Darknet Diaries - 126: REvil
Episode Date: October 18, 2022
REvil is the name of a ransomware service as well as a group of criminals inflicting ransomware onto the world. Hear how this ransomware shook the world.
A special thanks to our guest Will, a ...CTI researcher with Equinix.
Sponsors
Support for this show comes from Zscaler. The Zscaler Zero Trust Exchange will scrutinize the traffic and permit or deny traffic based on a set of rules. This is so much more secure than letting data flow freely internally. And it really does mitigate ransomware outbreaks. The Zscaler Zero Trust Exchange gives YOU confidence in your security to feel empowered to focus on other parts of your business, like digital transformation, growth, and innovation. Check out the product at zscaler.com.
Support for this show comes from Arctic Wolf. Arctic Wolf is the industry leader in security operations solutions, delivering 24x7 monitoring, assessment, and response through our patented Concierge Security model. They work with your existing tools and become an extension of your existing IT team. Visit arcticwolf.com/darknet to learn more.
Transcript
Yeah, scams going on out there today are getting wild.
There was this one I read about.
Ugh, let me tell you about it.
Okay, so there's this guy named Gustavo.
He's from Brazil, but he was in the U.S. just visiting.
He wanted to drive for a rideshare company like Uber,
but he was just visiting, so he didn't have a U.S. driver's license.
Now, as you can imagine, a requirement to drive for Uber in the U.S.
is that you need a driver's license in the U.S. Gustavo thought about it. He had seen people post pics of their driver's license to social media.
So maybe he just took one of those and sent it to Uber to pass verification.
Anyway, however he forged the driver details, it worked.
He was approved to drive for a rideshare company,
and he had it set up so he'd get paid for the work he did.
It was great for him to earn money while staying in the U.S.
And the money was a whole nother scheme he was working on.
I don't really know how, but he had to move it around in such a way
that it didn't look like he earned it through ride shares or something.
I don't know, but he was laundering the money.
Well, his girlfriend was also interested in all this and she wanted in.
But again, she was from Brazil and not a U.S. citizen, so no driver's license either.
But not a problem for Gustavo.
He just repeated what he did for himself and set her up with a fake driver account too.
Then three more of his Brazilian friends wanted in,
and before they knew it, this was a five-person team.
Then someone on the team was like, hey, I found a spot online that
people are willing to buy Uber driver accounts. Because apparently there are quite a few people
who want to drive for Uber, but can't for some reason. Either they don't have a license or
insurance or something makes them ineligible. So they might be interested in buying someone else's account so they can make
some extra cash or even rent one out from someone. So these five Brazilians started posting rideshare
driver accounts up for sale on these forums. And they were actually selling, making money from just
selling driver accounts made from stolen identities. But then the pandemic hit and rideshare usage went
way down. But that wasn't a problem.
This team just shifted focus
and worked on food delivery apps like Grubhub.
They started making all kinds of driver accounts for this now
using stolen identities again.
And sometimes there's this wait list
to get verified and stuff,
but eventually they would get verified
and then sell or rent out those accounts.
Gustavo and his four other friends
made over 100 phony driver accounts on these apps
and sold them on forums.
I don't know how much these things go for,
how much he made,
but somehow the authorities got wind of this
and investigated
and ended up arresting all five of them.
Stolen identities and money laundering
were their main charges they faced.
And I think all of them got two years in prison for this wild scam.
These are true stories from the dark side of the internet.
I'm Jack Rhysider.
This is Darknet Diaries. This episode is sponsored by Delete Me. I know a bit too much about how scam callers work. They'll use
anything they can find about you online to try to get at your money. And our personal information
is all over the place online. Phone numbers, addresses, family members, where you work,
what kind of car you drive. It's endless and it's not a fair fight. But I realize I don't need to
be fighting this alone anymore. Now I use the help of Delete Me. Delete Me is a subscription
service that finds and
removes personal information from hundreds of data brokers' websites and continuously works to keep
it off. Data brokers hate them because Delete Me makes sure your personal profile is no longer
theirs to sell. I tried it and they immediately got busy scouring the internet for my name and
gave me reports on what they found. And then they got busy deleting things. It was great to have
someone on my team when it comes to my privacy.
Take control of your data and keep your private life private by signing up for Delete Me.
Now at a special discount for Darknet Diaries listeners.
Today, get 20% off your Delete Me plan when you go to joindeleteme.com
slash darknetdiaries and use promo code darknet at checkout.
The only way to get 20% off is to go to joindeleteme.com
slash Darknet Diaries and enter code Darknet at checkout. That's joindeleteme.com slash
Darknet Diaries. Use code Darknet. Support for this show comes from Black Hills Information
Security. This is a company that does penetration testing,
incident response, and active monitoring to help keep businesses secure.
I know a few people who work over there, and I can vouch they do very good work.
If you want to improve the security of your organization, give them a call.
I'm sure they can help.
But the founder of the company, John Strand, is a teacher,
and he's made it a mission to make Black Hills Information Security world-class in security training. You can learn things like penetration
testing, securing the cloud, breaching the cloud, digital forensics, and so much more. But get this,
the whole thing is pay what you can. Black Hills believes that great intro security classes do not
need to be expensive, and they are trying to break down barriers to get more people into the security field.
And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range, which is great for practicing your skills and showing them off to potential employers.
Head on over to BlackHillsInfosec.com to learn more about what services they offer and find links to their webcasts to get some world-class training. That's BlackHillsInfosec.com. BlackHillsInfosec.com.
So why don't we start out with what's your name and what do you do?
My name is Will. I work for the Equinix Threat Analysis Center.
I'm a threat intelligence analyst.
I wanted to talk with Will because as a threat intelligence analyst,
he's been studying a certain kind of malware called REvil,
and I want to hear all about it.
So REvil first sort of appeared in, I think it was about April 2019.
And I got my first job in summer of 2019.
I just graduated university and I got my job in summer of 2019.
So I've been tracking them ever since I began my career, basically.
Okay, so you might be wondering, what is REvil?
Well, to answer that, let's back up a bit and look at what came just before it.
