REvil Ransomware
Author
Nicolai Oberthür
Hacking and Lean Management
A hacking group has recently been making a name for itself internationally: REvil, also known as Sodinokibi. The group first emerged in spring 2019 and appears to be the successor of the group behind the GandCrab ransomware, one of the most effective ransomware campaigns from 2018 to mid-2019. Ransomware is malware that, once installed on a victim's computer, encrypts files so that they are no longer accessible. The attackers then demand a ransom for the key needed to decrypt them, usually payable in a cryptocurrency such as Bitcoin.
The GandCrab developers publicly announced their retirement in mid-2019. Even before that, the REvil or Sodinokibi ransomware had appeared; its code shows very strong similarities to GandCrab, and its developers pursue the same business model: Ransomware as a Service (RaaS).
In this model the work is divided up and part of it is outsourced to external affiliates, much as in a modern company. The affiliates are responsible for breaking into other organisations' systems and deploying the malware there, which is supplied by the REvil core group. The core group therefore only develops the software and processes the ransom payments; breaking into the victims' systems is left to the affiliates, who receive generous commissions of 60 to 70 % of the ransom collected. This division of labour has advantages for both sides: the developers expose themselves to a lower risk of being caught, and the affiliates can rely on existing software and therefore need fewer technical skills of their own. The malware can thus be used by a much broader range of criminals. The developers may even operate partly in a legal grey area if they are based in a country where developing malware is not criminalised as long as none of that country's citizens are affected. This could be one reason why both GandCrab and REvil refuse to infect systems whose language settings suggest that they are located in CIS countries.
How the REvil software gets onto a target system therefore depends on the affiliate: brute-force attacks on logins, stolen access credentials bought from other criminals, and spear phishing are all used. One method in particular has attracted attention in recent weeks: the supply chain attack on Kaseya and its customers.
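Of the intrusion routes listed above, brute-force logins are the one that leaves the most obvious trace in a defender's own logs. The following is an added example written for this article, not code from the article's author or from any REvil or Kaseya tooling: a sliding-window detector run over a constructed authentication log in a made-up line format. It counts failures per source address rather than per account, so it also catches password spraying (one guess against many accounts), and it reports whether a login from a flagged source eventually succeeded, which is the signal that an affiliate may now have a foothold.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// sampleLog is a constructed authentication log in a hypothetical format
// ("<RFC3339 time> <OK|FAIL> user=<name> src=<ip>"); it is not real Kaseya,
// RDP or Windows event output. 203.0.113.5 hammers one account and finally
// gets in, 198.51.100.7 sprays one guess across many accounts, and 192.0.2.9
// is a legitimate user who mistypes a password once.
const sampleLog = `2021-07-01T10:00:01Z FAIL user=admin src=203.0.113.5
2021-07-01T10:00:02Z FAIL user=admin src=203.0.113.5
2021-07-01T10:00:03Z FAIL user=admin src=203.0.113.5
2021-07-01T10:00:04Z FAIL user=admin src=203.0.113.5
2021-07-01T10:00:05Z FAIL user=admin src=203.0.113.5
2021-07-01T10:00:06Z OK user=admin src=203.0.113.5
2021-07-01T10:05:00Z FAIL user=alice src=192.0.2.9
2021-07-01T10:05:09Z OK user=alice src=192.0.2.9
2021-07-01T11:00:00Z FAIL user=alice src=198.51.100.7
2021-07-01T11:00:20Z FAIL user=bob src=198.51.100.7
2021-07-01T11:00:40Z FAIL user=carol src=198.51.100.7
2021-07-01T11:01:00Z FAIL user=dave src=198.51.100.7
2021-07-01T11:01:20Z FAIL user=erin src=198.51.100.7
2021-07-01T11:10:00Z FAIL user=frank src=198.51.100.7
`

type authEvent struct {
	at     time.Time
	user   string
	src    string
	failed bool
}

// Alert describes one source address whose failed logins reached the
// threshold inside a single sliding window.
type Alert struct {
	Src         string
	Failures    int    // largest number of failures seen in any one window
	Users       int    // distinct accounts that source failed against
	SucceededAs string // account that logged in from that source after the burst, "" if none
}

func parseLine(line string) (authEvent, error) {
	f := strings.Fields(line)
	if len(f) != 4 {
		return authEvent{}, fmt.Errorf("malformed line: %q", line)
	}
	at, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return authEvent{}, err
	}
	return authEvent{
		at:     at,
		failed: f[1] == "FAIL",
		user:   strings.TrimPrefix(f[2], "user="),
		src:    strings.TrimPrefix(f[3], "src="),
	}, nil
}

// BruteForceAlerts flags every source with at least threshold failed logins
// inside any window of the given length. Counting per source rather than per
// (source, user) pair is what catches password spraying, where each account
// sees only one or two attempts. Results are sorted by source for stable output.
func BruteForceAlerts(log string, threshold int, window time.Duration) ([]Alert, error) {
	bySrc := map[string][]authEvent{}
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		ev, err := parseLine(line)
		if err != nil {
			return nil, err
		}
		bySrc[ev.src] = append(bySrc[ev.src], ev)
	}
	var alerts []Alert
	for src, events := range bySrc {
		sort.Slice(events, func(i, j int) bool { return events[i].at.Before(events[j].at) })
		var fails []authEvent
		users := map[string]bool{}
		for _, ev := range events {
			if ev.failed {
				fails = append(fails, ev)
				users[ev.user] = true
			}
		}
		// Two-pointer sliding window over the chronologically sorted failures.
		maxRun, j := 0, 0
		var burstEnd time.Time
		for i := range fails {
			for fails[i].at.Sub(fails[j].at) > window {
				j++
			}
			if run := i - j + 1; run > maxRun {
				maxRun = run
			}
			if i-j+1 >= threshold && burstEnd.IsZero() {
				burstEnd = fails[i].at // first moment the threshold was crossed
			}
		}
		if maxRun < threshold {
			continue
		}
		a := Alert{Src: src, Failures: maxRun, Users: len(users)}
		for _, ev := range events {
			if !ev.failed && !ev.at.Before(burstEnd) {
				a.SucceededAs = ev.user
				break
			}
		}
		alerts = append(alerts, a)
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Src < alerts[j].Src })
	return alerts, nil
}

func main() {
	alerts, err := BruteForceAlerts(sampleLog, 5, 2*time.Minute)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("%-14s failures=%d accounts=%d succeeded_as=%q\n", a.Src, a.Failures, a.Users, a.SucceededAs)
	}
}
```

With a threshold of five failures in two minutes the detector flags both the single-account hammering (which then succeeded as admin) and the spray across six accounts, while the legitimate one-off typo stays quiet. Tightening the window to one minute drops the spray, which is the usual trade-off: a slow spray that stays under the rate limit needs a longer window or a per-account "many sources, one failure each" view to be seen at all.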
The Kaseya Attack
For many companies, especially small and medium-sized enterprises, the maintenance of their IT systems is handled by external service providers. These managed service providers (MSPs) make sure that everything works correctly and that the software in use is up to date. One tool used for this is Kaseya VSA from the US software company Kaseya Limited. On 2 July 2021, attackers gained access to VSA servers through an unprotected endpoint of the web interface and an SQL injection reachable from it. From the compromised servers they pushed what looked like a regular update but contained the REvil ransomware, and the Kaseya agents on the customers' systems installed it. From the outside, the distribution of the malware therefore looked like a completely normal process. In this way about 60 MSPs were infected, which in turn passed the infection on to their clients, so that in the end around 1,500 companies were affected. A prominent example was the Swedish supermarket chain Coop, whose cash register systems failed; at times only five of its roughly 800 stores could stay open. The attackers demanded about $45,000 in cryptocurrency to decrypt an individual system; alternatively, they offered to unlock all affected systems for a record $70 million.
Kaseya even knew about the vulnerability. Dutch security researchers had discovered it in April and reported it to Kaseya immediately. According to the researchers, Kaseya then behaved in an exemplary manner: it hired additional staff and developed a patch in close cooperation with them. Shortly before the patch was finished, however, the attackers struck first.
This case is particularly troubling because the victims themselves had not necessarily done anything wrong: the infection reached otherwise protected systems through a trusted channel, the very update mechanism that is supposed to keep them secure. It can therefore be expected that such supply chain attacks will continue to increase, since a large number of targets can be hit with relatively little effort. The ransom amounts demanded in this and other cases this year also show that the attackers have found a lucrative market. Whereas WannaCry four years ago "only" demanded the equivalent of $300 per encrypted computer, here the per-system demand was already 150 times that amount. In two other cases this year, criminals extorted $4.4 million from the operators of the Colonial Pipeline in the US, and the meat producer JBS was even willing to pay $11 million in ransom. In order not to fuel the ransomware business model further, security experts repeatedly advise never to pay. Instead, regular backups should be made in advance, kept where the ransomware cannot reach and encrypt them, and tested so that they can actually be restored when needed.
In the end that was also the faster route for Colonial Pipeline, because the decryption tool supplied by the extortionists was far slower than restoring from backups. And in the case of WannaCry it later turned out that the attackers were not even able to match ransom payments to individual infected computers, so paying would have had no effect. Further protective measures against supply chain attacks still have to be developed and will undoubtedly become a new topic in the cybersecurity debate.
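The trusted-channel problem in the attack described above comes down to the agent executing whatever its management server sends it. The following is an added example written for this article, not Kaseya's code (how the real VSA agent validates what it receives is not described here). It shows the check that closes that gap: the release pipeline signs each package with an Ed25519 key that is kept off the distribution server, and the agent only runs packages whose signature verifies against a public key pinned into it at build time. The package names and payload bytes are made up.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Update is what a management server hands to the agent on each managed
// host: a package name, the package bytes, and a signature produced by a
// release key that lives on an offline build host, never on the
// internet-facing server that distributes the package.
type Update struct {
	Name      string
	Payload   []byte
	Signature []byte
}

var ErrBadSignature = errors.New("update rejected: signature does not verify against the pinned release key")

// signedMessage is the byte string that actually gets signed: the package
// name and the SHA-256 of the payload, separated by a NUL byte so the name
// cannot be confused with hash bytes. Binding the name into the signature
// stops a validly signed package from being replayed under another name.
func signedMessage(name string, payload []byte) []byte {
	sum := sha256.Sum256(payload)
	msg := append([]byte(name), 0)
	return append(msg, sum[:]...)
}

// SignUpdate runs in the release pipeline, the only place the private key exists.
func SignUpdate(priv ed25519.PrivateKey, name string, payload []byte) Update {
	return Update{
		Name:      name,
		Payload:   payload,
		Signature: ed25519.Sign(priv, signedMessage(name, payload)),
	}
}

// VerifyUpdate runs on the agent before any byte of the package is executed.
// Because the public key is pinned in the agent, a server that has been taken
// over can still push bytes but cannot produce a signature the agent accepts.
func VerifyUpdate(pinned ed25519.PublicKey, u Update) error {
	if !ed25519.Verify(pinned, signedMessage(u.Name, u.Payload), u.Signature) {
		return ErrBadSignature
	}
	return nil
}

func verdict(err error) string {
	if err != nil {
		return err.Error()
	}
	return "accepted"
}

func main() {
	// Release host: generate the key pair; only the public half ships inside the agent.
	releasePub, releasePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := SignUpdate(releasePriv, "agent-hotfix-1.2.3", []byte("legitimate patch bytes"))
	fmt.Println("genuine update:   ", verdict(VerifyUpdate(releasePub, genuine)))

	// Compromised distribution server: the attacker swaps the payload but cannot re-sign it.
	tampered := genuine
	tampered.Payload = []byte("ransomware dropper")
	fmt.Println("tampered payload: ", verdict(VerifyUpdate(releasePub, tampered)))

	// Attacker signs with a key of their own; the agent's pinned key does not match.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := SignUpdate(attackerPriv, "agent-hotfix-1.2.3", []byte("ransomware dropper"))
	fmt.Println("forged signature: ", verdict(VerifyUpdate(releasePub, forged)))

	// A genuine package replayed under a different name is rejected as well.
	renamed := genuine
	renamed.Name = "agent-hotfix-9.9.9"
	fmt.Println("renamed package:  ", verdict(VerifyUpdate(releasePub, renamed)))
}
```

The check holds only as long as the private key is not on a host the attacker can reach: signing on the same server that was broken into would protect nothing, and if the vendor's build pipeline itself is compromised, a correctly signed package can still be malicious. Verification is therefore a complement to, not a substitute for, securing the servers that build and distribute updates.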