CyberWire Daily - The story of REvil: From origin to beyond. [Research Saturday]
Episode Date: March 12, 2022
Guest Jon DiMaggio, Chief Security Strategist at Analyst1, joins Dave Bittner to discuss his team's research "A History of REvil" that chronicles the rise and fall of REvil. The REvil gang is an organized criminal enterprise based primarily out of Russia that runs a Ransomware as a Service (RaaS) operation. The core members of the gang reside and operate out of Russia. REvil leverages hackers for hire, known as affiliates, to conduct the breach, steal victim data, delete backups, and infect victim systems with ransomware for a share of the profits. Affiliates primarily stem from across eastern Europe, though a small percentage operate outside that region. In return, the core gang maintains and provides the ransomware payload, hosts the victim data leak/auction site, facilitates victim communication and payment services, and distributes the decryption key. In simpler terms, the core gang is the service provider and persona behind the operation, while the affiliates are the hired muscle facilitating attacks. Jon walks us through the team's findings and details REvil's story. The research can be found here: A History of REvil
Transcript
You're listening to the Cyber Wire Network, powered by N2K. data products platform comes in. With Domo, you can channel AI and data into innovative uses that
deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to
your role. Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation
with researchers and analysts tracking down threats and vulnerabilities, solving some of
the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
You know, there's been a ton of activity talks and reports over the past couple of years on this group.
What I realized is this was an amazing story and no one's really told it from start to finish.
That's Jon DiMaggio. He's chief security strategist at Analyst1.
The research we're discussing today is titled A History of REvil.
And now a message from our sponsor Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks
and a $75 million record payout in 2024.
These traditional security tools expand your attack surface
with public-facing IPs that are exploited by bad actors
more easily than ever with AI tools.
It's time to rethink your security.
Zscaler Zero Trust Plus AI stops attackers
by hiding your attack surface,
making apps and IPs invisible,
eliminating lateral movement,
connecting users only to specific apps,
not the entire network,
continuously verifying every request
based on identity and context,
simplifying security management with AI-powered automation.
And detecting threats using AI to analyze over 500 billion daily transactions.
Hackers can't attack what they can't see.
Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com slash security.
We really don't have a lot of good examples of ransomware groups where you could do sort of a
use case that would show the cradle to grave lifecycle of an attacker. And I felt like this
was going to be perfect for it,
which is sort of what led me down the road to write this content.
Well, I have to say, it is a real page turner, even for those of us who've been following along
to have it all sort of laid out here. It is quite compelling. Let's go through it together here,
and let's begin where you do, which is REvil's origin story.
Where did they begin?
Yes.
So the beginning of REvil was really interesting because originally, you know, we got this wrong.
But the group actually started out with another ransomware gang called GandCrab.
And GandCrab was also a very well-known group that went away right as REvil began.
And during that process, when they transitioned over, there was sort of a window. And the two
groups, one would communicate and talk on forums together. There was a lot of sort of marketing
between one another, and it was very clear there was a relationship between the two.
And as GandCrab exited the scene and posted their retirement message, immediately REvil began to recruit their affiliates and begin their own attacks with their own payload. What was really
interesting about that is during that first attack, that was the first notable attack that
we ever saw using REvil, the hackers that were on network actually doing the attack dropped both a REvil payload, which is also
known as Sodinokibi, it's a mouthful, and they were also dropping the GandCrab payload,
which has the same name as the group, it's just called GandCrab. But that showed that they
had access to both. In
addition to this relationship we were seeing on the forums, there was also some strong technical
relationships between the two. The most notable is there was a developer string
in the PDB string that actually said GC6, and GC, obviously you can figure out the initials, GandCrab. Well, the last version of code for GandCrab's payload
had the same string, but it was GC5.
So that and some of the ways that it documented
their campaign IDs and their affiliates
and things of that nature, just a number,
I won't get too far in the weeds,
but there was quite a few technical similarities
that I was like, okay, this came from the same developer.
There's some shared code.
A lot of this is very common between the two. So we as researchers and analysts in the community
as a whole sort of accepted that GandCrab didn't really retire. They just evolved and rebranded.
We found out that was not the case. So it started with an interview where someone asked them, hey,
what's your name? Researchers are
calling you Sodinokibi. And they just didn't like that name and said, hey, we're going to get back
to you. And when that happened, that's where they came back and they said, okay, we want to be known
as REvil. And later in an interview, because these guys did interviews, which I thought was
really interesting and made them accessible, they talked about that origin story.
I'm sorry, the origin, the background of that name.
And it actually came from a video game, Resident Evil.
So this was short for Ransom Evil.
