In a wide-ranging interview, a REvil leader said the gang is earning $100 million per year, and offered insights into the life of a cybercriminal.
The REvil ransomware gang claims it will rake in $100 million by year's end. That is according to a REvil group leader in a rare Q&A with the YouTube channel of the tech blog “Russian OSINT.” During the live interview, the REvil hacker warned of a “big attack coming…linked to a very big video game developer.”
The boasts and threats come on the heels of REvil's main rival, the Maze gang, announcing that it was closing up shop (see below).
The interview (Russian translation provided to Threatpost by Flashpoint) was wide-ranging and touches on the group's operations, the money it makes, details of its high-profile attacks and the fact that its members are actively being hunted by governments around the world.
Operations
The Q&A first offered specifics on the group's operations. For instance, the interviewee signaled a coming change in approach.
Although REvil currently uses the double-extortion tactic (where companies' files are not just encrypted but also stolen, with a threatened leak adding pressure to pay the ransom), the leader suggested that the future lies in taking that technique further.
“Everything eventually comes down to a shift towards leaking files and not locking them,” he said. “I personally really liked SunCrypt's idea. DoS [denial of service] the website of the company and their infrastructure, combined with locking the files and threatening to publish them…[it] puts a lot of pressure on them…[We're] thinking about using a similar model.”
He also confirmed that REvil uses the ransomware-as-a-service model, where “affiliates” that carry out the attacks receive 70 to 80 percent of the “revenue” from the ransoms. The affiliates themselves are strictly vetted (much like the NetWalker gang), and are responsible for initial network infection, wiping out any backups and downloading data. REvil members meanwhile handle ransom negotiations, software development and updates, receipt of the payment and delivery of the decryptor.
When it comes to partners, “we have our own closed family, the selection is very demanding and we don't even bother talking to [amateurs],” he said. “Support only helps when it comes to negotiations. They have to learn all the technical parts of the job by themselves.”
That said, the group also carries out its own attacks, he said, with a unit dedicated to hacking companies – although the ransomware-as-a-service (RaaS) model is more lucrative.
He also said that Android or iOS ransomware is not in the cards for the group, because of the low value of the data stored on phones. “You have to be crazy to get involved in this,” he said. “I'm 100 percent against it.”
High-Profile Attacks
All of that business design has allowed REvil to claim some fairly major headlines. For instance, when asked what the biggest coups were for REvil, he cited, with pride, Travelex, Grubman Shire Meiselas & Sacks, and the 23 Texas municipalities that the gang attacked last summer.
The interviewee also took credit for two rumors linked with REvil: one, that it captured data on President Donald Trump, and another, that REvil was behind Chile's Banco Estado shutting all of its branches.
In the case of Trump, the files were reportedly lifted as part of the Grubman hack. “We just wished “good luck” to the NSA, FBI, and the U.S. Secret Service with the decryption of the files,” he said. “We didn't need money from Trump [directly]…The money for the [stolen] data was paid. I can't tell you who bought it, though. The data had to do with tax-avoidance schemes associated with Trump.”
As for Banco Estado, the initial vector was email to bank employees, he said: “Yes, it really happened – we did it,” he alleged. “Often, companies do not disclose the source of the attack because they are afraid of reputational damage [affecting] their stock position.”
He added that around one-third of all companies quietly negotiate to pay the ransom, and that IT companies, insurance companies, law offices, manufacturing and the agro-industrial sector are the most lucrative targets.
As for initial access, the interviewee said that harvesting and using administrative credentials with malware, brute-forcing Remote Desktop Protocol connections and exploiting bugs are the most effective avenues for attack.
“Grubman and Travelex…both were hacked through old versions of Pulsar and Citrix,” he said. “It is actually rather stupid — we got access to the [network] in minutes, and all due to one vulnerability that can be patched quickly.”
Attacks are likely to ramp up – and indeed the aforementioned video-game company attack is in the works but under wraps, the REvil operator claimed. But geopolitical realities will add to the momentum, according to Ilia Kolochenko, founder and CEO of web security company ImmuniWeb.
“The pandemic gradually exacerbates the situation, as budgets are being reduced, cybersecurity people are all exhausted, while employees working from home are significantly more vulnerable and susceptible to a wide spectrum of phishing attacks,” he said, via email. “Frequently, it is enough to breach one single user machine to get into a corporate network via VPN. So, cybercriminals are now enjoying a windfall of surging income by easily picking up low-hanging fruits with impunity. Worse, some cybersecurity professionals may sooner or later ponder all the pros and cons, and given the unprecedented opportunities and low risks, will easily shift from their daily jobs to generous cyber-gangs.”
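RDP brute-forcing is one of the initial-access paths the operator names above. As an added, defender-side example (not code from the article or the gang), the detector below scans simplified Windows Security events for RemoteInteractive logons (logon type 10), flags a source IP that produces a burst of failed logons (event 4625) inside a short window, and flags a later successful logon (event 4624) from that same IP. The sample events and the CSV layout are constructed for the example; a real deployment would read the Security log from a SIEM or an event export.

```python
# Added example: detect RDP brute-force bursts and a success that follows one.
# Events are constructed for this example in a simplified CSV layout:
# "timestamp,event_id,logon_type,account,source_ip".
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real log data).
SAMPLE_EVENTS = """\
2020-10-28T02:00:01,4625,10,administrator,198.51.100.23
2020-10-28T02:00:03,4625,10,admin,198.51.100.23
2020-10-28T02:00:04,4625,10,backup,198.51.100.23
2020-10-28T02:00:06,4625,10,svc_sql,198.51.100.23
2020-10-28T02:00:07,4625,10,administrator,198.51.100.23
2020-10-28T02:00:09,4624,10,administrator,198.51.100.23
2020-10-28T02:15:00,4625,10,jsmith,192.0.2.10
2020-10-28T09:30:00,4624,10,jsmith,192.0.2.10
"""

RDP_LOGON_TYPE = "10"          # Windows logon type 10 = RemoteInteractive (RDP)
THRESHOLD = 5                  # failures within WINDOW that count as a burst
WINDOW = timedelta(minutes=5)

def parse_events(text):
    """Yield (time, event_id, logon_type, account, src_ip) per CSV line."""
    for line in text.splitlines():
        ts, event_id, logon_type, account, src_ip = line.split(",")
        yield datetime.fromisoformat(ts), event_id, logon_type, account, src_ip

def detect_rdp_bruteforce(text, threshold=THRESHOLD, window=WINDOW):
    """Return alerts as (src_ip, kind, time); kind is 'burst' or 'success_after_burst'."""
    recent = defaultdict(deque)   # src_ip -> timestamps of failures inside the window
    burst_ips = set()
    alerts = []
    for ts, event_id, logon_type, account, src_ip in parse_events(text):
        if logon_type != RDP_LOGON_TYPE:
            continue
        if event_id == "4625":
            q = recent[src_ip]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures that fell out of the window
                q.popleft()
            if len(q) >= threshold and src_ip not in burst_ips:
                burst_ips.add(src_ip)
                alerts.append((src_ip, "burst", ts))
        elif event_id == "4624" and src_ip in burst_ips:
            # A success from an IP that was just brute-forcing is the high-priority alert.
            alerts.append((src_ip, "success_after_burst", ts))
    return alerts
```

The single failure from 192.0.2.10 followed hours later by a success never reaches the threshold, so only the 198.51.100.23 burst and its follow-on success are reported.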
Cash, Money, Cash
All of this activity is in service, of course, to one thing: personal enrichment.
The REvil leader said that life as a cybercriminal started for him with video games.
“Once upon a time, when I was a kid, I installed CHLENIX [cheat config for Counter Strike] and really liked it,” he explained. That legacy lives on. The ransomware's name is short for “Ransom Evil,” with the nomenclature inspired by the video game “Resident Evil,” according to the interview (only security researchers call it Sodinokibi, he said).
CHLENIX led to more nefarious things, and now he's leading a group that claims to be raking in $100 million per year. That's less than what REvil's predecessor, GandCrab, was earning. That group announced a shutdown in June 2019, after claiming to make $2 billion in a year and a half.
REvil was soon developed to take its place, and while the interviewee didn't confirm the GandCrab connection specifically, he admitted that an earlier project was shut down to make way for a “better product.”
When asked when it would be time to step away from “the life,” he answered: “Personally, I should have stopped a long time ago. I have enough money for hundreds of years, but there is never too much money…[I hope to have] $1 billion, then $2 billion, and then if I'm in a good mood, $5 billion.”
“The [$100 million] number is just a tip of the cybercrime earnings iceberg,” said Kolochenko. “Concomitant proliferation of cryptocurrencies makes these crimes technically uninvestigable, while law enforcement agencies and joint task forces are already overburdened with nation-state attacks, and transnational targeted attacks aimed to steal intellectual property from the largest Western companies.”
The Downside: Being Hunted
Conventional wisdom says that cyberattackers thrive in dark shadows and anonymity – but comments by the gang leader suggest that REvil members may not be as faceless as they would like.
When asked if group members could travel, for instance, the answer was a categorical “nope.” The Russian-speaking interviewee added that, contrary to Kolochenko's claim that being a ransomware operator is “low risk,” no one involved in ransomware would ever travel to Western countries or the United States for fear of being killed.
“We create major problems and there is no justice for us, so killing us would be the only possible option,” he said.
He said the group believes they are being hunted by the U.S. Secret Service, Europol and infosec companies on a daily basis, with CIA agents actively trying to infiltrate the group's operations by posing as affiliate applicants.
“But usually, their cover falls apart,” he noted. And as for hack-backs, “they have no idea what kind of OS we use on our servers or what kind of web servers we use… They are just trying to get lucky. Our product…is configured to protect against them.”
Maze Closes Down
During the interview, the REvil leader also touched on its arch-rival criminal group Maze, which is reportedly shuttering its operations.
A person identifying themselves as a Maze operator told Bleeping Computer this week that the group halted its encryption activities back in September, in order to focus on getting existing victims to pay up.
Soon after, Maze affiliates began porting over to the Egregor ransomware gang, the outlet reported.
Maze was a pioneer of the double-extortion tactic, first emerging last November. Since then, it has made waves with big strikes such as the one against Cognizant. And this summer it formed a cybercrime “cartel” – joining forces with various ransomware strains (including Egregor) to share code, ideas and resources.
“Criminals don't just have an epiphany and give up being criminals overnight,” said Lamar Bailey, senior director of security research at Tripwire, via email. “They shut down an operation when the return on their investment drops below the costs of running the ‘program’ or when they are about to get caught. This is no different.”
He added, “They are switching to something new, maybe Egregor, which miraculously came out at the same time Maze started shutting down. This is just like that one furniture store in town that is going out of business every few months only to reopen with a new name but with the same people and product.”
Some parts of this article are sourced from:
threatpost.com