Solutions
Go Back

Make Security Possible

Reduce Alert Noise and False Positives

Boost your team's productivity by cutting down alert noise and false positives.

Automate Security Operations

Boost efficiency, reduce burnout, and better manage risk through automation.

Dark Web Monitoring

Online protection tuned to the need of your business.

Maximize Existing Security Investments

Improve efficiencies from existing investments in security tools.

Beyond MDR

Move your security operations beyond the limitations of MDR.

Secure with Microsoft 365 E5

Boost the power of Microsoft 365 E5 security.

Secure Multi-Cloud Environments

Improve cloud security and overcome complexity across multi-cloud environments.

Secure Mergers and Acquisitions

Control cyber risk for business acquisitions and dispersed business units.

Force-Multiply Your Security Operations

Whether you’re just starting your security journey, need to up your game, or you’re not happy with an existing service, we can help you to achieve your security goals.
Explore Our Solutions
Security Operations Platform
Go Back

The GreyMatter Platform

Detection Investigation Response

Modernize Detection, Investigation, Response with a Security Operations Platform.

Threat Hunting

Locate and eliminate lurking threats with ReliaQuest GreyMatter

Threat Intelligence

Find cyber threats that have evaded your defenses.

Model Index

Security metrics to manage and improve security operations.

Breach and Attack Simulation

GreyMatter Verify is ReliaQuest’s automated breach and attack simulation capability.

Digital Risk Protection

Continuous monitoring of open, deep, and dark web sources to identify threats.

Phishing Analyzer

GreyMatter Phishing Analyzer removes the abuse mailbox management by automating the DIR process for you.

Unify and Optimize Your Security Operations

ReliaQuest GreyMatter is a security operations platform built on an open XDR architecture and designed to help security teams increase visibility, reduce complexity, and manage risk across their security tools, including on-premises, clouds, networks, and endpoints.
Explore the GreyMatter Platform
Resources
Go Back

Resources

Blog

Company Blog

Case Studies

Brands of the world trust ReliaQuest to achieve their security goals.

Data Sheets

Learn how to achieve your security outcomes faster with ReliaQuest GreyMatter.

eBooks

The latest security trends and perspectives to help inform your security operations.

Industry Guides and Reports

The latest security research and industry reports.

Podcasts

Catch to the latest cybersecurity perspectives, tutorials and industry discussions with various guest speakers.

Solution Briefs

A deep dive on how ReliaQuest GreyMatter addresses security challenges.

Threat Advisories

The latest threat research report from ReliaQuest Photons research team.

Upcoming & On-Demand Webinars

Upcoming and on-demand webinars addressing the latest challenges and solutions security analysts must know.

White Papers

The latest white papers focused on security operations strategy, technology & insight.

Videos

Current and future SOC trends presented by our security experts.

ReliaQuest Resource
Center

From prevention techniques to emerging security trends, our comprehensive library can arm you with the tools you need to improve your security posture.
Resource Center
Company
Go Back

Company

About ReliaQuest

We bring our best attitude, energy and effort to everything we do, every day, to make security possible.

Executive Leadership

Security is a team sport.

Careers

Join our world-class team.

Press and Media Coverage

ReliaQuest newsroom covering the latest press release and media coverage.

Become a Channel Partner

When you partner with ReliaQuest, you help deliver world-class cybersecurity solutions.

Contact Us

How can we help you?

A Mindset Like No Other in the Industry

Many companies tout their cultures; at ReliaQuest, we share a mindset. We focus on four values every day to make security possible: being accountable, helpful, adaptable, and focused. These values drive development of our platform, relationships with our customers and partners, and further the ReliaQuest promise of security confidence across our customers and our own teams.
Search
Go Back

Generic selectors

Exact matches only

Exact matches only

Search in title

Search in title

Search in content

Search in content

Search in excerpt

Post Type Selectors
Hidden

Hidden

Hidden

Hidden

Back to blog

REvil Ransomware: What’s Next?

admin 15 July 2021

Threat Intelligence

When ransomware hits the news cycle, and even the non-cyber security folk have questions, you know it’s gone big. This time it’s REvil again, and we can’t seem to escape it. The entire security community has been on fire over the last few days looking at what’s going on with REvil, along with any journalist or researcher who’s even remotely interested in security. We’ve been looking into it through our data and public reporting, but sadly, our current assessment is we don’t know either. It’s hard to say sometimes in the intelligence game, but we’re keeping an eye on it as things develop.

