Euro Security Watch with Mathew J. Schwartz

3rd Party Risk Management , Business Continuity Management / Disaster Recovery , Critical Infrastructure Security

Ransomware Soap Opera Continues With REvil’s Latest Outage

Who Hijacked Infrastructure of Ransomware Public Enemy No. 1 REvil, aka Sodinokibi?
Ransomware Soap Opera Continues With REvil’s Latest Outage
Heat map of known REvil/Sodinokibi ransomware attacks from July 2020 to July 2021 (Source: Cyble)

Is there any bigger cybercrime soap opera these days than the life and times of ransomware operators?

See Also: OnDemand | Password Management: Securing Hybrid Work for the Long Haul

Babuk went through a messy breakup: Its members are no longer on speaking terms, and its developer dumped the malware's source code, claiming to be terminally ill with lung cancer and seemingly trying to make amends. Another key member has taken to issuing manifestos and launching rival services. Separately, an affiliate of the Conti ransomware operation leaked its attack playbook, alleging he'd been underpaid. And DoppelPaymer, aka DopplePaymer, has renamed itself "Pay or Grief" - Grief for short - likely to try and trick victims into not realizing that U.S. government sanctions prohibit paying it any ransom.

In the running for lead prizes in the cybercrime Academy Awards, however, would surely be the REvil, aka Sodinokibi, ransomware-as-a-service operation, which seems like it's disappeared and reappeared more times than the secret, identical twin of the protagonist in your favorite melodrama.

REvil's latest disappearing act - only its second, though it already feels like more - occurred this week. As first spotted by Dmitry Smilnanets, a researcher at threat intelligence firm Recorded Future, a user of the XSS cybercrime forum with the handle "0_neday," who claims to be a REvil administrator, posted Sunday that its .onion sites - accessible only via the anonymizing Tor browser - had been hijacked.

"Since we have today at 17.10 from 12:00 Moscow time, someone brought up the hidden-services of a landing and a blog with the same keys as ours, my fears were confirmed. The third party has backups with onion service keys," 0_neday said in the post to XSS, as Bleeping Computer first reported.

"I checked the sites and found no signs of compromise," he added, noting that for the time being the group would remain "offline."

Hijacking the sites would have required a third party to somehow have obtained the private keys used to create those Tor hidden services - aka .onion sites - in the first place. Anyone in possession of a private key for an existing hidden service can create a new version of the Tor site that supersedes all previous versions. If the new site looked like the old one, users would be unaware that they were visiting a doppelganger.

Poor Reviews for Latest Reboot

So, who hijacked REvil's sites? The loquacious and relentlessly self-promotional operator associated with rival ransomware-as-a-service operation LockBit 2.0, who goes by LockBitSupp, has a theory. He's suggested REvil's entire reappearance in September, after going dark in July, has been a carefully orchestrated law enforcement maneuver. In recent weeks, LockBitSupp has continued to predict that attempts to reboot REvil - or for that matter to continue DarkSide's rebrand as BlackMatter - remained doomed to fail. But then as a rival service operator, he would say that, wouldn't he?

If a law enforcement agency somehow obtained the private keys for REvil's "Happy Blog" data leak site, where it lists victims, or its portal for negotiating and paying ransoms, then police could have substituted their own version. Perhaps they would have attempted to not just derail the operation, but also to infiltrate communications with REvil's affiliates or prospective affiliates to unmask them, or at least trick them into revealing the addresses for their cryptocurrency wallets.

Whether any of this happened remains unclear. Police also aren't the ransomware operation's only problem.

Indeed, REvil likely angered many of the most highly skilled affiliates with which it worked, after news emerged that it had created a backdoor in its crypto-locking malware, since its launch in April 2019, designed to give it a way to cheat affiliates out of their 70% share of every ransom paid by one of their victims.

The backdoor was spotted by reverse-engineering specialists on the Exploit cybercrime forum, who analyzed REvil's code, researchers at New York-based threat intelligence firm Advanced Intelligence, aka AdvIntel, told me last month.

