By Jamie Tarabay
They patronize hacking forums to recruit affiliates, advertise profit-sharing schemes and provide interviews on their techniques.
REvil, the Russian-linked hacker group the FBI said is responsible for the cyberattack on JBS SA, the largest meat producer in the world, has emerged as one of the most prolific -- and public -- ransomware groups in recent years.
The hackers, also known as Sodinokibi, have been at the forefront of the ransomware-as-a-service model of cyberattacks since the group first came to prominence as a security threat in 2019. In this model, hacker groups provide malware for others to use in an attack in exchange for a cut of the ransom payments. In order to recruit talent, REvil deposited $1 million in Bitcoin as a way to give potential affiliates peace of mind that they would get paid.
"Audaciousness is part of their persona," said Allan Liska, a senior threat analyst at the cybersecurity firm Recorded Future Inc.
Ransomware has become a thorny problem for the Biden administration, particularly after an attack last month on Colonial Pipeline Co. squeezed fuel supplies along the East Coast. Other recent attacks have targeted the police department in Washington, D.C., a hospital network in California and now a major meat supplier.
Ransomware is a type of hack in which a victim's computer files are encrypted, rendering them unusable until a ransom is paid. Some ransomware groups steal files too, providing another avenue for extortion. REvil maintains a page on the dark web, called the "Happy Blog," where it leaks or auctions sensitive documents from victims as an extra incentive to pressure them to pay.
Since 2017, ransomware has come to dominate other financially motivated cyberattacks in volume and profitability, said Kelli Vanderlee, senior manager of analysis at Mandiant Threat Intelligence, part of FireEye Inc. While the attacks aren't limited to a particular type of victim, available data suggests it disproportionately affects the manufacturing sector, Vanderlee said. "There are likely several contributing factors, including the perception that manufacturers may be more likely to pay to prevent monetary losses from production downtime," she said.
REvil emerged from the former GandCrab group, a ransomware-as-a-service outfit that announced they were closing up shop in 2019, according to CrowdStrike Holdings Inc., which confirmed that REvil was behind the JBS attack. "We are getting a well-deserved retirement," GandCrab wrote, according to the cybersecurity blog KrebsonSecurity. "We are living proof that you can do evil and get off scot-free."
It's not clear if the operators of GandCrab simply rebranded themselves with a new name, or if REvil's operators bought -- or stole -- GandCrab's code. Either way, by the time GandCrab signed off, REvil was already underway as a more exclusive ransomware program that was also known as "Sodin" or "Sodinokibi."
In May 2019, a representative of the group, going by the nickname "Unknown," sought out a small number of partners on hacking forums for a new ransomware-as-a-service program. "Five affiliates more can join the program and then we'll go under the radar," according to KrebsonSecurity. "Each affiliate is guaranteed USD 10,000. Your cut is 60% at the beginning and 70% after the first three payments are made. Five affiliates are guaranteed [USD] 50,000 in total. We have been working for several years, specifically five years in this field. We are interested in professionals."
"They advertise sharing profits and provide infrastructure and ransomware, ransom negotiations and the distribution of funds," said Jon DiMaggio, chief security strategist at Virginia-based Analyst1. "They handle all the Bitcoin transactions and things of that nature."
Like many of the more established ransomware groups, REvil researches potential targets to ensure they have the means to pay, including determining if victims carry insurance against cyberattacks, he said. A REvil associate said in an interview that targeting firms with cyber-insurance was "one of the tastiest morsels."
Recorded Future said it's aware of at least 237 REvil victims since 2019.
REvil took credit for hacking the hardware supplier Quanta Computer Inc. earlier this year, and in the process published secret blueprints for new Apple Inc. devices. In 2020, REvil executed a ransomware attack against a law firm they claimed once represented some of Donald Trump's television enterprises. In 2019, the group also attacked a group of Louisiana election clerks a week before Election Day.
REvil is so immersed in the ransomware domain that its members weigh in regularly on discussions about malware on hacker forums, according to DiMaggio. They also maintain direct relationships with other ransomware groups including DarkSide, the hackers accused of being behind the May attack on Colonial Pipeline, he said.
When DarkSide's site went down after the Colonial attack, REvil alerted the hacking community about it, said DiMaggio, who has long studied Russian cybercriminal gangs. "They're extremely involved. They're the kid in class who always has to raise his hand. They're very vocal in the community."
DiMaggio and other analysts have said that REvil hackers communicate largely in Russian and steer clear of targets that use Cyrillic script -- the writing system for languages of Eastern Europe and Slavic states. In the interview, REvil's Unknown said the group avoided those countries because of geopolitics, laws and patriotism.
The arrangement also gives Russian President Vladimir Putin "plausible deniability" against accusations by the White House and others that Russia is involved in the attacks.
"The whole ransomware model fits into the tactics we've seen from Russia over the years," DiMaggio said.
The appeal for hackers is potentially big profits with minimal risks. "As a child I scrounged through the trash heaps and smoked cigarette butts," a person claiming to be REvil's "Unknown" said in a March interview with Recorded Future. "I wore the same clothes for six months. In my youth, in a communal apartment, I didn't eat for two or even three days. Now I am a millionaire."
Bloomberg