REvil Ransomware Evolution: New Tactics, Impressive Gains, and High-Profile Targets

April 06, 2021 · 4 min read

The REvil gang stands behind the avalanche of attacks targeting major companies across the US, Europe, Africa, and South America. In March 2021, ransomware operators claimed almost a dozen of intrusions that resulted in sensitive data compromise. The list of victims includes law firms, construction companies, international banks, and manufacturing vendors. As per news reports, Acer, Asteelflash, and Tata Steel are among those who recently suffered from REvil malicious activity.

What is REvil Ransomware?

REvil (aka Evil, Sodinokibi) is one of the most notorious and widespread ransomware strains on the cyber threat arena. After its emergence in April 2019, security researchers identified REvil as GandCrab’s successor, with lots of code strains shared between both malware samples.

Currently, REvil acts as a ransomware-as-a-service (RaaS) threat, relying on the broad network of affiliates for distribution. In turn, REvil developers earn 20-30% of the proceeds in case of a successful attack. Recently, ransomware maintainers joined the lucrative double-extortion trend in an attempt to increase possible gains. Now, cyber-criminals not only encrypt sensitive data but also steal confidential details. As a result, despite the ability to restore information from backups, victims are pushed to pay the ransom to prevent the data leak. Furthermore, to put on maximum pressure, REvil developers contact the media and victim’s business partners to notify them about the ongoing intrusion. 

Such extortion tactics result in numerous victims and an impressive amount of subsequent gains for REvil associates. Security researchers estimate that during 2020 the notorious REvil gang managed to earn more than $100 million during attacks against approximately 150 vendors. According to the IBM Security X-Force’s inquiry, 36% of REvil victims paid the ransom, and 12% of victims had their sensitive data sold in an auction on the dark web during 2019-2020.

Notably, for the next year, the ransomware maintainers claim an even more ambitious goal of $2 billion. On the way to their objectives, adversaries are looking for new affiliates to their malicious network. For example, the gang deposited $1 million on a Russian-speaking underground forum. 

Moreover, to strengthen REvil malicious capabilities, developers have recently added a new feature allowing the threat to run in a safe mode and reboot infected Windows devices following the intrusion. Such innovation allows REvil to evade detection by antivirus software and proceed with successful infections.

Latest REvil Victims

After it surfaced in 2019, the REvil gang attacked such leading firms as Travelex, Grubman Shire Meiselas & Sacks (GSMLaw), Brown-Forman, CyrusOne, Artech Information Systems, Albany International Airport, Kenneth Cole, and GEDIA Automotive Group. But the cyber-criminal gang has no intent to cut down their ambitions. The most recent news statements indicate that three more businesses have fallen victims of REvil activity. 

In the middle of March 2021, REvil maintainers attacked Acer, a major Taiwanese electronics and computer manufacturer. After the successful intrusion, cyber-criminals stole sensitive data and demanded a $50 million ransom for decryption and data leak prevention. 

Another loud incident blasted at the beginning of April 2021. This time REvil targeted French electronics producer Asteelflash, demanding a $24 million ransom. Although the company hasn’t officially disclosed the incident, security researchers managed to discover the Tor negotiation page for this attack.

Finally, the news reports from April 6, 2021, indicate that Indian steel group Tata Steel also became a victim of REvil, demanding a $4 million ransom for data restoration.

Detecting REvil Ransomware Attacks

To detect and prevent possible REvil attacks, you can download a set of fresh Sigma rules released by our active Threat Bounty developers. 

Malspam Campaign Drops IcedID and Leads to REvil Ransomware

REvil Ransomware Has a New ‘Windows Safe Mode’ Encryption Mode

AntiVirus/EDR Bypass via Safe Mode

Also, you can explore the full list of REvil detections available in Threat Detection Marketplace. Stay tuned to our blog not to miss the hottest updates.

Sign up to Threat Detection Marketplace and reach the industry-first SOC content library containing 100K+ detection algorithms and threat hunting queries for 23+ market-leading SIEM, EDR, and NTDR tools. Over 300 contributors enrich our global SOC content library each day to enable continuous detection of the most alarming cyber threats at the earliest stages of the attack lifecycle. Eager to craft your own #Sigma rules? Join our Threat Bounty Program for a safer future!

Go to Platform Join Threat Bounty

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts