and Emsisoft experts prepared a special tool for the victims.

We make these decisions collectively, not unilaterally. These are challenging decisions designed to have maximum impact, and fighting such adversaries takes time, which we spend on mobilizing resources not only across the country but around the world.FBI Director Christopher Ray told Congress.

Journalists note that due to the resulting delay, it was already too late for many of the victims. For example, the publication quotes a representative of JustTech, which is one of the clients of MSP Kaseya.

The company spent more than a month restoring the systems of its customers, as restoring from backups or replacing the system is an expensive and time-consuming process:

There were more and more people who cried on the phone, asking how to continue their work. One person said, “Should I just retire? Should I just fire all my employees?.

Swedish grocery chain Coop, also affected by the attack, said it still does not know how much it would cost to temporarily close its stores:

We had to close about 700 stores and it took six days for all of them to reopen. The financial impact of what happened depends on several factors, including lost sales, as well as insurance, and the extent to which it will cover what happened.

The post FBI Kept Secret Key To Decrypt Data After REvil Attacks appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/fbi-kept-secret-key-to-decrypt-data-after-revil-attacks/feed/ 0 5948
Added utility for decrypting data after REvil attacks https://gridinsoft.com/blogs/added-utility-for-decrypting-data-after-revil-attacks/ https://gridinsoft.com/blogs/added-utility-for-decrypting-data-after-revil-attacks/#respond Fri, 17 Sep 2021 16:13:51 +0000 https://blog.gridinsoft.com/?p=5934 The Romanian company Bitdefender has published a universal utility for decrypting data affected by REvil (Sodinokibi) ransomware attacks. The tool works for any data encrypted before July 13, 2021. However, the company has so far refused to provide any details, citing an ongoing investigation. Let me remind you that on July 13 of this year… Continue reading Added utility for decrypting data after REvil attacks

The post Added utility for decrypting data after REvil attacks appeared first on Gridinsoft Blog.

]]>
The Romanian company Bitdefender has published a universal utility for decrypting data affected by REvil (Sodinokibi) ransomware attacks.

The tool works for any data encrypted before July 13, 2021.

However, the company has so far refused to provide any details, citing an ongoing investigation.

Let me remind you that on July 13 of this year the entire REvil infrastructure went offline without explanation. Then it was a question of shutting down an entire network of regular and darknet sites that were used to negotiate a ransom, drain data stolen from victims, as well as the internal infrastructure of the ransomware.

Not long before that, in early July 2021, REvil operators carried out a large-scale attack on the customers of the well-known MSP solution provider Kaseya. As a result, the cybercriminals deployed the ransomware in thousands of corporate networks. In addition, shortly before the attack on customers, Kaseya REvil hit the front pages of many publications as it attacked JBS, the world’s largest supplier of beef and poultry, as well as the second largest producer of pork. The company operates in the USA, Australia, Canada, Great Britain and so on, serving clients from 190 countries around the world.

As a result, US President Joe Biden in a telephone conversation called on Russian President Vladimir Putin to stop the attacks of ransomware hackers operating from the territory of the Russian Federation. Biden said that if Russia does not take action after that, the United States will be forced to take it on its own.

Shortly thereafter, REvil went offline for several months, and only returned to service on September 7, 2021. According to information security companies, REvil operators re-activated their old sites, created new profiles on the forums.

At the same time, Kaseya somehow obtained a universal key to decrypt its customers’ data. Then some experts suggested that Russian law enforcement officers received the decryption key from the attackers and handed it over to the FBI as a gesture of goodwill.

Now Bleeping Computer writes that until September 9 there was no evidence of new attacks and that REvil has fully resumed its activity. However, late last week, someone uploaded a new REvil sample to VirusTotal, dated September 4th. And shortly thereafter, the hackers published screenshots of the data stolen from the new victim on their website on the darknet.

