
Ransomware attack: This is how the blackmail group "REvil" works

2021-07-05T23:55:30.139Z


It could be one of the biggest hacker attacks ever: A ransomware group has paralyzed hundreds of companies and is demanding a ransom of millions. What is known about the perpetrators.



Ransomware has become a nuisance because groups like "REvil" are taking the business model to extremes

Photo: urbazon / Getty Images

What do Lady Gaga and Donald Trump have in common?

Madonna and Bruce Springsteen?

They were all hit by a hacker attack in May 2020 as clients of the New York law firm Grubman Shire Meiselas & Sacks.

The group "REvil" demanded a ransom for allegedly explosive documents it had stolen from the law firm.

But nobody wanted to bid on it.

"REvil" was angry and announced: "This data is either bought by the stars themselves or by various media for their own blackmail or simply by nice people with good intentions.

We do not care.

The main thing is that we get the money." But they got nothing, not even when they published some documents.

The ransomware group had miscalculated.

Meanwhile, things are going better for them - and worse for their victims: among other things, "REvil" is behind the extortion attack on the meat producer JBS at the end of May, for which eleven million dollars in Bitcoin were paid as ransom.

And on Friday the group succeeded in hacking the IT service provider Kaseya - and with it its customers.

Their IT systems were encrypted with malware and thus made unusable.

"Our price is 70 million dollars"

Now "REvil" is demanding a $45,000 ransom for every system that has been paralyzed.

If the alleged perpetrators are right that a million computers are affected, that would come to a total of 45 billion dollars - and one of the largest ransomware attacks to date.

On their page on the Darknet, however, they make their victims an offer: "If someone wants to negotiate a universal key - our price is 70 million dollars." For this sum, the group would publish a master key with which all victims could access their data and networks again "in less than an hour".

In the meantime the group is apparently even prepared to give a further discount: the master key is now offered for $50 million.

No victims in Russia - why might that be?

"REvil", also known as Sodinokibi or Pinchy Spider, is one of the ransomware plagues that have caused millions in damage for years.

The FBI is currently pursuing around 100 such extortion groups; few are as active and professional as this one.

It appeared for the first time in April 2019 and is considered the successor to the group "GandCrab" because of the similar code of its malware.

The developers are suspected to be in Russia or another country in the Commonwealth of Independent States.

One of the clearest indications of this: when it starts, the malware checks whether the language settings of the infected computer match one of these countries.

If this is the case, the computer is not encrypted.

In the West this is interpreted as follows: criminals like "REvil" are left in peace by prosecutors in these countries as long as they do not attack their compatriots.

The Russian government could also use the criminals for special hacking attacks, says the New York Times journalist Nicole Perlroth.

Claims of responsibility on the Darknet

Like other groups of perpetrators, "REvil" operates an affiliate model: customers can rent the malware and adapt it to their needs, and the ransom is shared.

McAfee once determined that 30 to 40 percent remains with "REvil".

The malware is spread via botnets or spam emails.

It is therefore not always clear who is actually behind an attack using "REvil's" ransomware.

However, the group repeatedly publishes claims of responsibility on its own website on the Darknet. This site also serves as a leak platform, because like other ransomware groups, "REvil" relies on double extortion: before computers are rendered unusable, data is copied out of the victim's network, and its publication is threatened. Exposed trade secrets could increase the pressure on victims to pay the ransom.

However, the Kaseya case is an exception to this scheme. According to "BleepingComputer", the perpetrators' chats with victims show that this time no data was exfiltrated. Apparently the ransomware attack had to be quick: the underlying security vulnerability at Kaseya was already known, but a patch was not yet ready. "REvil" was simply faster, as good business people are.

Source: spiegel