"It looks like the backdoor was around since the very beginning of the REvil RaaS operation, and it disappeared during REvil's restart. In other words, the old REvil - the one before quitting in July - had the backdoor, and the new one, restarting in September, doesn't have one," said Yelisey Boguslavskiy, head of research at AdvIntel.

Ransomware Public Enemy No. 1

REvil was once ransomware public enemy No. 1. Ransomware incident response firm Coveware, based on thousands of cases that it helped investigate from April through June, says REvil was the most prevalent strain of ransomware that it saw.

In May, the group gained extra notoriety after attacking meat processing giant JBS, which paid the group an $11 million ransom. Over the July Fourth holiday weekend, REvil launched an attack via Miami-based remote management software firm Kaseya's remote management software, which is used by a number of managed service providers. Up to 1,500 of those MSPs' clients ended up infected with REvil ransomware.

In the wake of other high-profile attacks, including DarkSide hitting a major U.S. pipeline in May, causing consumers to panic-buy fuel, the White House announced it was devoting more resources to disrupting ransomware groups and bringing greater pressure to bear - not least on Moscow - to do something about ransomware-wielding criminals operating from inside Russia's borders.

In July, both DarkSide and REvil went dark. The White House said: It wasn't us.

Then REvil reappeared in September as if nothing had happened. In a likely sign of the group's star having fallen, it's recently been offering affiliates 90% of every ransom a victim pays, according to the threat intelligence team at security firm Digital Shadows.

Shortly after its reappearance, law enforcement agencies shared REvil keys they'd obtained with security firm BitDefender, allowing it to release a free decryptor for almost all prior REvil infections. Some security experts suggested the move demonstrated that law enforcement agencies had somehow been behind REvil's July disruption.

But in a Sept. 10 post to the Exploit forum, a self-described REvil representative claimed that the decryptor fiasco had been due to a member of the ransomware team having accidentally shared a universal decryptor with a ransom-paying victim of the Kaseya attack, rather than police having hacked its infrastructure.

The Plot Thickens

Experts advise taking all such claims with a big dose of salt. As with so many things involving ransomware, these and other details get promulgated by criminals who use anonymous handles and have a propensity to lie. Or maybe informants, if not law enforcement agents themselves, are behind some of these communications.

If police did scuttle and then reboot REvil, supplanting its Tor sites with their own, identical-looking versions, it wouldn't be the first time such subterfuge has been seen.

On July Fourth, 2017, for example, an international law enforcement operation resulted in the seizure and takedown of AlphaBay, which at that time was ranked as being the world's biggest darknet marketplace, facilitating the global sale of everything from malware and fake IDs to firearms and illicit drugs. After AlphaBay went dark, numerous buyers and sellers quickly moved to the also-popular Hansa marketplace.

Unbeknownst to Hansa users, however, Dutch police had seized the site the prior month and monitored everything being done before shutting it down on July 20, 2017. Police say evidence gathered from the monitoring was shared with global law enforcement partners. Similar examples have also been seen with multiple crypto-phone services, including EncroChat in June 2020, Sky ECC - aka Sky Global - in March 2021, and the Anom honeypot operation revealed in June 2021.

Besides helping identify suspects and trace the flow of illegal drugs and other illicit goods, security experts say such disruptions sow fear, chaos and confusion in the cybercrime community. Who's really a ransomware operator, and who's just playing one as part of their police day job?

Cliffhanger Alert

Many security experts are now asking: Could the REvil disrupter have been a Western law enforcement or intelligence agency? Was the entire REvil reboot simply a police ploy to see who they might entrap? Or as information security veteran Dave Aitel mock-postulated, what if this is all an elaborate ruse by Russian intelligence to steal National Security Agency zero-day attacks?

The answers to these questions remain unclear. Meanwhile, with newcomers appearing nonstop, the already crowded ransomware landscape remains fit to burst with fresh story lines. Who's going to fall out next? Who's cheating behind everyone else's back? And who's not really the Russian-speaking cybercrime boss they're pretending to be?

Whatever the next installment, until criminals' appetite for these types of heists abates, expect the plot twists to remain fast, furious and likely unforgettable.



About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.eu, you agree to our use of cookies.