The post Added utility for decrypting data after REvil attacks appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/added-utility-for-decrypting-data-after-revil-attacks/feed/ 0 5934
REvil ransomware resumed attacks https://gridinsoft.com/blogs/revil-ransomware-resumed-attacks/ https://gridinsoft.com/blogs/revil-ransomware-resumed-attacks/#respond Mon, 13 Sep 2021 16:21:31 +0000 https://blog.gridinsoft.com/?p=5918 Last week, the infrastructure of REvil (Sodinokibi) returned online after months of downtime, and now the ransomware has resumed attacks. The fact is that in July 2021, the hack group went offline without giving any reason. Then it was a question of shutting down an entire network of conventional and darknet sites that were used… Continue reading REvil ransomware resumed attacks

The post REvil ransomware resumed attacks appeared first on Gridinsoft Blog.

]]>
Last week, the infrastructure of REvil (Sodinokibi) returned online after months of downtime, and now the ransomware has resumed attacks.

The fact is that in July 2021, the hack group went offline without giving any reason. Then it was a question of shutting down an entire network of conventional and darknet sites that were used to negotiate a ransom, drain data stolen from victims, as well as the internal infrastructure of the ransomware.

Let me remind you that not long before this, in early July 2021, REvil operators carried out a large-scale attack on the customers of the well-known MSP solution provider Kaseya. For the attack, the hackers used 0-day vulnerabilities in the company’s product (VSA).

The problem was that most of the affected VSA servers were used by MSP providers, that is, companies that manage the infrastructure of other customers. This means that the cybercriminals have deployed the ransomware in thousands of corporate networks.

According to official figures, the compromise affected about 60 Kaseya clients, through whose infrastructure hackers were able to encrypt approximately 800-1500 corporate networks.

In addition, shortly before the attack on customers, Kaseya REvil hit the front pages of many publications as it attacked JBS, the world’s largest supplier of beef and poultry, as well as the second largest producer of pork. The company operates in the USA, Australia, Canada, Great Britain and so on, serving clients from 190 countries around the world.

Since it has long been known that REvil is a Russian-speaking hack group, US President Joe Biden in a telephone conversation called on Russian President Vladimir Putin to stop the attacks of ransomware hackers operating from the territory of the Russian Federation. Biden said that if Russia does not take action after that, the United States will be forced to take it on its own.

After shutting down the entire infrastructure of the hack group, many experts believed that the group had broken up and will now rebrand, in an attempt to confuse law enforcement agencies and information security companies in the United States. At the same time, Kaseya somehow obtained a universal key to decrypt its customers’ data. Then some suggested that Russian law enforcement officers received the decryption key from the attackers and handed it over to the FBI as a gesture of goodwill.

Now Bleeping Computer writes that until September 9 there was no evidence of new attacks and that REvil was fully resumed. However, late last week, someone uploaded a new REvil sample to VirusTotal, dated September 4th. And shortly thereafter, the hackers published screenshots of the data stolen from the new victim on their website on the darknet.

The publication also notes that in the past, a representative of the group, known under the nicknames Unknown or UNKN, published advertisements or the latest news about REvil operations on hacker forums. Now a new representative of the ransomware, who registered on these sites as REvil, returned to these publications and explained that, according to the hack group, Unknown was arrested and the group’s servers were compromised.

However, Bleeping Computer’s own sources told the media that REvil’s disappearance came as a surprise to law enforcement. For example, the publication provides a screenshot of a chat between an information security researcher and a representative of REvil, where the latter says that the ransomware operators simply took a break.

REvil resumed attacks

Let me also remind you that we wrote that REvil operators blackmailed Apple.

The post REvil ransomware resumed attacks appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/revil-ransomware-resumed-attacks/feed/ 0 5918
Servers of the hack group REvil are back online https://gridinsoft.com/blogs/servers-of-the-revil-are-back-online/ https://gridinsoft.com/blogs/servers-of-the-revil-are-back-online/#respond Wed, 08 Sep 2021 22:11:31 +0000 https://blog.gridinsoft.com/?p=5904 In July 2021, the infrastructure of REvil (Sodinokibi) was turned off without explanation, but now the information security specialists have noticed that the REvil servers are back online. It was about a whole network of conventional and darknet sites that were used to negotiate a ransom, leak data stolen from victims, as well as the… Continue reading Servers of the hack group REvil are back online

The post Servers of the hack group REvil are back online appeared first on Gridinsoft Blog.

]]>
In July 2021, the infrastructure of REvil (Sodinokibi) was turned off without explanation, but now the information security specialists have noticed that the REvil servers are back online.

