The story of REvil: From origin to beyond.
Dave Bittner: Hello everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Jon DiMaggio: You know, there's been a ton of activity, talks, and reports over the past couple of years on this group. What I realized is, this was an amazing story and no one's really told it from start to finish.
Dave Bittner: That's Jon DiMaggio. He's Chief Security Strategist at Analyst1. The research we're discussing today is titled, "A History of REvil."
Jon DiMaggio: We really don't have a lot of good examples of ransomware groups where you could do sort of a use case that would show the cradle-to-grave lifecycle of an attacker. And I felt like this was going to be perfect for it, which is sort of what led me down the road to write this content.
Dave Bittner: Well, I have to say it is a real page turner. Even for those of us who have been, you know, following along, to have it all sort of laid out here, it is quite compelling. Let's go through it together here, and let's begin where you do, which is REvil's origin story. Where did they begin?
Jon DiMaggio: Yes. So, the beginning of REvil was really interesting because originally, you know, we got this wrong. But the group actually started out with another ransomware gang called GandCrab, and GandCrab was also a very well-known group that went away right as REvil began. And during that that process, when they transitioned over, there was sort of a window. And the two groups, one would communicate in and talk and forums together. There was a lot of sort of marketing between one another, and it was very clear there was a relationship between the two. And as GandCrab exited the scene and posted their retirement message, immediately, REvil began to recruit their affiliates and begin their own attack with their own payload. What was really interesting about that is during that first attack – that was the first notable attack that we ever saw using REvil – the hackers that were on network actually doing the attack dropped both a REvil payload, which is known as Sodinokibi – it's a mouthful – and they were also dropping the GandCrab payload, which is also the same name as the group – it's just called GandCrab.
Jon DiMaggio: But showing that they had access to both, in addition to this relationship we were seeing on the forums, there was also some strong technical relationships between the two. The most notable is there was a string in it where a developer string in it, a PDB string that actually said "gc6," and "gc" obviously, you can figure out the initials "GandCrab." Well, the last version of code for GandCrab's payload had the same string, but it was "gc5." So that and some of the ways that it documented their campaign IDs and their affiliates and things of that nature, just a number – I won't get too far in the weeds, but there were quite a few technical similarities that it was like, OK, this came from the same developer. There's some shared code. A lot of this very common between the two.
Jon DiMaggio: So, we, as researchers and analysts in the community as a whole, sort of accepted the GandCrab didn't really retire. They just evolved and rebranded. We found out that was not the case. So, it started with an interview where someone asked them, hey, what's your name? Researchers are calling you Sodinokibi, and they just didn't like that name and said, hey, we're going to get back to you. And when that happened, that's where they came back and they said, OK, you know, we want to be known as REvil.
Jon DiMaggio: And later, in an interview – because these guys did interviews, which I thought was really interesting and accessible – they talked about that origin story – I'm sorry, the origin background of that name, and it actually came from a video game, Resident Evil. So this was short for "Ransom Evil." And so just that sort of background was interesting. During that same interview with the REvil operator. They also went and talked about how they began and said, no, you know, guys got it wrong. We actually were an affiliate. And when GandCrab went away – I don't know if they purchased or acquired – but they approached the GandCrab operator, and that's how they acquired the payload that was then developed into Sodinokibi.
Jon DiMaggio: I think they got the source code and developed – bought the source code and developed it themselves, but we don't know. It could have been developed for them. But there were multiple iterations throughout the years of Sodinokibi, meaning they obviously had their own developers that were working on this. The two were very close together, like I said, but one was an affiliate, did the hacking, and they sort of switched roles, became a provider themselves and moved forward in their attacks as we know it over the past two, two-and-a-half years.
Dave Bittner: Yeah, one of the things that you point out in the research here is that for an organization like REvil to succeed, they have to be successful gathering affiliates. And that was part of the effort that they had in their startup phase here. Can you take us through how they went about doing that and where they were successful there?
Jon DiMaggio: Yeah. Well, I'll give you where they were successful and I'll tell you where they weren't, because it's actually a bit interesting there and there's some, good things to learn. So when they when they first, again, when they first came out, they just hit the same forums that GandCrab used to recruit their affiliates. And they went and they looked, and they they were looking for a limited amount of affiliates, and from some of the affiliates that I was able to actually talk to about their activity with it, there was actually a number of them that that would got into the actual interview process.