So REvil first came out of another variant
called GandCrab.
And GandCrab was basically the group
that pioneered what we call big game hunting.
So GandCrab is the name of some malware.
And specifically, it infects machines and encrypts
the whole hard drive and then says,
pay us some money and we'll give you the key
to unlock this machine.
GandCrab is ransomware.
And a particularly effective one, too.
And I think this GandCrab ransomware
was developed and deployed by a group
of criminals who kept it close to their chest.
It wasn't passed around for just
anyone to use. At least, not the whole thing. One piece of it did just the encryption for the machines,
and then there were servers that were set up for handling incoming payments and to chat with
victims and to generate decryption keys. And it kept updating over time, adding new features,
and it became its own brand. And like any brand, the name of it started to refer to the people behind it too.
Like when I say Google, do you think of the search engine or the company or the people at the company?
Google refers to all these things.
So GandCrab was both the name of the ransomware and the group who were running it.
And Will says it was this group that pioneered big game hunting.
So big game hunting is sort of a type of ransomware attack.
So imagine you have like the Savannah and you've got all the companies on the landscape.
And instead of going for just small companies and going for the small game, just trying
to get like, you know, five or $10,000. They want to go for the biggest company they can and unlock all their systems
and try and steal millions from them,
try and extort them back for their files that are locked
for as much money as they can.
Mm-hmm. I get it.
So if I got hit with ransomware,
or you got hit with ransomware on our home computer,
and that hard drive was encrypted and locked,
whoever did it might only charge us a few hundred dollars to unlock it because it's just like one
person. And this could scale up if you infect like thousands of people's home computers at once.
And that does add up for criminals. But it sounds like this GandCrab group wasn't trying to hit
regular people like you or me. They were focused on infecting big companies, or companies that had
a lot of money at least, because those companies might just pay a million bucks to get their
machine unlocked. But there's a bit of a problem with this whole plan. Security, infosec teams
everywhere know about ransomware, and they put methods in place to stop their company from getting
hit with it. So even though GandCrab was great at encrypting machines,
it still needed that initial access into the network.
So how does a criminal get access into a big company's network?
Well, they buy their way in.
So there's kind of a whole ecosystem that Ransomware works with
called initial access brokers. And there's entire underground markets
that you can buy access into certain companies.
Yeah, I actually know about this.
I've seen underground forums
where people are selling access into companies.
In fact, I interviewed a guy who did sell a login
to his ex-employer's network.
That's episode 108 called Mark.
He was a disgruntled ex-employee, but there are also people who are out there just playing around, trying to find a way
into a company. Maybe they're just curious or like the challenge, but they poke and prod until they
find a way in. But they have no idea what to do once they get in. So that's where they see others
are selling access into networks on forums and decide to just sell their access.
It's a weird and strange market.
So this is how the GandCrab group would infect companies.
They'd buy access into a company,
then put ransomware on all those systems
and ask for a huge payment to unlock all those systems.
But how much do you demand?
And what companies should you hit?
Well, to figure that out, GandCrab did some OSINT.
I mean, there's things like, there's a website called ZoomInfo, I think.
Like, I've seen them on the underground forums, literally mentioning, linking to the websites.
Here's how much they have in yearly profit and turnover.
Oh man, what a mess, huh?
Like, publicly traded companies have to disclose their
profits to shareholders so they can see what's going on. But of course, criminals are taking a
look at that too. And they're like, oh, this company had a stellar year. That's a nice juicy target.
Anyway, so this is what GandCrab focused on. Companies with lots of money that they could get
into. They'd get in,
encrypt the systems, and demand ransom to unlock everything. And guess what? Companies were paying
this ransom hand over fist. Yeah, if you can believe these criminals, they claim they earned
$2 billion, roughly $2.5 million a week. I, for one, don't believe that number at all. I mean,
they posted these numbers themselves.
I think they just posted big numbers to look like they were doing great. I'm guessing it's more like
$2 million that they made, not $2 billion. But that's still amazing profits, though. Now,
GandCrab wasn't just ransomware, but it evolved into ransomware as a service. If you wanted,
you could pay to use this ransomware to infect a company,
but you'd have to first get access into that company in order to deploy GandCrab into it and infect it. But then the GandCrab team would handle it all from there, working with victims to collect
money and supply a decryption key. Then you'd get paid if the victim paid up. And some of these
people who used GandCrab as a service got arrested in different places in the world because, as you can imagine, extorting people and companies is illegal.
But as GandCrab grew, they needed to recruit more people to their team.
On the forums that they recruited, where they got customers from, they all speak Russian.
These are all Russian-speaking threat actors.
And I mean, there's a number of countries that speak Russian,
but there's only so many countries that allow cybercriminals
to operate with almost impunity,
except a very small marginal amount, and that's Russia.
Yeah.
Okay.
So, yeah, there's not much you can do to stop
cyber criminals operating out of Russia.
The U.S. has no jurisdiction
or way to work with Russia to arrest these people.
And Russia doesn't seem to care too much
if it's not attacking Russian
companies. So it seemed
like GandCrab was living large.
It had all the people, malware,
victims, and customers all set
up, and the cash flow was pouring in, and no trouble from the police. But then it all suddenly
stopped. GandCrab posted on a forum saying they're retiring. And you know what? I get it. It makes
sense. They earned $2 billion. I'd retire too. But they didn't retire.
They spent time retooling, innovating,
and improving their ransomware as a service business.
They created a new ransomware malware.
This time, they called it REvil.
And victims started seeing what this could do firsthand.
So REvil first appeared in April 2019. And it sort of began with, you know, the first zero to two months, you know, it did the things that most ransomware does, which deletes backups,
changes the wallpaper. They actually do a language check. So before ransomware is executed, it will check the language that your computer is set to.
And if it's set to a list of countries that are members of what you call the Commonwealth of Independent States, the CIS.
So if it's a member of the CIS, then the ransomware will not execute and it will just exit.
So whoever is behind REvil doesn't want to target countries that are basically ex-Soviet Union.