It was about a whole network of conventional and darknet sites that were used to negotiate a ransom, leak data stolen from victims, as well as the internal infrastructure of the ransomware.

Not long before that, in early July of this year, REvil operators carried out a large-scale attack on the customers of the well-known MSP solution provider Kaseya. For the attack, the hackers used 0-day vulnerabilities in the company’s product (VSA).

The problem was that most of the affected VSA servers were used by MSP providers, that is, companies that manage the infrastructure of other customers. This means that the cybercriminals have deployed the ransomware in thousands of corporate networks.

According to official figures, the compromise affected about 60 Kaseya clients, through whose infrastructure the hackers were able to encrypt approximately 800-1500 corporate networks.the media reported.

After this attack, the hackers demanded a ransom of $70 million, and then promised to publish a universal decryptor that can unlock all computers. The group soon “lowered the bar” to $50 million.

In addition, shortly before the attack on customers, Kaseya REvil hit the front pages of many publications as it attacked JBS, the world’s largest supplier of beef and poultry, as well as the second largest producer of pork. The company operates in the USA, Australia, Canada, Great Britain and so on, serving clients from 190 countries around the world. And also REvil attacked the electronics manufacturer Acer.

Since it has long been known that REvil is a Russian-speaking hack group, US President Joe Biden in a telephone conversation asked Russian President Vladimir Putin to stop the attacks of ransomware hackers operating from the territory of the Russian Federation. Biden said that if Russia does not take action after that, the United States will be forced to take it on its own.

After shutting down the entire infrastructure of the hack group, many experts believed that the group had broken up and will now rebrand, in an attempt to confuse law enforcement agencies and information security companies in the United States.

At the same time, Kaseya somehow obtained a universal key to decrypt its customers’ data. Then some experts suggested that Russian law enforcement officers received the decryption key from the attackers and handed it over to the FBI as a gesture of goodwill.

Now, almost two months after the shutdown, experts at Recorded Future and Emsisoft have noticed that the group’s blog and site where REvil operators used to post lists of victims who refused to negotiate and pay the ransom are back online.

REvil servers back online

The last update on the site was dated July 8, 2021, that is, no new data and messages were published. It is currently unknown if this means that the hack group is back to work, the servers were turned on again by mistake, or if it has something to do with the actions of law enforcement agencies.

Let me also remind you that I talked about the fact that REvil spokesman boasts that hackers have access to ballistic missile launch systems.

The post Servers of the hack group REvil are back online appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/servers-of-the-revil-are-back-online/feed/ 0 5904
REvil ransomware operators attacked Acer and demand $50,000,000 https://gridinsoft.com/blogs/revil-ransomware-attacked-acer/ https://gridinsoft.com/blogs/revil-ransomware-attacked-acer/#respond Mon, 22 Mar 2021 16:56:15 +0000 https://blog.gridinsoft.com/?p=5283 The REvil ransomware attacked the Taiwanese company Acer (the sixth-largest computer manufacturer in the world, accounting for about 6% of all sales). Cybercriminals are demanding from the manufacturer $50,000,000, which is the largest ransom in history. At the end of last week, the hackers posted a message on their website that they had hacked Acer,… Continue reading REvil ransomware operators attacked Acer and demand $50,000,000

The post REvil ransomware operators attacked Acer and demand $50,000,000 appeared first on Gridinsoft Blog.

]]>
The REvil ransomware attacked the Taiwanese company Acer (the sixth-largest computer manufacturer in the world, accounting for about 6% of all sales). Cybercriminals are demanding from the manufacturer $50,000,000, which is the largest ransom in history.

At the end of last week, the hackers posted a message on their website that they had hacked Acer, and as proof of this statement, they shared screenshots of the files allegedly stolen from the company. Published images include documents, financial spreadsheets, bank balances, and messages.

ransomware REvil attacked Acer

Acer representatives have already commented on what is happening, but so far they avoid talking openly about the ransomware attack. Instead, the company said it had already reported the “emergency” to law enforcement agencies, but they cannot disclose details while the investigation continues.

