Threat Intelligence / REvil Ransomware: What’s Next?

REvil Ransomware: What’s Next?

REvil Ransomware: What’s Next?
Photon Research Team
Read More From Photon Research Team
July 15, 2021 | 10 Min Read

When ransomware hits the news cycle, and even the non-cyber security folk have questions, you know it’s gone big. This time it’s REvil again, and we can’t seem to escape it. The entire security community has been on fire over the last few days looking at what’s going on with REvil, along with any journalist or researcher who’s even remotely interested in security. We’ve been looking into it through our data and public reporting, but sadly, our current assessment is we don’t know either. It’s hard to say sometimes in the intelligence game, but we’re keeping an eye on it as things develop.

As of the writing of this blog, the jury’s still out on what happened to REvil, and lots of speculation remains. Some popular theories at the moment:

  • Law enforcement action shut down the operation,
  • Technical difficulties,
  • Strife among the group or affiliates,
  • Rebrand or retooling,
  • Or (my favorite), everyone’s on holiday for the summer

One thing’s for sure; they’ve had a pretty eventful year. As reported on the Ransomwhere site, the group is sitting at just over $12M in the bank, with several significant attacks under their belt. Looking back at Q1 2021, they were in the top 5 of prolific attackers this year, and we predict that Q2 will be much the same. Since REvil’s on everyone’s mind, let’s take a moment to discuss who they are and some of the events in their history.

Who is REvil?

REvil (aka Sodinokibi or Sodin, we’ll be using this interchangeably) is a ransomware variant first detected in April 2019. Initial attacks focused on users in Asia, but REvil’s attacks have expanded to target entities globally, with increasingly more significant extortion demands—the most recent being $70M for Kaseya. Since then, the variant has been actively used in ransomware attacks targeting organizations worldwide across various sectors, including healthcare, legal services, technology, government, retail, and financial services. 

Targeting information from the Sodinokibi profile in SearchLight

In addition to encrypting victims’ files in typical ransomware attacks, operators of this variant adopted the increasingly popular method of threatening to release data stolen from their victims on their leak website “Happy Blog.” The practice of publishing data fell in line with similar trends from contemporary actors such as Maze, DoppelPaymer, NetWalker, and Ragnar.

For some context, there’s a widely floated theory that REvil was related to GandCrab ransomware. This idea was based on some circumstantial evidence; however, the connection remains officially unconfirmed. The operators of the GandCrab ransomware announced the variant would be retired on 31 May 2019. Coincidentally, reported activity involving REvil and Sodinokibi became more frequent following the announcement. Technical analysis on Sodinokibi and previous GandCrab ransomware suggested the two variants were similar: Both variants used identical methods to build URLs and decode strings at runtime, among others. Sodinokibi hasn’t been attributed to a nation-state or geography. Still, conclusions on a likely Russian-language nexus may be drawn based on specific malware components, namely through checking location and language settings on the keyboard and system.

Sodinokibi operates on a ransomware-as-a-service (RaaS) model and rents out to affiliates or interested parties which carry out attacks and spread the ransomware. Since its discovery in 2019, Sodinokibi has used a variety of methods to compromise victims. Besides using phishing or malvertising to spread ransomware, operators of the variant exploited software vulnerabilities, including the vulnerability found in Oracle WebLogic Server (CVE-2019-2725) and a zero-day vulnerability in Windows (CVE-2018-8453), as well as the recent Exchange vulnerability. Sodinokibi operators have also breached managed service providers (MSPs) to deploy the ransomware on the MSPs’ customers, as we saw most recently in July 2021 with the Kaseya VSA incident. 

Here’s a timeline on some notable events for REvil’s recent history:

  • May 2019: GandCrab goes dark
  • July 2019: US FBI releases master decryption keys for GandCrab
  • Aug 2019: Vendor breached to spread ransomware to 22 Texas cities
  • Jan 2020: Sodinokibi incorporated elements of data breaches into its ransomware attacks by releasing victim data on forum threads, later replaced by the “Happy Blog” website, which they use to publish data stolen from victims if the ransom was not paid.
  • March 2020: Representatives announce plans to use Monero over Bitcoin, calls on forums for investment in unspecified operations 
  • April 2020: Widespread exploitation of COVID-19 pandemic to spread ransomware
  • May 2020: Purported breach and sale of Trump-related information, as well as multiple celebrities over the following months, likely resulting from breach of the GSMS law firm
  • Jun 2020: Researchers discovered the variant scanning for point-of-sale (PoS) software and leveraging Cobalt Strike to deliver the ransomware. REvil adds an auction page to “Happy Blog.”
  • Mar 2021: Harris Federation breach, which leads to shutdown of the network for weeks, breach of hardware and electronics manufacturer Acer
  • Apr 2021: Offered Apple schematics and other company data for sale after breaching hardware vendor Quanta
  • May 2021: Attack on JBS, which forced a shutdown of US beef plant operations and disrupted operations at poultry and pork plants
  • Jun 2021: Attack on Invenergy 
  • Jul 2021: Sites associated with REvil go dark, representative banned from XSS forum; attacks on US DoD contractor HX5 and Kaseya MSP

What happened in the Kaseya Incident?