So REvil came on the scene, which again is the name of both the ransomware
and the group operating it.
I call them REvil because I'm pretty sure that's what they call themselves.
It's based on Resident Evil.
They call themselves R-Ransomware Evil,
short for REvil.
I mean, GandCrab, there was about five versions of it.
So it was sort of like an experiment
until they came out with REvil,
which was basically the crown prince of ransomware.
It was so perfectly developed for what it was designed to do.
It just sort of, their entire work,
this was like their magnum opus of ransomware.
But here's the thing.
The group behind REvil saw how much money GandCrab made as a
service, that they realized that's what they should focus on. Offering ransomware as a service was
more profitable than putting ransomware on systems themselves. The idea here is that other criminals
in the world would get access into the networks, and then they could use REvil to infect that
network with ransomware. And then REvil does the rest, collecting payments, decrypting systems,
helping victims get themselves sorted.
And then they'd split the ransom with whoever deployed it on that company.
So criminals all over were using REvil to infect systems with ransomware.
And they called their customers affiliates.
It would all start with the affiliate wanting to launch an attack.
They can either do it
by going to REvil
first and becoming
an affiliate and have a plan to use
their malware
or
the affiliate can launch an attack
and then go
and basically buy access to
one of these RaaS
platforms and then deploy it.
So it's at different stages of when REvil would be introduced.
It would start with the OSINT.
It would start with picking a target.
It would start with going to the underground forums,
looking for a way in.
Because you can buy RDP credentials,
you can buy cookies, you can buy just email account credentials,
and then start from there.
Or you can do that sort of initial exploitation yourself.
One of the most common ways that REvil used to arrive inside the network
was for exploiting a vulnerability in a public-facing server.
So once the vulnerability
had been exploited, they would deploy like a
web shell or launch some PowerShell codes
on the server, establish that initial foothold,
and then do some reconnaissance
inside the network,
and then spread around
as best they can,
as well as escalate privileges.
And then once they are
spread around enough
and they've escalated
their privileges
to the main administrator level,
then they will introduce
the ransomware.
And one of the most, the most common ways they deploy it
is via scheduling a task on all the computers
in the network via using the domain administrator credentials.
So then everything is rebooted
and you could have thousands of machines at any one time.
I believe, I think it was a telecom company in South America
had 15,000 workstations locked up overnight.
And each one had a blue background saying,
you have been attacked by REvil.
Open the note for instructions on how to pay the ransom.
Early on when REvil was first coming up,
Will got to see the impact of them firsthand.
He was traveling out of London
and had to go through the Heathrow airport to fly somewhere.
In Heathrow, you have these currency exchanges
run by a company called Travelex.
And when I went into the currency exchange,
I saw everything was extremely hectic.
People were shouting. It was an extremely long queue. And I was like, what the hell's going on?
And then I realized, I was like, oh, I remember reading your report not too long ago that Travelex
had been hit by REvil ransomware. And I basically took a picture on my phone
because I could see all the employees
were using pens and paper
and clipboards and things
because none of the computers worked.
Everything was down for weeks.
This was about three weeks
after the attack had happened.
And Travelex reportedly paid
a 2.3 million ransom, I believe.
Whoa, what a payday.
I mean, you can put ransomware on a lot of systems,
but if nobody ever pays to get their stuff unlocked,
then it's all for nothing.
But when someone pays $2.3 million to have their computers unlocked,
then that's the fuel that makes REvil ransomware
crew keep going. Some people think this whole ransomware thing can just all go away if we all
agree to never pay the ransom ever again. But the truth is, companies are still paying in a big way,
which incentivizes ransomware crews to keep at it. And there's no guarantee these companies won't get reinfected the next day
and have to pay it all again.
Clearly, the best idea, if you get infected,
is to have good backups that you can restore rapidly.
But REvil knew this,
so they purposely looked for how systems got backed up,
and then they went and wiped those backup servers first.
This is probably why it was so effective.
If the company had their
backups wiped out and no path of rebuilding, it's a lot cheaper to pay a few million dollars to get
things back up and running. I mean, three weeks of being down could cost a company over two million
dollars in losses anyway. Surely it's a tough spot for any company to be in. After a while,
researchers started to notice a guy named Unknown, who kept making posts on the forum claiming to be part of REvil.
So he used to post to two Russian-speaking underground forums. One of them is called
Exploit, and another one is called XSS. So, you know, kind of typical names for hacker forums,
but these two forums have been going for like about 15 years
and they're basically the two most popular hacking forums
for Russian, like hardened Russian cyber criminals.
He was, you know, basically saying,
boasting how REvil was the best ransomware.
It was competing with several other strains at the time,
including Maze and RagnarLocker, I think, as well.
And he basically became the front man
of the whole operation.
Everyone, it was like his alias
was basically synonymous with REvil.
And he actually went on to do interviews
with several people online.
And they'd interview him and say,
how did you decide to get into the business of ransomware
or how much money have you made doing ransomware?
Those sort of questions.
And yeah, it just makes it sound like it's a huge, it's basically a big organization
of cyber criminals.
I would probably say there's anywhere between 10 and 20 individuals actually connected to the running of the REvil core business,
the core ransomware as a service business.
Another thing this unknown guy was saying
was how REvil was doing more to extort people
than just demanding ransom.
They would then step it up a notch by leaking, stealing data
and then leaking it to a Tor website.
And because it's on Tor, you can't get it taken down.
It's like a wall of shame.
That's what they call it.
It's there forever.
And then a few months later, they'd add another level of extortion.
So that's what they used to call double extortion
with encrypting your files and then leaking your data.
They had a third level.
They would now begin to DDoS you or your partners.
And they would DDoS your websites
until you actually began negotiations with them.
Whoa, wait, what?
They're DDoSing you too?
This is where they flood your website or service
with so much traffic that your website
is just completely unusable.
I mean, it's a low blow to hit you while you're down.
If you still haven't entered the chat with them,
because in the ransom notes,
they have a link to the chat.
If you haven't answered the chat with them
to negotiate paying the ransom or anything like that,
they basically believe,
oh, you're able to recover.