Companies like us are constantly under attack, and we have reported recent abnormal situations observed to the relevant law enforcement and data protection authorities in multiple countries. We have continuously enhanced our cybersecurity infrastructure to protect business continuity and information integrity. We urge all companies and organizations to adhere to cyber security disciplines and best practices and be vigilant to any network activity abnormalities. reported Acer representatives.

The Record reports that analysts at Malwarebytes were able to track down another hacker site on the darknet, where victims are negotiating a ransom with attackers. Here you can see that the Acer representative was shocked by the demand of $50 million, and the negotiations were at an impasse. Journalists note that at some point, REvil operators turned to threats and vaguely advised Acer “not to repeat the fate of SolarWinds”.

ransomware REvil attacked Acer

The $50,000,000 ransom is the largest to date. The previous “record” was $30,000,000: the same REvil operators demanded the same amount from the hacked Dairy Farm company.

According to Bleeping Computer, specialist Vitaly Kremez discovered that some time ago, the REvil hack group was targeting a Microsoft Exchange server in the Acer domain.

Recently, the attackers behind the DearCry ransomware have already exploited ProxyLogon vulnerabilities to deploy the ransomware on vulnerable systems of small companies. Probably the REvil operators could have gone the same way.

Let me remind you that REvil spokesman boasts that hackers have access to ballistic missile launch systems.

The post REvil ransomware operators attacked Acer and demand $50,000,000 appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/revil-ransomware-attacked-acer/feed/ 0 5283
REvil Operators Demand $7.5 Million Ransom from Argentine Internet Provider https://gridinsoft.com/blogs/revil-operators-demand-7-5-million-ransom-from-argentine-internet-provider/ https://gridinsoft.com/blogs/revil-operators-demand-7-5-million-ransom-from-argentine-internet-provider/#respond Tue, 21 Jul 2020 16:25:02 +0000 https://blog.gridinsoft.com/?p=4079 Last weekend, one of Argentina’s largest internet providers, Telecom Argentina, suffered from REvil (Sodinokibi) ransomware attack. Malware has infected about 18,000 computers, and now REvil operators demand $7.5 million from the company. The ZDNet magazine writes that the attackers managed to gain domain administrator rights, thanks to which the ransomware quickly spread to 18,000 workstations.… Continue reading REvil Operators Demand $7.5 Million Ransom from Argentine Internet Provider

The post REvil Operators Demand $7.5 Million Ransom from Argentine Internet Provider appeared first on Gridinsoft Blog.

]]>
Last weekend, one of Argentina’s largest internet providers, Telecom Argentina, suffered from REvil (Sodinokibi) ransomware attack. Malware has infected about 18,000 computers, and now REvil operators demand $7.5 million from the company.

The ZDNet magazine writes that the attackers managed to gain domain administrator rights, thanks to which the ransomware quickly spread to 18,000 workstations.

“Oddly enough, this incident did not lead to problems with the Internet connection for the provider’s customers and did not affect the operation of telephony and cable TV services. However, due to the consequences of the attack, a number of Telecom Argentina’s official websites are still not working”, – according to journalists ZDNet.

Several employees of the affected company share on social media how the provider is coping with the crisis. It seems that immediately after the attack was detected, the company began to warn employees about what was happening, asking them to limit interaction with the corporate network, not to connect to the internal VPN network, and not to open emails with archives in attachments.

Reporters think that responsibility o the attack lies on the REvil hack group, based on a tweeted post that showed a screenshot of the ransomware site. Based on this image, the attackers demanded a ransom 109,345.35 Monero (approximately $7.53 million) from the company. The hackers promised that in case of non-payment, this amount would double in three days, making this ransom demand one of the largest this year.

REvil demand $7.5 million

Telecom Argentina officials have not yet commented on the situation, and it is not known whether the company intends to pay the cybercriminals.

Interestingly, according to local media reports, the ISP considers a malicious attachment from a letter received by one of its employees to be the starting point of this attack.

“This is not entirely consistent with regular REvil attacks, as the group usually penetrates companies’ networks through unprotected network equipment. In particular, attackers are actively exploiting vulnerabilities in Pulse Secure and Citrix VPN”, – reported in ZDNet.

