REvil: one of the most dangerous ransomware strains

Today, when it comes to cybercrime, ransomware attacks are on the rise.

They are marked mainly by assaults on information systems and by demands for ransom payments, most often accompanied by blackmail threatening the disclosure of confidential data. One of the most notorious in the field is REvil, a malware used by a group of cyber criminals known as Sodinokibi.

According to computer security company Coveware, the REvil ransomware is distributed primarily:

– through compromised RDP sessions in 65% of cases;

– through phishing in 16% of cases;

– via software vulnerabilities in 8% of cases.

Note that REvil is ransomware-as-a-service (RaaS). It is used by cyber criminals who for years have been extorting huge sums of money from organizations around the world, especially in the last year. "Its name, a contraction of Ransomware Evil, was inspired by the Resident Evil series of video games, which was adapted into films," explains Lucian Constantin of CSO.


According to several computer security companies, REvil is one of the most common ransomware threats. This group of cyber criminals has distinguished itself through extortion and data-disclosure blackmail.

The Sodinokibi hacker group, the software's main operator, officially began operations in 2019, appearing right after the shutdown of GandCrab, another ransomware operation. Early in REvil's activity, the program was identified as one of the GandCrab strains, and several links could indeed be drawn between the two. A group member also confirmed that the malware used was not a new design: REvil is said to have been built on existing malware that the group acquired.

"The developers behind RaaS operations rely on other cybercriminals, as 'affiliates', to distribute the ransomware for them. In fact, ransomware developers earn between 20% and 30% of the illegal revenue, with the rest going to the affiliates, who take the steps needed to access corporate networks and deploy the malware," explains Lucian Constantin. The more successful a ransomware operation, the more affiliates it is likely to attract; when the attacks stop working, the number of affiliates decreases and they move on to other groups. This is exactly what happened with GandCrab and, more recently, with the Maze group, whose members announced their retirement and whose affiliates moved to other ransomware groups, including Egregor, also known as Sekhmet.

According to IBM Security X-Force's incident response team, one in three ransomware attacks involves REvil/Sodinokibi. The team therefore called on organizations to be more proactive in the face of this persistent threat. "The ransomware strain that IBM Security X-Force saw most frequently in 2020 is Sodinokibi, a ransomware-as-a-service attack model that capitalized this year on mixed ransomware and extortion attacks," say the IBM Security X-Force researchers.

"This malware has been implicated in ransomware and data theft attacks and, in some cases, its operators have stolen and auctioned sensitive data on the Internet when they were unable to compel victims to pay. Sodinokibi also accounts for 29% of all IBM Security X-Force ransomware engagements in 2020, suggesting that Sodinokibi's actors are more adept at accessing victim networks than other strains of ransomware," they note.

According to the same researchers, by the end of April 2019 the group of cyber criminals behind REvil had reportedly hit a total of 140 organizations, spread across sectors of comparable importance. 60% of this group's victims are American companies. Nearly a third of the affected companies gave in and paid the ransom. The threat still persists, and the number of victims that go unreported may be just as large.