Like, if you're a big company, like an international company,
then you will basically have backups.
You'll be able to restore files.
You'll be able to basically carry on after a few weeks of recovery
and rebuild the network or whatever.
So REvil doesn't like that
when companies can recover on their own.
So they will DDoS your website.
And if you have,
say if you're like a retail company,
you have customers coming to your website,
every hour is money.
So if they're DDoSing you, taking it down,
it's still costing you more and more money.
Okay. Up until this point, I've been referring to REvil as a ransomware group. But at this point,
this is mean. This is more like street gang behavior, going around hurting people and
robbing them without any remorse. So I'm going to now start referring to them as the REvil
cyber gang,
because these guys are ruthless.
Here, let me play something for you. This is a voicemail that a ransomware gang member left on an employee's phone,
a victim's phone.
It's not from the REvil cyber gang.
It's a different one called Suncrypt.
But I think it's worth playing here just to give you an idea
how cold-blooded these guys can be.
This message is to authorized IT specialists [...] servers as well as downloaded to our servers. Those are employees' personal information, partners' data,
financial and accounting data of your company and much more. You need to start negotiations with us
about decrypting your IT servers and bringing your company's data back. Negotiate with us and you will get the crypto together with all your data back within one day.
And no one in the world will know about this leak.
But in case of your refusal to cooperate, we will run a great damage to your business.
You will lose 10 times more in courts due to violation of the laws on GDPR and your partner's data leak.
We'll inform your employees, partners, government about this leak.
Your data will be published on public blogs and told to competitors.
We will inform media about the successful cyber attack to your company.
And backdoor access to your company data will be sold to other hacker groups.
And this will be the last day of your business.
We don't want to do that for sure.
And we will not do that if we will negotiate successfully.
So we are waiting for you in that chat. Think
about your future and your families. Thank you. Bye.
Think about your future and your families? That's so ominous. I mean, what would you do with a threat like that? Now, sometimes the
REvil cyber gang would just go infect targets themselves.
And if they did,
they'd get to keep 100%
of the ransom they make from that.
But in most cases,
they worked with their customers
or affiliates
to infect the targets for them.
So it is known that
they basically split the ransom
with the affiliate.
They'd say,
if you hit a company
and you're able to get them to basically agree
to pay a $10 million ransom,
we'll keep $60 million, you'll get $40 million.
It's like a 60-40 or a 70-30 split.
Because at the end of the day,
the RaaS, the ransomware as a service,
would provide not only the malware,
but also the decryption functionality,
which is one of the best,
most complex decryption systems
of any of the ransomware families
at the moment, even.
And then they add all the infrastructure
for darknet chats,
darknet leak sites, money laundering.
They provide a lot of the back end.
So it's a worthwhile split for both parties.
And so it was on the affiliate to figure out a way into the networks
to deploy REvil as a service.
So I believe the affiliates are choosing the targets.
They're basically getting into these companies.
They basically do the legwork, as I'd like to describe it.
It's a whole ecosystem.
You have someone who gets an initial foothold in the network.
They're called the initial access broker.
They will sell that, however small it is or big it is,
they'll sell that to someone else, the REvil affiliate.
The REvil affiliate will spread around the network
and escalate privileges and steal data.
And then they will deploy REvil.
It's just nasty, like all of it.
For REvil to make it a turnkey solution
so it's easy for anyone to commit crimes with?
And then people are just buying their way into these companies,
sometimes through disgruntled ex-employees.
And then REvil comes in and destroys backups
and encrypts everything and then DDoSes you
and then taunts the victim until they pay?
It's awful.
But we're just getting started.
You got to hear what they do next and what happens at the end of all this.
We're going to take a short break here, but stay with us.
This episode is sponsored by Vanta.
Trust isn't just earned, it's demanded.
Whether you're a startup founder navigating your first audit
or a seasoned security professional scaling your GRC program, proving your commitment to security has never been more critical or more complex.
And that's where Vanta comes in.
Businesses use Vanta to establish trust by automating compliance needs across over 35 frameworks like SOC 2 and ISO 27001, centralized security workflows, complete questionnaires up to five times faster, and proactively manage vendor risk. Vanta helps you start or scale your security program by connecting
you with auditors and experts to conduct your audit and set up your security program quickly.
Plus, with automation and AI throughout the platform, Vanta gives you time back so you can
focus on building your company. Join over 9,000 global companies like Atlassian, Quora, and Factory who use Vanta to manage risk and prove security in real time. For a limited time, listeners get $1,000 off Vanta at vanta.com. That's spelled V-A-N-T-A, vanta.com. For $1,000 off.
REvil continued to infect companies and make millions of dollars from these ransoms.
I believe there are lots of companies that we'll never know about that got hit with this.
But there are some companies we do know that got hit with this because it made the news.
One of them was in 2019, and the victim was the Texas government.
Yeah, so the Texas government one was interesting because it sort of started a trend that REvil would like to, it ended up being deployed at what you call a managed service provider,
which is an IT company that handles the IT of other organizations.
So the Texas government, they actually paid a single company
to just manage the IT of all their institutions.
So each institution doesn't have to have an IT department then.
It's just one company that does it all for them.
So one of the REvil affiliates
managed to get into the Texas government and deploy, I think it was 22 different governments
ended up being, like entities ended up being attacked in this one instance.
And this one made the CBS News.
In privacy watch now, government computers in 22 Texas towns are being held
hostage by ransomware. The state's Department of Information Resources said that the coordinated
attack happened on August 16th, and many of the local governments still have not been able to get
back online. See, when so many government facilities have a computer outage all at the same time,
it makes the news because it's a noisy problem.
It's not something you can easily cover up quietly or make it go away quickly.
And of course, REvil was saying, hey, all these problems can go away if you pay us $2.3 million.
But the Texas government did not enter the chat and did not pay a single cent.
They recovered all on their own somehow. In May 2020, a company called GSM
Law was the victim to this cyber gang. Here's CNBC News. An entertainment law firm run by Alan
Grubman confirming its computer systems were hacked. The hackers say they have sensitive
information about several big star clients, and those hackers want $42 million in ransom.