As of the writing of this blog, the jury’s still out on what happened to REvil, and lots of speculation remains. Some popular theories at the moment:

Law enforcement action shut down the operation,
Technical difficulties,
Strife among the group or affiliates,
Rebrand or retooling,
Or (my favorite), everyone’s on holiday for the summer

One thing’s for sure; they’ve had a pretty eventful year. As reported on the Ransomwhere site, the group is sitting at just over $12M in the bank, with several significant attacks under their belt. Looking back at Q1 2021, they were in the top 5 of prolific attackers this year, and we predict that Q2 will be much the same. Since REvil’s on everyone’s mind, let’s take a moment to discuss who they are and some of the events in their history.

Who is REvil?

REvil (aka Sodinokibi or Sodin, we’ll be using this interchangeably) is a ransomware variant first detected in April 2019. Initial attacks focused on users in Asia, but REvil’s attacks have expanded to target entities globally, with increasingly more significant extortion demands—the most recent being $70M for Kaseya. Since then, the variant has been actively used in ransomware attacks targeting organizations worldwide across various sectors, including healthcare, legal services, technology, government, retail, and financial services.

*Targeting information from the Sodinokibi profile in SearchLight*

In addition to encrypting victims’ files in typical ransomware attacks, operators of this variant adopted the increasingly popular method of threatening to release data stolen from their victims on their leak website “Happy Blog.” The practice of publishing data fell in line with similar trends from contemporary actors such as Maze, DoppelPaymer, NetWalker, and Ragnar.

For some context, there’s a widely floated theory that REvil was related to GandCrab ransomware. This idea was based on some circumstantial evidence; however, the connection remains officially unconfirmed. The operators of the GandCrab ransomware announced the variant would be retired on 31 May 2019. Coincidentally, reported activity involving REvil and Sodinokibi became more frequent following the announcement. Technical analysis on Sodinokibi and previous GandCrab ransomware suggested the two variants were similar: Both variants used identical methods to build URLs and decode strings at runtime, among others. Sodinokibi hasn’t been attributed to a nation-state or geography. Still, conclusions on a likely Russian-language nexus may be drawn based on specific malware components, namely through checking location and language settings on the keyboard and system.

Sodinokibi operates on a ransomware-as-a-service (RaaS) model and rents out to affiliates or interested parties which carry out attacks and spread the ransomware. Since its discovery in 2019, Sodinokibi has used a variety of methods to compromise victims. Besides using phishing or malvertising to spread ransomware, operators of the variant exploited software vulnerabilities, including the vulnerability found in Oracle WebLogic Server (CVE-2019-2725) and a zero-day vulnerability in Windows (CVE-2018-8453), as well as the recent Exchange vulnerability. Sodinokibi operators have also breached managed service providers (MSPs) to deploy the ransomware on the MSPs’ customers, as we saw most recently in July 2021 with the Kaseya VSA incident.

Here’s a timeline on some notable events for REvil’s recent history:

May 2019: GandCrab goes dark
July 2019: US FBI releases master decryption keys for GandCrab
Aug 2019: Vendor breached to spread ransomware to 22 Texas cities
Jan 2020: Sodinokibi incorporated elements of data breaches into its ransomware attacks by releasing victim data on forum threads, later replaced by the “Happy Blog” website, which they use to publish data stolen from victims if the ransom was not paid.
March 2020: Representatives announce plans to use Monero over Bitcoin, calls on forums for investment in unspecified operations
April 2020: Widespread exploitation of COVID-19 pandemic to spread ransomware
May 2020: Purported breach and sale of Trump-related information, as well as multiple celebrities over the following months, likely resulting from breach of the GSMS law firm
Jun 2020: Researchers discovered the variant scanning for point-of-sale (PoS) software and leveraging Cobalt Strike to deliver the ransomware. REvil adds an auction page to “Happy Blog.”
Mar 2021: Harris Federation breach, which leads to shutdown of the network for weeks, breach of hardware and electronics manufacturer Acer
Apr 2021: Offered Apple schematics and other company data for sale after breaching hardware vendor Quanta
May 2021: Attack on JBS, which forced a shutdown of US beef plant operations and disrupted operations at poultry and pork plants
Jun 2021: Attack on Invenergy
Jul 2021: Sites associated with REvil go dark, representative banned from XSS forum; attacks on US DoD contractor HX5 and Kaseya MSP

What happened in the Kaseya Incident?

As Stefano wrote about during the initial stages of the Kaseya incident, a recently-reported zero-day was used to attack and gain a foothold within the Kaseya network, affecting approximately 1,500 customers. According to Kaseya, this involved at least three CVEs that were reportedly fixed as of 12 July 2021: CVE-2021-30116, CVE-2021-30119, and CVE-2021-30120. These vulnerabilities addressed issues with credential disclosure, bypassing two-factor authentication, and cross-site scripting.

