In a wide-ranging interview, a REvil leader said the gang is earning $100 million per year, and provided insights into the life of a cybercriminal.
The REvil ransomware gang claims it will rake in $100 million by year’s end. That’s according to a REvil group leader in a rare Q&A with the YouTube Channel for tech blog “Russian OSINT.” During the live interview, the REvil hacker warned of a “big attack coming…linked to a very large video game developer.”
The boasting and threats come on the heels of REvil’s chief rivals, the Maze gang, announcing that it was closing up shop (see below).
The interview (Russian translation provided to Threatpost by Flashpoint) was wide-ranging and touches on the group’s operations, the money it makes, details on its high-profile attacks and the fact that the members are actively being hunted by governments around the world.
The Q&A first offered details into the group’s operations. For instance, the interviewee signaled an upcoming change in strategy.
While REvil already uses the double-extortion strategy (where companies’ files are not just encrypted but also stolen, with a threatened leak adding pressure to pay the ransom), the leader suggested that the future lie in taking that strategy further.
“Everything ultimately comes down to a shift toward leaking files and not locking them,” he said. “I personally really liked SunCrypt’s idea. DoS [denial of service] the site of the company and their infrastructure, combined with locking the files and threatening to publish them…[it] puts a lot of pressure on them…[We’re] thinking about employing a similar model.”
He also confirmed that REvil employs the ransomware-as-a-service model, where “affiliates” that carry out the attacks receive 70 to 80 percent of the “revenue” from the ransoms. The affiliates themselves are strictly vetted (much like the NetWalker gang), and are responsible for initial network infection, wiping out any backups and downloading files. REvil members meanwhile take care of ransom negotiations, software development and updates, receipt of the payment and the delivery of the decryptor.
When it comes to partners, “we have our own closed family, the selection is very rigorous and we don’t even bother talking to [amateurs],” he said. “Support only helps when it comes to negotiations. They have to master all the technical parts of the job by themselves.”
That said, the group also carries out its own attacks, he said, with a unit devoted to hacking companies – though the ransomware-as-a-service (RaaS) model is more lucrative.
He also said that Android or iOS ransomware is not in the cards for the group, because of the low value of the information stored on phones. “You have to be crazy to get involved in this,” he said. “I’m 100 percent against it.”
All of that business design has allowed REvil to claim some pretty big headlines. For instance, when asked what the biggest coups were for REvil, he cited, with pride, Travelex, Grubman Shire Meiselas & Sacks, and the 23 Texas municipalities that the gang attacked last summer.
The interviewee also took credit for two rumors associated with REvil. One, that it captured data on President Donald Trump and that REvil was behind Chile’s Banco Estado shutting all of its branches.
In the case of Trump, the files were reportedly lifted as part of the Grubman hack. “We just wished “good luck” to the NSA, FBI, and the U.S. Secret Service with the decryption of the files,” he said. “We didn’t demand money from Trump [directly]…The money for the [stolen] data was paid. I can’t tell you who bought it, though. The data had to do with tax-avoidance scheme affiliated with Trump.”
As for Banco Estado, the initial vector was email to bank employees, he said: “Yes, it really happened – we did it,” he alleged. “Often, companies do not disclose the source of the attack because they are afraid of reputational damage [affecting] their stock position.”
He added that around one-third of all companies quietly negotiate to pay the ransom, and that IT providers, insurance companies, law offices, manufacturing and the agro-industrial sector are the most-lucrative targets.
As for initial access, the interviewee said that harvesting and using administrative credentials with malware, brute-forcing Remote Desktop Protocol connections and exploiting bugs are the best avenues for attack.
“Grubman and Travelex…both were hacked through old versions of Pulsar and Citrix,” he said. “It is actually pretty stupid — we gained access to the [network] in minutes, and all due to one vulnerability that can be patched quickly.”
Attacks are likely to ramp up – and indeed the aforementioned video-game company attack is in the works but under wraps, the REvil operator claimed. But geopolitical realities will add to the momentum, according to Ilia Kolochenko, founder and CEO of web security company ImmuniWeb.
