All about REvil: 2021’s Weirdest Cybercrime Group

From threatening Lady Gaga, to making the operations of thousands of companies worldwide grind to a halt. From international news headlines, to vanishing without a trace. I thought I’d seen some interesting cybercrime groups over the course of my career. But REvil really takes the cake. They’re weird, they’re wacky, but the amount of damage they’ve done to the world cannot be underestimated. Let’s examine this perplexing cybercrime group. Hold on tight, because we’re going on a bumpy ride.

 

Ominous beginnings

The first signs of REvil’s existence emerged in April 2019. Previously, another cybercrime group named GandCrab pioneered the ransomware-as-a-service model when they appeared in 2018. 

It’s rather common these days for cybercriminals to offer their cyber attack services through Dark Web forums and markets such as White House Market. Aspiring attackers don’t even need to know how to turn an exploit kit into a malicious script. All they have to do is find malware or cyber attack services on the Dark Web and spend cryptocurrency on it. People used to look down upon “script kiddies,” cyber threat actors who use the malicious code that’s been written by others. But now script kiddies are the majority of cybercriminals, and the destruction they cause can be immense.

Ransomware-as-a-service was born from that environment. Spend your Monero or Bitcoin on the work of a cybercriminal for hire. They made the ransomware, and you can share the money generated from your ransoms with your service provider.

REvil started as GandCrab disappeared, and researchers have found a lot of similar code in both GandCrab’s ransomware and REvil’s ransomware. For those reasons, it’s believed that most or all of the members of REvil came from the GandCrab group. But just before GandCrab appeared to vanish, they bragged about having made about $2 billion USD in ransoms. That’s astonishing if it’s true.

 

A strange 2020

2020 was a strange year for everyone. We’ll always associate the year with the COVID19 pandemic. But 2020 was a strange year for REvil for different reasons.

2020 was Donald Trump’s last year as President of the United States. REvil had no idea whether or not Trump would be re-elected, but they sure wanted to take advantage of his money. In May, REvil claimed to have cracked the elliptic-curve cryptography that guarded some of Trump’s most sensitive data. For that data, REvil attempted to extort $42 million USD from him. It’s not publicly known whether or not there was any truth to REvil’s claims or how the US government dealt with the situation.

Later in May 2020, REvil went on to target Lady Gaga. They released 2.4 GB of her legal documents. It doesn’t appear that the pop star paid the group any money. She’d do anything for her “Little Monsters,” but not for the Big Monster cybercriminals. 

Plans to target Madonna apparently went bust. Hopefully from that point, REvil stopped looking for victims through the Hollywood Walk of Fame.

It’s quite clear though that REvil spent the rest of 2020 using cryptocurrency-spending third parties to distribute their ransomware and share the profits with them. They also likely sold sensitive data in those same Dark Web markets and forums, but not under their REvil brand name.

 

Going out with a bang

Now let’s look at what REvil did in 2021. They started their major attacks in March. The first target was the Harris Federation, a trust that’s linked to 48 primary and secondary schools in the UK. About 37,000 students (pupils in British English) lost access to their email and coursework. If the schools wanted to resume normal operation, they’d have to pay REvil and their affiliates a pretty ha-penny! But not an actual ha-penny, but millions of dollars in cryptocurrency. What happened next reflects how ransomware has evolved over the years. You see, maliciously encrypting data from their rightful owners often isn’t enough to extort a ransom these days, due to enterprises keeping better data backups. So they move on to breach their target’s sensitive data. REvil operate a Dark Web site called Happy Blog, and on there they appeared to be distributing sensitive financial documents belonging to the Harris Foundation.

In April, REvil threatened to breach research and development data belonging to one of the world’s largest tech brands, Apple. Quanta Computer was working with Apple and they had those documents. Quanta was REvil’s direct target. Although the $50 million USD ransom that REvil demanded would be pocket change to Apple, Apple chose to Think Different. They didn’t give in.

By May, REvil struck JBS S.A., a major meat processor in the United States. JBS S.A. were likely unable to produce ground beef as REvil was grounding their industrial computer systems. JBS S.A. paid the $11 million USD ransom in Bitcoin.

Now we’re into June. Invenergy is a major power generating company in the United States. REvil claimed to have over 4 terabytes worth of the company’s legal contracts and NDAs (non-disclosure agreements). Invenergy said their operations weren’t disrupted by REvil’s attack, and they refused to pay the ransom.

July is when REvil appeared to go out with a bang. REvil struck Kaseya’s software-as-a-service, that’s used by hundreds of MSPs (managed service providers) used by over 36,000 companies. About 1,000 businesses were infected through those channels with REvil’s ransomware. REvil demanded that Kaseya pay a $70 million USD ransom.

Afterwards, REvil breached sensitive data belonging to the US Military and NASA, the American space agency. They distributed the data through their Happy Blog. What a way to go out!

Because that appeared to be the end of REvil. By mid-July, REvil’s servers vanished without a trace. That includes not only their Happy Blog, but also REvil’s command and control servers which deploy their ransomware-as-a-service.

It’s possible that REvil’s members were apprehended by law enforcement. Either way, the cops were likely hot on their trail.

But I wouldn’t relax if I were you. REvil appeared to emerge from the ashes of GandCrab. So it’s safe to assume another cybercrime group will emerge from REvil’s ashes. And this time, they’ll likely be smarter and use even more advanced obfuscation tactics.

 

Learn more with Hack The Box

This isn’t the first time I’ve mentioned REvil on Hack The Box’s blog. Check out Why everyone’s talking about ransomware on the Dark Web and How can ransomware attack your business? to further explore this baffling cybercrime group.

You can also check out my interview with Pro Labs designer cube0x0. He created APTLabs, a really challenging lab that replicates how a cyber threat actor like REvil can infect thousands of corporate networks through MSPs.