Whoa, $42 million?
That's the largest ransom payment ever demanded at the time.
They must have stumbled upon something spicy in that network.
So some of GSM Law's clients include Madonna, Elton John, Lady Gaga,
and probably most famously Donald Trump.
It's a big New York law firm.
So Donald Trump, he's lived in New York his whole life.
So REvil managed to get into GSM Law
and allegedly steal hundreds of gigabytes of data from them.
756 gigabytes, they claimed.
And they threatened to basically disclose
Donald Trump's, you know, solicitor's information,
like from his lawsuit.
Everyone knows Donald Trump has like thousands of lawsuits on the go.
So, you know, REvil was basically able to go through them all.
That's interesting.
REvil is presumed to be operating out of Russia.
I wonder if they had to stop for a moment and think about what to do with Trump's legal documents.
It became a whole thing.
And everyone was, you know, everyone was saying, oh, this is,
you know, this is like cyber terrorism or whatever. This is, how can Russia allow this to happen? This
is, you know, meddling with the presidency or whatever, because he was still president at the
time. And yeah, basically, REvil had to come out and make a statement like,
we are apolitical, we're just financially motivated criminals.
We don't want to cause any problems.
They actually seemed to, I mean, it's kind of a weird thing to say,
but they actually seemed to like Donald Trump, I think,
because they thought of themselves as these ultra-rich,
super-smart, super-criminal masterminds.
And they sort of admired Donald Trump
because he was really rich as well.
Research into this is a little murky.
REvil had released a little bit of what they installed
to prove they had something from one of GSM Law's clients.
And then they said,
the next person we're going to dump records on will be Trump.
One news agency looked into this and said,
Trump isn't even a client of GSM Law.
So we think Trump probably wasn't a client
and just mentioned in some lawsuit.
But you might wonder, what happened next with GSM Law?
Did they pay the ransom or what?
Well, we don't know.
Nothing happened.
We never saw REvil release any data on Trump
or dump a bunch of legal documents.
So that makes me think that either they never had the data,
which they did lie sometimes,
or GSM Law negotiated the ransom.
I'm not exactly sure what happened with that.
Now, ransomware at this point was looking like a very lucrative way for criminals to make money.
I mean, if you think about it, suppose you hack into a company and you were a criminal and you
wanted to profit off this access. What are your options? Okay, well, you could sell your access
that you have, but I can't imagine this making very much money, maybe a thousand bucks. You could try to install some crypto miners on there, but that's such a
slow process to make money from. You could try to look around for some database to steal and then
maybe sell that database to someone, but that's a tough market to be involved with. You could do a
business email compromise attack and try to figure out what's going on in the finance department and
see if you can get them to send you some money. Or you could look around to see if there's anything valuable
in the company to steal, like money, right?
In fact, there was another group at the time called FIN7,
which focused on hacking into banks and stealing credit cards.
Well, you would think that that's a very good way
to make money illicitly, and it is.
But FIN7 was seeing how much easier it is
to just put ransomware on a computer
and just leave it at that. Because there's a lot of work to dealing with thousands of credit cards
or trying to launder money and make it clean. But it's so much easier to just wait for a single
ransomware payment in Bitcoin and then move on. And since FIN7 was already pretty good at breaking into networks,
this really turned them onto a whole new revenue stream.
Yeah, so DarkSide was FIN7's first ransomware project.
They had tried out REvil a few times.
Their infrastructure had been connected to REvil attacks
via pivoting on IP addresses
and things from known attacks.
And FIN7 basically realized,
okay,
every time we
launch an attack using REvil,
we have to give them a cut.
Isn't it just easier if we develop our own
ransomware and then launch
our own attacks, and then we don't have to give a cut
to anyone. We can keep it all for ourselves.
And then, so after a time, they realized, okay, it's actually, you make even more money
if you begin ransomware as a service, because then you just rent out the ransomware to multiple
groups and begin making money your own way.
Wow. So at that point, FIN7 had totally quit robbing banks
and turned into a ransomware-as-a-service business
because of how profitable they saw REvil was.
Ransomware is the most valuable way to make money
when you're inside any network anywhere in the world.
FIN7 was one of the most profitable criminal groups out there.
So it's just crazy to hear how they switched from robbing banks to ransomware.
But at this point, they became competitors.
And I'm not going to go into any more details about FIN7 or DarkSide in this episode.
But rest assured, that's a really interesting story all by itself.
And I'll have to cover that in an episode someday.
Now, when REvil gets a ransomware payment,
they typically receive it in Bitcoin.
And then they're actually pretty good at laundering that money
by typically converting it into Monero,
which is much more secure and I think untraceable.
And then they'd be able to cash it out
without it leading back to whoever is behind REvil.
But I have to imagine how insane of a chat it must be
when a company does want to pay a million dollar ransom in Bitcoin.
These ransomware negotiation chat rooms must be the wildest thing ever.
I've heard from ransomware negotiators and incident response people
that these ransomware teams have much better customer service
than most companies do. They'll guide you step by step,
the whole way on how to pay a ransom,
how to get the cryptocurrency,
how to store it, how to send it to them,
all the checks, all the balances.
I mean, can you imagine being the IT admin
and all your computers are encrypted
and your management has given you the go ahead to
pay the ransom. So you get on Tor and enter the ransomware negotiation chat room. And you might
say like, okay, look, we're willing to pay, but we don't have any Bitcoin. Can we just wire you the
money? And REvil ransomware negotiators are like, uh, LOL, no, that's traceable. You need to
send us Bitcoin, go to an exchange and buy some.
And here's the problem.
You can't just show up to Coinbase or Gemini or Binance or whatever and be like, yeah,
I'd like to buy $2 million in Bitcoin, please.
No, they have daily limits set up.
You can only buy a few thousand dollars worth at a time.