“The pandemic gradually exacerbates the situation, as budgets are being reduced, cybersecurity people are all exhausted, while employees working from home are considerably more vulnerable and susceptible to a wide spectrum of phishing attacks,” he said, via email. “Frequently, it is enough to breach one single user machine to get into a corporate network via VPN. Thus, cybercriminals are now enjoying a windfall of surging profits by effortlessly picking up low-hanging fruits in impunity. Worse, some cybersecurity professionals may sooner or later ponder all pros and cons, and given the unprecedented opportunities and low risks, will readily shift from their daily jobs to generous cyber-gangs.”
Money, Money, Money
All of this activity is in service of course to one thing: Personal enrichment.
The REvil leader noted that life as a cybercriminal started for him with video games.
“Once upon a time, when I was a kid, I installed CHLENIX [cheat config for Counter Strike] and really liked it,” he explained. That legacy lives on. The ransomware’s name is short for “Ransom Evil,” with the nomenclature inspired by the video game “Resident Evil,” according to the interview (only security researchers call it Sodinokibi, he said).
CHLENIX lead to more nefarious things, and now he’s leading a group that claims to be raking in $100 million per year. That’s less than what REvil’s precursor, GandCrab, was making. That group announced a shutdown in June 2019, after claiming to make $2 billion in a year and a half.
REvil was soon developed to take its place, and while the interviewee didn’t confirm the GandCrab connection specifically, he admitted that an earlier project was shut down to make way for a “better product.”
When asked when it would be time to step away form “the life,” he answered. “Personally, I should have stopped a long time ago. I have enough money for hundreds of years, but there is never too much money…[I hope to have] $1 billion, then $2 billion, and then if I’m in a good mood, $5 billion.”
“The [$100 million] number is merely a tip of the cybercrime revenue iceberg,” said Kolochenko. “Concomitant proliferation of cryptocurrencies makes such crimes technically uninvestigable, while law enforcement agencies and joint task forces are already overburdened with nation-state attacks, and transnational targeted attacks aimed to steal intellectual property from the largest Western companies.”
The Downside: Being Hunted
Conventional wisdom says that cyberattackers thrive in dark shadows and anonymity – but comments by the gang leader suggest that REvil members may not be as faceless as they would like.
When asked if group members could travel for instance, the answer was an uncategorical “nope.” The Russian-speaking interviewee added that, contrary to Kolochenko’s claim that being a ransomware operator is “low risk,” no one involved in ransomware would ever travel to Western countries or the United States for fear of being killed.
“We create serious problems and there is no justice for us, so killing us would be the only viable solution,” he said.
He said the group believes they are being hunted by the U.S. Secret Service, Europol and infosec companies on a daily basis, with CIA agents actively trying to infiltrate the group’s operations by posing as an affiliate applicant.
“But generally, their cover falls apart,” he noted. And as for hack-backs, “they have no idea what kind of OS we use on our servers or what kind of web servers we use… They are just hoping to get lucky. Our product…is configured to defend against them.”
Maze Closes Down
During the interview, the REvil leader also touched on its arch rival criminal group Maze, which is reportedly shuttering its operations.
According to someone identifying themselves as a Maze operator told Bleeping Computer this week that the group halted its encryption activities back in September, in order to focus on getting existing victims to pay up.
Soon after, Maze affiliates started porting over to the Egregor ransomware gang, the outlet reported.
Maze was a pioneer in the double-extortion tactic, first emerging last November. Since then, it has made waves with big strikes such as the one against Cognizant. And this summer it formed a cybercrime “cartel” – joining forces with various ransomware strains (including Egregor) sharing code, ideas and resources.
“Criminals don’t just have an epiphany and quit being criminals overnight,” said Lamar Bailey, senior director of security research at Tripwire, via email. “They shut down an operation when the return on their investment drops below the costs of running the ‘program’ or when they are about to get caught. This is no different.”
He added, “They are switching to something new, maybe Egregor, which miraculously came out at the same time Maze started shutting down. This is just like that one furniture store in town that is going out of business every few months only to reopen with a new name but with the same people and product.”
Hackers Put Bullseye on Healthcare: On Nov. 18 at 2 p.m. EDT find out why hospitals are getting hammered by ransomware attacks in 2020. Save your spot for this FREE webinar on healthcare cybersecurity priorities and hear from leading security voices on how data security, ransomware and patching need to be a priority for every sector, and why. Join us Wed., Nov. 18, 2-3 p.m. EDT for this LIVE, limited-engagement webinar.