REvil Ransomware Cyber Threat Intelligence: A Busy Beginning to 2020 and Showing No Signs of Slowing Down

The ransomware threat is always evolving, despite declines in activity from 2018 to 2019, threat actors have been adapting their methods and targets in response to the shifting landscape and 2020 has seen significant increases in incident volume. 

Threat actors behind ransomware attacks are finding new ways to monetize their efforts. One such tactic is the creation of Ransomware-as-a-Service (RaaS) offerings for resale to less sophisticated threat actors. 

Another trend is monetization through auctioning off victim’s data on deep and dark web forums and marketplaces. This ‘steal, encrypt and leak’ tactic is becoming a popular way to extort high-value payments from victims threatened that their sensitive data would otherwise be exposed.

Comprehensive Threat Detection: Tracking REvil

A new threat has emerged on the ransomware market recently: REvil Ransomware Team, also known as Sodinokibi.  REvil was first identified in April 2019 and has since progressed to execute a number of high-profile targeted ransomware cyber attacks throughout 2020. REvil is believed to be a successor to the highly profitable GandCrab RaaS, an operation netting US$2 billion between January 2018 and May 2019. 

Through active tracking across both deep and dark web forums, Cyberint’s Research Team has been monitoring the activities and behaviors of the group. 

Sodinokibi primarily targets managed services providers and small businesses globally, hitting MSPs in Asia, Europe, and the UK. Their toolkit is multi-faceted and includes REvil Ransomware, Privilege Escalation, PowerShell, Sodinokibi RansomWare, MinerGate, XMRig, and RIG Exploit Kit.

Since attacks target MSPs and service providers, every single leak represents a massive number of customers exposed to risk from third parties. Gaming companies, law firms, and financial service providers are all likely targets for REvil attacks, as they all involve contracts, intellectual property, and sensitive data. Thirteen or more groups are noted to be doing similar activities, with some focusing on the oil industry. 

“Big Game” Ransomware Attacks

Recently, we have observed a shift from a Ransomware-as-a-Service (RaaS) offering to the increasingly brazen ‘steal, encrypt and leak’ campaigns. Following the lead of Maze, the first ransomware group reportedly utilizing this tactic, we detected significant increases in so-called “big game” ransomware attacks throughout the first half of 2020. 

The idea is simple: instead of targeting individuals, threat actors are shifting to target high-profile corporate networks. Attempts are then made to extort considerable ransoms not just to restore the encrypted data but to prevent it from being publicly leaked or resold on the Dark Web.

REvil Ransomware Scorecard: A Growing List of Targets

Cyberint is focused on intelligence-driven detection and response, and therefore we continuously monitor and track threats, including REvil. Our research team is actively tracking the REvil malware family provided as RaaS (Ransomware-as-a-Service) across various underground marketplaces. 

2019 REvil attacks

In 2019, REvil successfully breached the backend systems of a dental software provider, deploying ransomware on end-customers’ systems and impacting hundreds of dental surgeries, predominantly in the United States.

This incident marked the third time the threat actor group has compromised a managed service provider (MSP) and used its infrastructure to deploy the REvil (Sodinokibi) ransomware. With the previous attack hijacking MSP’s infrastructure to successfully deploy ransomware on the IT network of 22 Texas counties.

2020 REvil attacks

Jan 2020 – Travelex

On New Year’s Eve, hackers launched their attack on the foreign exchange giant, Travelex. Allegedly, threat actors claimed to have gained access to the company’s computer network six months before the ransom demand, downloading 5GB of sensitive customer data that they then threatened to sell off in case of non-payment.

Feb 2020 – ‘Happy Blog’

The threat actor group has begun auctioning off sensitive data stolen from companies hit by REvill ransomware attacks. The creation of REvil’s site where data is leaked and auctioned was dubbed “Happy Blog,” and was announced on two Dark Web Russian [language] threat actor forums. The blog makes it easier for the press, and others to gain an insight into their activities.

The blog remains active and features frequent posts on new REvil victims, “naming and shaming” them to apply pressure to pay up or auction off their data. Two to three REvil victims are exposed each week, but this number is unlikely to reflect the accurate scale of the attacks. Companies from a plethora of industries are affected: consulting, financials, industrial, legal, retail, and technology. 

May 2020 – Celebrity Law Firm, Grubman Shire Meiselas & Sacks

Due to the confidentiality, sensitivity, and inherent value of their client data, law firms are increasingly falling victim to targeted ransomware gangs engaged in ‘steal, encrypt and leak,’ or in REvil’s case, ‘steal, encrypt and auction’ campaigns. 

Grubman Shire Meiselas & Sacks (GSMS), is a law firm with a client list ranging from Rod Stewart and Robert De Niro to Elton John and Madonna. It garnered significant press coverage following multiple posts on REvil’s leak site and the release of stolen data related to Lady Gaga around 12 May 2020.

REvil published an initial demand for US$21 million in ransom. GSMS did not pay up, leading to REvil doubling the ransom, as detailed in a ‘press release’ posted on their leak site. 

They also claimed to have ‘dirty laundry’ on US President Donald Trump, despite the fact that Trump was never a client of GSMS. In an interesting development, REvil subsequently published a press release on 19 May 2020, suggesting that the data, “accumulated over the entire time of [their] activity,” had been purchased by “interested people.”

June 2020 – Auctioning stolen data on owned dark site

June 2020 saw the release of a new ‘auction’ feature on REvil’s dark website allowing anonymous participants to bid directly on stolen data. Rather than attempting to sell stolen data via third-party underground forums or marketplaces, REvil decided to handle auctions on their own website. 

Accompanying the announcement were the details of the first batch of data stolen from a Canadian agricultural organization that includes accounting information, along with files and databases.

Notably, REvil assures would-be purchasers that only one copy of the data will be sold and that they will delete their own copy upon completion of the transaction. Some might question the honesty and integrity of a threat actor gang that extorts countless victims, but it’s likely that the group will adhere to their own ‘rules’ in order to maintain their reputation and secure future transactions.

REvil in the post-coronavirus world

Threat Actors are searching for new ways to profit from their cyber crimes. Many corporate targets can no longer afford to pay ransoms in the wake of the economic devastation brought about by the COVID-19 pandemic.

The recent developments such as the Happy Blog and REvil auction website can be seen as an indication of things to come. The stolen data auctions signal a change in tactics that is likely to grow in popularity. We believe that monetizing ransomware attacks through the sale of stolen data is likely to become a common occurrence going forward.

REvil still going strong

The slew of attacks is not likely to stop anytime soon. As we can tell from the above examples, threat actors connected with REvil are targeting MSPs in order to get their hands on sensitive information on end-customers. They’re motivated first and foremost by the potential for profit.

Regardless of their monetization practices, the threat of organized threat actor groups targeting organizations of all sizes with REvil ransomware attacks remains high. Organizations need to make sure they keep customer data secure and apply appropriate security measures. 

Threat detection and cyber threat hunting across both the deep and dark web remains a crucial way to gather intelligence on threats and threat actors. By gaining insights into threat actor tactics, techniques, and procedures (TTP), organizations can learn to protect themselves.

Intelligence-driven detection and response is an important component of a comprehensive security program. See how Cyberint Threat Hunting can protect your organization by combining threat intelligence with human expertise to identify weaknesses in your security posture. 

Get the latest intelligence on REvil threat in our comprehensive report Steal, Encrypt & Auction