Jon DiMaggio: And most of us thought when there's teams of affiliates, these are guys that already know each other, teams of three or four guys. Well, in this case with REvil, that wasn't the case. They were interviewing candidates one by one. They wanted to make sure that they weren't actually, you know, spies or snitches or things like that. So they would ask them about Russian folklore, things that at least the REvil operators believed you could not find via the internet or Google or things like that, things that only a true Russian native would actually know. So they tried to eliminate by asking folklore based questions. It's almost like a trivia – kind of funny. And they would use they'd use a secure chat thing called qTox, and they'd sort of be in this session, and they would – once they got past that initial folklore vetting, they would ask them technical questions, engage them, and then they would pick, when they were done, they would pick the individuals they thought would make a good team, and then they closed out recruitment.
Jon DiMaggio: OK, so let's say that, you know, they had their pool, they created their teams. Those individuals were told, hey, you're going to have to split this money. The proceeds will give you seventy percent of our proceeds, and each of these individuals will get get this split up equally. That's how it started. By the end, they didn't control who did what or how much money was cut. But in the end, they really tried to control that.
Jon DiMaggio: And they had success at the beginning. But they also were not getting the big fish that they wanted, and there was some very public failures that they had, and about a year later, they went sort of on a second recruitment phase. This recruitment phase was much more detailed. So in the earlier one, they were just looking for people basically that could answer these questions, make it through the interview, that they felt would be good. And the second one, the differences you can see are notable because they list all these specific requirements that they want before anybody even applies for it. And in it, there were really interesting things that I had never even seen before – stuff like using a voice modulator, being able to speak English, because they don't want anybody who's not a true Russian, being able to speak English.
Jon DiMaggio: You know, we've never – I've never seen where they're actually talking to victims. It's usually done over a chat portal, and I've been lucky enough to have, you know, victims call me before and let me help them in some of their IR investigations where I've gotten to actually observe sort of the chat negotiation. And again, it's always been over a portal or over email. It's never been over the phone. So obviously there was probably some cases where they did talk to them, or the desire to talk over the phone since they had that. And clearly, speaking English, they realized, was something that is important. So they sort of change that direction that they went. And by the time this sort of second recruitment phase came along, the US had been a much, much larger target for them at this point. It almost – that was when we started to get personal, where they started to get angry. And you know, first it was with President Trump, then it was with President Biden, and the back and forth, and and the gloves off and things got nasty on both sides.
Jon DiMaggio: But yeah, the last piece I want to say about that affiliate recruitment is, on the first phase, they deposited a hundred to a hundred and thirty thousand dollars across the forums. Sort of, you could almost buy – this isn't the right word for it, but street credibility by – you get different levels in these forums and by putting larger deposits, you show you're a more serious player and there's money to be made. But just to give you an idea how much they grew in that year, in that second recruiting effort, they deposited a million dollars. So, big step up, really showing, Hey, we're going to make money, and they wanted to get the attention of the key players for affiliates, you know, sort of the best hackers, if you will, to come work for them. And that was sort of, seeing them grow and seeing those recruiting ads and those requirements change and showing, OK, we're really serious. You could just watch it progress.
Jon DiMaggio: So, those are the two main core campaigns that I saw to recruit. I'm sure there were more, but those are the forums that I was able to find them on and some of the chats that I was able to see them with. But I'm sure there were more that I didn't see, but I thought I got a pretty good snapshot of how it works with just that.
Dave Bittner: Can you take us through how they handled infrastructure and, you know, assembling the tools that were going to be the core of their operations?
Jon DiMaggio: Yeah. So they – all right, a couple of pieces to this. So they have what they call their happy blog, which is a name-and-shame slash data auction site. So they use it to post victims' information to shame them, and they use it to leak their data. At the same time, they also use it to auction off that data. Basically, it's an auction where the victim has first rights to buy, and obviously they want them to buy because they're going to pay the most money for it. If they don't, though, they will auction it off to the highest bidder in the criminal world.
Jon DiMaggio: So, that piece of their infrastructure they host on the dark web. Within that they also have a chat portal. That chat portal is accessed when a ransom payload goes off on a victim, they have a specific key that's in their ransom note that they have to paste in, and that key takes them to their own unique chat session on the chat portal that they have. Now, there is a both a dark web version of it, and there is one that you can access – was one that you could access via the traditional internet. So in other words, they wanted originally wanted everything in the dark web, but I think they realized they needed to make things easier for people to pay, so they made a version of it that would be on the traditional internet. Same with their decryptor site, if you will. And a lot of these were tied together. But they would have a second version, again, that you could access via the regular internet. And then things would get taken down and they would stand them back up and they'd just be another version of it. But those were the three components, sort of was the data auction, the chat portal, and the decryption. That was the main pieces to their puzzle of what they used for their infrastructure as it varied over time.
