Threat Watch

REvil RaaS Means Business

The REvil ransomware (Sodinokibi) operation has deposited 99 Bitcoins (approximately $1 million USD) on a Russian-speaking hacker forum to prove to its affiliates that they mean business. The ransomware group posted on a Russian cybercrime forum that they are now recruiting new affiliates to compromise networks and deploy their ransomware. Many ransomware operations are conducted using a profit-sharing model known as Ransomware-as-a-Service (RaaS), where developers are in charge of building the ransomware and payment sites, and affiliates are recruited to use the software to compromise businesses for ransom. The normal arrangement is that the developers receive a 20-30% cut and the affiliate receives 70-80% of the ransom payments they generate. The more favorable split of 80/20 is given to affiliates that generate more than $1 million USD per week in ransom payments. The affiliates are expected to continuously compromise new victims—if there is no new activity for ten days, their relationship will be ended. The REvil operators handle negotiations with the victims, but allow the affiliates to participate if they wish to. REvil is a private organization, which means that potential affiliates are vetted before they are allowed access to the software. The 99-bitcoin deposit illustrates that they can spend $1 million without hesitation which will entice new affiliates to enter into the application process.

ANALYST NOTES

As with any ransomware program, paying the ransom only emboldens new affiliates to expand their operations. It is much better to have security monitoring in place to quickly stop attacks in the early stages, and restore any encrypted files from backup copies. Organizations that fall victim to attacks should contact the appropriate law enforcement agency and their security teams for proper investigation. Everyone who does business online should follow the 3-2-1 rule of backing up their data. Store three copies of the data on two different systems with one of them being offsite. Proper backups are the primary method to recover from ransomware. The encrypted data can be deleted from the infected systems and data from the clean backups can be used to restore the data.

Source Article: https://www.bleepingcomputer.com/news/security/revil-ransomware-deposits-1-million-in-hacker-recruitment-drive/