Dismantling a Prolific Cybercriminal Empire: REvil Arrests and Reemergence
We’ve recently seen reports that the REvil ransomware gang is back online, following the January 2022 arrests of several of its members by Russian authorities, who claimed to have dismantled the group, and the November 2021 arrests of two members by U.S. authorities.
While it remains to be seen whether this re-emergence of REvil includes its most aggressive members with the same technical skills, or is merely a copycat group reusing the old name and parts of the infrastructure, we have seen a steady stream of new REvil binaries in the wild.
Currently our main hypothesis is that one or several individuals have gained control over the old REvil Happy Blog and some of the binary source code. It is important to note that REvil was already a re-branding of GandCrab, done to gain influence and attention, so it is remarkable that the name REvil, given its infamy, is still being used. This gives us reason to believe that the original key members of the REvil group are most likely not involved.
However, reemergence or not, it has our interest.
The Trellix Advanced Research Center’s threat intelligence group has long studied REvil, its predecessor GandCrab and other actors like them. In this blog we will often reference research we have done in the past on both GandCrab and REvil. Those interested in our previous research can check the following blogs:
REvil:
Episode 1: What the code tells us
Episode 2: The Allstars
Episode 3: Follow the Money
Episode 4: Crescendo
To defend against cybercriminals, we must understand how they think and how they work. To truly end the operations of a cybercriminal enterprise, or a ransomware operation in this case, the individual or group responsible for a cyberattack has to be discovered and prosecuted, but it can be notoriously difficult for law enforcement to determine who the affiliate members behind specific attacks are.
Leading up to the FBI’s seizure of funds stolen by REvil and the indictments and arrests of some of the group’s members, Trellix described a novel technique to enumerate key ransomware gang members. We described this extensively in our VB2019 publication on GandCrab and a past REvil blog. In this blog, we will take you all the way from the steps REvil took to build their cybercriminal enterprise through the missteps that eventually led to their downfall.
Building a Cybercriminal Enterprise
Our team’s research into Conti reiterated much of what we learned from our study of REvil. Cybercriminal groups are growing in their sophistication and operations, building everything from HR, to payroll, to culture and employee recognition programs, to call centers. They are fully functioning organizations, with marketing and user support. And as they scale and build trust in and dependencies on others, they often open doors for researchers and law enforcement to poke holes in their operations and techniques which can provide new ways to uncover who exactly their affiliate members are.
Figure 1: Piece of internal marketing from REvil’s predecessor, GandCrab ransomware, demonstrating brand and vision to attract talent.
When we think of a cybercrime “empire,” here are the key ingredients we expect to observe in the wild:
1. Stable Product: For a group to be successful, it must have easy-to-use and stable malware, and in the case of ransomware, an even more stable decryptor.
2. Technology & Marketing to Scale: Many ransomware groups and other cybercriminal gangs promote their activities, mission, and job postings on carefully curated dark web sites, which are also used to instill fear in victims and potential victims. The way an organization brands itself is also critical to attracting and retaining affiliate members. To scale a Ransomware-as-a-Service (RaaS) group, we often observe groups deploying a centralized panel to communicate with victims and to request binaries and decryptors, as opposed to negotiating via email with hundreds of victims at any given moment.
3. The Right People: Hiring the most talented affiliates is important, but as with many enterprises, many groups still require members to complete trial periods to prove they are a fit.
4. Strategic Partnerships: To scale even further, cybercriminal groups leverage partnerships to run parts of their business – everything from malware obfuscation services to call centers to Bitcoin laundering services. This allows the group to focus on its own specialty.
5. Pay Your Debts: Loyalty is perhaps the most important factor in keeping cybercriminal groups operational. Malware authors have made it easy for management to know what each party is owed by building in a tracking mechanism that determines commissions across the team responsible for an attack.
Signs of an organization on the verge of collapse often appear when its members forget to stay humble, when loyalty goes out the window, or when they make a sloppy mistake. Growth in infrastructure, operations and human capital means growth in opportunities to mess up, and an increased likelihood that investigators like us will find novel ways to study them.
Figure 2: Announcement that a popular malware obfuscation service is partnering with GandCrab ransomware, noting that its users receive a discount for using this specific service.
REvil In Action
REvil first appeared in the wild as Sodinokibi at the end of April 2019. Emerging from the GandCrab group, Sodinokibi, aka REvil, quickly established operations, building a high-volume RaaS empire responsible for the theft of millions of dollars across countries and industries, and for some of the most significant ransomware attacks in recent history. RaaS groups operate with a core group of people maintaining the code and another group, known as affiliates, spreading the ransomware. Additional support functions and partners are key to operations, and it is common for RaaS groups to earn a commission on ransoms collected from victims. However, there were also groups, like the Conti group, that instead of paying a percentage kept their affiliates on payroll.