Information security specialists of the Danish provider KPN applied sinkholing to REvil (Sodinokibi) cryptographic servers and studied the working methods of one of the largest ransomware threats today.
Recall that REvil works under the “ransomware as a service” (RaaS) scheme, which means malware is leased to various criminal groups.
“Because there are many groups, as well as because of the high customizability of REvil, it is extremely difficult to monitor all the operations of the encryptor and the numerous affiliate campaigns for its distribution”, – write KPN specialists.
KPN experts succeeded in synching and intercepting the messages that were exchanged infected by the ransomware computers and REvil management servers.
“We collected unique information about REvil operations, including the number of active infections, the number of infected computers per attack, and even found out a range of sums that hackers demand from their victims as a ransom”, – write researchers.
Analysts watched REvil for about five months and found more than 150,000 unique infections worldwide. All 150,000 infected machines were linked to only 148 REvil samples. Each of these samples represents a successful infection of a network of a company. Moreover, some attacks are huge, encrypting more than 3,000 unique systems. Researchers note that only a few of these attacks were discussed in the media, while many companies were silent about compromise.
According to KPN, in recent months REvil operators have requested ransoms totaling more than $38,000,000 and, on average, extort $260,000 from affected companies. In some cases, the ransom amount was $48,000, which is less than the average REvil level, but still higher than the usual $1,000-$2,000 that other extortionists demand from home users.
“If REvil manages to infect several workstations in the company’s network, the average ransom amount rises to $470,000, and in many cases, the demands of the attackers even exceeded $1,000,000”, — report KPN researchers.
It is not clear how many compromised companies agreed to pay a buyback to REvil operators, but the KPN study points to the fact that discussed above sums may be far from reality.
For example, according to Coverware, which helps victims recover from ransomware attacks and sometimes negotiates ransom on behalf of the victims, in the fourth quarter of 2019, the average ransom amount increased by 104% to $84,116, compared to $41,198 in the third quarter of 2019. Thus, REvil operators demand much more from their victims than other ransomware. Most likely, the fact is that REvil targets companies and large corporate networks, but not individual users.
Recall that according to a study, Emotet topped the rating of the most common threats in 2019. There is no good study on ransomware that appeared last year, though I think that in such a rating REvil (Sodinokibi) will take the leading place. Because some information security researchers believe that REvil is a reboot of the famous GandCrab ransomware, we can assume that we are dealing with one of the most dangerous ransomware of the decade.