Cybercrime , Cybercrime as-a-service , Endpoint Detection & Response (EDR)

Suspected REvil Ransomware Spinoff 'Ransom Cartel' Debuts

Single Group - As In, Not a Cartel - Appears to Possess REvil Components or Copies
Suspected REvil Ransomware Spinoff 'Ransom Cartel' Debuts
Ransom note left by REvil/Sodinokibi on a crypto-locked system (Source: Elliptic)

Has the notorious REvil, aka Sodinokibi, ransomware operation rebooted as "Ransom Cartel"? Security experts say the new group has technical and other crossovers with REvil. But whether the new group is a spinoff of REvil, bought the tools, or is simply copying how they work, remains unclear.

See Also: Revealing the Threat Landscape: 2024 Elastic Global Threat Report

The anti-malware researchers behind MalwareHunterTeam note that the new crime group debuted by the middle of December 2021, and that while none of the group's crypto-locking malware has yet been recovered, and it's not clear how many victims the group might have amassed, it has a number of crossovers with REvil.

These include the template used to generate ransom notes, the researchers say. But this would be easy to emulate.

More difficult to emulate, however, are certain technical similarities. Files encrypted by Ransom Cartel's crypto-locking malware, for example, when viewed with a hex editor, have footers that "look" like files encrypted by REvil, even down to the placement of the checksum used to check for errors in a file, MalwareHunterTeam says.

"We can tell for sure that either someone spent a lot of time to study REvil and create a ransomware that has much similarities (why do this?) or this is REvil ransomware in some form (compiled from source or a sample of it got patched and reused again)," the researchers say.

Whether any former members of REvil are part of Ransom Cartel remains unknown.

What Happened to REvil's Leaders?

The fate of REvil's leadership also remains an open question, with core members such as UNKN, aka "unknown," having disappeared from cybercrime forums they used to frequent.

REvil first appeared in April 2019 as a GandCrab ransomware spinoff, and the FBI says it went on to earn more than $200 million in ransom payment profits.

The U.S. government in the spring of 2021 began sharing intelligence on ransomware groups with the Russian government, and demanding Moscow do more to blunt attacks emanating from inside the country.

On Jan. 14, Russia's Federal Security Agency, the FSB, announced that it had arrested 14 suspected members of the group. At least eight suspects have now been charged with money control/laundering.

At the time of the arrests, the FSB said it had been acting on U.S. intelligence.

So far, however, it's not clear if any of REvil's high-level leadership, whoever they might be, were arrested. At least some of the suspects appear to be affiliates. The White House, for example, said one of the suspects is an affiliate who also worked with the DarkSide group, and that the affiliate was responsible for the attack on U.S.-based Colonial Pipeline last May.

But Vitali Kremez, CEO of threat intelligence firm Advanced Intelligence, says the actual coders behind REvil apparently weren't swept up in this month's arrests in Russia. "We have confirmation and knowledge of many REvil hackers still working with the other groups such as Conti," he says.

Rather, he says that the arrests appear to have snared mostly lower-level hackers or penetration testing experts - aka "pentesters" - who were "supporting/staffing affiliates' teams."

Partnering for Greater Profits

Affiliates often work with multiple ransomware groups, serving as business partners or contractors. For groups such as REvil that largely ran as a ransomware-as-a-service - aka RaaS - operation, affiliates will execute most, if not all, of the actual attacks, meaning they infect victims with a group's ransomware. If a victim pays, the promise to an affiliate is often that they'll receive 70% of the payment, with operators keeping the rest.

The RaaS business model helped ransomware groups achieve record profits. This was thanks in part to the most successful operations - meaning the ones with the most robust ransomware executables, decryption tools, data leak portals, negotiation teams and more - often recruited the most skilled affiliates, including network-penetration experts, thus leading to higher profits for both affiliates and operators.

As these profits surged, however, groups were increasingly infecting or disrupting larger concerns, including organizations whose outages created national security concerns.

In May 2021, for example, Ireland's national health service was infected with Conti ransomware, disrupting patient care for months. The same month, executives at Colonial Pipeline in the U.S. took their networks offline after being infected with DarkSide, leading to Americans panic-buying fuel. Attackers wielding REvil shortly thereafter hit the U.S. operations of the world's largest meat processor, JBS, and then software developer Kaseya, whose remote management tools are widely used by managed service providers. Attackers used those tools to distribute REvil onto endpoints managed by those MSPs, leading to more than 1 million endpoints being infected, and over 1,000 different, affected organizations each receiving their own ransom demand. A free decryptor later got released.

International Crackdown

The White House responded by calling for an international crackdown on ransomware-wielding attackers and anyone who enables them and began devoting more resources to tracking, disrupting and prosecuting cybercrime.

The Biden administration, working with allies, also tasked law enforcement and military resources to actively disrupt infrastructure used by groups such as REvil, officials later revealed.

Full details of those operations have yet to be made public. But beyond REvil, security experts last summer noted that someone was targeting the LockBit 2.0 ransomware group and cybercrime marketplace Marketo with distributed denial-of-service attacks.

Interpol, meanwhile, has said that after the May 2021 hit on Ireland's Health Service Executive by Conti, it facilitated the "identification and takeover of the attackers' command-and-control server" in the Ukraine.

Last October, the suspected REvil affiliate who hit Kaseya - Ukrainian national Yaroslav Vasinskyi, 22 - was arrested in Poland. He's now the subject of a U.S. extradition request.

Last November, an indictment was unsealed charging Russian national Yevgeniy Polyanin, 28, with perpetrating a 2019 REvil attack on IT service provider TSM Consulting Services, which led to 22 Texas municipalities being infected with REvil. While he remains at large, the Department of Justice said it had seized from him cryptocurrency worth $6.1 million.

Mooting a REvil Reboot

Being disrupted by law enforcement agencies would help explain how REvil went dark last July, only to reappear - without explanation - last September. But whoever rebooted REvil apparently failed to correctly configure the operation's Tor-based sites, which allowed someone else - possibly a law enforcement agency - to take control of REvil's sites. Shortly thereafter, REvil went and has stayed dark.

"REvil as a brand is likely gone for good as affiliates and other threat actors would probably not want to collaborate with an operation that was reportedly compromised by law enforcement," Brett Callow, a threat analyst at security firm Emsisoft, told Information Security Media Group last October.

Meanwhile, reverse-engineering specialists working for the Exploit cybercrime forum, where REvil used to recruit, last year published a teardown of REvil's code, and reported finding a backdoor in all samples of REvil up to July 2021 that would have allowed operators to cut an affiliate out of a deal, Advanced Intelligence reported last September.

All of that added up to REvil's reputation apparently having been well and truly burned, as further suggested now by Advanced Intelligence reporting that some core REvil members are working with other groups.

Even so, Emsisoft's Callow has said that "it's not at all unlikely that they'll make a comeback under a new name."

This has already happened with DarkSide, which rebranded as BlackMatter. Time will tell if Ransom Cartel, however, can be counted as a new incarnation of REvil.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.