There used to be a notorious ransomware group called REvil. Also known as Sodin and Sodinokibi, REvil made a name for itself by extorting large amounts of money from businesses. It also operated a ransomware-as-a-service (RaaS) business model in which it shared profits with affiliates who broke into networks and spread its ransomware.

Until recently. The Russian-led gang was recently felled by a multi-country law enforcement operation. Its infrastructure was hacked and taken offline for the second time in a week and at the time of writing there is no sign of its operations reappearing elsewhere.

Fuel pipeline takedown

The takedown appears to have been driven by a cyberattack on Colonial Pipeline earlier this year. The attack took the US fuel pipeline offline last month, causing major disruption. Encryption software used in the cyberattack was developed by associates of REvil. No doubt there are also other factors that tied the pipeline attack to REvil. In a sense, the hand of law enforcement was forced to move against REvil.
  • However, it's interesting to note that earlier this month a hacker called Signature is said to have posted details of a secret “cryptobackdoor” in REvil’s code on a Russian forum used by the criminal underground.
  • Apparently, the backdoor code enabled REvil to restore encrypted ransomware files on its own, without the involvement of the affiliates it originally hired.
  • The backdoor allowed the REvil group to take over negotiations with a ransomware victim, cutting out the affiliate, and even restore encrypted files without the approval of their affiliate partners.
  • The hacker claimed that REvil jumped into a negotiation via the backdoor and, posing as a victim, abruptly ended an attempt to extort $7 million. Signature believes that one of REvil’s operators then took over the real negotiation and took the money for themselves.
Busted credibility

Together with the takedown of its operations, the credibility of REvil among fellow cyber villains has taken a serious hit. If this were a mafia operation, a hit man would be sent out. The alleged backdoor actions have completely undermined REvil.
  • Ransomware-as-a-service operators like REvil rent their file-encrypting malware to ‘affiliates’ recruited through online forums. The affiliates then launch ransomware attacks and pay the operators like REvil a large share of the ransom.
  • This service model allows ransomware operators to improve the ransomware code, while the affiliates can focus on spreading the ransomware and infecting as many victims as possible. This creates an assembly line of ransom pay-outs that are split between the developer and affiliates.
Ruined reputation

This business model has served cyber criminals well. While the takedown of REvil may not have such a huge impact on ransomware attacks in general, the ransomware group has certainly shot itself in the foot by going behind its affiliates' backs and taking all the money for itself.

Of course, these people use the anonymity of the internet to hide their real-life identities so what’s to stop them from setting up in another name? However, they also have digital fingerprints, such as a quirky way of using language, which fellow hackers can use to identify them. As a result, they could find themselves out in the cyber cold, which when it comes to skilled ransomware creators is only a good thing.