When ransomware hits the news cycle, and even the non-cybersecurity folk have questions, you know it’s gone big. This time it’s REvil again, and we can’t seem to escape it. The entire security community has been on fire over the last few days looking at what’s going on with REvil, along with any journalist or researcher who’s even remotely interested in security. We’ve been looking into it through our data and public reporting, but sadly, our current assessment is that we don’t know either. It’s hard to say sometimes in the intelligence game, but we’re keeping an eye on it as things develop.
As of the writing of this blog, the jury’s still out on what happened to REvil, and lots of speculation remains. Some popular theories at the moment:
One thing’s for sure: they’ve had a pretty eventful year. As reported on the Ransomwhere site, the group is sitting at just over $12M in the bank, with several significant attacks under their belt. Looking back at Q1 2021, they were among the top 5 most prolific attackers this year, and we predict that Q2 will be much the same. Since REvil’s on everyone’s mind, let’s take a moment to discuss who they are and some of the events in their history.
REvil (aka Sodinokibi or Sodin, we’ll be using this interchangeably) is a ransomware variant first detected in April 2019. Initial attacks focused on users in Asia, but REvil’s attacks have expanded to target entities globally, with increasingly more significant extortion demands—the most recent being $70M for Kaseya. Since then, the variant has been actively used in ransomware attacks targeting organizations worldwide across various sectors, including healthcare, legal services, technology, government, retail, and financial services.
In addition to encrypting victims’ files in typical ransomware attacks, operators of this variant adopted the increasingly popular method of threatening to release data stolen from their victims on their leak website “Happy Blog.” The practice of publishing data fell in line with similar trends from contemporary actors such as Maze, DoppelPaymer, NetWalker, and Ragnar.
For some context, there’s a widely floated theory that REvil was related to GandCrab ransomware. This idea was based on some circumstantial evidence; however, the connection remains officially unconfirmed. The operators of the GandCrab ransomware announced the variant would be retired on 31 May 2019. Coincidentally, reported activity involving REvil and Sodinokibi became more frequent following the announcement. Technical analysis on Sodinokibi and previous GandCrab ransomware suggested the two variants were similar: Both variants used identical methods to build URLs and decode strings at runtime, among others. Sodinokibi hasn’t been attributed to a nation-state or geography. Still, conclusions on a likely Russian-language nexus may be drawn based on specific malware components, namely through checking location and language settings on the keyboard and system.
Sodinokibi operates on a ransomware-as-a-service (RaaS) model and rents out to affiliates or interested parties which carry out attacks and spread the ransomware. Since its discovery in 2019, Sodinokibi has used a variety of methods to compromise victims. Besides using phishing or malvertising to spread ransomware, operators of the variant exploited software vulnerabilities, including the vulnerability found in Oracle WebLogic Server (CVE-2019-2725) and a zero-day vulnerability in Windows (CVE-2018-8453), as well as the recent Exchange vulnerability. Sodinokibi operators have also breached managed service providers (MSPs) to deploy the ransomware on the MSPs’ customers, as we saw most recently in July 2021 with the Kaseya VSA incident.
Here’s a timeline on some notable events for REvil’s recent history:
As Stefano wrote about during the initial stages of the Kaseya incident, a recently-reported zero-day was used to attack and gain a foothold within the Kaseya network, affecting approximately 1,500 customers. According to Kaseya, this involved at least three CVEs that were reportedly fixed as of 12 July 2021: CVE-2021-30116, CVE-2021-30119, and CVE-2021-30120. These vulnerabilities addressed issues with credential disclosure, bypassing two-factor authentication, and cross-site scripting.
What’s notable here is that the rapid weaponization of these vulnerabilities occurred on the heels of another responsible disclosure for the same problem. This indicates increased professionalization on the criminal side. Historically, the development of exploits around zero-days was generally seen as exclusive to nation-state actors, a capability REvil likely owes to high technical skill and a decent budget.
