Reconstructing the most mysterious hacker organization: REvil

REvil suddenly disappeared from the dark web.

Since July 13, the ransom pages, payment portal and chat functions of this globally notorious ransomware operation, all of them extremely busy until then, have returned only "cannot find a server with the specified hostname" to anyone who visits.

On the 14th, the British Broadcasting Corporation (BBC) quoted a self-proclaimed REvil member as saying that the FBI had disabled some functions of REvil's website, so the group simply took the site down entirely. He added that the organization was also under pressure from the Kremlin: "Russia is tired of the United States and other countries crying to them."

Before that, US President Biden had asked Russian President Putin to take action against REvil, while Kremlin spokesman Peskov asked the US to show evidence of hacker activity on Russian territory.

Why does the United States keep such a close eye on REvil? The story starts with REvil's demand for a ransom of 70 million US dollars, the largest in history.

A "group purchase price" for ransom: REvil breaks the extortion record

Kaseya is a US IT management software company headquartered in Miami, Florida. It holds patents, granted by the U.S. Patent Office in 1999, on Kaseya VSA (Virtual System Administrator) and on its connection algorithm.

Kaseya VSA is a remote monitoring and management (RMM) platform, offered both as a cloud (SaaS) service and as an on-premises server, and built for managed service providers (MSPs). An MSP runs its own Network Operations Center (NOC) and sells 24×7×365 system management to enterprises; through the VSA agent installed on each endpoint it can remotely administer, monitor in real time and report on the operation of its customers' systems.

Kaseya has more than 10,000 customers worldwide, including more than half of the world's top 100 IT managed service providers and leading companies in banking, finance, retail, trade, education, government, healthcare and transportation. By the end of 2011, more than 13 million endpoints and devices worldwide were being managed through Kaseya software.

It is precisely because so many large enterprises and technical service providers rely on Kaseya VSA that Kaseya was chosen as the target of this attack.

For a ransomware group, an MSP is truly high-value prey: a single vulnerability in the MSP's tooling opens a path into every company it manages. Exploiting it, however, requires a deep understanding of the MSP and the software it uses. REvil understands this very well.

REvil maintains a technical team dedicated to MSPs and has long studied these companies and the software they commonly use. Like other ransomware, REvil's payload locks the victim's machine until the victim pays the ransom in the form demanded.

Example of the screen a ransomware victim sees on an enterprise endpoint

REvil carefully prepared for this attack.

Large-scale ransomware attacks are usually launched late at night on weekends, when the fewest people are watching the network. This time REvil did the opposite and struck between 10 am and 12 noon on a Friday. On a weekday the companies that buy Kaseya services (mostly in Europe and the Americas) are at work, so the impact of the extortion is maximized; at the same time, Friday before the weekend is when employees are most relaxed and least productive, and they are unlikely to mount a defensive response in the first hours.

REvil’s orchestrated attack went smoothly.

Around noon on Friday, July 2, Kaseya began receiving customer reports that endpoints managed by on-premises VSA servers were behaving abnormally. Investigating those reports, Kaseya's executive team found ransomware executing on the endpoints. They notified on-premises customers to shut down their VSA servers immediately and at the same time took Kaseya's own VSA SaaS infrastructure offline.

Unfortunately, the response was still a step too slow.

REvil attack path

Through its investigation, Kaseya's security team found that the attackers had exploited a vulnerability in Kaseya VSA itself, and announced that a patch would be released as soon as possible.

Once a VSA server fell, the ransomware was immediately pushed out through its remote management channel to every company that server managed. Because Kaseya's customers include large IT service providers that each outsource IT for hundreds of companies, thousands of companies are estimated to be affected, in at least 17 countries including the United Kingdom, Canada and South Africa.

In a post on its dark web blog on July 4, REvil claimed to have locked more than one million systems and demanded a "group purchase price" of US$70 million, payable in Bitcoin. According to the post, once the ransom was received REvil would publish, within one hour, a decryptor capable of unlocking every affected system.

REvil’s blog page on the dark web

According to Huntress, one of the security companies involved in the response, this was the largest attack REvil had ever launched. More than 3,100 Kaseya VSA servers were exposed on the public Internet (9 of them in Hong Kong, China), more than 50 MSPs and more than 1,000 downstream companies were affected, and as many as 40,000 computers worldwide may have been infected.

Distribution of victims: the darker the color, the greater the number of victims and the greater the impact

Virginia Tech, the Swedish grocery chain Coop, the Swedish state-owned rail operator SJ, the Italian Miroglio group and Extenda Retail were all affected; the British fashion brand French Connection, the Brazilian medical diagnostics company Grupo Fleury and the Spanish telecom operator MasMovil Ibercom have all been extorted.

At this point it is no longer a matter between one or two companies and a hacker group.

On July 4, US President Biden ordered a full federal investigation. On the 9th, Biden spoke with Putin by phone. Afterwards Biden told reporters: "I made it clear to him that the United States expects Russia to take immediate action against ransomware organizations that target other countries, even if the organization is not state-sponsored. The United States can provide sufficient information about the attackers for this." Biden later added: "If Putin does not do this, the United States will shut down the organization's servers."

According to a report by ITAR-TASS, Peskov said after the sites went offline that the Kremlin did not know why REvil had disappeared from the dark web, and stressed that Russia considers any cybercrime unacceptable: "Russia and the United States should cooperate in combating this crime. Unfortunately, I do not have detailed information about the group. But Russia and the United States have begun bilateral consultations on combating cybercrime."

An industry "model worker" that offends in the teeth of a crackdown

A $70 million ransom may sound astronomical, but it is not the first time REvil has asked for an outsized sum.

REvil is also known as Sodinokibi. Because its code is derived from that of GandCrab, once the largest RaaS (ransomware-as-a-service) operation, REvil has been regarded as GandCrab's "successor".

"A great master produces a great apprentice." Starting from such a high base, REvil has been bolder still.

It was the theft of nearly 1 TB of data from Grubman Shire Meiselas & Sacks, a law firm serving the world's film and entertainment superstars, that made REvil's name overnight. Since then REvil has been closely associated with celebrities such as Lady Gaga, Elton John, Robert De Niro and Madonna.

In May 2020, REvil claimed to have broken the elliptic-curve cryptography with which a company of US President Donald Trump protected its data, and demanded a $42 million ransom for the data it had stolen.

Having become a "superstar" of the hacking world, REvil offends at a rate that earns it the title of industry "model worker": in 2021 alone it has made headlines at least once a month, all year round.

  • In March, a REvil affiliate claimed online to have deployed ransomware at, and stolen large amounts of data from, the multinational hardware and electronics company Acer, demanding a US$50 million ransom;
  • Also in March, REvil attacked the Harris Federation and published several of the Federation's financial documents on its blog;
  • In April, REvil stole Quanta Computer's schematics for upcoming Apple products and threatened to publish them unless it received a US$50 million ransom;
  • In May, JBS, the world's largest meat supplier, was hit by REvil ransomware; the company had to temporarily close all of its US beef plants and halt operations at its poultry and pork plants. JBS eventually paid REvil $11 million in Bitcoin;
  • In June, the global renewable energy company Invenergy confirmed a ransomware attack on its systems, for which REvil claimed responsibility.

Governments likewise loathe REvil and have repeatedly ordered crackdowns, the United States above all.

After the REvil attack in May, all of JBS Foods' processing plants in the United States were shut down. As the world's largest beef and poultry producer and second-largest pork producer, JBS Foods supplies meat in bulk to businesses in the United States, Australia, Canada and the United Kingdom; shutting its US plants directly causes at least a short-term shortage of meat products in the United States.

If short-term shocks to the economy and people's livelihoods are not enough to rattle the White House, homeland security is the number one issue.

Sol Oriens, a subcontractor to the U.S. Department of Energy (DOE) and the National Nuclear Security Administration (NNSA) on nuclear weapon systems, suffered a ransomware attack in June. After comparing samples, experts said the attack came from REvil ransomware.


Security researchers suggested that REvil may have gained its initial access to Sol Oriens by brute-forcing weak passwords on an exposed RDP service.
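Brute-forcing an exposed RDP service is one of the most common precursors to a ransomware deployment, and it leaves a loud trace in the Windows Security log. The following is an added example, not code from the article and not REvil's or Sol Oriens' tooling, of the detection a defender would run over exported logon events: it keeps a sliding window of failed logons (Event ID 4625) per source IP, raises an alert when the count crosses a threshold, and marks the alert as a probable compromise when the same IP later obtains a successful logon (Event ID 4624). The JSON field names, the threshold, the window and every sample record are assumptions constructed for the demo; the event IDs and logon types are the real Windows values.

```python
"""Detect RDP password brute-forcing from Windows Security logon events.

Added example, not code from the article or from any vendor. It assumes the
events have already been exported as JSON lines with the fields below (by a
log shipper, for instance); the records in SAMPLE_EVENTS are constructed.
The event IDs and logon types are the real Windows values:
  4625 = failed logon, 4624 = successful logon,
  logon type 10 = RemoteInteractive (RDP), logon type 3 = Network
  (failed RDP attempts against a host with NLA enabled are logged as type 3).
"""
from collections import defaultdict
from datetime import datetime, timedelta
import json

FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
RDP_LOGON_TYPES = {3, 10}


def _event(ts, event_id, logon_type, account, src_ip):
    """Build one constructed JSON-lines record (helper for the sample data only)."""
    return json.dumps({"ts": ts, "event_id": event_id, "logon_type": logon_type,
                       "account": account, "src_ip": src_ip})


# Constructed sample: 203.0.113.7 sprays four accounts within a minute and then
# logs in as "backup"; 198.51.100.20 is a user who mistypes a password twice.
SAMPLE_EVENTS = [
    _event("2021-06-01T10:00:00", 4625, 3, "admin", "203.0.113.7"),
    _event("2021-06-01T10:00:05", 4625, 3, "administrator", "203.0.113.7"),
    _event("2021-06-01T10:00:10", 4625, 3, "backup", "203.0.113.7"),
    _event("2021-06-01T10:00:15", 4625, 3, "svc_rdp", "203.0.113.7"),
    _event("2021-06-01T10:00:20", 4625, 3, "admin", "203.0.113.7"),
    _event("2021-06-01T10:00:25", 4625, 3, "administrator", "203.0.113.7"),
    _event("2021-06-01T10:00:30", 4625, 3, "backup", "203.0.113.7"),
    _event("2021-06-01T10:00:35", 4625, 3, "svc_rdp", "203.0.113.7"),
    _event("2021-06-01T10:00:40", 4624, 10, "backup", "203.0.113.7"),
    _event("2021-06-01T10:01:00", 4625, 3, "jdoe", "198.51.100.20"),
    _event("2021-06-01T10:01:10", 4625, 3, "jdoe", "198.51.100.20"),
    _event("2021-06-01T10:01:20", 4624, 10, "jdoe", "198.51.100.20"),
]


def parse_events(lines):
    """Parse JSON-lines records and return them sorted by timestamp."""
    events = []
    for line in lines:
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: alert} for IPs with >= threshold RDP failures inside a window.

    An alert records the peak failure count, the accounts tried, and whether the
    same IP later obtained a successful RDP logon (the sign that a guess worked).
    """
    recent_failures = defaultdict(list)  # src_ip -> [(timestamp, account), ...]
    alerts = {}
    for e in events:
        if e["logon_type"] not in RDP_LOGON_TYPES:
            continue
        ip = e["src_ip"]
        if e["event_id"] == FAILED_LOGON:
            bucket = recent_failures[ip]
            bucket.append((e["ts"], e["account"]))
            # Sliding window: forget failures older than `window`.
            bucket[:] = [f for f in bucket if e["ts"] - f[0] <= window]
            if len(bucket) >= threshold:
                alert = alerts.setdefault(ip, {"failures": 0, "accounts": set(),
                                               "success_after": False})
                alert["failures"] = max(alert["failures"], len(bucket))
                alert["accounts"].update(acct for _, acct in bucket)
        elif e["event_id"] == SUCCESS_LOGON and ip in alerts:
            alerts[ip]["success_after"] = True
            alerts[ip]["compromised_account"] = e["account"]
    for alert in alerts.values():
        alert["accounts"] = sorted(alert["accounts"])
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(ip, alert)
```

The threshold and window are deliberately low so the constructed sample trips them; tune them to the host's normal failure rate before deploying. The "success_after" flag is the part worth paging on: a spray that ends in a type-10 logon from the same address is exactly the foothold described above, and the account it names is the one to disable first.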

An attack on a meat processor disrupts a city's meat supply; with an attack on a defense contractor, who knows how many classified documents the attackers took? No wonder the United States wants to hunt REvil down.

REvil, however, showed no fear; otherwise it would not have attacked Kaseya just two days into July.

Everyone already knows the ending: REvil's dark web sites and applications are now all offline.

The extortionist "runs away": where do the extorted companies turn?

Hacker groups tend to demand ransom in Bitcoin; the best-known example is REvil asking Kaseya to pay $70 million in Bitcoin.

Bitcoin is not the only option, though: REvil has also demanded Monero.

Once REvil's malware gets into a system it encrypts the files stored on the endpoint and drops a text file containing the ransom note. The note directs the victim to a "victim portal" hosted on Tor (the anonymity network that typically hosts the dark web), where the next steps are dictated.
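A responder arriving at an encrypted estate first needs to know which files were hit and where the note points. The following is an added example of that triage, not the article's code and not REvil's: it classifies files by byte entropy (ciphertext is close to 8 bits per byte), skips known compressed formats that would otherwise look encrypted, finds the ransom note by keyword and pulls the Tor victim-portal address out of it. The directory layout, the appended extension ".k7x9p", the note file name "README-RESTORE.txt", its text and its .onion address are all constructed assumptions; the page does not specify REvil's own.

```python
"""Triage a file tree after a ransomware incident.

Added example, not code from the article. The page does not give REvil's note
file name or renamed-extension scheme, so nothing here depends on them: files
are classified by byte entropy (encrypted data is close to 8 bits per byte),
ransom notes are found by keyword, and any Tor (.onion) victim-portal URL in a
note is extracted. The sample tree (names, extension ".k7x9p", the note text
and its .onion address) is constructed for the demo in a temporary directory.
"""
import math
import os
import re
import tempfile
import zipfile
from collections import Counter
from pathlib import Path

ENTROPY_THRESHOLD = 7.5  # bits/byte; assumption: documents and text sit far below this
MIN_SIZE = 64            # entropy of very small files is meaningless; treat them as clean
NOTE_KEYWORDS = ("your files", "decrypt", "tor browser", ".onion", "bitcoin", "monero")
ONION_RE = re.compile(r"https?://[a-z2-7]{16,56}\.onion\S*", re.IGNORECASE)
# Legitimately high-entropy formats that must not be mistaken for encrypted files.
COMPRESSED_MAGIC = (b"PK\x03\x04", b"\x1f\x8b", b"\xff\xd8\xff", b"\x89PNG", b"%PDF")
FAKE_ONION = "http://" + "a" * 56 + ".onion/victim"  # constructed, not a real address


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_note(data: bytes) -> bool:
    """A ransom note is text that hits at least three of the usual keywords."""
    text = data.decode("utf-8", errors="ignore").lower()
    return sum(1 for k in NOTE_KEYWORDS if k in text) >= 3


def triage(root) -> dict:
    """Walk `root`, split its files into encrypted / notes / clean, collect portal URLs."""
    root = Path(root)
    result = {"encrypted": [], "notes": [], "clean": [], "portals": set()}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        data = path.read_bytes()
        if looks_like_note(data):
            result["notes"].append(rel)
            text = data.decode("utf-8", errors="ignore")
            result["portals"].update(m.group(0) for m in ONION_RE.finditer(text))
        elif (len(data) >= MIN_SIZE
              and not data.startswith(COMPRESSED_MAGIC)
              and shannon_entropy(data) >= ENTROPY_THRESHOLD):
            result["encrypted"].append(rel)
        else:
            result["clean"].append(rel)
    for key in ("encrypted", "notes", "clean"):
        result[key].sort()
    result["portals"] = sorted(result["portals"])
    return result


def build_sample_tree(root):
    """Create the constructed incident tree: intact docs, 'encrypted' copies, a zip, a note."""
    root = Path(root)
    (root / "finance").mkdir(parents=True, exist_ok=True)
    (root / "hr").mkdir(parents=True, exist_ok=True)
    report = ("Quarterly sales report.\nRegion, Units, Revenue\n" * 40).encode()
    handbook = ("Employee handbook. Section 1: working hours and leave.\n" * 30).encode()
    (root / "finance" / "Q2-report.txt").write_bytes(report)
    (root / "hr" / "handbook.txt").write_bytes(handbook)
    # 'Encrypted' copies: random bytes stand in for ciphertext, with an appended extension.
    (root / "finance" / "Q2-report.txt.k7x9p").write_bytes(os.urandom(8192))
    (root / "hr" / "handbook.txt.k7x9p").write_bytes(os.urandom(8192))
    # A legitimate archive: high entropy, but its magic bytes mark it as a known format.
    with zipfile.ZipFile(root / "hr" / "archive.zip", "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payroll.csv", "name,amount\nalice,100\nbob,200\n" * 200)
    note = ("YOUR FILES ARE ENCRYPTED.\nTo decrypt them, install the Tor Browser and open\n"
            f"{FAKE_ONION}\nPayment is accepted in Monero or Bitcoin.\n")
    (root / "README-RESTORE.txt").write_text(note)


def run_demo() -> dict:
    """Build the sample tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(tmp)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Entropy is a heuristic, which is why the magic-byte allowlist is there: archives, images and PDFs are the usual false positives. Once a sample is in hand, add the extension it actually appends and the real note file name as hard rules, and run the scan read-only against a mounted image rather than on the live host, so nothing the responder does touches evidence.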

The victim portal displays the demand, in this example Monero worth $50,000. If the ransom is not paid within the deadline, it doubles to US$100,000.

For extorted companies with no experience of cryptocurrency, the portal even explains where to buy Monero and where to send it:

The portal also lets victims talk directly with REvil through the "Chat Support" tab. Here the victim (blue) opens a conversation with REvil (green) to negotiate the ransom.

How does a hacker group win a victim's trust? REvil is nothing if not professional.

It offers a trial decryption: the victim submits a few encrypted files, and REvil returns them decrypted, confirming that it has the right victim and proving that it really can deliver a working decryptor.

Hard as it is to imagine, REvil even accepts haggling (discounts). The victim first obtained a 20% discount and, after several more rounds of back and forth, settled on a ransom of US$25,000, a full 50% off the original price.

REvil does not insist on Monero, either: it found Monero too obscure, with too few victims able to obtain it and too few exchanges supporting it, so if a victim asks to pay in Bitcoin, REvil agrees. In the Kaseya case, REvil asked for Bitcoin outright.

Once the ransom is paid, the victim portal is updated to provide access to the decryptor (though there is no 100% guarantee that such a tool will be delivered).

For the victim, contact with REvil is now over, and the decryptor can be used to regain access to the files. That is the complete REvil extortion process.

So in the Kaseya incident, did any company pay? The answer is yes. According to the figures collected so far, some victims have paid REvil a combined US$45,000 in ransom.

Mike Hamilton, chief information security officer of the ransomware recovery firm Critical Insight, said that one of the company's customers, who asked not to be named, was among the few Kaseya victims that paid REvil.

Now that REvil has abruptly shut down and vanished into the vastness of the network, where do the victims, those who paid and those who did not, turn?

Hamilton revealed that the customer had its insurer pay the ransom and did receive a decryptor, only to find that the decryptor did not work on all of the encrypted files. By then, every REvil website was offline.

“They’re going to end up losing a lot of data and they’re going to end up spending a lot of money to completely rebuild their network from scratch.”

Ransomware expert Allan Liska believes this stems from REvil's chaotic management of decryption keys:

My guess is [REvil] has shit decryptor key management so they may not know which key to give out to each individual victim. 

Whether or not they paid, the affected companies and individuals are left with a pile of encrypted files and a hacker group that has disappeared.

Ransomware recovery firms and organizations are, of course, actively helping victims that did not keep timely backups, but not every company can afford it. In business, after all, time is money.

Finally

REvil has gone quiet, but the speculation has not.

Some think REvil has been shut down for good this time and will not return. Some believe it is the result of US-Russian cooperation in the joint fight against cybercrime. Others think REvil's members are simply on vacation: their high-tempo crimes have already made a great deal of money, and there is no reason not to enjoy beaches and red wine while the heat is on.

Although REvil is out of the arena for now, many ransomware and hacker groups remain. As long as the Internet exists, the contest between attack and defense in cybersecurity will exist with it, and countries are stepping up joint and coordinated work in the field.

First the personal and contact information of 1.41 million doctors was stolen and openly sold; then Colonial Pipeline, the largest fuel pipeline operator, was breached and forced to shut down its entire pipeline system; now the meat supplier JBS and the IT management software provider Kaseya have been extorted. With cybersecurity incidents this frequent in the United States, the Biden administration has begun to examine the role of cryptocurrency tokens in hacking incidents.

In June, Anne Neuberger, the US deputy national security advisor for cyber, stated in a letter to business leaders that the US government is working with international partners to develop a consistent policy on when ransoms should be paid and how payments can be traced once hackers have extorted them.

And on Tuesday, Senator Gary Peters, chairman of the US Senate Committee on Homeland Security and Governmental Affairs, announced that the committee is investigating the role of tokens in recent ransomware attacks. The investigation will focus on token regulation that lets Americans benefit from this new asset class without facing the risk of ransomware.

After the wave of recent large-scale attacks, the White House said it would treat ransomware attacks with a priority comparable to terrorism. Together, these actions show a major shift in the US government's attitude toward cybercrime: against such frequent attacks, traditional diplomacy and law enforcement alone can no longer handle the cyber threats facing government and business.

The harm done by hacker groups and cybercrime is never confined to one country or place. This new, high-impact form of crime is challenging the economic and social life of a world recovering from the pandemic. Cross-border retrieval of electronic evidence, extraterritorial jurisdiction over transnational cybercrime, and cybercrime prevention will all be areas in which countries must work together in the future.

REvil is one of the most prolific and feared of all ransomware groups. If the Kaseya incident really was its last crime, it will certainly prompt fresh reflection on this year's growing ransomware threat.

Posted by: CoinYuppie. Reprinted with attribution.