‘Disgruntled insider’ shared REvil information with researchers, helped law enforcement

REvil was among the most notorious ransomware crews until international attention and arrests hobbled the group.

In the fall of 2019, after writing about how Sodinokibi ransomware affiliates bragged online about the money they were making, threat intelligence researchers with McAfee Advanced Threat Research received an interesting email.

The sender turned out to be a “disgruntled internal source” upset with how other hackers boasted about earnings while they hadn’t been paid. The insider went on to help researchers understand the inner workings of the group that became known as REvil, whose antics and crimes made headlines after attacking beef producer JBS.

Russian authorities arrested multiple REvil members in January, and Russian officials hailed it as a sign of “cooperation” between Washington and Moscow. But Russia’s invasion of Ukraine on Feb. 24 broke off any cooperation between the two countries, a U.S. official told CyberScoop in April, and it’s unclear how the prosecutions are proceeding, if at all.

John Fokker, head of threat intelligence at Trellix, and formerly of McAfee ATR, revealed the interactions with the insider in new research on Thursday. He notes that the source shared screenshots of REvil’s back-end panel that helped confirm earlier theories from Fokker’s team about how REvil tracked its affiliates. The screenshots also show in minute detail how the operation worked.

The source also shared “TTPs, internal relationships, information on the group’s operations,” Fokker wrote. “The tools, tactics and techniques they used ranged from infostealer logs, RDPBrute, ADFind, Mimikatz, WinPEAS, Cobalt Strike and PowerShell scripts.”

The interactions also revealed where affiliates would access the actual panel via Tor, which led Fokker’s team to be able to find the actual IP address of the panel.

“This unprecedented finding was surprising, and we immediately packaged these findings together with additional analysis on individual members and the organization’s communication channels in a 55-page report for global law enforcement,” Fokker wrote.

In an interview with CyberScoop this week, Fokker declined to name any specific law enforcement entities that used the information. But in November, Europol credited the team for its help in leading to the arrest of two REvil ransomware suspects as part of “GoldDust,” a cooperative effort against ransomware that involved 17 countries, including the U.S.

The Europol announcement came the same day that U.S. authorities announced the seizure of $6 million in ransomware payments connected to REvil activity and charges against Yevgeniy Polyanin, a Russian national, and Ukrainian Yaroslav Vasinsky for their alleged roles in REvil extortions.

Fokker told CyberScoop that the inside access he received was akin to the Conti leaks situation. In that case, a Ukrainian researcher with access to that ransomware group’s back end spilled reams of data, including chat logs, after Conti declared its support of the Russian government after the invasion. Upset insiders can do a lot of damage if they’re wronged, he said.

“You can call them a snitch if you want, but there was somebody disgruntled and unhappy, and that happened way before the Conti leaks,” Fokker said. “It shows that if you’re not paying your people, you’re not paying what people think they’re owed, the loyalty goes out the door.”

The revelation comes amid signs that REvil, or someone with access to REvil infrastructure, is back to extorting victims for money. The group was forced offline in October 2021 after reportedly being targeted by U.S. Cyber Command and a foreign government, according to The Washington Post.

The new iteration was perhaps “some members of REvil, but it wasn’t, as far as we know, the original leader,” said Allan Liska, an intelligence analyst with Recorded Future. “It seems like it was a few of the developers who tried to take over and continue operations.”

The group’s “Happy Blog” posts one to two victims each month — “way, way off the highs of the original REvil,” Liska said — with the last posting on Sept. 1. “My guess is there is more happening beneath what we see on the extortion site, but broadly they are still lower tier since their re-resurrection,” he added.

Fokker said that whatever’s happening with REvil, ransomware overall continues to be a major problem.

“There’s very large organizations that continue to be vulnerable, and they’re a profitable target for ransomware actors, so the victims are there,” Fokker said. “For a lot of these actors, they’re quite comfortable hacking into these systems and gaining access, and then it’s a matter of negotiation.”

Written by AJ Vicens

AJ covers nation-state threats and cybercrime. He was previously a reporter at Mother Jones. Get in touch via Signal/WhatsApp: (810-206-9411).