Lanworks has directly witnessed the damage done by a Russian ransomware organization called REvil (Sodinokibi), which has hit several Toronto companies (that we are aware of). Their tactics of course include cryptolocker-style file encryption, but over the last year they have also used extortion as an added incentive for ransom payment. A REvil representative who uses the alias “UNKN” (Unknown) on cybercriminal forums recently talked to a Russian tech blog, OSINT, providing some details of their activities and their profits. REvil has hit several Toronto companies, but their portfolio also consists of some global big-name companies, among them: Travelex, Grubman Shire Meiselas & Sacks (GSMLaw), Brown-Forman, SeaChange International, CyrusOne, Artech Information Systems, Albany International Airport, Kenneth Cole, and GEDIA Automotive Group. A conservative figure for the ransom paid to REvil last year is US$100 million.
Initially REvil would simply encrypt backups, servers and workstations, but the ransom payment success rate was not that favourable, as many businesses were able to restore their data and recover. The ransomware business changed last year when operators saw an opportunity in stealing data from breached networks and started to threaten victims with damaging leaks that could have a much worse impact on the company. This has proven far more successful as an incentive to pay a ransom; according to UNKN in the interview, 33% of businesses still pay the ransom despite having their servers fully restored.
Below are the first two companies on the top page of REvil’s Dark Web site, where they post proof of exfiltrated data from their victims. For reference, there are 10 victims per page, and 14 pages are kept online before entries fall off.
Also on REvil’s Dark Web site is an auction area where the public can bid on and purchase the stolen data. How brilliant, another source of revenue. One of the most public attacks was in May 2020 on the Grubman Shire Meiselas & Sacks law firm in New York, whose clients include Madonna, Lady Gaga, Drake, Bruce Springsteen and many others. Initially REvil asked for $21M for the whole package of data, but later they broke it down and auctioned the data by artist. Below you can see that Jessica Simpson, Gallant and Ella Mai are still up for auction.