So you call up customer support at an exchange and you tell them, listen, I want to buy $2
million worth of Bitcoin. And the exchange might be like, whoa, that's a lot of money. What's that for? And you're
like, oh, it's to pay a ransom. That's a red flag for the exchange. I think by law, exchanges can't
sell you Bitcoin if they know you're going to use it to pay a ransom with. So it becomes a huge
ordeal just to secure that much Bitcoin. You have to remember
that when millions of dollars are involved here, like if a company says, okay, yeah, we plan to
spend, you know, we plan to pay, you know, $5 billion in a ransom, they will hire experts to
help them with it. So there are ransomware negotiation firms now that their whole job
is to help companies get through when they've been hit by a ransomware attack. So these
negotiators know all the ways to pay a ransom, basically. They even know, they keep track
of all the wallets, they keep track of all the contact details of each ransomware group.
So they know.
Sometimes if these negotiators respond to multiple incidents,
they'll be able to recognize the person on the other end of the ransomware negotiation portal.
What? There's a whole industry out there
helping people negotiate and pay ransom?
This is madness.
I mean, think about it.
Imagine if you're in the chat with REvil and
you're like, oh, how do I do this? And they're like, okay, well, you could just call this company
and they'll help you walk through it. It's just so zany to think about this. I wonder,
do these ransomware negotiators offer any sort of referral program? So if REvil refers them
and they hop on the chat and like, oh, hey, Dimitri, how's it going? Thanks for referring me. I'll make sure to get you that referral bonus. Or like take it a step further. Imagine REvil refers you to a quote unquote expert service who's just another criminal and you give them $2 million to buy, and they just take off with the money.
Well, there are legitimate companies.
But as you say, this could easily be taken advantage of and has been by companies that do some really shady stuff.
Like, say, if a company gets hit by ransomware,
sometimes the response company will come in and say, yeah, yeah, we can deal with it
all for you.
How much did the ransomware gang tell you it was going to cost?
Oh, $4 million.
Well, actually, it's going to cost $5 million.
And then they'll pay the ransom, decrypt the files, clean the network, and then be
like, yep, here's your bill, $5 million. But you just use the decryption key.
If you turned on NBC News on June 1st, 2021, you would have seen this.
It's another attack on critical infrastructure, this time the food supply.
The world's biggest meat producer, JBS, forced to curtail operations after a ransomware attack.
At least six plants in the U.S. shut down. Operations also affected in Australia and Canada.
That was a huge international incident. Everyone said that was like the one step too far. JBS is the largest meat supplier
in the US. I think they produce over 20% of the meat for the US with locations in Canada and
Australia. And because it was so big, it was deemed critical infrastructure. If the food supply chain
is unable to deliver food, well, that can be a really big problem. The meatpacking firm JBS USA paid a ransom equivalent to $11 million after it fell victim
to a cyber attack. The company's U.S. CEO said on Wednesday they made the payment to protect
their customers. Last week's cyber attack led to the suspension of cattle slaughtering
at all of JBS's U.S. plants for a day. The company produces nearly a quarter of America's beef.
$11 million.
Paid up?
That's a lot of Bitcoin to send over to someone
that you hope will fulfill their end of the deal
and give you an encryption key.
What a nail-biter that's got to be when you click send
and you're just sitting there in chat waiting for the criminal to give you a key.
There was another company that was another, you know, in quotes, step too far.
They've done it now.
They hit a company called Sol Oriens,
which was a nuclear weapons contractor for the US.
And they, you know, this is like,
okay, now you're affecting the nuclear triad
or something like that, you know.
How can this ransomware group get away with all of this?
But still, we haven't gotten to REvil's biggest hits yet.
Over this period of years, REvil was getting into hundreds of companies
and putting ransomware on them.
And the ones who didn't pay would get posted to their blog.
Their leak site had 282 leaked companies' data published to it.
So that's how many companies
didn't pay because they were
leaked onto the leak site.
And some of the stats
coming out of Europol
said that they had launched
thousands of attacks.
Probably one of the smartest things REvil ever did was
they went into a
what we call a
cyber insurance company
so because ransomware is such a
huge thing, companies
like when they get hit by ransomware
attack, it can cost them
not only X number of million dollars for the ransom,
but to actually clean up the network and restore it or rebuild it
could cost them hundreds of billions.
So they need insurance to be able to cover that cost
for ransomware specifically.
So what REvil did was they went into an insurance company
and they looked at all of the insurance company's clients
and they would hit each target one by one
because they know how much they were going to get paid out for
from the insurance cost.
And then they hit the insurer themselves as well,
for good measure.
Here's a clip from CBS News that tells us about the next victim.
FBI investigating what may become
one of the world's largest ransomware attacks
when companies get back to work
following the holiday weekend.
A Russia-based cyber criminal group called REvil
is demanding a $70 million ransom.
Hackers hit IT software company Kaseya Friday.
Wow, where do I begin?
The Kaseya, that was basically one of the biggest supply chain incidents since NotPetya.
Kaseya are the manufacturers of a software called Kaseya VSA.
And companies, like I mentioned before,
managed service providers will buy Kaseya VSA and use it to do administration on their customers' networks.
So by going into the Kaseya software,
REvil basically had a foothold into all of the MSP's customers. So by exploiting
the Kaseya software to deploy REvil, they were able to hit like 1,500 networks in one go overnight.
Whoa, 1,500 different companies hit with the REvil ransomware in one day?
That's a massive amount of damage.
And this is what's called a supply chain attack
because REvil was able to get into all of Kaseya's customers,
which were sort of like tech support companies,
who had access into other companies,
and those companies were hit with REvil too.
This was a crazy event. Perhaps one of the biggest ransomware attacks ever.
In Michigan Saturday, President Biden said intelligence officials are investigating.
I'm directing the intelligence community. You're giving me a deep dive on what's happened.
Last month, he warned the Russian president to rein in cyber criminals or face a strong U.S. response.
If it is either with the knowledge of and or a consequence of Russia, then I told Putin we will respond.
So this happened in July 2021.
Biden was president by then, and it's hard to hear,
but he said in this impromptu interview in a grocery store in Michigan that if Russia is in any way involved, then he told Putin he's going to respond.