What’s notable here is that the rapid weaponization of these vulnerabilities occurred on the heels of another responsible disclosure for the same problem. This news indicated increased professionalization on the criminal side. Historically, the development of exploits around zero-days was generally seen as exclusive for nation-state actors, which REvil likely owes to high technical skill and a decent budget.

*Digital Shadows (now ReliaQuest) has been monitoring the Kaseya incident in SearchLight.*

What’s the update since then?

In the hours before press time on the Kaseya incident’s aftermath blog, several exciting developments occurred with REvil, namely all of their sites, including “Happy Blog,” were down. In addition, their representative “Unknown” had been banned from the popular forum XSS.

*The Twitterverse wakes up to REvil sites being unavailable.*

*REvil’s forum representative Unknown is banned from XSS.*

In recent days, underground chatter about the outage has been limited, likely due to some Russian-language forums’ hostile attitudes towards discussing ransomware. Some threat actors speculated that even if law enforcement agencies have successfully targeted REvil, this will not spell the end of the group’s activities. Still, others predicted that the group would reappear under another name or split into smaller groups to attract less attention, which is a thought shared by some researchers in the Twitterverse. Losing access to XSS might have served a few purposes: reducing attention on the forum itself or preemptively banning members to prevent outside forum access in case of a law enforcement operation.

However, you spin it, the inaccessibility of the REvil ransomware group’s websites is unusual because the group’s infrastructure has historically been more stable than other ransomware groups. There are possibilities the site’s down from temporary technical issues or upgrades, but it could also signify a law enforcement disruption of the group’s operations. Given the recent absences of REvil representatives, it does pose interesting questions.

A June 2021 story from Russia’s Life News didn’t get much circulation in the West, likely owing to historically pro-Kremlin stories. But, what made it interesting was that the article attested to the Russian FSB’s willingness to work with the US in the fight against hackers. The story included direct quotes from FSB Director Aleksandr Bortnikov and was published in the wake of the G7 summit. If there is a genuine willingness to work with the US, this adds a little color to the potential for joint law enforcement operations.

*FSB Director Bortnikov was quoted as being ready to work jointly with the US*

Based on public reporting up to now, however, historically, US-Russian joint operations have had mixed results. Given the current climate of distrust between the two countries, lack of substantial media reporting elsewhere, and the notoriously tight-lipped US FBI not commenting on current investigations, it’s tough to say. If true, this would likely be a huge win in political capital for both countries, especially for a prolific operator like REvil, who’s proven to be an expensive thorn in everyone’s side. The feeling here at Digital Shadows (now ReliaQuest) was if this were indeed a law enforcement takedown, we would’ve heard or seen something by now, much like with previous raids and arrests involving other ransomware operators.

One last thought, REvil doesn’tbut REvil didn’t seem to shy away from notoriety, so the sudden quiet is odd. In early June 2021, a representative of REvil told an interviewer on Telegram in the wake of the JBS cyberattack that critical infrastructure and US targets were not going to be off-limits despite the more rigid stance and political moves the country was making. Not to mention, REvil seemed unconcerned about the ransomware bans on popular forums.

An interview with a REvil representative after the JBS attack.

This interview also came about just weeks after the fallout from DarkSide’s attack on the US company Colonial Pipeline and its infrastructure. In essence, despite bans, REvil was no longer interested in operating on forums, as they had plenty of business from affiliates by word of mouth; and they were okay with operating without restrictions on the types of targets because there was money to be made regardless. Public admissions like this would seem to place a group in somebody’s crosshairs, but, again, who would be the organization to take them down?

In the end, the possibilities at the time of writing seem to indicate a cooling-off period, which may be coupled with a rebrand. This reportedly happened before with GandCrab and may happen again with their next moves. Also, despite inactivity or bans from specific forums, there are plenty of others to choose from, along with social media possibilities. Also, it’s realistically possible that this may have just been that last big score they needed before they retired.

Protecting your organization against ransomware actors

If you’re looking to protect against the rapidly increasing ransomware threats, Digital Shadows (now ReliaQuest)’ SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) offers the latest threat intelligence on rising threat actors such as REvil at a tactical, operational, and strategic level. Get rapid updates and industry-leading analysis and reporting from our team at Photon, including MITRE associations and mitigations, with a free demo request of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) here. You can additionally get a customized demo of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) to gain visibility of your organization’s threats and potential exposures.

For further information—our previous blog article Tracking Ransomware Within SearchLight shows you how SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) tracks emerging variants, enables you to export and block associated malicious indicators in various formats, instantly analyze popular targets, and map to your security controls with ease.

REvil’s Threat Intelligence profile in Searchlight