What is REvil, the ransomware group dismantled by Russia at US request

The announcement comes as Ukraine was responding to a massive cyberattack that shut down government websites, though there was no indication the incidents were related. Here we take a closer look at REvil ransomware gang and its functioning.

Who/what is REvil?

REvil’s name is an amalgam of “ransomware” and “evil”. The group is a Russia-based hacking organisation. Security researchers have previously named the organisation’s family of malware as REvil/Sodinokibi, or REvil.Sodinokibi.

Gangs such as REvil deploy ransomware, which is essentially a file blocking virus that encrypts files after infection. After the data is stolen and made inaccessible to the victim, the group sends out a ransom request message to the victims. The message typically demands that the ransom be paid in cryptocurrencies such as Bitcoin. If the ransom is not paid in time the demand doubles. The reason cryptocurrencies are preferred is due to perceived anonymity and ease of online payment.

The group REvil would steal data from the computers, lock the victims out of their computers, and then threaten to release stolen data by auctioning it off. This is a unique technique of applying additional pressure on victims.

REvil also acted as a business and sold hacking technology among other tools to third-party hackers. REvil members would lease that ransomware to other hacking groups so that a similar attack could be implemented. They would offer ransomware as services (RaaS). In exchange for using REvil’s services and malware, the group would a substantial cut of any ransomware payments from the other group.

Interestingly, some of the most high-profile ransomware attacks of this year were done through RaaS groups, including the famous ransomware attack in May against Colonial Pipeline, an American oil pipeline company, where the cybercriminal leased the service of REvil.

The ransomware gang has been linked to high-profile attacks, including against Quanta, a Taiwanese company that sells data center gear to Apple. REvil said it was able to steal sensitive data from Apple-like computer designs and demanded a $50 million ransom. However, as tech publication MacRumors reported in April, REvil “mysteriously removed all references related to the extortion attempt from its dark web blog.” As of now, it is unclear whether Apple or Quanta paid the ransom.

It should be noted that, unlike state-sponsored hackers, REvil is purely financially motivated. The notorious group also took credit for hacking New York law firm Grubman, Shire, Meiselas & Sacks, claiming to have obtained documents related to former President Donald Trump.

The shutdown of REvil

In a joint operation, police and FSB searched 25 addresses, detained 14 people, and seized 426 million roubles (roughly Rs 40 crore), $600,000 (roughly Rs 4 crore), 500,000 euros, computer equipment, and 20 luxury cars.

According to Reuters, a Moscow court identified the two accused as Roman Muromsky and Andrei Bessonov and remanded them in custody for two months. Muromsky was a web developer who designed websites for a shop called “Motohansa” selling motorcycle spare parts.

“He is a smart person and I can imagine that if he wanted to do it (hacking) he could, but he charged very little money for his services. Several years ago he had a Rover car. That’s not an expensive car at all,” Sergei, the shop owner was quoted by Reuters. Muromsky is in his thirties and was born in Anapa in Russia’s south where he worked as a normal programmer.” The group members have been charged and could face up to seven years in prison, according to the report.

Earlier, in November, a report by cybersecurity firm Sophos revealed that ransomware, fueled by cryptocurrency, was involved in 79 percent of the global cybersecurity incidents from 2020-2021. The Conti and REvil ransomware attacks were on top of the list, notes Sophos.