Dave Bittner: And I suppose for a group of this scale, getting access to bulletproof hosting, if you will, is fairly routine.
Jon DiMaggio: It is fairly routine. You know, it's one of those things where they're going to go with whatever is going to be the most secure product that's going to be the hardest to take down and is going to give them the ability for their infrastructure to withstand takedowns. Obviously, I don't think they expected an entire government to use all of its resources to get behind the takedown. But for our normal takedowns, law enforcement, sending a subpoena, warrant, whatever it is, there are certain vendors and technologies that make it more difficult for that to take place. And that's obviously where bad guys gravitate to.
Dave Bittner: One of the things you point out in your research here is that the REvil gang were unusually communicative with media, you know, making themselves available for conversations for inquiry. Was there an unusual, a unique amount of swagger that these folks had, or were they more businesslike?
Jon DiMaggio: No, there was absolute swagger. I mean, this was ego across the board. So their favorite reporters to talk to was BleepingComputer – REvil, not just them. That's like, for whatever reason, that's where ransomware guys go to talk. And so, you know, I used them as a great resource because there was so much information there that we had because the bad guy felt comfortable talking with them. And, you know, but in their messages, there was messages that they posted there, and there was also messages that they would post through their own site and on forums and things of that nature. But, point being, is the one consistent theme that we had is they would love to challenge authority and they just felt like they were untouchable. I mean, let's think about this. They had that affiliation with DarkSide, and when DarkSide got taken down and could no longer be their own voice and talk, these guys with all that heat on them, it was REvil that got up there and decided to speak on their behalf. I mean, that just goes to show that they had no fear.
Jon DiMaggio: And for a short time, they had put sort of a stop on attacking, you know, critical US infrastructure when things first happened. And then within days of that, when the Biden administration sort of said, hey, we're now taking ransomware as a national threat, we're going to put together a lot of resources to come after you, REvil, got out there and was like, OK, the gloves are off. We're taking those restrictions out. We're going to specifically come and target you now. Which was just insane, to make yourself even more of a target. And I think that was really what was the beginning of the end for them. But it was an ego-driven thing. It was a, hey, I need to be in the spotlight. Hey, you know, I'm going to fight authority and you can't tell us this and we're going to come after you for that. And it was just, if they had been humble, quieter, and just more selective on their targets, they'd probably still be making, you know, hundreds of millions of dollars today in the safety of Russia. But instead, because of that voice, that spotlight, and sort of celebrity mentality that they got, it just made them such a target, it led to their downfall. One of the key reasons, anyway.
Dave Bittner: Yeah. You know, you mentioned DarkSide, and it seems to me like a real turning point in this story arc is when DarkSide hits Colonial Pipeline.
Jon DiMaggio: Yeah, that's definitely a key story. You know, I refer to it – in my research paper, I refer to it as sort of their sidekick that screwed everything up, because that's really what it is. It was their sidekick. It wasn't REvil that went and hacked into a pipeline, shutting down gas. It was DarkSide, and DarkSide had a similar story as REvil. They began as an affiliate to REvil, and they spun off into their own group. And REvil in some way helped them with their payload because there were so many similarities between the two, and then they were the voice of them. When things went down and there weren't the only group – there was another group, Prometheus, that just didn't have the same level of attention that on their website put that they were an affiliate or a spinoff group from REvil. So they were almost like they were franchising and having these other groups go out and they were sort of making their own empire.
Jon DiMaggio: But back to what you said about DarkSide, yeah. So DarkSide, yeah, they screwed everything up for them. They did this. They got all this attention. They obviously didn't realize what they were doing at the time. But there's no way anybody would do this intentionally if they knew how it was going to all the attention it was going to get and how it was going to turn out, because it literally crippled them and they lost all the money that they gained when the US government came out after them and emptied their Bitcoin wallet.
Jon DiMaggio: So, at the end of the day, it just wasn't worth it, caused a lot of attention, caused a lot of trouble, and led to also the banning of discussing ransomware on a lot of the forums that these guys lived on, and more importantly, the forums they recruited on. And when you make it harder to recruit, that directly affects business. So all of it sort of stemmed from DarkSide screwing up, is where everything started to change and go the opposite direction for REvil.
