What happens to Revil, the Russian hackers behind the attacks on the US
by Michele Scarpa
Revil’s gang seems to have disappeared, and the web infrastructure of these cybercriminals is offline. Michele Scarpa’s analysis
• Revil’s cybercriminals keep making headlines.
As if the attacks on JBS and Kaseya were not enough to earn the cyber gang global notoriety, their sudden disappearance has raised doubts and perplexity among analysts. To understand the disappearance, it must first be clear what happened in the last attack. One step at a time, then.
After the latest coup of the Revil ransomware at Kaseya, the criminal group caused an uproar, attracting the attention of many governments and their respective security apparatuses.
The attack on the American company caused a stir because it exploited a previously unknown vulnerability, a “zero day” (so called because, once the vulnerability is discovered, the software manufacturers have zero days to fix it), in Kaseya VSA, a management software for IT infrastructure. Since the ransomware spread to the American company’s customers, the victims number more than a thousand companies, about 1,500. It is an attack on the supply chain that reaches all the way to the end users, a real disaster. It is being described as an attack comparable to WannaCry and NotPetya in propagation and damage caused, while at the same time sharing the characteristics of the SolarWinds attack in its modus operandi.
Besides the damage produced, the ransom demanded was exorbitant: about 70 million dollars, so high that some analysts doubt the demand was serious.
WHO IS REVIL?
The group, whose name is a union of the words “ransomware” and “evil”, also known as Sodinokibi, seems to have become one of the major players in the world of cybercrime.
The name seems to be relatively new on the criminal scene, but some of the hackers behind it are not. In fact, some researchers have found links between the creators of the Revil/Sodinokibi malware and the authors of the earlier GandCrab ransomware.
The makers of the GandCrab ransomware, probably of Russian origin, were leaders in the malware market until a couple of years ago, so much so that Kaspersky estimated that in 2019 40% of the ransomware market was held by GandCrab.
GandCrab, like Revil now, is ransomware as a service (RaaS): ransomware developed by a group of hackers who, instead of using the malware directly to attack a particular system, rent it out to other cybercriminals who use it for their own illicit purposes.
The ransomware mechanism essentially consists of encrypting the data on infected computers and then demanding payment of a ransom, usually in Bitcoin, in exchange for a decryption tool. In 2019, the hackers behind GandCrab closed down, announcing the withdrawal of their product after having earned, they claim, about 2 billion dollars from the ransoms paid.
After the closure of GandCrab, the Revil ransomware established itself as one of the most important ransomware-as-a-service offerings. Analysis of the hacking techniques and a comparison of the types of victims of the two ransomware families revealed that some of GandCrab’s hackers may now be behind Revil. A further element supporting this hypothesis is Revil’s geographical area of origin which, as with GandCrab, is the former Soviet area.
In fact, one feature of this ransomware is that it collects information about the machine (username, computer name, domain or workgroup, and it reads the free space and the volumes present) and deactivates itself if the keyboard layout or the system language corresponds to a former USSR country or Syria. That gives a sense of the area the criminals want to protect.
THE PLOT TWIST
Since Tuesday, the Revil gang seems to have disappeared: websites, infrastructure and computers linked to these cybercriminals are offline. The reasons are unknown, but the hypotheses are essentially three.
After the enormous ransom demanded from Kaseya, the criminals may have closed their doors and decided to disappear, a plausible tactic already used by the criminals of the group behind the attack on SolarWinds. The other hypotheses involve an external intervention: either a forceful intervention by the United States or its allied governments (unlikely, even though a more reactive US policy in response to cyber attacks is actually in practice), or pressure from countries benevolent toward these criminals, which is why attention turns to Russia.
The hypothesis of Putin’s intervention in the disappearance of the cyber gang is plausible, especially if you look at the timing.
On Friday the 9th, there was a phone call between US President Biden and Russian President Putin, in which the US President clearly stated that he expects the Russians to commit to stopping hacker attacks from their territory, saying: “we expect them to act”. Tuesday’s shutdown was therefore linked by some analysts more to political pressure than to specific forms of retaliation by some agencies.
It is difficult at the moment to determine the real reasons behind this departure; it is very likely, however, that this closure will neither mark the end of the criminal group (which could return under new names) nor a turning point in the fight against cybercrime, now one of the greatest dangers to our societies.