You’ve probably heard about what happened to Kaseya. Just as a refresher, the IT solutions provider announced that it was “experiencing a potential attack” against one of its solutions on July 2 and ordered customers to shut down their product servers while they waited to hear more. A day later, Kaseya urged customers who encountered ransomware to avoid clicking on any links.

Huntress examined the forensic patterns, ransom notes, and the Tor URL used in those ransomware instances. In the process, it determined that an affiliate for the REvil ransomware group was most likely behind the attack. The REvil affiliate extorted victims individually at first, but it eventually demanded $50 million in exchange for a universal decryptor, per Bleeping Computer.

A Look Back at REvil’s Evolution

To better understand the Kaseya supply chain attack, we can look back to some of REvil’s recent history. The ransomware strain first arose in April 2019 after GandCrab, another Ransomware-as-a-Service (RaaS) operation, shut down. Security researchers initially identified REvil as a strain of GandCrab. Years later, an alleged member of the REvil group known as “Unknown” confirmed that they had built their strain on top of GandCrab’s codebase.

Like GandCrab, REvil functions as a RaaS where its developers supply payloads to affiliates for staging their own attack campaigns. Affiliates get to keep upwards of 70% for running those attacks, stealing data, and deploying the ransomware, noted Bleeping Computer in October 2020. The developers keep the remaining 30%, an arrangement through which they made more than $100 million in a single year.

REvil’s profitability hinges on the fact that its affiliates mainly go after corporate networks, not individual users. The logic here is that the attackers can cause a bigger disruption and encrypt more computers that way. By extension, they can demand higher ransoms.

Just look at some of REvil’s targets from this year alone. Provided below are a few highlights:

  • In March 2021, Bleeping Computer reported that REvil had infected computer giant Acer and demanded $50 million. At the time, that was the largest-known demand made by any ransomware gang against any victim anywhere.
  • Just a few weeks later, Threatpost wrote about how REvil had successfully breached the servers of a Fortune 500 electronics manufacturer and stolen some files including blueprints for new Apple products. The attackers attempted to extort the manufacturer to pay $50 million. When that didn’t work, the REvil gang switched their attention to Apple, published several of the blueprints during the tech giant’s Spring Loaded event, and threatened to leak more unless the company agreed to pay the $50 million ransom.
  • It was at the beginning of June when JBS SA, one of the world’s largest meat processing companies, fell victim to REvil. JBS SA halted operations at 13 of its meat processing plants, reported CBS News, and it eventually paid the $11 million ransom demand.

As the attacks discussed above illustrate, the REvil gang has a penchant for maximizing payouts from victims. That would explain why REvil attackers sometimes try to extort victims for the same stolen data even after they’ve received a payment, noted ZDNet.

Sometimes, but not always. Take the Kaseya attack. As Bleeping Computer wrote at the time, the REvil affiliate didn’t rely on their usual method of deleting backups, didn’t gain extensive network access, and didn’t steal data from the organizations affected by the attack. Many victims of the attack therefore elected not to pay.

How to Defend Against REvil Ransomware

Less than two weeks after the Kaseya attack, Bloomberg reported that all REvil’s infrastructure went offline. It’s unclear from this writing whether the group decided to go dark or whether law enforcement succeeded in taking down their operation. It’s also unclear whether the attackers will resume their attacks and/or rebrand as another operation at some point.

One thing is clear, though: REvil is just one of countless ransomware operations that would seek to prey upon organizations, disrupt their business functions, and steal their data. There’s plenty for organizations to defend themselves against—even in REvil’s absence. They just need to figure out how to keep themselves safe in the first place.

All of us at ReliaQuest wanted to take the guesswork out of ransomware protection, so we designed the GreyMatter platform to be an all-in-one tool that provides organizations with the visibility, detection, threat intelligence, and response capabilities they need to defend themselves against digital threats such as ransomware. GreyMatter works by delivering Open XDR-as-a-Service, visibility which helps security teams to identify, detect, and respond to incidents more quickly. It also comes with valuable reporting tools that they can use to analyze an incident and improve their security posture going forward.

If you are attending Black Hat this year, Marcus Carey and I will be presenting “How to Operate a Successful Ransomware Campaign,”   Thursday, August 5,  from 11:30am–12:20pm (Business Hall Theater C) where we will discuss how ransomware gangs operate as a business. If you want to learn how to investigate a ransomware incident in ReliaQuest’s GreyMatter platform, from first alert to identifying root cause and business impact, come see us at booth #1747.