Dave Bittner: Well, let's go through the ultimate undoing, then. I mean, as we say, it seems like DarkSide was sort of the catalyst, but it was downhill from there.
Jon DiMaggio: Yeah, yeah. DarkSide definitely started it and REvil finished it. So it was in May on the forums, and, you know, a lot of researchers, not just me, saw this. I think it was Advanced Intel that first reported it. But there was, in May, there was an affiliate who – there's a process of when a hacker on these forums gets sort of screwed out of money, or buys a service and they don't get it, or whatever it is, where you can request arbitration, where, as I told you, you could put down these Bitcoin deposits on the forum, arbitrator will come in and look at the case. You'll have to send in logs or evidence to support your side and then they make a decision. If they decide you were wronged, they'll give you money from that pool of the deposit. Well, and if that doesn't, if there isn't money and you don't do it, they get kicked off the forum and their reputation is hurt, and that's something that most these criminals really care about.
Jon DiMaggio: Well, what happened with that is one of the affiliates posted this in May, and it didn't get a lot of attention, and they did post all the evidence publicly, which they don't always do. A lot of other ransomware criminals in this community were upset that they did post it publicly, but it gave us researchers a lot of cool information.
Jon DiMaggio: I really thought they were going to get awarded the money, but they didn't. The arbitrator sided with REvil, but what was interesting is REvil made a large deposit to that forum a week after the arbitrator weighed in their favor. Whether or not that was, you know, buying them out or not, I don't know. But I thought it was interesting timing. But the reason this May event was important is because in September, so several months later, in September, that's where I was saying that the company Advanced Intel – those guys do great work – and they actually found a backdoor in the attacker's malware. So it was a backdoor designed to double cross the affiliate who's working for the provider. So REvil's affiliates were the ones infected with this backdoor, not the victim.
Jon DiMaggio: So that's where the double cross comes in that makes it so interesting. Bad guys use a user panel to manage their attack and they have sort of their own software that's part of the REvil infrastructure and payload. And within this, they installed a backdoor so that they could have sort of a double chat. They could watch and view the affiliate negotiating and talking with the victim. And what they would do is if it looked like the affiliate was going to pay, they sort of interrupted that session, making it look like the victim just backed out and decided not to pay. And then they stepped in, and the victim just sees the chat portal. They don't they don't know that it's somebody else behind it now. So now they're talking to them, now they're going to pay, and they give them the instruction to pay, and now instead of paying the affiliate seventy percent of, let's say, a $10 million ransom, they keep the whole thing for themselves and just say, sorry, I guess these guys didn't pay, better luck next time.
Jon DiMaggio: And this kept happening over and over again. And once this came out and they put the technical analysis out there, bad guys started doing their own analysis and posting, finding more things and posting all of this at the binary analysis level on these forums and demanding that REvil explain what they did, and people were calling them names, and it's just – I mean, their reputation was just done. People were pulling out left and right. Nobody wanted to work with them.
Jon DiMaggio: And the most interesting part, though, REvil stayed. They could have been quiet. They could have disappeared. They stayed, and they adamantly argued that they did not do this, that it isn't what happened. And I always thought that was interesting, because if they really didn't put this backdoor in, then who did? And, you know, the only other person I could think of it would have to have been like a major, you know, government or intelligence agency. That's some conspiracy theory stuff...
Dave Bittner: (Laughs)
Jon DiMaggio: ...But the whole community believes REvil, did it. But I'm just saying, if they didn't, and it was a government, that would be ingenious because, you know you're not going to arrest them because they're protected in Russia. What's the next best way to get rid of them? Kill their credibility. So I think that's a really cool, you know, secondary story if we ever found out that they really didn't put the backdoor in. But I thought it was so interesting that they stuck, they hung in there adamantly to the very end, claimed that they did not do this, and there was no denying in the code that it was there. So, yeah, the community does believe, though, that they did do it to screw these guys.
Dave Bittner: Yeah, no honor among thieves, right?
Jon DiMaggio: Right, exactly. Yeah, it's hard to feel bad for you, you know?
Dave Bittner: Yeah. Now, ultimately, the story kind of ends with law enforcement knocking on some people's doors. How did that play out?