And it's wild to me when the president of the U.S.
is able to just jump into a discussion about ransomware off the cuff like that.
Like, I've felt like such
a geek all my life, head down in a computer, learning about the most geeky things you can
imagine. And to look up from the screen and see it talked about on the world stage like that,
it's just a trip. Oh, look, there's the president fielding a question about the REvil ransomware.
Far out.
So what were the ransomware demands for Kaseya?
Well, it was actually one of the highest ransom demands ever in history.
They demanded $70 million in Bitcoin.
After the attack took place,
it popped up on the REvil blog,
which was called the Happy Blog, by the way.
The Kaseya attack popped up and it said,
this is what REvil wrote,
they said, on Friday, we launched an attack on MSP providers.
More than a million systems were infected.
If anyone wants to negotiate about a universal decryptor,
our price is $70 million in Bitcoin.
I gotta say, this is a situation that Kaseya probably didn't plan for.
I mean, suppose they have a don't pay the ransom policy.
Okay, that's fine.
It's a good policy to have.
But they aren't the only victims here. And it was their fault that caused hundreds of other companies to be infected with ransomware. Do you owe it to all of them as sort of an apology? Like, sorry for getting you ransomwared. Here's the decryption key. Hope you stay as a customer. And this was a preventable problem.
There was a vulnerability on Kaseya's servers that gave REvil the foothold to take over a server.
And at least one person reported this to Kaseya before the attack too.
And I think they were working on fixing it when all this happened.
So Kaseya must have looked at this $70 million ransom demand
and took a deep breath and had a long think about it.
Again, it's that old thing of we don't want to be the company
that's paid the biggest ransom in history.
And, you know, they, so to give credit to Kaseya,
they went straight to the FBI for help.
And the FBI are very, very well experienced with these types of ransomware attacks.
So they guided them and were basically with them by their side the whole time.
And at the end of the day, basically the decisions became the FBI's decisions at the end of the day for what Kaseya was supposed to do.
Kaseya didn't pay the ransom.
They called the FBI, who apparently sprang right into action.
The FBI actually explained what happens next.
Here's the director of the FBI, Christopher Wray,
in a press briefing explaining what happened.
When Kaseya realized that some of their customers' networks
were infected with ransomware, they immediately took action. They worked to make sure that both their own customers, managed service providers,
and those MSP's customers downstream quickly disabled Kaseya's software on their systems.
They also engaged with us early. The FBI then coordinated with a host of key partners,
including CISA and foreign law enforcement and Intelligence Services, so Kaseya and its customers
information about what the adversaries were doing,
what to look for, and how the companies could best address the danger.
Here, we were able to obtain a decryption key
that allowed us to generate a usable capability
to unlock Kaseya's customers' data.
We immediately strategized with our interagency partners
and reached a carefully considered decision
about how to help the most companies possible,
both by providing the key
and by maximizing our government's impact on our adversaries
who were continuing to mount new attacks.
When the FBI is engaged early,
we can provide victims more and better support.
We can get them intelligence
and technical information they need faster.
And we can work quickly back from the intrusion
to follow and seize the criminal's money
before it can jump through wallet after wallet
and exchange after exchange.
Hmm.
He makes it sound like they're willing to help anyone with ransomware.
I mean, listen to the Deputy Attorney General, Lisa Monaco, in the same press briefing.
To Americans watching today, to those who own small businesses,
to those who run Fortune 500 companies,
who manage hospitals and oversee school districts,
this case is the reason you want to work with law enforcement. Know that
if you pick up the phone and if you call the FBI, this team is waiting for you on the other end of
the line. I just wonder if that's a little misleading. I mean, people email me all the time
telling me about how they were extorted or scammed or hit with ransomware and just want some advice.
Is the proper advice that I should give them
is that they should call the FBI,
just skip the police altogether and go straight to the FBI?
You would think the FBI would have some kind of threshold
for how big something should be before we call them.
Like, maybe they only care about larger extortions
or attacks on national infrastructure,
not small-scale stuff like my local barber's website
getting their WordPress site taken over, right? Or the question is, how bad of a computer problem does
it need to be before you call the FBI? There's a big difference between your whole network being
ransomed versus one user account being compromised. Listen, I'm curious now, if you've ever called the
FBI over a computer problem you've had,
I want to hear from you.
Send me a note.
Tell me how it worked out.
Did they get back to you right away or wait six months or no reply at all?
I just imagine the FBI must be flooded with calls and problems
that there's no way they can get back to all the people who report computer problems to.
Anyway, sorry, a little rant there.
Okay, yeah, what FBI Director Wray said
was really interesting.
They obtained a decryption key?
What? How?
That's amazing.
Did they reverse engineer the malware?
Did they join the chat and pressure the REvil gang
to provide a key or else kind of thing?
Really curious how they obtained that.
You know, rumor has it the FBI were able to
compromise the REvil servers
during the Kaseya incident.
The FBI is allegedly,
because I don't know if this is proven or not,
but they were able to compromise the system,
the REvil systems following this.
And soon after they post about Kaseya,
the REvil servers all go offline.
What we do know is REvil went quiet
just after the Kaseya hack,
and it stayed quiet for months.
Then, out of the blue, the FBI gave a press briefing.
Here's the U.S. Attorney General Merrick Garland.
Today we are announcing that we are bringing to justice
an alleged perpetrator of a significant, wide-reaching ransomware attack.
On July 2nd, the multinational information software company Kaseya
and its customers were attacked by one of the most
prolific strains of ransomware, known as REvil. To date, REvil ransomware has been deployed on
approximately 175,000 computers worldwide, with at least $200 million paid in ransom.
Six weeks later, on August 11th, the Justice Department indicted Yaroslav Vasinskyi, also known by the online moniker Rabotnik.
The indictment, which was previously under seal, charges him with conspiring to commit intentional damage to protected computers and to extort in relation to that damage, causing intentional damage to protected computers,
and conspiring to commit money laundering.
