REvil reloaded? A notorious Russia-based ransomware group is back

Russian authorities noisily arrested 14 alleged members of the REvil ransomware gang in January after a U.S. government request. So why is the group’s malware and infrastructure suddenly blinking back on?

REvil was supposed to be down and out. But the infamous ransomware group — or at least someone using its tools — is claiming new victims despite a string of recent arrests in Russia and an international takedown of its networks last fall.

REvil, known for pioneering the “ransomware-as-a-service” (RaaS) model used in disruptive cyberattacks on Colonial Pipeline and technology company Kaseya last year, has now claimed on a reincarnation of the group’s “Happy Blog” leak site to have attacked two companies in India. Omar Santos, principal engineer of Cisco’s Product Security Incident Response Team, told README it’s hard to gauge whether the potential new victims, Oil India and signage manufacturer Visotec Group, have really been hit by the original REvil threat actors.

“So far, it is definitely not clear who is behind this apparent return of REvil,” Santos said. “This could be that someone is trying to use the REvil reputation or ‘brand’ without being connected to the original group.”

Russia’s invasion of Ukraine has also raised questions about REvil’s return at a time of heightened tensions with the U.S. and its allies. Is REvil connected to Russian cyberwarfare, which dates back to at least 2013 in Ukraine with “Operation Armageddon”? Did Russia’s FSB intelligence agency actually arrest REvil members, or were the series of raids and property seizures in January faked? The cybercriminal group’s resurgence could spell trouble for U.S. companies that had hoped they’d seen the last of REvil when U.S. and international law enforcement authorities shuttered REvil’s command and control servers last October.

“REvil was dismantled, this is a fact. We don’t know if all members were arrested or not,” security researcher Soufiane Tahiri told README. “And the shade of the political crisis between Russia and the rest of the world kind of interferes with our interpretation.”

Earlier this month, Tahiri and security researcher pancak3 (who uses a pseudonym due to the sensitivity of their work) announced that a new REvil site on the Tor network was being promoted on Russia’s RuTOR forum.

“What is certain for now is a threat actor successfully locked Oil India and Visotec group. They used the same ransomware REvil used to drop,” Tahiri said. “In parallel, a new ‘Happy Blog’ emerged with what looked like previously claimed REvil victims.”

REvil’s evolution

In April 2019, Cisco Talos researchers discovered REvil ransomware, which was then known as Sodinokibi. It’s thought to have grown out of GandCrab, one of the most widely distributed RaaS ransomware families of 2018. The RaaS model offered an effective way for cybercriminals to make a lot of money: By May 2019, the GandCrab group said that the roughly $2 billion worth of cryptocurrency they had extorted from their targets was enough and that they would shut down their operation, as ZDNet reported at the time.

The May 2019 finale of GandCrab and the April 2019 debut of REvil/Sodinokibi may not have been a coincidence. Secureworks researchers believe REvil came from the same group of threat actors as GandCrab. They reported in September 2019:

“Numerous characteristics indicate that the same developers were involved in producing GandCrab and REvil, suggesting a connection between members of the GOLD GARDEN and GOLD SOUTHFIELD threat groups. In a technical analysis of REvil version 1.01, CTU (Counter Threat Unit) researchers identified possible overlap between REvil and GandCrab. Even the earliest identified REvil sample (REvil Beta) included elements that appear to refer to GandCrab.”

REvil would not only maliciously encrypt victims’ data, but also exfiltrate it and threaten to leak it: In May 2020, entertainment law firm Grubman Shire Meiselas & Sacks confirmed to Variety magazine that the ransomware group had targeted the firm, stealing 756 gigabytes of sensitive files pertaining to its A-list Hollywood clients, including Lady Gaga and Bruce Springsteen. That same month, REvil attempted to blackmail then-President Trump, though its threats to reveal “dirty laundry” fizzled out.

By 2021, some of REvil’s targets were among the biggest names in tech. The group tried to extort Taiwanese PC manufacturing giant Acer for a whopping $50 million worth of cryptocurrency. REvil taunted Acer by posting a partially redacted spreadsheet of the company’s allegedly stolen data on its Happy Blog site.

Apple and Lenovo were both hit through Quanta, a shared supplier in both vendors’ supply chains. Other major targets later in spring 2021 included meat processor JBS S.A. and power generator Invenergy.

On July 9, President Biden told reporters he had a phone call with Russian President Vladimir Putin about cybercriminals, days after REvil’s Kaseya supply chain hack and two months after the Russian-nexus DarkSide ransomware group caused a dayslong shutdown of the Colonial Pipeline along the U.S. East Coast.

“I made it very clear to him (Putin) that the United States expects when a ransomware operation is coming from his soil even though it’s not sponsored by the state, we expect them to act if we give them enough information to act on who that is,” Biden said, as the AP reported.

Russia has a long history of launching highly targeted attacks, either through its intelligence agencies or through cybercriminal proxies. CrowdStrike cofounder Dmitri Alperovitch revealed in 2016 that the Russian government’s “Fancy Bear” cyberespionage group was responsible for spear phishing the Democratic National Committee in the run-up to the U.S. presidential election. And who can forget 2017’s NotPetya cyberattack — later traced to Russia — which struck Ukrainian targets by exploiting the powerful EternalBlue Windows SMB vulnerability. From Ukraine and other parts of Eastern Europe, NotPetya went on to spread internationally, causing an estimated $10 billion in damages.

Attorney General Merrick Garland, flanked by other Justice Department officials in a press conference last November, announces law enforcement actions against two foreign nationals accused of deploying REvil ransomware. Photo credit: DOJ

Back from the dead?

In October, Reuters reported that the FBI and the Secret Service successfully disrupted REvil and other ransomware operators by attacking their command and control servers.

“The FBI, in conjunction with Cyber Command, the Secret Service and like-minded countries, have truly engaged in significant disruptive actions against these groups,” VMware head of cybersecurity strategy Tom Kellermann told Reuters. “REvil was top of the list.”

The following month, Europol and Interpol said in a press release that their Operation GoldDust resulted in the arrests of five individuals suspected to be behind REvil and two more individuals suspected to be behind GandCrab.

Finally, in January 2022, Russia’s FSB intelligence agency claimed through Russian media that they had dismantled REvil’s operations and made several domestic arrests.

The crackdowns dealt a major blow to REvil’s criminal reputation.

“They’ve lost all credibility and trust in the underground,” pancak3 told README. “No right-minded person would join them again with all the negative attention and recent arrests.”

But that hasn’t stopped REvil from staging a comeback: “Things changed and got confusing when the original Happy Blog began redirecting to the new blog,” showing someone — perhaps a REvil representative known as 0_neday — was still controlling REvil’s old server, pancak3 said. “The rumors I’m hearing now are that the original coder is trying to revitalize the brand with new members and it’s none of the original crew other than the coder. That being said, I cannot confirm these rumors.”

Tahiri said he is waiting for more information before assessing who may be trying to bring back REvil.

“The fact is that nobody is certain it’s the ‘real’ REvil, even other ransomware groups don’t agree about this point,” he said. “We are all waiting for the leak of a sample from a recent claimed attack to dig further.”