What do we know about REvil, the Russian ransomware gang possibly behind the Medibank cyber attack?
Australian Federal Police Commissioner Reece Kershaw on Friday confirmed police believe the criminal group behind the recent Medibank cyber attack is from Russia. Kershaw said their intelligence points to a group of loosely affiliated cyber criminals who are likely responsible for previous significant breaches in countries around the world.
Kershaw stopped short of naming any individuals or groups.
But authorities suspect the attackers belong to, or have close links to, the Russian-based ransomware crime group, REvil.
The attack so far involves a multimillion-dollar ransom demand made to the health insurer for data on individual customers stolen in the earlier stages of the attack. The attackers initially threatened to release sensitive personal medical information, and then on Wednesday released hundreds of records onto the dark web.
Such attacks cause enormous personal stress for those whose data is exposed, as well as significant reputational damage to the entities holding the data.
When the Medibank attack was publicly announced, Home Affairs Minister Clare O’Neil described the illegal action as a “dog act”.
Since then, our cyber security agencies, including the Australian Federal Police and the Australian Cyber Security Centre, have been scrambling to respond.
Gaining a better understanding of the groups behind these activities is therefore important, but difficult.
So what do we know about REvil?
Hackers for hire
The group’s name is said to be a contraction of the words “ransom” and “evil”. It’s based in Russia, although its network of “affiliates” extends into Eastern Europe.
The view that the attack is the work of REvil is based partly on links observed between existing REvil sites on the dark web and the extortion site now hosting some of the stolen Medibank data. More information will undoubtedly come to light in the coming weeks to confirm or change this assessment.
But the nature of this attack is consistent with the approach and motivations shown previously by REvil.
The group emerged in early 2019, having evolved from an earlier “ransomware as a service” (RaaS) group known as GandCrab.
According to one scholar, Jon DiMaggio, under the RaaS model REvil relied on
hackers for hire, known as affiliates, to perform the breach, steal victim data, delete backups and infect victim systems with ransomware for a share of the profits.
As we have also seen in the Medibank case, a further tactic of this group is to engage in double extortion, whereby failure to pay the ransom leads to the stolen data being leaked or sold in underground forums on the dark web.
REvil was notably active in 2021. This included the highly damaging ransomware attack in the United States on Kaseya, a managed services provider. REvil posted a ransom of US$70 million for a universal decryption key to restore victims’ data.
Australia was also touched by REvil in 2021. The group attacked JBS Foods, a major producer with operations in Australia as well as Brazil. The impact on Australian meatworks operated by JBS appears not to have affected supplies of meat, thus drawing less public attention than we have seen in the Medibank case.
Unstable and slippery
Soon after the Kaseya attack, in late 2021, REvil appeared to shut up shop, following leaks of data from their hacked data site and increased pressure from law enforcement.
However, ransomware groups such as REvil are notoriously unstable and slippery. Many factors contribute to this instability, including law enforcement pressure and greed. There’s little honour among this species of cyber “thieves” when personal survival and enrichment are at stake. The RaaS model also depends on loose networks of affiliates that inevitably change over time.
Further evidence REvil was in retreat came in January 2022, just a month before Russia’s invasion of Ukraine. Russian law enforcement authorities announced they had arrested some 14 alleged members of REvil.
For a brief time, Western observers hoped the Russian action might be effective in constraining future ransomware attacks by the group.
But since the invasion in February this year, any pretence of cross-border cooperation in tackling these Russian groups has evaporated. In addition, those arrested are now thought likely to be free and back in business.
Russian ransomware groups have close informal links to Russian security agencies such as the FSB, the Russian internal security agency. These links give the group (and other Russian cybercrime groups) a degree of licence to carry on their activities on the strict understanding their targets must lie outside Russia.
In some cases, though not so clearly in the case of REvil, these groups have expressed geopolitical motivations, directing cyber attacks against Ukrainian targets and those of nations seen to be supporting Ukraine. The Conti ransomware group is an example here of a group that publicly declared its support for Russia over Ukraine.
In the Medibank example, the group behind it seems simply driven by financial gain. Health care services such as hospitals have proven popular targets for ransomware groups because of their sensitive data holdings and hence vulnerability to pressure to pay.
It seems REvil, or at least a close genetic descendant, is back in business. What we’re currently observing is consistent with previous experience with this group: appearing, disappearing and reappearing, sometimes in a slightly altered form.
Dealing with it is difficult, a bit like a game of whack-a-mole – the offenders all too easily vanish and then pop up somewhere else.
The root causes of ransomware today can be political as well as economic, making effective inter-country cooperation against Russian-affiliated groups almost impossible.
This article draws upon work undertaken with my colleague David Wall (University of Leeds) examining the weaponisation of ransomware in relation to the Russia/Ukraine conflict. This work is currently in draft report form with the sponsoring organisation, the Global Initiative against Transnational Crime, Vienna and Geneva.