And so just that sort of background was interesting.
During that same interview with the REvil operator,
they also went and talked about how they began and said,
no, you know, you guys got it wrong.
We actually were
an affiliate. And when GandCrab went away, I don't know if they purchased or acquired, but they
approached the GandCrab operator and that's how they acquired the payload that was then developed
into Sodinokibi. I think they got the source code and developed, bought the source code and
developed it themselves, but we don't know. It could have been developed for them, but there were multiple iterations throughout the years of
Sodinokibi, meaning they obviously had their own developers that were working on this. The two were
very close together, like I said, but one was an affiliate that did the hacking, and they sort of switched
roles, became a provider themselves, and moved forward in their attacks as we know it
over the past, you know, two, two and a half years.
One of the things that you point out in the research here is that for an organization like REvil to succeed, they have to be successful gathering affiliates. And that was part of the
effort that they had in their startup phase here. Can you take us through how they went about doing
that and where they were successful
there? Yeah, well, I'll give you where they're successful and I'll tell you where they weren't
because it's actually a bit interesting there and there's some good things to learn. So when they
first, again, when they first came out, they just hit the same forums that GandCrab used to
recruit their affiliates. And they went and they looked, and they were looking for a limited amount of affiliates. And from some of the affiliates
that I was able to actually talk to about their activity with it,
there was actually a number of them that got into the actual interview process.
And most of us thought when there's teams of affiliates, these are guys that already
know each other, teams of three or four guys.
Well, in this case with REvil, that wasn't the case.
They were interviewing candidates one by one.
They wanted to make sure that they weren't actually spies or snitches or things like
that.
So they would ask them about Russian folklore, things that at least the REvil operators believed you could not find via the internet or Google or things like that, things that only a true Russian native would actually know.
So they tried to eliminate by asking folklore-based questions.
It's almost like a trivia, kind of funny.
And they would use a secure chat thing called Tox, and they'd sort of be in
this session. And once they got past that initial, the folklore vetting, they would
ask them technical questions, engage them. And then they would pick when they were done, they
would pick the individuals they thought would make a good team. And then they close out recruitment.
Okay. So let's say that, you know, they had their pool, they created their teams. Those individuals were told, hey, you're going to have to split this
money. The proceeds, we'll give you 70% of our proceeds, and each of these individuals will get
this split up equally. That's how it started. They didn't control who did what
or how much money was cut, but in the end, they really tried to control that. And they had success at the beginning, but they also were not getting the big fish that they wanted. And there
were some very, very public failures that they had. And about a year later, they went sort of
on a second recruitment phase. This recruitment phase was much more detailed. So in the earlier
one, they were just looking for people basically that could answer these
questions, make it through the interview that they felt would be good.
And the second one, the differences you can see are notable because they list all these
specific requirements that they want before anybody even applies for it.
And in it, there were really interesting things that I had never even seen before.
Stuff like using a voice modulator, being able to speak English because they don't want anybody who's not a true
Russian, uh, being able to speak English. You know, we've never,
or I've never seen where they're actually talking to victims.
It's usually done over a chat portal. And I've, uh,
I've been lucky enough to have, you know,
victims call me before and let me help them, um,
in some of their IR investigations where I've gotten to actually
observe sort of the chat negotiation. And again, it's always been over a portal or over email.
It's never been over the phone. So obviously there was probably some cases where they did
talk to them or the desire to talk over the phone since they had that. And clearly speaking English,
they realized was something that is important. So they sort of changed that direction that they
went. And by the time this sort of second recruitment phase came along, the U.S. had
been a much, much larger target for them at this point. It almost, that was when we started to get
personal where they started to get angry. And, you know, the first it was with President Trump,
then it was with President Biden and the back and forth and, you know, gloves off and things got
nasty on both sides.
But yeah, the last piece I want to say about that affiliate recruitment is on the first phase,
they deposited $100,000 to $130,000 across the forums. You can almost buy, and this isn't the right
wording for it, street credibility; you get different levels in these forums, and by putting larger deposits, you show you're a more serious player and there's
money to be made. But just to give you an idea how much they grew in that year, in that second
recruiting effort, they deposited a million dollars. So big step up, really showing, hey,
we're going to make money. And they wanted to get the attention of the key players for affiliates,
you know, sort of the best, you know, hackers, if you will, to come work for them. And that was sort of seeing them grow and seeing those
recruiting ads and those requirements change and showing, okay, we're really serious. You could
just watch it progress. So those are the two main core campaigns that I saw to recruit. I'm sure
there were more, but those were the forums that I was
able to find them on and some of the chats that I was able to see them with. But I'm sure there
were more that I didn't see, but I thought I got a pretty good snapshot of how it works with just
that. Can you take us through how they handled infrastructure and assembling the tools that
were going to be the core of their operations?
