REvil is a notorious ransomware gang responsible for multiple high-profile cyber attacks targeting companies of all sizes. This article explores REvil’s origins, the types of malware payloads used by REvil, and some of the most infamous attacks featuring the gang’s malware variants.
REvil (Ransomware Evil) is a private group that runs a ransomware-as-a-service operation. The service model of ransomware works as follows:
REvil’s members speak Russian and are likely to be Russian citizens. In 2019, security researcher Brian Krebs speculated that REvil was a probable rebranding by a group formerly known as GandCrab. Subsequent investigations have found that both REvil and GandCrab ransomware operations were run by the Russian-based group PINCHY SPIDER.
The execution of ransomware on multiple machines is the final phase of a complex chain of events that starts with infiltrating a network. The payload used to carry out ransomware attacks involving REvil is known as Sodinokibi (Ransom.Sodinokibi). This payload encrypts files on the affected system and displays a ransom note demanding payment in exchange for decryption.
Sodinokibi has built-in features that help it evade detection, such as deleting the virus definition database used by Windows Defender. The malware uses a combination of symmetric and asymmetric encryption to lock files: symmetric encryption for speed, and asymmetric encryption so that the file keys cannot be recovered without the attackers’ private key. Ransom demands appear on the desktop background of infected systems with instructions to make payment in Monero cryptocurrency. Monero has additional privacy features, such as hidden addresses, that other cryptocurrencies lack, which makes payments much harder to trace.
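The Windows Defender tampering described above is observable in process-creation telemetry, which makes it a useful detection point for defenders. The following is an added example, not code from this article or from IRONSCALES: a small rule that scans constructed process-creation events (JSON lines; the field names are an assumption about one EDR product's format) and flags invocations of Defender's command-line tool that remove signature definitions. The MpCmdRun.exe -RemoveDefinitions switch is a real Defender option; treating the `-` and `/` switch prefixes as equivalent, and escalating severity when the parent process lives in a user-writable directory, are heuristics chosen for this example.

```python
"""Flag process-creation events that remove Microsoft Defender signature definitions.

Added example (not the article's or IRONSCALES' code). SAMPLE_EVENTS are constructed
telemetry lines, not real logs; the JSON field names are an assumption.
"""
import json
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample events. Paths are JSON-escaped (\\ becomes \ after parsing).
SAMPLE_EVENTS = r"""
{"ts":"2021-07-02T13:05:11Z","host":"WS-0412","user":"CORP\\jsmith","image":"C:\\Program Files\\Windows Defender\\MpCmdRun.exe","cmdline":"\"C:\\Program Files\\Windows Defender\\MpCmdRun.exe\" -RemoveDefinitions -All","parent":"C:\\Users\\jsmith\\AppData\\Local\\Temp\\update.exe"}
{"ts":"2021-07-02T13:05:12Z","host":"WS-0412","user":"CORP\\jsmith","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c dir","parent":"C:\\Windows\\explorer.exe"}
{"ts":"2021-07-02T09:30:00Z","host":"SRV-01","user":"CORP\\admin","image":"C:\\Program Files\\Windows Defender\\MpCmdRun.exe","cmdline":"MpCmdRun.exe -SignatureUpdate","parent":"C:\\Windows\\System32\\svchost.exe"}
{"ts":"2021-07-02T14:00:00Z","host":"WS-0099","user":"CORP\\helpdesk","image":"c:\\programdata\\microsoft\\windows defender\\platform\\4.18.0.0-0\\mpcmdrun.exe","cmdline":"mpcmdrun.exe /removedefinitions /engine","parent":"C:\\Windows\\System32\\cmd.exe"}
"""

# Parent processes launched from these locations are treated as more suspicious
# (heuristic: legitimate definition maintenance is not normally driven from Temp/AppData).
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata|downloads)\\|\\temp\\", re.IGNORECASE)


@dataclass
class Alert:
    ts: str
    host: str
    user: str
    severity: str
    reason: str


def image_name(path: str) -> str:
    """Lower-cased file name of an image path, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def cmd_tokens(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace outside double quotes.

    Windows command lines do not use POSIX escaping, so a small tokenizer is
    safer than shlex here. Surrounding quotes are stripped and tokens lower-cased.
    """
    return [t.strip('"').lower() for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def evaluate(event: dict) -> Optional[Alert]:
    """Return an Alert if the event is MpCmdRun.exe removing definitions, else None."""
    if image_name(event.get("image", "")) != "mpcmdrun.exe":
        return None
    tokens = cmd_tokens(event.get("cmdline", ""))
    # Accept both '-' and '/' as switch prefixes (assumption made by this rule).
    switches = {t.lstrip("-/") for t in tokens if t and t[0] in "-/"}
    if "removedefinitions" not in switches:
        return None
    scope = next((s for s in ("all", "engine", "dynamicsignatures") if s in switches), "unspecified")
    parent = event.get("parent", "")
    suspicious_parent = bool(USER_WRITABLE.search(parent))
    severity = "high" if scope == "all" or suspicious_parent else "medium"
    reason = f"MpCmdRun.exe -RemoveDefinitions (scope={scope}) launched by {parent or 'unknown'}"
    return Alert(event.get("ts", ""), event.get("host", ""), event.get("user", ""), severity, reason)


def scan(lines: Iterable[str]) -> List[Alert]:
    """Parse JSON-lines telemetry and collect alerts; malformed lines are skipped."""
    alerts: List[Alert] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # do not let one bad record stop the pipeline
        alert = evaluate(event)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS.splitlines()):
        print(f"[{a.severity.upper()}] {a.ts} {a.host} {a.user}: {a.reason}")
```

Run against the constructed sample, the rule raises two alerts: a high-severity one for the workstation where all definitions were removed by a child of a process in the user's Temp folder, and a medium-severity one for the engine-only removal launched from cmd.exe; the routine signature update and the unrelated cmd.exe event are ignored. In production the same logic would run over the EDR or Sysmon process-creation feed, and an allow-list for sanctioned maintenance accounts would be added to keep the medium-severity alerts manageable.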
Security researchers and investigators believe that hundreds of companies have been victims of REvil ransomware strains. Here are four of the most high-profile incidents that exemplify the scale of REvil’s operations.
Travelex, January 2020
Foreign currency exchange and travel insurance company Travelex became one of the earliest high-profile casualties of REvil ransomware. The attack exploited security vulnerabilities in Pulse Secure, which is a corporate VPN application that facilitates remote connections to the network. Travelex paid a ransom of at least $2.3 million in the aftermath of the attack, and the financial impacts of dealing with the attack resulted in the company going into administration with the loss of 1,300 UK jobs.
From a security perspective, the mistakes made by Travelex were particularly shocking given that patches were available for the exploited vulnerabilities well over four months before the attack. Up to seven Pulse Secure VPN servers remained unpatched, which allowed threat actors to gain access without a username or password. From this initial foothold, the intruders moved laterally through the network and deployed REvil’s Sodinokibi ransomware.
Grubman Shire Meiselas & Sacks, May 2020
Another high-profile incident attributed to REvil was a May 2020 ransomware attack on law firm Grubman Shire Meiselas & Sacks (GSMS). The law firm focuses on the media and entertainment sector, and the clients on its books include names such as Rod Stewart, Madonna, and Lady Gaga. In the attack, REvil managed to exfiltrate 756 gigabytes of private documents and correspondence from GSMS’ network.
REvil claimed responsibility for this attack on the dark web and demanded a payment of up to $21 million. REvil also attempted to auction stolen information about Bruce Springsteen on the dark web to the highest bidder; however, no bidders came forward. GSMS ultimately chose not to pay the ransom.
JBS, June 2021
JBS, the world’s largest meat supplier, became the victim of REvil’s ransomware operations in June 2021. The attack on JBS resulted in operational disruptions at slaughterhouses in the United States and Australia. Data exfiltration, in which threat actors first steal data from systems before installing ransomware, was a prominent aspect of this incident.
The JBS attack was particularly profitable for REvil. The victim paid a substantial $11 million worth of Bitcoin to decrypt systems and resume operations. The consensus among national bodies is that victims should avoid paying ransoms because such payments could incentivize future attacks. It’s clear that for JBS, resuming critical business operations took precedence over following that advice.
Kaseya, July 2021
The attack on US IT software provider Kaseya in July 2021 made headlines around the world due to the vast scale of its impact. The Kaseya incident targeted Kaseya VSA, which is a remote computer management tool used by organizations and managed IT providers. Kaseya VSA had critical security flaws that threat actors were able to exploit.
This attack resulted in the compromise and encryption of thousands of systems belonging to well over 1,500 different businesses. The distinguishing feature that clearly identified REvil’s role in the attack was the malicious Sodinokibi payload. Arguably the most memorable outcome of the Kaseya attack was the news that Swedish grocery chain Coop had to close 800 stores because its point-of-sale (POS) systems stopped functioning.
On July 13, 2021, in what was still the fallout of the Kaseya attack, REvil’s dark web ransomware website and blog went offline. Rumors continue to circulate in the security community and beyond about exactly what happened to REvil. The general consensus is that authorities in either the United States or Russia tracked REvil and forced the gang to cease operations.
Mounting tension between the United States and Russia over cyber incidents originating in Russia makes it arguably more likely that the Russian government forced REvil offline in an effort to ease those tensions. Whatever the truth, it appears REvil’s members and customers drew too much attention to themselves by conducting large-scale attacks that drew widespread media publicity.
In bad news for both authorities and businesses around the world trying to prevent and defend against cyber attacks, REvil resurfaced in September 2021. The gang’s blog, other connected websites, and infrastructure were back online by September 8. It seems only a matter of time before the next attack involving REvil comes to light.
The initial intrusion into a network is the start of all ransomware attacks. Compromised credentials obtained through phishing attacks often provide an entry point into applications and systems. Here are some tips to prevent network intrusions and ensure groups like REvil can’t install ransomware strains on your network:
To learn more about IRONSCALES’ award-winning anti-phishing solution, please sign up for a demo today.