From Security Weekly Wiki
Jump to navigationJump to search


REvil ransomware crew dangles $1,000,000 cybercrime carrot

REvil ransomware deposits $1 million in hacker recruitment drive

I’m sure you’ve heard the old adage of “crime doesn’t pay.” Unfortunately, that saying has been taking a beating due to attackers motivated to make money. A couple of articles that I found this week illustrate this situation pretty well. One is from Bleeping Computer and the other from the Naked Security blog. In these posts they explain that the operators of the REvil ransomware are recruiting and have put money on the table. Where I work, we call the operators of the REvil ransomware as a service by the name PINCHY SPIDER. I personally get a kick out of talking about them because the name is fun to say, but that has nothing to do with what they actually do.

We’ve talked about RaaS a number of times on the show, but this is interesting because it gives some insight into their recruiting process. If you aren’t familiar with PINCHY, they write the REvil ransomware and operate the infrastructure used by it. This includes handling the decryption keys, the leak sites for data stolen during the attack, and all the other pieces to make the extortion successful. They recruit “affiliates” to actually break into companies and deploy the ransomware. To be honest, the recruitment bit is something that I’ve wondered about. How do they get in contact with potential affiliates and how do they check them out? They certainly don’t want any law enforcement in there or intel groups that track these types of operations. And unfortunately, these articles don’t give us that much more insight into the process. But it does open the curtains slightly for us.

First, it tells us the types of people they are looking for. Notably, they are interested in people that know how to use penetration testing tools. The people pulling off these intrusions don’t bother with much custom tooling. Unfortunately, there is plenty of high quality tooling that is available commercially and through open source. Some folks might argue that it shows a lack of sophistication and skill on the part of the attackers, but it’s fairly simple economics. These tools work well, the attackers don’t have to spend time creating alternatives, and the tools are more than sufficient for their targeted victims. There’s less ego here and much more importance placed on the income.

Speaking of tools… PINCHY also wants people who have an understanding of NAS (network attached storage), tape backup systems, and virtualization. They want to limit the ability of victims to recover their data without paying out. So locking up the backups is a big deal, as is using virtualization to avoid security tooling. In summary, they are getting more and more skilled at locking things up.

I mentioned that the emphasis of this group is on the income. Just how much money are we talking about? Apparently, the group put 99 bitcoins up on the forum as proof of just how much money they have. Right now, that’s roughly $1m US. So yeah, there’s money involved. In fact, if they can lock up business critical data, the attackers will demand very large payouts to decrypt the data and avoid it being released publicly. According to the Naked Security article, these demands run in the 6 to 7 figure range. The sums of money demanded by these groups can be truly mind blowing. So while putting $1m in bitcoin up on the forum entails some risk for the group, it’s money that they can make back with a few intrusions.

From my view, the operations of these groups can be extremely frustrating to watch. With what I see on a regular basis, they are taking advantage of unpatched systems, RDP and SMB hanging out on the internet, and basic misconfiguration mistakes. Configuring your endpoint security products to block this stuff is also important. You’d be surprised to see how many organizations deploy these tools with settings to detect activity and not prevent it. No matter how fast you can type, you can’t respond quicker than ransomware can encrypt. So many incidents could be avoided with some security basics.

Finally, we need to stop paying out. Yes, it will take longer to recover. Yes, the attackers might leak customer data to prove we had an incident. But this kind of thing is going to happen as long as there is money in it. Unfortunately, this is an example of where crime does pay. And they can recruit new people faster than law enforcement can investigate and arrest people carrying out the crimes.