The Rise of Ransomware-as-a-Service: a Darknet Diaries Synopsis

In a recent episode of Darknet Diaries, host Jack Rhysider is joined by a threat intelligence analyst named Will who has spent his entire career monitoring the activities of a prominent Russian hacker group known as REvil. The name REvil is a shortened version of Ransomware Evil, abbreviated as such in homage to the popular Resident Evil franchise.

The Beginnings of Ransomware-as-a-Service and the Origins of REvil

REvil first emerged around April of 2019 as a variant of a group called GrandCrab. GrandCrab was a ransomware group that would infect machines, encrypt their hard drives, and then demand ransom payments from the owners of the devices. Over time, as GrandCrab grew, they became a brand whose name referred to the software, the organization itself, and the people behind it. As a group, GrandCrab pioneered big game hunting in the world of cyberattacks, where malicious entities attack the biggest companies they can for the most amount of money possible. As their notoriety within the cybercriminal community grew, they developed a Ransomware-as-a-Service model that eventually gave rise to REvil.

Under this Ransomware-as-a-Service model, initial access brokers obtain access to networks and then sell that access to cybercriminals. In turn, these cybercriminals expand the access the brokers obtained with their initial foothold. They’ll continually extend their access until they have administrative privileges, at which point the malware is installed. Criminals purchase ransomware from these groups, who then handle the negotiations with the victims, and the ultimate ransom payout is divided between the Ransomware-as-a-Service provider and the cybercriminal who engaged their services.

The Downfall of GrandCrab and the Rise of REvil

GrandCrab eventually grew too large and many people who used their services got arrested. At first, they went to forums to recruit more people, but after a time they announced that they were retiring. In reality, the GrandCrab team had not retired, but taken the time to retool and re-emerged with new ransomware, better than anything else available at the time, known as REvil.

REvil did all the typical things any piece of ransomware does, such as changing permissions and deleting backups before demanding the ransom, but it was uniquely effective for a couple of reasons. First, it detects the language settings of any machine it’s installed on to determine what country it operates in; this allowed the Russian group to avoid targeting companies in countries on behalf of which their government might be motivated to intervene. The group also upped the ante on their extortion practices. Companies that refused to negotiate payments would have their sensitive data posted online. If they still didn’t cooperate, REvil would flood their website or service with traffic to make it unusable.

Their attacks escalated, repeatedly breaking records for the largest ransom payments ever demanded following a malware attack. Major entertainment law firms, local government agencies, and the food supply chain were all among the victims of REvil. Other cybercrime groups began to change course or pop up as competitors, mimicking the Ransomware-as-a-Service model.

The Demise of REvil

REvil’s exploits came to a head when they successfully attacked Kaseya, a major IT company whose clients were primarily managed service providers. By accessing Kaseya’s network, REvil was able to in turn access their clients’ networks and their clients’ clients’ networks. Kaseya called the FBI and, in the end, several members of REvil were indicted and then extradited to the US. Others were arrested in Russia and the group shut down. However, although REvil is no longer operational, they played a critical role in ransomware’s rise to prominence and the development of the Ransomware-as-a-Service industry within cybercriminal communities. 

Although companies no longer face risks from REvil, copycat actors continue to execute similar schemes. To learn how to protect your company against these kinds of attacks, schedule a free consultation with one of CyberTeam’s cybersecurity experts.