By: Yelisey Boguslavskiy
Key Takeaways:
REvil believes that ransomware as a trend will entirely move towards data extraction and not simply data denial.
REvil claims to be absolutely apolitical and entirely monetarily motivated. The Grubman Shire Meiselas & Sacks case was also entirely for profit, even though it happened to have a political component.
UNKN announced that they are preparing one major attack against a major game development company, which will soon be announced. They have also confirmed their responsibility for the BancoEstado attack this September.
UNKN confirmed that brute-forcing RDP remains the best attack vector, especially with the BlueGate RDP vulnerability, which they predict will make a massive change in the number of potential RDP attacks, as well as the SunCrypt DDoS attacks.
Background
On October 23, 2020, the Russian-speaking tech YouTube channel “Russian OSINT” published an interview with one of the representatives of the REvil ransomware syndicate, “UNKN”/“Unknown”. The twenty-minute interview covers important subjects such as victims, tactics, and strategies employed by REvil. While some of the information shared by UNKN was already available, certain points emphasized by the REvil representative give a better understanding of their vision and approach.
Below is AdvIntel’s summary of the interview in 10 essential points.
"Russian OSINT" channel, REvil interview preview
1. REvil
UNKN says that the name REvil means Ransomware(R) Evil. The name was chosen in association with the Resident Evil franchise. They claim to make a revenue of $100,000,000 USD a year with the goal of achieving at least $1 Billion, ideally $2 Billion USD. The group members never travel.
2. The Future of Ransomware
Possibly the most important revelation from UNKN is their confidence that ransomware as a trend will move entirely towards data extraction and not simply data denial. According to REvil, the threat of publishing sensitive information, and the risk companies face in the case of a data leak, yields so much more revenue that decryption is becoming merely an auxiliary tool. In the future, UNKN believes, the ransomware market leaders, such as themselves and Maze, will focus entirely on data exfiltration for ransom.
In a separate comment, UNKN also noted that ransomware groups have no incentive to develop lockers for iOS/Android or other mobile platforms, which are ideal for banking-trojan exploitation but not for ransomware: “There is nothing to encrypt/leak” on phones to make victims pay the ransom. “What is there to encrypt (on phones)? Photos of you eating matza?” they concluded.
3. Victimology
According to UNKN, 33% of their victims were willing to pay the ransom in order to prevent the publication of their files. They believe that the risks the victims will encounter in the case of a data leak are tremendously higher than the toll asked by the syndicate for silence. The representative referenced Travelex on multiple occasions, as the group considers this company a case study in which the refusal to pay led to fatal financial losses.
When asked about their most successful attacks, REvil named the three victims which they consider their highest achievements:
Travelex (January 2020)
Grubman Shire Meiselas & Sacks (May 2020)
23 Texas Municipalities (August 2019)
Moreover, in the Grubman and Travelex attacks, REvil claimed to have gained access by exploiting a very basic Citrix vulnerability which “could have been prevented by a simple patch”. For Grubman Shire Meiselas & Sacks, REvil claims that the leaked files were eventually purchased from them by an unknown third party. According to the syndicate, the files contained information on Trump-affiliated companies and their tax evasion schemes.
REvil added that they promise to always decrypt the files after the ransom is paid, as otherwise they would lose their reputation and their adverts (affiliates). UNKN confirmed that there were at least 12 occasions when the victim applied their own software in an attempt to decrypt the files, permanently rendering them undecryptable. The syndicate did not demand money in these cases.
4. Taking Responsibility for BancoEstado
REvil attested that they are solely responsible for the BancoEstado ransomware attack which occurred in September 2020. BancoEstado is one of the largest Chilean banks; the September attack caused the company to temporarily shut down most of its branches and caused significant business disruption.
5. New Attacks
UNKN announced that they are preparing one major attack against a major game development company, which will soon be announced. When asked about the most profitable victims, they named MSPs and IT providers, insurance, legal, and manufacturing companies, and especially agriculture, as their best future targets.
6. Relationship with Competitors
REvil is always open to dialogue with competitors, especially Maze; the representative claims that the two syndicates are in constant negotiations.
7. Team Structure
According to the interview, REvil’s developer team is likely fewer than ten individuals, while UNKN claims that the number of pen-testers is over ten. Moreover, the group has its own “shock troops”: individuals from the core team who, on special occasions, perform the entire life cycle of a ransomware operation, including data exfiltration. Most operations, however, are conducted by the affiliates, or adverts, who disseminate the payload and navigate the victim’s networks. REvil supports its adverts by conducting victim negotiations, applying pressure and intimidating the victim, and providing the payload.
8. No Politics Involved
REvil claims to be absolutely apolitical and entirely monetarily motivated. The Grubman Shire Meiselas & Sacks case was also entirely for profit, even though it happened to have a political component. “We do not care who will become the next (US) president,” says UNKN. REvil believes that this is the reason why they were never contacted by any local intelligence offices operating in the country in which the syndicate is based.
9. Competitive Advantages
When asked about the competitive advantages which attract talented affiliates, UNKN named several aspects: a selective and targeted approach to attacks, a better business model, a very serious approach to recruitment, and a manifested intent to invest in newcomers. REvil believes that the ransomware scene is now “full of pros”, saturated with people of high skill, and thus they chose to nurture new talent. According to them, the growth can be extremely rapid. UNKN referenced the case of one group that raised its ransom payments from $20,000 to $30,000 USD per victim to $7 million USD per victim in half a year.
10. Attack Vector
UNKN confirmed that brute-forcing RDP remains the best attack vector, especially with the BlueGate RDP vulnerability, which they predict will make a massive change in the number of potential RDP attacks, as well as the SunCrypt DDoS attacks.
Conclusion:
As AdvIntel predicted in July 2020, REvil has significantly increased its public presence and become very communicative with the non-underground and underground communities alike. This trend will likely continue, as it accords with the group’s psychological and criminal identity profiles. We may expect more information to be shared by UNKN in the future, enabling us to better understand this syndicate and its future attacks.
As for mitigation recommendations: considering the emphasis REvil puts on RDP brute-forcing, hardening remote desktop protocol (RDP) access by employing a robust password policy, multifactor authentication, and hardware authentication can become an effective prevention foundation. REvil often exploits simple vulnerabilities, as they admitted in the case of Travelex; regular patching and updates can reduce the posed risk.
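To complement the RDP-hardening advice above on the detection side, here is an added example (this post contains no code; the snippet is mine, not AdvIntel's) that scans constructed, simplified Windows Security events for bursts of failed RDP logons from one source and notes whether a success from that source followed the burst. Event IDs 4625/4624 and logon type 10 are real Windows values; the one-line log format, usernames and IP addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample lines (not real telemetry) in a simplified Windows Security
# log format: EventID 4625 = failed logon, 4624 = success, LogonType 10 = RDP.
SAMPLE_LOG = """\
2020-10-23T10:00:01 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.7
2020-10-23T10:00:02 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.7
2020-10-23T10:00:03 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2020-10-23T10:00:04 EventID=4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.7
2020-10-23T10:00:05 EventID=4625 LogonType=10 TargetUser=svc_sql SourceIP=203.0.113.7
2020-10-23T10:00:06 EventID=4624 LogonType=10 TargetUser=svc_sql SourceIP=203.0.113.7
2020-10-23T10:05:00 EventID=4625 LogonType=10 TargetUser=jdoe SourceIP=198.51.100.4
2020-10-23T10:30:00 EventID=4625 LogonType=2 TargetUser=jdoe SourceIP=127.0.0.1
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
                     r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$")

def parse(log_text):
    """Parse the simplified log into dicts, skipping lines that do not match."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"])
            events.append(d)
    return events

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Flag source IPs with >= threshold RDP failures inside a sliding window and
    note whether an RDP success from the same IP followed the burst."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e["lt"] != "10":
            continue  # only remote-interactive (RDP) logons matter here
        if e["eid"] == "4625":
            failures[e["ip"]].append(e)
        elif e["eid"] == "4624":
            successes[e["ip"]].append(e)
    alerts = {}
    for ip, fails in failures.items():
        fails.sort(key=lambda e: e["ts"])
        for i, first in enumerate(fails):
            burst = [f for f in fails[i:] if f["ts"] - first["ts"] <= window]
            if len(burst) >= threshold:  # burst found: record it, stop scanning this IP
                alerts[ip] = {"failures": len(burst), "users": sorted({f["user"] for f in burst}),
                              "success_after": any(s["ts"] >= burst[-1]["ts"] for s in successes[ip])}
                break
    return alerts
```

A burst followed by a success (as for 203.0.113.7 in the sample) is the case to escalate first; a burst with many distinct usernames points to password spraying, which MFA blunts even when the password policy fails.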
Advanced Intelligence is an elite threat prevention firm. We provide our customers with access to the proprietary industry-leading “Andariel” Platform to achieve unmatched visibility into botnet breaches, underground and dark web economy and mitigate any existing or emerging threats.
Yelisey Boguslavskiy is the Head of AdvIntel's Security & Development Team