What is the REvil Ransomware?

Financial damage caused by ransomware has increased dramatically in recent years. In 2021, ransomware costs are estimated to reach 20 billion USD, compared to 11.5 billion USD in 2019 and a “mere” 325 million USD in 2015.

A relatively new player in the ransomware industry, REvil threatens to considerably change the IT security landscape. Having affected international corporations and celebrities alike, REvil is the problem your security team should be thinking about next.

But what is the REvil ransomware, and why should you worry about it?

What is the REvil ransomware?

At a high level, REvil (also known as Sodin or Sodinokibi) is ransomware – a type of malware that encrypts your files and demands a ransom to unlock them.

Like most of today’s ransomware lurking in the boundless space of the internet, REvil is based on the Ransomware-as-a-Service (RaaS) model. The RaaS model involves two groups – ransomware developers and affiliates.

Developers come up with the tools necessary to carry out the illegal operation without directly exposing themselves, whereas the affiliates engage in actually distributing the malware to unsuspecting victims. Affiliates don’t have to be coding geniuses – instead they focus on their social engineering techniques to dupe unsuspecting targets into allowing the ransomware to install.

How does REvil infect IT Systems?

Affiliates employ a wide range of techniques to plant REvil into enterprise IT networks. Among the channels and methods through which REvil may get into an IT system are:

• Brute-force attacks.
• Exploitation of weaknesses in Remote Desktop Protocols (RDPs) or Virtual Private Networks (VPNs).
• Credit card or Point of Sale (POS) software vulnerabilities.
• Spam campaigns, phishing, or malicious advertising.

This is not a full list of possible entryways for REvil. If there is a vulnerability in your IT system, an attacker is likely to find and exploit it eventually.

Who is behind the REvil Ransomware?

Although the identities of the authors and affiliates of REvil are unknown, REvil appears to be tightly connected with another malware operation – GandCrab. GandCrab was active from January 2018 until May 2019. Within this timeframe, the authors claim to have squeezed 2 billion USD out of their victims.

Shortly after GandCrab’s shutdown, REvil emerged. The similarities between the operation and source code of REvil and GandCrab led computer security firms to believe that the authors of REvil have been involved with GandCrab. According to McAfee, there is a 40% code overlap between REvil and GandCrab.

What’s the Threat of REvil?

Needless to say, the ability of REvil to lock confidential files behind a paywall can cause major setbacks and financial difficulties for your organisation. However, REvil is far more dangerous today than it was upon its emergence.

Originally, the REvil group made a profit by making their victims pay a ransom to unlock their encrypted files. However, in 2020, REvil authors decided to employ a new extortion tactic – steal data from businesses and threaten to publish it unless a payment is made.

Another great danger lies in the apparent success of REvil. In September 2020, Bleeping Computer reported that REvil deposited 1 million USD in Bitcoin on a hacker forum to show the group’s money-making potential. This “marketing” event will likely attract even more affiliates to the malware.

Lastly, as more and more organisations switched to remote operations due to the COVID-19 pandemic, ransomware gained significant traction. During March and April 2020, ransomware grew by 20% compared to January and February of the same year. A rising tide raises all boats, and REvil benefited from the same mega-trend of Work from Home across the world.

Who has been affected by REvil?

So far, the most notorious case of REvil infection has been associated with the New York-based law firm Grubman Shire Meiselas & Sacks (GSMS). The company suffered a REvil att attack in May 2020.

After the attack, REvil announced possession of legal documents associated with GSMS clients. The significance of this attack lies in the fact that among GSMS clients are high-profile entertainers such as Lady Gaga, Madonna, Mariah Carey, Nicki Minaj, and even companies like Facebook.

Originally, REvil operators demanded that GSMS pay $21 million USD for the captured documents. However, REvil soon doubled the ransom to $42 million USD because GSMS offered to pay only $365,000 of the demanded $21 million.

As of late December 2020, GSMS had not yet paid the ransom, and it probably never will.

After the initial infection, REvil threatened to auction Madonna’s files

at a starting bid of 1 million USD but then reneged on the threat. REvil later attempted to auction singer Bruce Springsteen’s legal documents – this time, they failed to attract any bidders.

This story most likely is not over, but GSMS has so far exhibited exemplary behaviour by not paying the ransom.

You were infected with REvil – Now What?

The best way to deal with REvil is to prevent an infection. For that, your best bet would be a layered security system. In a layered security system, every security component is backed by another one, so if one of your defense lines fails, chances of infection still stay low.

Use enterprise anti-malware solutions as well – modern software is familiar with the behaviour of REvil and should be able to effectively combat it. Keep your security software up-to-date too – this way, you’ll have access to the latest malware databases.

You should also regularly back up your data. At a minimum, keep physically-separated daily copies of all your data that stretch back at least 2 weeks, plus make one online copy once a month. This way, if your IT network gets attacked and your data encrypted, you can just wipe the compromised systems and make use of your back-ups, losing a day or two in productivity.

Of course, if you would rather concentrate on your business and leave security to the professionals, a managed IT service provider like Computer One can take care of all your needs.

If REvil or other ransomware has made it into your IT network despite your best efforts, you ideally should:

• Isolate the ransomware to prevent its spread.
• Report to the authorities and get in touch with your IT security team or Managed Service Provider.
• Wipe affected computers and restore your data.
• Assess how your network has been infected and take measures to tighten IT security.
• Consider switching service providers. Get in touch with Computer One – maybe there’s more value that we can provide?

In no case should you pay the ransom. By paying the ransom, you would reward the attackers, and you would also potentially fund other criminal activity. Besides, there is ultimately no guarantee that access to your files will be restored.