In the hours before press time on the Kaseya incident’s aftermath blog, several exciting developments occurred with REvil, namely all of their sites, including “Happy Blog,” were down. In addition, their representative “Unknown” had been banned from the popular forum XSS.
In recent days, underground chatter about the outage has been limited, likely due to some Russian-language forums’ hostile attitudes towards discussing ransomware. Some threat actors speculated that even if law enforcement agencies have successfully targeted REvil, this will not spell the end of the group’s activities. Still, others predicted that the group would reappear under another name or split into smaller groups to attract less attention, which is a thought shared by some researchers in the Twitterverse. Losing access to XSS might have served a few purposes: reducing attention on the forum itself or preemptively banning members to prevent outside forum access in case of a law enforcement operation.
However you spin it, the inaccessibility of the REvil ransomware group’s websites is unusual, because the group’s infrastructure has historically been more stable than that of other ransomware groups. It’s possible the sites are down due to temporary technical issues or upgrades, but it could also signify a law enforcement disruption of the group’s operations. Given the recent absences of REvil representatives, it does pose interesting questions.
A June 2021 story from Russia’s Life News didn’t get much circulation in the West, likely owing to historically pro-Kremlin stories. But, what made it interesting was that the article attested to the Russian FSB’s willingness to work with the US in the fight against hackers. The story included direct quotes from FSB Director Aleksandr Bortnikov and was published in the wake of the G7 summit. If there is a genuine willingness to work with the US, this adds a little color to the potential for joint law enforcement operations.
Based on public reporting up to now, however, US-Russian joint operations have historically had mixed results. Given the current climate of distrust between the two countries, the lack of substantial media reporting elsewhere, and the notoriously tight-lipped US FBI not commenting on current investigations, it’s tough to say. If true, this would likely be a huge win in political capital for both countries, especially against a prolific operator like REvil, which has proven to be an expensive thorn in everyone’s side. The feeling here at Digital Shadows (now ReliaQuest) was that if this were indeed a law enforcement takedown, we would’ve heard or seen something by now, much like with previous raids and arrests involving other ransomware operators.
One last thought: REvil didn’t seem to shy away from notoriety, so the sudden quiet is odd. In early June 2021, in the wake of the JBS cyberattack, a representative of REvil told an interviewer on Telegram that critical infrastructure and US targets were not going to be off-limits despite the more rigid stance and political moves the country was making. Not to mention, REvil seemed unconcerned about the ransomware bans on popular forums.
This interview also came about just weeks after the fallout from DarkSide’s attack on the US company Colonial Pipeline and its infrastructure. In essence, despite bans, REvil was no longer interested in operating on forums, as they had plenty of business from affiliates by word of mouth; and they were okay with operating without restrictions on the types of targets because there was money to be made regardless. Public admissions like this would seem to place a group in somebody’s crosshairs, but, again, who would be the organization to take them down?
In the end, the possibilities at the time of writing seem to indicate a cooling-off period, which may be coupled with a rebrand. This reportedly happened before with GandCrab and may happen again with their next moves. Despite inactivity or bans from specific forums, there are plenty of others to choose from, along with social media possibilities. It’s also realistically possible that this may have just been the last big score they needed before they retired.
If you’re looking to protect against the rapidly increasing ransomware threats, Digital Shadows’ (now ReliaQuest) SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) offers the latest threat intelligence on rising threat actors such as REvil at a tactical, operational, and strategic level. Get rapid updates and industry-leading analysis and reporting from our team at Photon, including MITRE associations and mitigations, with a free demo request of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) here. You can additionally get a customized demo of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) to gain visibility of your organization’s threats and potential exposures.
For further information, our previous blog article Tracking Ransomware Within SearchLight shows you how SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) tracks emerging variants, enables you to export and block associated malicious indicators in various formats, instantly analyze popular targets, and map to your security controls with ease.
REvil’s Threat Intelligence profile in Searchlight