The indictment charges that Vasinskyi and co-conspirators authored REvil software,
installed it on victims' computers, resulting in encryption of the victims' data, including in the July 2nd attack, demanded ransomware payments from those victims,
and then laundered those payments. Two months after the indictment, on October 8th,
Vasinskyi crossed the border from Ukraine into Poland. There, upon our request,
Polish authorities arrested him pursuant to a provisional arrest warrant.
We have now requested that he be extradited from Poland to the United States pursuant
to the extradition treaty between our countries.
In addition to securing the arrest of Vasinskyi, the Justice Department has seized $6.1 million
tied to the ransom proceeds of another alleged REvil ransomware attacker,
Russian national Yevgeniy Polyanin. As set forth in the public filings related to the seizure,
Polyanin, whom we also charged by indictment, is alleged to have conducted approximately 3,000
ransomware attacks. Polyanin's ransomware attacks
affected numerous companies and entities
across the United States,
including law enforcement agencies
and municipalities throughout the state of Texas.
Polyanin ultimately extorted
approximately $13 million from his victims.
Whoa, so they caught one guy
who they said was the author of the REvil malware
and seized funds from another guy. This ultimately disrupted REvil. They weren't active at all
after this. Now, along with these indictments, they released photos of these people. And here
is where Will could look into the eyes of the people behind this malware that he spent years following and investigating.
The indictment dropped and it had, you know, the names of these two REvil affiliates. These
were the first two names we had for any of them. And I immediately, and shout out to my guy,
my team in Curated Intelligence, we joined the voice chat in Discord and we were all
just talking about it and basically
celebrating. And then
we quickly were like,
using these usernames and names and things,
we can find all their social media
profiles because we can
use OSINT to find them.
And we found his
VK account and we found
his other social media profiles.
We found he ran an Instagram account,
which used to sell DDoS attacks with number spoofing,
like phone call DDoS attacks and things.
And he even had a certificate for Microsoft.
And there was a picture of him at his college and him on holiday and things.
And yeah, he just looked like a normal young guy
that was obviously good at IT.
And it was kind of surreal just to see him in the flesh.
Now, it seems like the bulk of the people involved with REvil
were somewhere in Russia,
and the U.S. authorities don't really have a way to arrest people in Russia
or even get Russian authorities to arrest them.
But something very particular happened next.
Yeah, so it was a very interesting timing.
In January, on January 14th, I believe it was, the Russian FSB released a
press release that said they had arrested 14 members of REvil from Moscow and St.
Petersburg. The FSB said they seized more than 426 million rubles,
$600,000 and half a million euros,
along with cryptocurrency wallets and 20 expensive cars.
It made news globally that the gang had finally been arrested.
REvil is over.
You know, the videos of the FSB busting down the door,
putting them on the ground and taking them away,
seemed justice has been served.
Here's an Al Jazeera news clip.
The scene was not uncommon.
Russian police and intelligence agents
harshly taking down more than a dozen men all played out on television.
But the reason was extraordinary. The Russian government tells the Biden administration the operation dismantled a group of hackers inside Russia on behalf of the United States. Security agents took down alleged hackers from the ransomware group REvil at over two
dozen addresses, seizing millions of rubles, vehicles, and technology. Among those arrested,
alleged ringleader Roman Muromsky, appearing in court in a cage, and Andrei Bessonov, both wanted
by the U.S. Huh. That's it, then. Case closed. Story over. It's all nicely wrapped up with a bow at
the end and all the criminals are caught. Well, I'm not sure. Here, let me show you what I mean.
The exact same day of these arrests, on January 14th, 2022, CBS News reported this.
And Ukrainian officials are assessing the damage done by a massive cyber attack on government servers.
The U.S. has condemned the attack and vows to help with the investigation.
The hack comes as Ukraine faces a potential invasion by Russia.
Some Ukrainian officials feared this type of cyber attack prior to Russian military action.
A cyber attack on the Ukrainian government.
Gosh, who would possibly do that?
But is this somehow related? I should admit that I've officially put on my conspiracy theory hat
here and I'm just guessing at stuff from here on out. But there are some weird questions that
arise from all this. Like, for instance, if Russia comes out with news that they've arrested the
REvil cyber gang and did it as a favor to the United States,
is that an attempt to control the news cycle of the day?
This way, less news is on the Ukraine cyber attack,
and more news is on how great Russia is for capturing these criminals.
And what's all this talk about doing favors for the U.S.?
Russia doesn't typically arrest criminals on behalf of the U.S.,
and we've seen how Russia lies to control the narrative. So is any of this real? Did they really arrest anyone?
I mean, there are so many more ransomware gangs walking freely in Russia today, like the Evil
Corp ransomware gang. They've been identified and indicted, yet Russia hasn't touched them.
Why just REvil? And they didn't extradite these criminals. No, they were just processed in
Russia, and we have no idea what punishment they got. I mean, shoot, for all we know, this arrest
might have just been a way for them to recruit those hackers to go work for the Russian government
and not actually bring these criminals to justice. It's extremely cloudy and suspicious
what any of these arrests mean. Well, whatever happened, it did mean the end of REvil as we knew it.
They were around for about two years,
and after the FBI indictment, they just fizzled out.
But with this group being gone,
it created space for new ransomware gangs
to step up and fill the gap.
There's the Evil Corp ransomware gang.
There's Conti. There's Lockbit.
These are all doing the same exact thing that REvil did.
And we don't know what the end of their stories are,
but they are certainly attracting a lot of attention from authorities.
So I can only imagine those stories will probably end in a wild and crazy way. A big thank you to Will for coming on the show
and telling us about what he's been so laser-focused on
for the last few years.
You can follow Will on Twitter.
His name there is BushidoToken.
Or follow the Equinix Threat Analysis Center
to see more information about malware they are tracking.
This show is made by me, the ticket jockey, Jack Rhysider.
Original music by the spaghetti coder, Garrett Tiedemann.
Editing helped this episode by the linguistic analyst, Damien.
Mixing done by Proximity Sound.
And our theme music is by the super snoozer, Breakmaster Cylinder.
What blood type is your computer?
Mine is definitely type O.
This is Darknet Diaries.