The REvil group of cybercriminals has established itself as one of the most formidable players in the digital threat landscape. Specializing in ransomware attacks, this Russian collective has orchestrated some of the most lucrative extortion operations of recent years. Let’s delve into the dark world of REvil to understand how it works, its impact and how to protect yourself.
REvil’s modus operandi: a well-oiled extortion machine
REvil, also known as Sodinokibi, has perfected the art of digital extortion. The group operates on a ransomware-as-a-service (RaaS) model, an approach that multiplies its effectiveness. This system enables REvil to recruit talented affiliates to propagate its malware, considerably extending its reach.
REvil’s strategy is based on a particularly pernicious double extortion:
- Encryption of the victim’s data
- Threat of disclosure of stolen sensitive information
This tactic puts organizations in an inextricable situation, often forcing them to give in to the cybercriminals’ demands. REvil mainly targets the following sectors:
- Wholesale
- Manufacturing
- Professional Services
The group uses three main attack vectors to infiltrate its victims’ systems:
- Exploitation of insecurely exposed RDP (Remote Desktop Protocol) services
- Sophisticated phishing campaigns
- Exploitation of zero-day vulnerabilities
Once inside, REvil’s ransomware encrypts files with the Salsa20 stream cipher and protects the file keys with a Diffie-Hellman key exchange, making data recovery almost impossible without the decryption key.
The extent of the damage caused by REvil
The financial impact of REvil’s attacks is colossal. The group is said to have amassed more than $100 million from its malicious operations. This astronomical sum testifies to the formidable effectiveness of their approach.
REvil adjusts its ransom demands according to the financial capacity of its victims. The amounts demanded can vary considerably:
| Type of organization | Ransom amount     |
|----------------------|-------------------|
| Small business       | $1,500            |
| Large company        | Up to $42 million |
One of REvil’s most striking attacks targeted IT giant Acer in 2021. The group demanded a record ransom of $50 million, illustrating the audacity and inordinate ambition of these cybercriminals.
To increase the pressure on its victims, REvil does not hesitate to resort to additional tactics, such as threatening DDoS (Distributed Denial of Service) attacks. This strategy aims to paralyze the targeted organization’s online services, amplifying the damage and urgency of the situation.
Protect your organization against the REvil threat
Faced with the growing sophistication of REvil attacks, it is essential for businesses to put in place a robust defense strategy. Here are the main measures to adopt to reduce risks:
- Secure remote access: Implement multi-factor authentication and strictly limit RDP connections.
- Keep systems up-to-date: Regularly apply security patches to plug known vulnerabilities.
- Train employees: Make staff aware of phishing techniques and good IT security practices.
- Back up offline: Create regular backups and store them on media disconnected from the network.
We also recommend implementing an Endpoint Privilege Management (EPM) solution. This approach limits administrator rights and considerably reduces the attack surface exploitable by cybercriminals.
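The two RDP-related measures above (limit RDP connections, and know when exposed RDP is being abused) can be verified from the Windows Security log. The script below is an added example written for this article, not code from the REvil write-up or from any vendor product. It assumes a simplified key=value export of Security events (ID 4625 failed logon, ID 4624 successful logon, logon type 10 for RDP); the sample lines, the internal address ranges, and the threshold and window values are constructed assumptions to be adjusted per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Windows Security log event IDs and the RDP logon type.
FAILED_LOGON = "4625"      # An account failed to log on
SUCCESS_LOGON = "4624"     # An account was successfully logged on
RDP_LOGON_TYPE = "10"      # RemoteInteractive: RDP / Terminal Services

# Tunables (assumptions for this example, not values from the article).
THRESHOLD = 5                    # failed RDP logons from one source ...
WINDOW = timedelta(minutes=10)   # ... inside this sliding window
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in a simplified key=value export; the IPs come from the
# RFC 5737 documentation ranges and do not belong to any real host.
SAMPLE_EVENTS = """\
2024-05-01T01:30:00 EventID=4625 LogonType=10 User=administrator Src=203.0.113.45
2024-05-01T02:00:01 EventID=4625 LogonType=10 User=administrator Src=203.0.113.45
2024-05-01T02:00:05 EventID=4625 LogonType=10 User=admin Src=203.0.113.45
2024-05-01T02:00:09 EventID=4625 LogonType=10 User=administrator Src=203.0.113.45
2024-05-01T02:00:14 EventID=4625 LogonType=10 User=backup Src=203.0.113.45
2024-05-01T02:00:20 EventID=4625 LogonType=10 User=administrator Src=203.0.113.45
2024-05-01T02:01:02 EventID=4624 LogonType=10 User=backup Src=203.0.113.45
2024-05-01T02:03:00 EventID=4625 LogonType=10 User=jsmith Src=10.0.0.7
2024-05-01T02:03:10 EventID=4624 LogonType=10 User=jsmith Src=10.0.0.7
2024-05-01T02:05:00 EventID=4624 LogonType=3 User=svc-web Src=198.51.100.8
2024-05-01T02:06:00 EventID=4624 LogonType=10 User=contractor Src=198.51.100.8
this line is malformed and must be skipped by the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event>\d+) LogonType=(?P<ltype>\d+) "
    r"User=(?P<user>\S+) Src=(?P<src>\S+)$"
)


def parse_events(text):
    """Parse the export into dicts sorted by timestamp; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def is_internal(src):
    """True when the source address falls inside one of INTERNAL_NETS."""
    try:
        addr = ip_address(src)
    except ValueError:
        return False   # unparseable source: treat as external, i.e. suspicious
    return any(addr in net for net in INTERNAL_NETS)


def analyze(text):
    """Return a list of findings, in the order the triggering events occur."""
    findings = []
    failures = defaultdict(list)   # src -> timestamps of recent failed RDP logons
    brute_forcing = set()          # sources already flagged for brute force

    for rec in parse_events(text):
        if rec["ltype"] != RDP_LOGON_TYPE:
            continue               # only RDP logons matter for this check
        src, ts = rec["src"], rec["ts"]

        if rec["event"] == FAILED_LOGON:
            # Sliding window: drop failures older than WINDOW before counting.
            failures[src] = [t for t in failures[src] if t >= ts - WINDOW]
            failures[src].append(ts)
            if len(failures[src]) >= THRESHOLD and src not in brute_forcing:
                brute_forcing.add(src)
                findings.append({"severity": "medium", "type": "rdp_bruteforce",
                                 "src": src, "count": len(failures[src]), "at": ts})
        elif rec["event"] == SUCCESS_LOGON:
            if src in brute_forcing:
                # A success from a source that just sprayed passwords is the
                # classic sign of a compromised RDP account.
                findings.append({"severity": "high", "type": "rdp_success_after_bruteforce",
                                 "src": src, "user": rec["user"], "at": ts})
            if not is_internal(src):
                # Any RDP logon from outside the internal ranges means RDP is
                # reachable from the internet, which the hardening advice rules out.
                findings.append({"severity": "low", "type": "rdp_exposed_to_internet",
                                 "src": src, "user": rec["user"], "at": ts})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f['severity']:6}] {f['type']:30} src={f['src']} at={f['at']}")
```

On the sample, the 01:30 failure falls outside the ten-minute window and is pruned, so the brute-force finding fires on the fifth failure at 02:00:20; the later success from the same address is raised as high severity, and both external successes also surface as "RDP exposed to internet" regardless of whether a brute force preceded them. The internal user who mistyped a password twice produces nothing.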
REvil’s links with other cybercriminal groups
The cybercrime ecosystem is complex and interconnected. Links have been established between REvil and other notorious groups such as GandCrab and FIN7. These connections suggest a possible collaboration or sharing of resources between different criminal entities.
The GandCrab group, in particular, bears striking similarities to REvil in its modus operandi and structure. Some experts even suspect that REvil could be an evolution or rebirth of GandCrab under a new identity.
As for FIN7, a group known mainly for attacks on the financial sector, technical and strategic overlaps with certain REvil operations have been observed. This convergence raises questions about the possible pooling of skills within the Russian-speaking cybercriminal community.
REvil’s ability to actively recruit new talent and forge strategic alliances contributes to its adaptability and longevity in the digital threat landscape. This dynamic makes the fight against this group particularly complex for authorities and cybersecurity experts worldwide.