As Stefano wrote about during the initial stages of the Kaseya incident, a recently-reported zero-day was used to attack and gain a foothold within the Kaseya network, affecting approximately 1,500 customers. According to Kaseya, this involved at least three CVEs that were reportedly fixed as of 12 July 2021: CVE-2021-30116, CVE-2021-30119, and CVE-2021-30120. These vulnerabilities addressed issues with credential disclosure, bypassing two-factor authentication, and cross-site scripting. 

What’s notable here is that the rapid weaponization of these vulnerabilities occurred on the heels of another responsible disclosure for the same problem. This news indicated increased professionalization on the criminal side. Historically, the development of exploits around zero-days was generally seen as exclusive for nation-state actors, which REvil likely owes to high technical skill and a decent budget.

Digital Shadows has been monitoring the Kaseya incident in SearchLight.

What’s the update since then?

In the hours before press time on the Kaseya incident’s aftermath blog, several exciting developments occurred with REvil, namely all of their sites, including “Happy Blog,” were down. In addition, their representative “Unknown” had been banned from the popular forum XSS. 

The Twitterverse wakes up to REvil sites being unavailable.

REvil’s forum representative Unknown is banned from XSS.

In recent days, underground chatter about the outage has been limited, likely due to some Russian-language forums’ hostile attitudes towards discussing ransomware. Some threat actors speculated that even if law enforcement agencies have successfully targeted REvil, this will not spell the end of the group’s activities. Still, others predicted that the group would reappear under another name or split into smaller groups to attract less attention, which is a thought shared by some researchers in the Twitterverse. Losing access to XSS might have served a few purposes: reducing attention on the forum itself or preemptively banning members to prevent outside forum access in case of a law enforcement operation.

However, you spin it, the inaccessibility of the REvil ransomware group’s websites is unusual because the group’s infrastructure has historically been more stable than other ransomware groups. There are possibilities the site’s down from temporary technical issues or upgrades, but it could also signify a law enforcement disruption of the group’s operations. Given the recent absences of REvil representatives, it does pose interesting questions.

A June 2021 story from Russia’s Life News didn’t get much circulation in the West, likely owing to historically pro-Kremlin stories. But, what made it interesting was that the article attested to the Russian FSB’s willingness to work with the US in the fight against hackers. The story included direct quotes from FSB Director Aleksandr Bortnikov and was published in the wake of the G7 summit. If there is a genuine willingness to work with the US, this adds a little color to the potential for joint law enforcement operations.

FSB Director Bortnikov was quoted as being ready to work jointly with the US

Based on public reporting up to now, however, historically, US-Russian joint operations have had mixed results. Given the current climate of distrust between the two countries, lack of substantial media reporting elsewhere, and the notoriously tight-lipped US FBI not commenting on current investigations, it’s tough to say. If true, this would likely be a huge win in political capital for both countries, especially for a prolific operator like REvil, who’s proven to be an expensive thorn in everyone’s side. The feeling here at Digital Shadows was if this were indeed a law enforcement takedown, we would’ve heard or seen something by now, much like with previous raids and arrests involving other ransomware operators.

One last thought, REvil doesn’tbut REvil didn’t seem to shy away from notoriety, so the sudden quiet is odd. In early June 2021, a representative of REvil told an interviewer on Telegram in the wake of the JBS cyberattack that critical infrastructure and US targets were not going to be off-limits despite the more rigid stance and political moves the country was making. Not to mention, REvil seemed unconcerned about the ransomware bans on popular forums.

An interview with a REvil representative after the JBS attack.

This interview also came about just weeks after the fallout from DarkSide’s attack on the US company Colonial Pipeline and its infrastructure. In essence, despite bans, REvil was no longer interested in operating on forums, as they had plenty of business from affiliates by word of mouth; and they were okay with operating without restrictions on the types of targets because there was money to be made regardless. Public admissions like this would seem to place a group in somebody’s crosshairs, but, again, who would be the organization to take them down?

In the end, the possibilities at the time of writing seem to indicate a cooling-off period, which may be coupled with a rebrand. This reportedly happened before with GandCrab and may happen again with their next moves. Also, despite inactivity or bans from specific forums, there are plenty of others to choose from, along with social media possibilities. Also, it’s realistically possible that this may have just been that last big score they needed before they retired. 

Protecting your organization against ransomware actors

If you’re looking to protect against the rapidly increasing ransomware threats, Digital Shadows’ SearchLight offers the latest threat intelligence on rising threat actors such as REvil at a tactical, operational, and strategic level. Get rapid updates and industry-leading analysis and reporting from our team at Photon, including MITRE associations and mitigations, with a free 7-day trial of SearchLight here. You can additionally get a customized demo of SearchLight to gain visibility of your organization’s threats and potential exposures.

For further information—our previous blog article Tracking Ransomware Within SearchLight shows you how SearchLight tracks emerging variants, enables you to export and block associated malicious indicators in various formats, instantly analyze popular targets, and map to your security controls with ease.

REvil’s Threat Intelligence profile in Searchlight