Ransomware on its own is a powerful tool for hackers to extort money out of their victims. When there’s an organized team of hackers behind it, however, they can take it to the next level. That’s what the REvil ransomware was. Read on for more of the story.
“REvil” is the name of a “ransomware-as-a-service” operation in which a core group of hackers create and maintain a powerful piece of malware that they can distribute to other hackers – for a price. Lower criminals called “affiliates” can then use this malware to launch dangerous attacks.
In REvil’s case, the core team would demand a 40% cut for offering their versatile ransomware and support. However, researchers later discovered that the core team had left a backdoor in the ransomware that would allow them to chat with the victim and arrange a ransom payment while bypassing the affiliate attacker.
Some reports use the name REvil to refer to a criminal operation allegedly disrupted by the Russian FSB in early 2022. Indeed, many analysts believe that the group maintaining REvil is also Russian-speaking and Russia-based. However, it appears that the people arrested in Russia were probably affiliates. They may have been significant, as their disruption did have an impact on global attack frequency, but the attacks haven’t gone away entirely.
At its core, REvil works like most other ransomware. After getting onto the victim’s device, it encrypts their files with a key that only the hackers have. With the victim at their mercy, they can then demand a ransom for the victim to get their files back.
REvil, however, has caught analysts’ attention for two reasons:
Brazen attacks: REvil and its affiliates have been attacking high-profile targets and getting away with significant ransoms. Some of their most significant targets included:
Again, these aren’t all of the attacks, only some of the biggest or most visible ones.
It isn’t yet fully clear whether REvil attacks have subsided. However, a number of key members of the core group were arrested following several international law enforcement operations. The group’s operations have been declawed in other ways as well.
In addition to having an impact on REvil attacks specifically, researchers have observed cooling interest in other ransomware and hacker groups as well. A number of key members of other groups have left, presumably fearing the repercussions of international legal scrutiny.