REvil is a notorious ransomware gang responsible for multiple high-profile cyber attacks targeting companies of all sizes. This article explores REvil’s origins, the types of malware payloads used by REvil, and some of the most infamous attacks featuring the gang’s malware variants.

REvil: A Brief Background

REvil (Ransomware Evil) is a private group that runs a ransomware-as-a-service operation. The service model of ransomware works as follows:

• The gang’s developers create one or more functioning ransomware variants.
• The gang makes these ransomware variants available to paying customers—threat actors seeking to compromise organizations—for some form of payment.
• The type of payment can be a monthly subscription fee or an affiliate model in which the gang receives a percentage of any ransom payments received by customers.
• The developers focus most of their efforts on creating more effective ransomware strains.
• A typical service offering comes bundled with other features, such as 24/7 support, to further attract customers.

REvil’s members speak Russian and are likely to be Russian citizens. In 2019, security researcher Brian Krebs speculated that REvil was a probable rebranding by a group formerly known as GandCrab. Subsequent investigations have found that both REvil and GandCrab ransomware operations were run by the Russian-based group PINCHY SPIDER.

REvil Malware Analysis

The execution of ransomware strains on multiple machines is the final phase of a complex chain of events that starts with infiltrating a network. The payload used to carry out ransomware attacks involving REvil is known as Sodinokibi (Ransom.Sodinokibi). This payload encrypts multiple local files on the affected system and displays a ransomware note demanding payment to remove the encryption.

Sodinokibi malware has inbuilt features that help it evade detection, such as deleting the virus definition database used by Windows Defender. The malware uses a complex combination of symmetric and asymmetric encryption to lock down files. Ransom demands appear on the desktop background of infected systems with instructions to make payment using Monero cryptocurrency. Monero has additional privacy features, such as hidden addresses, that other cryptocurrencies lack, which makes payments much harder to trace.

High-Profile REvil Attacks

Security researchers and investigators believe that hundreds of companies have been victims of REvil ransomware strains. Here are four of the most high-profile incidents that exemplify the scale of REvil’s operations.

Travelex, January 2020

Foreign currency exchange and travel insurance company Travelex became one of the earliest high-profile casualties of REvil ransomware. The attack exploited security vulnerabilities in Pulse Secure, which is a corporate VPN application that facilitates remote connections to the network. Travelex paid a ransom of at least $2.3 million in the aftermath of the attack, and the financial impacts of dealing with the attack resulted in the company going into administration with the loss of 1,300 UK jobs.

From a security perspective, the mistakes made by Travelex were particularly shocking given that patches were available for the exploited vulnerabilities well over four months before the attack. Up to seven Pulse Secure VPN servers remained unpatched, which allowed threat actors to gain access without a username or password. From this initial access point, moving laterally through the network, the intruders installed REvil’s Sodinokibi ransomware strain.

Grubman Shire Meiselas & Sacks, May 2020

Another high-profile incident bearing the name of REvil was a May 2020 ransomware attack on law firm Grubman Shire Meiselas & Sacks. The law firm focuses on the media and entertainment sector, and the clients on its books include names such as Rod Stewart, Madonna, and Lady Gaga. In the attack, REvil managed to exfiltrate 756 gigabytes of private documents and correspondence from GSMS’ network.

REvil claimed responsibility for this attack on the dark web and demanded a payment of up to $21 million. REvil also attempted to auction stolen information about Bruce Springsteen on the dark web to the highest bidder, however, no bidders came forward. GSMS ultimately chose not to pay the ransom.

JBS, June 2021

JBS, the world’s largest meat supplier, became the victim of REvil’s ransomware operations in June 2021. The attack on JBS resulted in operational disruptions at slaughterhouses in the United States and Australia. Data exfiltration, in which threat actors first steal data from systems before installing ransomware, was a prominent aspect of this incident.

The JBS attack was particularly profitable for REvil. The victim paid a substantial $11 million worth of Bitcoin to decrypt systems and resume operations. The consensus among national bodies is that victims should avoid paying ransoms because such payments could incentivize future attacks. It’s clear that for JBS, resuming critical business operations took precedence over listening to the recommended advice.

Kaseya, July 2021

The attack on US IT software provider Kaseya in July 2021 made headlines around the world due to the vast scale of its impact. The Kaseya incident targeted Kaseya VSA, which is a remote computer management tool used by organizations and managed IT providers. Kaseya VSA had critical security flaws that threat actors were able to exploit.

This attack resulted in the compromise and encryption of thousands of systems belonging to well over 1,500 different businesses. The distinguishing feature that clearly identified REvil’s role in the attack was the malicious Sodinokibi payload. Arguably the most memorable outcome of the Kaseya attack was the news that Swedish grocery chain Coop had to close 800 stores because point of sale (POS) systems stopped functioning.

The Future of REvil

On July 13, 2021, in what was still the fallout of the Kaseya attack, REvil’s dark web ransomware website and blog went offline. Rumors continue to circulate in the security community and beyond about exactly what happened to REvil. The general consensus is that authorities in either the United States or Russia tracked REvil and forced the gang to cease operations.

Mounting tension between the United States and Russia over cyber incidents originating in Russia makes it arguably more likely that the Russian government forced REvil offline in an effort to ease those tensions. Whatever the truth, it appears REvil’s members and customers drew too much attention to themselves by conducting large-scale attacks that drew widespread media publicity.

In bad news for both authorities and businesses around the world trying to prevent and defend against cyber attacks, REvil resurfaced in September 2021. The gang’s blog, other connected websites, and infrastructure were back online by September 8. It seems a matter of time before the next attack involving REvil comes to light.

Preventing Initial Network Intrusions

The initial intrusion into a network is the start of all ransomware attacks. Compromised credentials obtained through phishing attacks often provide an entry point into applications and systems. Here are some tips to prevent network intrusions and ensure groups like REvil can’t install ransomware strains on your network:

• Combat against the threat of phishing emails with an anti-phishing email security solution that blocks these deceptive emails from reaching users and convincing them to give up their passwords or download malicious files.
• Consider using non-standard ports for services such as RDP that threat actors regularly try to break into.
• Use multifactor authentication for business services and applications so that even if hackers manage to guess, obtain, or steal the right password, they can’t get into a targeted system without an additional piece of evidence.
• Regularly remind employees and users about the importance of good password hygiene, which means using longer passwords that combine upper and lower cases with symbols while avoiding reusing passwords across multiple apps and services.

To learn more about IRONSCALES award-winning anti-phishing solution, please sign up for a demo today.