Ransomware as a service (RaaS) is a business model for criminal organizations in which the developers of a ransomware strain rent or sell it to other criminals, called affiliates, in exchange for a percentage of the ransom payments the affiliates collect. The developers maintain the malware, the payment portal, and often the leak site; the affiliates break into victims and deploy it. RaaS enables highly damaging attacks to be conducted by cybercriminals who lack the skill or resources to build their own ransomware.
REvil, also known as "Sodinokibi," was a group of Russian-speaking or Russian-based cybercriminals that ran one of the most successful ransomware as a service (RaaS) operations of its time. The name is short for "Ransomware Evil," a nod to the Resident Evil media franchise. The group is believed to be an offshoot of the earlier GandCrab ransomware gang, whose operators announced their retirement shortly before REvil appeared in 2019. REvil ransomware was built to evade endpoint defenses and was used in several high-profile attacks on large enterprises, including the meat processing company JBS, the IT management software vendor Kaseya (whose VSA product was abused to push the ransomware to hundreds of the managed service providers and customers that depended on it), and Quanta Computer, a supplier to Apple. The Colonial Pipeline attack, often grouped with these, was carried out by DarkSide, a closely related RaaS operation rather than REvil itself. REvil was active from 2019 until January 2022, when Russian authorities announced that it had been dismantled. Despite its demise, the RaaS business model that REvil helped mature continues to pose a significant threat to governments and organizations around the world.
How did REvil ransomware work?
Like other ransomware operations, REvil affiliates infiltrated the IT systems of organizations using a variety of techniques: exploitation of vulnerabilities in internet-facing software (a zero-day in the Kaseya case, but more often known, unpatched flaws in VPN appliances and application servers), brute-forced or stolen credentials for exposed Remote Desktop Protocol (RDP) servers, and phishing emails that duped users into downloading malware. Once the REvil payload ran, it encrypted files on servers and endpoints, appending a per-victim random extension and dropping a ransom note in the affected folders, preventing users from accessing business-critical data until the ransom demand was met. The notes demanded payment in cryptocurrency (bitcoin, and later Monero) in exchange for the decryption keys. Unlike simpler encrypt-only ransomware, REvil practiced double extortion: it exfiltrated sensitive data before encrypting it and threatened to publish or auction the stolen data on its "Happy Blog" leak site unless the ransom was paid, so that even a victim with good backups still faced pressure to pay.
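The encrypt, rename, and drop-a-note behavior described above is also what defenders key on. The following Python script is an added example, not code from the original page or from Akamai: it runs a simple detection heuristic over constructed file-system event lines, flagging a burst of renames that append the same short random token to existing file names together with a note file named "<extension>-readme.txt", and adds a byte-entropy check for confirming that a renamed file's contents really look like ciphertext rather than a plain rename. The event format, the random-extension pattern, the allowlist of benign suffixes, and the thresholds are assumptions chosen for illustration.

```python
"""Heuristic detection of REvil-style mass file encryption.

Added example (not from the original page). The event format, the random-extension
pattern and the thresholds are assumptions chosen for illustration.
"""
import math
import ntpath
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): "<ISO time> <ACTION> <path>[ -> <new path>]".
# REvil/Sodinokibi renames each encrypted file by appending a per-victim random
# extension and drops a ransom note named "<extension>-readme.txt".
SAMPLE_EVENTS = """\
2021-07-02T14:00:00 CREATE C:\\Users\\alice\\Documents\\notes.txt
2021-07-02T14:00:01 RENAME C:\\Users\\alice\\Documents\\budget.xlsx -> C:\\Users\\alice\\Documents\\budget.xlsx.5ab7x9q
2021-07-02T14:00:01 RENAME C:\\Users\\alice\\Documents\\plan.docx -> C:\\Users\\alice\\Documents\\plan.docx.5ab7x9q
2021-07-02T14:00:02 RENAME C:\\Users\\alice\\Pictures\\team.jpg -> C:\\Users\\alice\\Pictures\\team.jpg.5ab7x9q
2021-07-02T14:00:02 RENAME C:\\Shares\\finance\\q2.pdf -> C:\\Shares\\finance\\q2.pdf.5ab7x9q
2021-07-02T14:00:03 RENAME C:\\Shares\\finance\\payroll.csv -> C:\\Shares\\finance\\payroll.csv.5ab7x9q
2021-07-02T14:00:03 CREATE C:\\Users\\alice\\Documents\\5ab7x9q-readme.txt
2021-07-02T14:05:00 RENAME C:\\Users\\bob\\draft.tmp -> C:\\Users\\bob\\draft.docx
"""

EVENT_RE = re.compile(r"^(\S+) (CREATE|RENAME|WRITE|DELETE) (.+?)(?: -> (.+))?$")
RANDOM_EXT_RE = re.compile(r"[a-z0-9]{4,12}")          # assumed shape of the appended token
NOTE_RE = re.compile(r"([a-z0-9]{4,12})-readme\.txt")  # "<extension>-readme.txt"
BENIGN_SUFFIXES = {"bak", "backup", "orig", "old", "tmp", "part", "gz", "zip"}  # assumed allowlist


def parse_events(text):
    """Turn raw lines into (timestamp, action, path, new_path) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            ts, action, path, new_path = m.groups()
            events.append((datetime.fromisoformat(ts), action, path, new_path))
    return events


def appended_extension(old_path, new_path):
    """Return the token appended to the original file name, or None for an ordinary rename."""
    old_name = ntpath.basename(old_path)
    new_name = ntpath.basename(new_path)
    if not new_name.startswith(old_name + "."):
        return None                       # e.g. draft.tmp -> draft.docx is a normal rename
    ext = new_name[len(old_name) + 1:].lower()
    if ext in BENIGN_SUFFIXES or not RANDOM_EXT_RE.fullmatch(ext):
        return None
    return ext


def detect_mass_encryption(events, window=timedelta(seconds=60), min_files=5):
    """Flag extensions seen in >= min_files appended-extension renames within `window`,
    or that have a matching ransom note. Returns one alert dict per suspicious extension."""
    rename_times = defaultdict(list)   # extension -> timestamps of renames to it
    note_exts = set()                  # extensions for which a "<ext>-readme.txt" was created
    for ts, action, path, new_path in events:
        if action == "RENAME" and new_path:
            ext = appended_extension(path, new_path)
            if ext:
                rename_times[ext].append(ts)
        elif action == "CREATE":
            m = NOTE_RE.fullmatch(ntpath.basename(path).lower())
            if m:
                note_exts.add(m.group(1))

    alerts = []
    for ext in sorted(set(rename_times) | note_exts):
        times = sorted(rename_times.get(ext, []))
        start, peak = 0, 0
        for end, t in enumerate(times):              # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        has_note = ext in note_exts
        if peak >= min_files or has_note:
            alerts.append({
                "extension": ext,
                "files_in_window": peak,
                "ransom_note": has_note,
                "severity": "high" if (peak >= min_files and has_note) else "medium",
            })
    return alerts


def shannon_entropy(data):
    """Bits per byte: ~8.0 for ciphertext or compressed data, well below that for documents."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(data, threshold=7.5):
    """Content check to confirm a renamed file is really ciphertext, not just renamed."""
    return shannon_entropy(data) >= threshold


if __name__ == "__main__":
    for alert in detect_mass_encryption(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Run on the constructed sample, the detector reports one high-severity alert for the extension 5ab7x9q (five files renamed within a few seconds plus a matching note) and ignores the ordinary draft.tmp to draft.docx rename. The entropy check is deliberately separate: the rename burst is cheap to evaluate on a stream of events, while reading file contents is expensive and should only be done to confirm a candidate. Already-compressed formats (zip, jpg, pdf streams) also have high entropy, so the content check is a confirmation signal, not a stand-alone detector.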
How did REvil operate as a service?
The cybercrime gang that created REvil relied on other cybercriminals called "affiliates" to gain access to victims and deploy the ransomware, while the core group maintained the malware, the payment and negotiation portal, and the leak site. The core group kept a cut of each ransom, typically 20% to 30%, with the affiliate keeping the rest.
How was REvil stopped?
Beginning in 2021, efforts by U.S. and European law enforcement, Russian authorities, and private cybersecurity firms damaged both the operations and the reputation of the REvil group.
- July 2021: Shortly after the Kaseya attack, REvil's websites and infrastructure disappeared from the internet; the cause was never confirmed, with speculation ranging from pressure by Russian authorities to a voluntary retreat. The FBI, which had obtained a decryption key during the Kaseya incident, helped some victims restore their files.
- September 2021: The Romanian cybersecurity firm Bitdefender, working with law enforcement, published a free universal decryptor for REvil/Sodinokibi victims encrypted before July 13, 2021. Around the same time, malware researchers revealed a backdoor in the REvil affiliate panel that let the core members decrypt victims' files and take over negotiations behind their affiliates' backs, cheating the affiliates out of payments and undermining their trust in REvil.
- October 2021: REvil's Tor servers were compromised and forced offline in what was later reported as a multi-country law enforcement operation; the group went dark again.
- November 2021: The U.S. Department of Justice unsealed indictments against a Ukrainian national, arrested in Poland, and a Russian national, charging them with REvil attacks on multiple victims including Kaseya, and announced the seizure of more than US$6 million in ransom proceeds. A Europol-coordinated operation arrested further REvil affiliates in Europe.
- January 2022: The Russian Federal Security Service (FSB) reported that, at the request of U.S. authorities, it had raided REvil members, seized funds and equipment, and charged 14 members, declaring the group dismantled.
Is REvil still a threat?
Whether or not former members of the REvil gang are still operating, the tooling and the RaaS model that REvil refined have already resurfaced in other ransomware operations and are likely to keep doing so. Rebranding after a takedown is common in this ecosystem, so defenders should treat the techniques, not the brand name, as the threat.
How can REvil ransomware attacks be prevented?
The same cybersecurity methods and controls used to prevent other types of cybercrime and ransomware attacks should be effective against REvil attacks as well.
- Manage security policy centrally. Managing policy from one location allows security teams to enforce controls such as blocking execution from user-writable folders (temp, downloads, and profile directories) and disabling Microsoft Office macros, or at least macros in files downloaded from the internet. These two controls cut off the common REvil delivery paths of phishing attachments and dropped loaders.
- Adopt a Zero Trust approach. By assuming that no person or system should be inherently trusted or granted access to IT assets, a Zero Trust approach limits the "blast radius" of a ransomware attack by preventing malware and threat actors from moving laterally to encrypt or compromise additional parts of the network.
- Segment the network and IT assets. Software-defined microsegmentation isolates individual assets and parts of the network to prevent attackers from moving laterally; in particular, restrict RDP and SMB so that workstations cannot reach each other or file servers directly.
- Implement antivirus and anti-malware solutions. These technologies monitor email and network traffic to filter out executable files and known malware, and modern endpoint detection and response (EDR) tools can spot and stop the mass file encryption itself before it does much damage.
- Conduct regular security awareness training. Human error often plays a critical role in ransomware attacks. Training should cover how to recognize ransomware and phishing emails as well as best practices for everyday security hygiene.
- Encrypt data. Encryption at rest limits what an attacker can read and expose after stealing files, but only if the keys are not available to the compromised account or host. Ransomware typically runs with the permissions of a logged-in user who can read the plaintext, so encryption complements access control and data loss prevention rather than replacing them.
- Deploy strong identity and access control. Limit who can access or modify data using least-privilege permissions, strong passwords, and multi-factor authentication, especially on RDP, VPN, and other remote access paths that REvil affiliates targeted.
- Perform frequent backups. Regularly backing up files and keeping copies offline or in immutable storage that a compromised domain account cannot modify makes it possible to recover quickly from a ransomware infection without paying a ransom or permanently losing files. Test restores regularly; a backup that has never been restored is an assumption, not a control.
- Update and patch hardware and software frequently. Setting a regular cadence for installing updates and patches, and prioritizing internet-facing systems such as VPN appliances, RDP gateways, and remote management tools, helps remediate the vulnerabilities that attackers use to gain access.
Frequently Asked Questions (FAQ)
Ransomware is a type of malicious software, or malware, that cybercriminals use to encrypt files and prevent individuals or organizations from using critical applications and systems. The attackers then demand a ransom for the decryption keys, and increasingly also threaten to publish data stolen before encryption. Variants like REvil, BlackCat ransomware, and WannaCry ransomware have been responsible for some of the most high-profile cyberattacks in history.
Cybercriminals use a variety of techniques to gain entry to an IT system and introduce ransomware. Social engineering attacks use phishing email or fake websites to dupe users into downloading infected files to their machines. Zero-day attacks exploit previously unknown vulnerabilities in applications and APIs. Attackers may also use stolen or compromised credentials to gain access to user accounts, or spread malware using botnets like the Meris botnet.
Security certifications enable businesses to prove to customers and regulators that they have adopted practices, programs, and technologies designed to meet a defined standard of cybersecurity. The ISO 27001 certification, for example, signals that a company operates a risk-based information security management system with processes for detecting and handling security threats. The Payment Card Industry Data Security Standard (PCI DSS) outlines requirements that companies must comply with as they accept, process, store, and transmit credit card information. The United States Department of Defense Impact Level 5, or IL5, authorization signals that a cloud service provider complies with a rigorous set of physical, logical, and cryptographic isolation controls required to store and process certain types of highly sensitive information.
Why customers choose Akamai
Akamai powers and protects life online. Leading companies worldwide choose Akamai to build, deliver, and secure their digital experiences — helping billions of people live, work, and play every day. Akamai Connected Cloud, a massively distributed edge and cloud platform, puts apps and experiences closer to users and keeps threats farther away.