Yeah. So there's a couple of pieces to this. So they have what they call their happy blog,
which is a name and shame slash data auction site. So they use it to post victims' information to
shame them, and they use it to leak their data. At the same time, they also use it to auction
off that data. Basically, it's an auction where the victim has first rights to buy, and obviously they want them to buy because they're going to pay the most money for it.
If they don't, though, they will auction it off to the highest bidder in the criminal world.
So that piece of their infrastructure they host on the dark web. Within that, they also have a chat portal. That chat portal is accessed when a ransom payload goes off on a victim. They have a specific key
that's in their ransom note that they have to paste in, and that key takes them to their own
unique chat session on the chat portal that they have. Now, there is both a dark web version of it,
and there was one that you could access via the traditional internet. So in other words, they originally
wanted everything in the dark web, but I think they realized they needed to make things easier
for people to pay. So they made a version of it that would be on the the traditional internet,
same with their decryptor site, if you will. And a lot of these were tied together.
But they would have a second version, again,
that you could access via the regular internet.
And then things would get taken down
and they would stand them back up
and they'd just be another version of it.
But those were the three components,
sort of was the data auction,
the chat portal, and the decryption.
That was the main pieces to their puzzle
of what they used for their infrastructure
as it varied over time.
And I suppose for a group of this scale, getting access to bulletproof hosting, if you will, is fairly routine.
It is fairly routine.
Those things where they're going to go with whatever is going to be the most secure product that's going to be the hardest to take down and is going to give them the ability for their infrastructure to withstand takedowns. Obviously, I don't think they expected an entire government to use all of its resources to get behind the takedown.
Lockdowns, law enforcement sending a subpoena, you know, whatever it is, there are certain vendors and technologies that make it more difficult for that to take place. And that's
obviously where bad guys gravitate to. One of the things you point out in your research here is that
the REvil gang were unusually communicative with media, you know, making themselves available for conversations, for inquiry.
Was there an unusual, a unique amount of swagger that these folks had,
or were they more businesslike?
No, there was absolute swagger.
I mean, this was ego across the board.
So their favorite reporters to talk to was BleepingComputer.
Not just them.
That's like for whatever reason, that's where ransomware guys go to talk.
And so I used them as a great resource because there was so much information there that we had because that guy felt comfortable talking with them.
The bad guy felt comfortable talking with them.
But in their messages, there was messages that they posted there, and there was also messages that they would post through their own site and on forums and things of that nature.
But point being is the one consistent theme that we had is they would love to challenge authority, and they just felt like they were untouchable.
I mean, let's think about this. They had that affiliation with DarkSide, and when DarkSide got taken down and could no longer be their own voice and talk, these guys with all that heat on them, it was REvil that got up there and decided to speak on their behalf. They had put sort of a stop on attacking critical US infrastructure when things first happened.
And then within days of that, when the Biden administration sort of said, hey, we're now
taking ransomware as a national threat. We're going to put together a lot of resources to come
after you. REvil got out there and was like, OK, gloves are off. We're taking those restrictions
out. We're going to specifically come and target you now, which was just insane to make yourself even
more of a target. And I think that was really what was the beginning of the end for them.
But it was an ego driven thing. It was a, hey, I need to be in the spotlight. Hey,
I'm going to fight authority and you can't tell us this and we're going to come after you for that. And it was just
if they had been humble, quieter, and just more selective on their targets, they'd probably still
be making hundreds of millions of dollars today in the safety of Russia. But instead, because of
that voice, that spotlight, and sort of celebrity mentality that they got, it just made them such a
target. It led to their downfall.
One of the key reasons anyway. Yeah. You know, you mentioned DarkSide and it seems to me like
a real turning point in this story arc is when DarkSide hits Colonial Pipeline.
Yeah, that's definitely a key story. You know, I refer to it in my research paper, I refer to it
as sort of their sidekick
that screwed everything up, because that's really what it is. It was their sidekick. It wasn't REvil
that went and hacked into a pipeline, shutting down gas. It was DarkSide. And DarkSide had a
similar story as REvil. They began as an affiliate to REvil, and they spun off into
their own group. And REvil, in some way, helped
them with their payload, because there were so many similarities between the two. And then they
were the voice of them when things went down. And they weren't the only group. There was another
group, Prometheus, that just didn't have the same level of attention, that on their website put, you
know, that they were an affiliate or a spin-off group from REvil. So they were almost like
they were franchising and having these other groups go out, and they were sort of making their own empire.
