Aptly named after the horror video game series Resident Evil, REvil (Ransom and Evil) is a Ransomware as a Service (RaaS) operation that is infamous for the various cybercrimes it has carried out over the last three years. First seen in April 2019, REvil rose from the demise of GandCrab, another notorious RaaS enterprise. Many believe REvil is closely associated with the latter because the two share a significant chunk of their codebase.

As disturbing as the connotation behind its name, REvil evokes a sense of dread in most organizations because of its history of robbing them of sensitive data or leaving them financially damaged. REvil often threatens to expose sensitive information it has acquired during a breach on Happy Blog, its leak site.

REvil targets IT, government, legal, and other sectors through infection vectors such as phishing emails, malspam, vulnerability exploitation, supply chain compromise, and DLL side-loading attacks.

In January 2022, the Russian government announced a take-down of the REvil ransomware group in a possible diplomatic response to the ongoing Ukraine conflict. According to Reuters, the United States had requested and welcomed the arrests, since one of the individuals was recognized as responsible for the Colonial Pipeline-DarkSide attack in May 2021.

On January 11, 2022, the Federal Security Service of the Russian Federation (FSB) searched 25 physical locations in a police operation and detained 14 people. It seized several stolen assets, including computer equipment, luxury cars, 600,000 USD, 500,000 euros, and 426 million rubles.

This is not REvil's first encounter with law enforcement. A couple of months earlier, in November 2021, Europol arrested seven of its affiliates. The Record, a cybersecurity news publication, says the suspects had launched over 7,000 attacks since 2019 and collectively demanded more than 200 million euros in ransom.

The busts are a welcome move given the rampant increase in ransomware attacks and costs in recent times. According to Cybersecurity Ventures, ransomware costs are projected to reach $265 billion in 2031, and an average of $1.85 million was spent on recovering from an attack in 2021.

REvil's two-party business model

According to the MITRE ATT&CK threat modeling framework, attacks by REvil, also known as Sodinokibi, were first identified in April 2019, mostly observed in Asia and then Europe before making their way to the US and the Middle East. The ransomware gang is suspected to be behind several high-profile cyberattacks since then, including those on the Brazilian meat processing company JBS S.A. and the Swedish grocery chain Coop. The Colonial Pipeline attack, which was carried out by DarkSide, was also linked to REvil, since the DarkSide attackers were believed to be REvil affiliates.

With time, these attacks have become a commercial enterprise for those lurking on the dark web. REvil's developers claimed they made over $100 million in annual profit in an interview that their public representative, "Unknown" or UNKN, gave to the Russian YouTube tech blog Russian OSINT. In this interview, UNKN revealed that the attackers weren't really interested in politics; all they wanted was the money.

So how does the RaaS enterprise business model work?

When REvil first became active, its go-to extortion method was to encrypt victim data and ask for a ransom in return for the decryption key. But soon, the gang also began to steal data for further extortion. When victims refused to pay the ransom, REvil would auction the stolen data to the highest bidder in underground forums or on Happy Blog. REvil is believed to be the first ransomware gang to have introduced this double extortion method, which was soon adopted by other attackers.

Interestingly, it is not the malcode developers at REvil who carry out the attacks. REvil recruits affiliate groups consisting of "experienced professionals", or skilled hackers, who can identify vulnerabilities, execute the attack, and collect the ransom from victims. REvil itself simply creates the malicious code that encrypts and steals data. The recruitment of affiliates happens in underground forums, and according to the e-book History of REvil by Analyst1, there is an extensive interview process before a hire.

REvil hires negotiators and network providers in the same manner. While negotiators are hired with the specific requirement of communicating in English with various companies in the media, recovery, and insurance sectors, candidates for the network provider role were required to have experience exploiting technologies that were recently compromised during attacks on Citrix, SolarWinds, and BlueGate.

The Fast Mode, an IT news website, reported that a third-party "ransomware consultant" or "service provider", whose role is to assist the affiliate throughout the attack, is also increasingly seen in threat groups such as REvil.

Do the REvil busts mean fewer ransomware attacks this year?

There is a lot of skepticism surrounding the January REvil arrests, as this is the most public take-down of a cybercriminal gang by the FSB to date. Many believe it to be a political move prompted by the ongoing Ukraine crisis, since cybersecurity analysts have accused Russia of providing asylum to cybercriminals in the past. This suspicion stems from the fact that gangs like REvil build checks into their malcode to ensure potential victims don't use Cyrillic (Russian) keyboard layouts, i.e., that they do not belong to the Commonwealth of Independent States, before launching the attack.

Experts also believe that it might have been a planned take-down and allege that REvil was a "sitting duck", making the busts a "decoy" to reduce tensions between the US and Russia. This may be connected to the Biden-Putin cybersecurity talks that happened a few months earlier and to the rumored secret FBI-FSB talks in November 2021, when the US Department of State announced a reward of up to $10 million for the name or location of any key REvil leader, and up to $5 million for information about their affiliates.

Security Week wrote that, after examining the chatter in Russian underground forums, hackers seem concerned about their safety and were seen discussing recommendations like "using Tor for anonymity, encryption for safety, and not keeping stolen goods on a single computer for protection".

Forum members also seem to conclude that it was REvil's penchant for publicity that made them a target, and one of them remarked, "Being a superstar in our business is a very bad idea."

While the busts may have spooked the noisy criminals, they might not really faze the quieter ones, who are larger in number and may continue to plan attacks.

According to the threat intelligence company ReversingLabs, the busts did not really put a dent in REvil operations, and the gang remains active.

During the seven-month Europol operation, ReversingLabs observed an average of 326 REvil implants per week; after the REvil busts, the weekly average dropped to 169 to 180 implants. An implant refers to a device REvil hacked into or modified to gain unauthorized access to confidential data. While the busts have had an impact on operations, the gang and its affiliates continue to function.

As we explored earlier, RaaS operations are two- or three-party businesses. Simply eliminating the affiliates may not impact the core, and eliminating parts of the core will not really stop affiliates from carrying on with attacks or simply rebuilding the core. To completely stop the attacks and shut down an entire RaaS unit, a more detailed and structured approach is required.

As for ransomware attacks, it seems unlikely that they will stop anytime soon. The end of REvil, like the end of GandCrab or DarkSide, is more likely to signal the beginning of a new RaaS operation like BlackMatter, where the newer members simply build upon the existing malicious code.

Protecting your organization from ransomware

Ransomware attacks are inevitable. The best way to ensure ransomware protection for your organization is to invest in an effective cybersecurity solution like ManageEngine Log360. Through comprehensive log monitoring for threat and anomaly detection, Log360 tracks the various system actions taken during a ransomware attack.

Once a threat is detected, Log360 sends custom alerts to your phone and via email, and its automatic remediation feature helps you build and execute custom scripts to respond to each alert. Using the forensics and incident management module of Log360, you can investigate previous attacks to build a ransomware detection strategy and prevent them from happening again.

To get started with Log360, you can download a free, 30-day trial of the SIEM solution, or schedule a free personalized demo with our product experts.

© 2021 Zoho Corporation Pvt. Ltd. All rights reserved.