BLOG: Who is REvil/Sodinokibi?

REvil (also identified as Sodinokibi) is a private ransomware-as-a-service (RaaS) operation. Over the past few years, REvil has obtained large amounts of money from wide-reaching organisations. Its moniker stands for Ransomware Evil which was founded via inspiration from the ‘Resident Evil’ movie series. It has been alleged by cybersecurity professionals and firms that it is the most widespread ransomware threat and the group behind it doubles down on its extortion efforts by also stealing business data and threatening to release it. REvil accounts for almost 4% of ransomware attacks on the public and private sectors.

REvil, also known as Sodinokibi, first appeared in April 2019 and soared to prominence quite quickly after this. During the initial reveal/discover of REvil, researchers recognised it as a strain of GandCrab or a possible affiliate of GandCrab with established links. During an interview last year, a member of the infamous group using the alias ‘Unknown’ explained that REvil ransomware was not a new creation but was in fact created on top of an older codebase that the group acquired.

Despite the ransomware group being fairly new and forming in April 2019, it has been estimated that REvil hit at least 140 organisations since it appeared in April 2019 and targeted numerous industries and organisations including wholesale, manufacturing, and professional services being the most frequently targeted industries. Around 60% of the gang’s victims are organizations from the US, followed by UK, Australia and Canada.

It has also been estimated that a third of REvil victims paid the ransom whilst that one in ten had their sensitive information auctioned off on the dark web. A third of the group’s victims had their data stolen. However, it seems that REvil reworks their ransom demands and payments centred around the annual income of the targeted organisations, this is why ransom requests made by REvil can range from between $1,500 and $42 million or up to 9% of the yearly revenue of the target/targets.

Researchers estimate that REvil’s profits in 2019 were at least $81 million. Last year it was reported that among the third quarter of 2020, REvil/Sodinokibi had the largest market share among ransomware groups based on them being responsible for 16% of infections. Almost half of all ransomware cases investigated by the company also involved threats to release exfiltrated data, with an increasing number of groups adopting this technique.

Cybersecurity professionals have seen instances where victims who paid the ransom demands found themselves being extorted again by REvil a few weeks later with threats to release the same data that they paid the ransom for. Other groups also failed to keep their promises by publishing the data of victims who chose to pay or by showing fake evidence of data deletion. Once a victim receives a decryption key, it can’t be taken away and does not degrade with time. With stolen data, a threat actor can return for a second payment at any point in the future. The track records are too short and evidence that defaults are selectively occurring is already collecting.

A tactic that is somewhat ‘innate’ for REvil is exerting pressure and fear onto victims. REvil is allegedly looking into implementing other techniques, for instance initiating distributed denial-of-service (DDoS) attacks that force the hand of organizations that suspend negotiations. Cybersecurity professionals allege that REvil is now distributed primarily through compromised RDP sessions (65%), phishing (16%), and software vulnerabilities (8%).

REvil is one of the ransomware programs deployed during human-operated ransomware campaigns. This means that after breaking in, hackers use a variety of tools and techniques to map the network, perform lateral movement, obtain domain administrator privileges, and deploy ransomware on all computers to maximize the impact.
REvil stands out from many other ransomware programs due to REvil utilising Elliptic-curve Diffie-Hellman key exchange as an alternative for RSA, alongside Salsa20 in replacement for AES in order to encrypt files. This is a vital part of REvil as these cryptographic algorithms are extremely efficient and uncrackable when implemented correctly. The ransomware distributed by REvil destroys various processes on the targeted and infected machines, including email clients, SQL and other database servers, Microsoft Office programs, browsers and other tools that might keep important files locked or backed into RAM. It then deletes Windows shadow copies of files and other backups to prevent file recovery.