However, the specialists of the information security company Bad Packets told ZDNet journalists that Telecom Argentina not only worked with Citrix VPN servers, but among them there were systems vulnerable to the CVE-2019-19781 problem (although the patch was released many months ago).

let me remind you that, information security specialists of the Danish provider KPN applied sinkholing to REvil (Sodinokibi) cryptographic servers and studied the working methods of one of the largest ransomware threats today. A very interesting analysis – I recommend it.

The post REvil Operators Demand $7.5 Million Ransom from Argentine Internet Provider appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/revil-operators-demand-7-5-million-ransom-from-argentine-internet-provider/feed/ 0 4079
IS specialists studied working methods of the REvil (Sodinokibi) ransomware operators https://gridinsoft.com/blogs/is-specialists-studied-working-methods-of-the-revil-sodinokibi-ransomware-operators/ https://gridinsoft.com/blogs/is-specialists-studied-working-methods-of-the-revil-sodinokibi-ransomware-operators/#respond Thu, 30 Jan 2020 16:28:05 +0000 https://blog.gridinsoft.com/?p=3405 Information security specialists of the Danish provider KPN applied sinkholing to REvil (Sodinokibi) cryptographic servers and studied the working methods of one of the largest ransomware threats today. Recall that REvil works under the “ransomware as a service” (RaaS) scheme, which means malware is leased to various criminal groups. “Because there are many groups, as… Continue reading IS specialists studied working methods of the REvil (Sodinokibi) ransomware operators

The post IS specialists studied working methods of the REvil (Sodinokibi) ransomware operators appeared first on Gridinsoft Blog.

]]>
Information security specialists of the Danish provider KPN applied sinkholing to REvil (Sodinokibi) cryptographic servers and studied the working methods of one of the largest ransomware threats today.

Recall that REvil works under the “ransomware as a service” (RaaS) scheme, which means malware is leased to various criminal groups.

“Because there are many groups, as well as because of the high customizability of REvil, it is extremely difficult to monitor all the operations of the encryptor and the numerous affiliate campaigns for its distribution”, – write KPN specialists.

KPN experts succeeded in synching and intercepting the messages that were exchanged infected by the ransomware computers and REvil management servers.

“We collected unique information about REvil operations, including the number of active infections, the number of infected computers per attack, and even found out a range of sums that hackers demand from their victims as a ransom”, – write researchers.

Analysts watched REvil for about five months and found more than 150,000 unique infections worldwide. All 150,000 infected machines were linked to only 148 REvil samples. Each of these samples represents a successful infection of a network of a company. Moreover, some attacks are huge, encrypting more than 3,000 unique systems. Researchers note that only a few of these attacks were discussed in the media, while many companies were silent about compromise.

REvil (Sodinokibi) working methods
REVil Attacks

According to KPN, in recent months REvil operators have requested ransoms totaling more than $38,000,000 and, on average, extort $260,000 from affected companies. In some cases, the ransom amount was $48,000, which is less than the average REvil level, but still higher than the usual $1,000-$2,000 that other extortionists demand from home users.

“If REvil manages to infect several workstations in the company’s network, the average ransom amount rises to $470,000, and in many cases, the demands of the attackers even exceeded $1,000,000”, — report KPN researchers.

It is not clear how many compromised companies agreed to pay a buyback to REvil operators, but the KPN study points to the fact that discussed above sums may be far from reality.

For example, according to Coverware, which helps victims recover from ransomware attacks and sometimes negotiates ransom on behalf of the victims, in the fourth quarter of 2019, the average ransom amount increased by 104% to $84,116, compared to $41,198 in the third quarter of 2019. Thus, REvil operators demand much more from their victims than other ransomware. Most likely, the fact is that REvil targets companies and large corporate networks, but not individual users.

Recall that according to a study, Emotet topped the rating of the most common threats in 2019. There is no good study on ransomware that appeared last year, though I think that in such a rating REvil (Sodinokibi) will take the leading place. Because some information security researchers believe that REvil is a reboot of the famous GandCrab ransomware, we can assume that we are dealing with one of the most dangerous ransomware of the decade.

The post IS specialists studied working methods of the REvil (Sodinokibi) ransomware operators appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/is-specialists-studied-working-methods-of-the-revil-sodinokibi-ransomware-operators/feed/ 0 3405