Jon DiMaggio: Well, so there are two parts to it. In November, when the US conducted or issued indictments, the only doors that got knocked on were ones that were outside of Russia. So, we got some affiliates in Ukraine. There was another affiliate in Russia that, you know, his name was and picture were given, but they couldn't touch him and the Russian government wouldn't help. But with President Biden going to Vladimir Putin in Geneva when they met in July and saying, hey, we need, we need help with this or we're going to have to act, basically. Maybe not quite the same wording, but it's basically what he asked for. What we found here is, you know, they finally came in and gave us a hand. I was shocked when I heard about it, but yeah, the FSB night raids, they kicked in twenty-five doors, arrested fourteen people in Russia. We still don't know the full fallout of it, whether there's speculation they were developers. Others speculate they're the core members. But regardless, it's a much bigger hit than it was when they just arrested guys outside of Russia.
Jon DiMaggio: But more importantly, regardless of who the specific players were within the gang that got arrested, it was that message that was just sent of, hey, Russia's no longer protecting you. And that was huge. And for the first time ever, I saw the conversation change where people were concerned and talking about, hey, this isn't worth it if I'm going to go to jail. Like, we're concerned if we're not protected by Russia anymore. Unfortunately, I don't think that's going to stick, because of the tension with the US right now, with Russia, with invading Ukraine. And if things get worse and we do become full-on adversaries again, you know, I'm sure they'll open the door again to have at it and keep targeting the US.
Jon DiMaggio: But regardless, it's the first time where we've seen sort of, even if the psychological impact, an impact on Russian-based ransomware attackers where they're second thinking what they're going to do, I just, I had never seen that before and it really surprised me. So that's a win for us. Regardless of how long it lasts, that's a win for us. It's a step in the right direction.
Dave Bittner: Yeah, I would imagine even just shaking up their confidence, you know, the operators' confidence over there that perhaps they're not as bulletproof as they thought they were. That's a good thing. The narrative of this story is, you know, good enough for a Hollywood feature, and I have to say I laughed out loud, one of the things you point out in your write up is the only thing missing is a good car chase. And I wonder when Hollywood eventually does make the story, will they figure out a way to put one in there? (Laughs)
Jon DiMaggio: Well, here's the good thing, Dave. When they arrested these guys, they said it over twenty quote unquote "premium cars" that were taken. So we've got, you know, if we say based on a true story, we've got the cars, we've got bad guys, let's just throw a good car chase in there and make it perfect...
Dave Bittner: (Laughs)
Jon DiMaggio: ...Because this really was such an interesting story, it literally could be a movie. You know, it really could be.
Dave Bittner: Yeah. What do you take away from this? I mean, having gone through the exercise of really digging into the details here and laying it out from start to finish, how do you think this informs where we go from here?
Jon DiMaggio: Yeah, I think one of the things that we really need to do to prevent this is find a way to not just try and stop them from technical means. We need to find ways to get into sort of these communities with law enforcement, to get into these communities. Even if we're, let's say that we're able to break into sort of the places where they recruit affiliates and things like that – even if we're not successful in gaining access to the gang by doing that, just by making it harder and more difficult to find affiliates and to know who to trust and to have them second guess or question, we need to get closer to them. And, you know, from conversations that I've had, I don't think right now we have a strong capability within a lot of those inner circles. And you know, I could be wrong. I'm just telling you from the conversations that I've had. And the thing is, if there's guys out there like me that are able to do it, certainly there's law enforcement and government organizations that can do it, and I'm sure that that's something they're working on.
Jon DiMaggio: But knowing where to go and getting in there and making it harder, sort of injecting deceit and injecting questionable content and making them really wonder if the people they're working with or the payloads that they're getting are things that they can trust is going to just be a sidestep and it's going to have a psychological effect that's going to cause distrust, which will hopefully lead to less ransomware attacks and things of that nature.
Jon DiMaggio: On the other end, yeah, we need to keep doing things where we're infiltrating their wallets, taking money back, dedicating intelligence community resources, things that that nobody else in the world has, to figure out who the guys are behind the keyboards, putting their pictures out there, making sure that if they travel out of the country, they know they're going to get arrested. You know, doing everything we can to sort of put the heat on them and to get it, knowing that we're not just going to sit back anymore.
Jon DiMaggio: Unfortunately, there is no easy solution, and this could be like the war on drugs. We may never win it, but there are things that we can do that are going to slow it down and give us at least a better chance of protecting ourselves against it, if that makes sense.
Dave Bittner: Our thanks to Jon DiMaggio from analyst one for joining us. The research is titled, "A History of REvil." We'll have a link in the show notes.
Dave Bittner: The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.