But back to what you said about DarkSide. Yeah. So DarkSide, yeah, they screwed everything up
for them. They did this, they got all this attention. They obviously didn't realize what
they were doing at the time, because there's no way anybody would do this intentionally if they
knew how it was going to, all the attention it was going to get and how it was going to turn out because it literally crippled them. And they lost all the money that they gained
when the US government came out after them and emptied their Bitcoin wallet. So at the end of
the day, it just wasn't worth it, caused a lot of attention, caused a lot of trouble, and led to also
with the banning of discussing ransomware on a lot of the forums that these guys lived on,
and more importantly, the forums they recruited on. And when you make it harder to recruit,
that directly affects business. So all of it sort of stemmed from DarkSide screwing up is where
everything started to change and go the opposite direction for REvil.
Well, let's go through the ultimate undoing then. I mean, as we say,
it seems like DarkSide was sort of the catalyst, but it was downhill from there.
I think it was Advanced Intel that first reported it. But in May, there was an affiliate who... There's a process of when a hacker on these forums gets sort of screwed out of money or buys
a service and they don't get it or whatever it is, where you can request arbitration, where,
as I told you, you could put down these Bitcoin deposits on the forum. Arbitrator will come in
and look at the case.
You'll have to send in logs or evidence to support your side, and then they make a decision. If they decide you were wronged, they'll give you money from that pool of the deposit.
Well, and if there isn't money and you don't do it, they get kicked off the forum and their reputation is hurt, and that's something that most of these criminals really care about. Well, what happened with that is one of the affiliates posted this in May,
and it didn't get a lot of attention, and they did post all the evidence publicly,
which they don't always do. A lot of other ransomware criminals in this community were
upset that they did post it publicly, but it gave us as researchers a lot of cool information.
I really thought they were going to get awarded the money. They didn't.
The arbitrator sided with REvil, but what was interesting is REvil made a large deposit to that forum a week after the arbitrator weighed in their favor.
Whether or not that was buying them out or not, I don't know, but I thought it was interesting timing. But the reason this May event was important is because in September, so several months later in September, that's where
I was saying the company, Advanced Intel, those guys do great work. And they actually found a
backdoor in the attacker's malware. So it was a backdoor designed to double cross the affiliate who's working for the
provider. So REvil's affiliates were the ones infected with this backdoor, not the victim.
So that's where the double cross comes in that makes it so interesting. Bad guys use a user
panel to manage their attack, and they have sort of their own software that's part of the
REvil infrastructure and payload. And within this, they installed the back door so that they could have sort of a double chat. They could watch and
view the affiliate negotiating and talking with the victim, and what they would do is, if it looked
like the affiliate was going to pay, they sort of interrupted that session, making it look like
the victim just backed out and decided not to pay. And then they
stepped in, and the victim just sees the chat portal. They don't know that it's
somebody else behind it now. So now they're talking to them. Now they're going to pay, and
they give them the instruction to pay. And now instead of paying the affiliate 70% of, let's say,
a $10 million ransom, they keep the whole thing for themselves and just say, yeah, sorry, I guess
these guys didn't pay, better luck next time. And this kept happening over and over again. And once this came out and they put the technical analysis out there, bad guys started doing their own analysis and finding more things and posting all of this at the binary analysis level on these forums and demanding that REvil
explain what they did. And people were calling the names and it's just, I mean, their reputation was
just done. People were pulling out left and right. Nobody wanted to work with them. And the most
interesting part though, REvil stayed. They could have been quiet. They could have disappeared. They
stayed and they adamantly argued that they did not do this, that it isn't what happened.
And I always thought that was interesting because if they really didn't put this back door in, then who did?
And, you know, the only other person I could think of, it would have to have been like a major government or intelligence agency.
That's some conspiracy theory stuff. The whole community believes REvil did it. But I'm just saying if they didn't and it was a government, that would
be ingenious because you know you're not going to arrest them because they're protected in Russia.
What's the next best way to get rid of them? Kill their credibility. So I think that's a really cool
secondary story if we ever found out that they really didn't put the back door in. But I thought
it was so interesting that they stuck, they hung in there adamantly to the very end,
claimed that they did not do this.
And there was no denying in the code that it was there.
So, yeah, community does believe, though, that it was that they did do it to screw these guys.
Yeah, no honor among thieves, right?
Right, exactly.
Yeah, it's hard to feel bad for you, you know?
Yeah. Now, ultimately, the story kind of ends with law enforcement knocking on some people's doors.
How did that play out?
Well, so there are two parts to it.
In November, when the U.S. conducted or issued indictments,
the only doors they got knocked on were ones that were outside of Russia.
So we got some affiliates in the Ukraine. There was another affiliate in Russia that, you know,
his name and picture were given, but they couldn't touch him and Russian government wouldn't help.
But with the President Biden going to Vladimir Putin in Geneva when they met in July and saying,
hey, we need help with this or we're going to have to act,
basically. Maybe not quite the same wording, but it's basically what he asked for. What we found here is they finally came in and gave us a hand. I was shocked when I heard about it. But yeah,
the FSB night raids, they kicked in 25 doors, arrested 14 people in Russia. We still don't know the full fallout of it,
whether there's speculation they were developers, others speculate they're the core members.
But regardless, it's a much bigger hit than it was when they just arrested guys outside of Russia.
But more importantly, regardless of who the specific players were within the gang that
got arrested, it was that message that was just sent of, hey, Russia's no
longer protecting you. And that was huge. And for the first time ever, I saw the conversation change
where people were concerned and talking about, hey, this isn't worth it if I'm going to go to
jail. We're concerned if we're not protected by Russia anymore. Unfortunately, I don't think
that's going to stick because of the tension with the U.S. right now, with Russia, with invading the Ukraine.
And if things get worse and we do become full-on adversaries again, I'm sure there will be the open door again to have at it and keep targeting the U.S.
But regardless, it's the first time where we've seen sort of, even if it's a psychological impact, an impact on Russian-based ransomware attackers where they're second thinking what they're going
to do. I just, I had never seen that before and it really surprised me. So that's a win for us,
regardless of how long it lasts. That's a win for us. It's a step in the right direction.
Yeah. I would imagine even just shaking up their confidence, you know, the operator's
confidence over there that perhaps they're not as bulletproof as they thought they were. That's a good thing.
The narrative of this story is good enough for a Hollywood feature. And I have to say,
I laughed out loud. One of the things you point out in your write-up is the only thing missing is a good car chase. And I wonder when Hollywood eventually does make the story, will they figure out a way to put one in there?
Well, here's the good thing, Dave.
When they arrested these guys, there was over 20, quote-unquote, premium cars that were taken.
So we've got, you know, if we say based on a true story, we've got the cars, we've got the bad guys.
Let's just throw a good car chase in there and make it perfect.
Because this really was such an interesting story. It literally could be a movie. It really could be.
Yeah. What do you take away from this? I mean, having gone through the exercise of really
digging into the details here and laying it out from start to finish, how do you think this informs
where we go from here? Yeah. I think one of the things that we really need to do is have law enforcement get into these communities. Even if we're, let's say that we were able to
break into sort of the places where they recruit affiliates and things like that,
even if we're not successful in gaining access to the gang by doing that, just by making it harder
and more difficult to find affiliates and to know who to trust and to have them second guess or
question, we need to get closer to them. And from conversations that I've had, I don't think right now we have a
strong, a strong capability within a lot of those inner circles. And, you know, I could be wrong.
I'm just telling you from the conversations that I've had. And the thing is, if there's,
there's guys out there like me that are able to do it, certainly there's law enforcement and
government organizations that can do it.
And I'm sure that that's something they're working on.
But knowing where to go and getting in there and making it harder, sort of injecting deceit and injecting questionable content and making them really wonder if the people they're working with or the payloads that they're getting are things that they can trust, is going to just be a sidestep,
and it's going to have a psychological effect that's going to cause distrust, which will hopefully lead to less ransomware attacks and things of that nature.
On the other end, yeah, we need to keep doing things where we're infiltrating their wallets,
taking money back, dedicating intelligence community resources,
things that nobody else in the world has to figure out who the guys are
behind the keyboards, putting their pictures out there, making sure that if they travel out of the
country, they know they're going to get arrested, doing everything we can to sort of put the heat
on them and to get it known that we're not just going to sit back anymore. Unfortunately, there
is no easy solution. And this could be like the war on drugs. We may never win it, but there are
things that we can do that are going to slow it down and give us at least a better chance of protecting ourselves against it, if that makes sense.
Our thanks to Jon DiMaggio from Analyst1 for joining us.
The research is titled A History of REvil.
We'll have a link in the show notes.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact, over one
third of new members discover they've already been breached. Protect your executives and their families 24-7,
365, with Black Cloak. Learn more at blackcloak.io.
The Cyber Wire Research Saturday is proudly produced in Maryland out of the startup studios
of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Trey Hester, Brandon Karp,
Eliana White, Puru Prakash, Justin Sabey, Tim Nodar, Joe Kerrigan,
Kirill Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe,
Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here next week.