2020-01-28

In today's busy ransomware landscape, the REvil (Sodinokibi) ransomware gang reigns supreme, overshadowing other similar ransomware operations.

Run as a Ransomware-as-a-Service (RaaS), the REvil gang rents its ransomware to other criminal groups.

These groups, known as REvil affiliates, are solely responsible for distributing the ransomware to victims through whatever channels they prefer, and then for asking the ransom they consider appropriate, based on how many computers on the corporate network they were able to infect.

Because of this multi-actor setup and the configurability of REvil, keeping an eye on all REvil RaaS activities and affiliate distribution campaigns has always been complicated, requiring an enormous effort in terms of both manpower and working hours.

Researchers sinkhole REvil RaaS backend

In a report published today that was shared with ZDNet, the security team at KPN, a Dutch telecommunications provider, said it was able to sinkhole and intercept the communication between REvil-infected computers and REvil's command and control (C&C) servers.

KPN researchers say they have gained unique insights into how the REvil RaaS works, such as the number of active infections, the number of infected computers per attack, and even the sum of money (ransom) the hackers demanded from victims in each recent incident.

After collecting all their data, the KPN team says that in the five months during which they followed REvil activity, they saw more than 150,000 unique infections worldwide.

These 150,000 infected computers traced back to only 148 samples of REvil ransomware strains. Since REvil strains are usually deployed on a case-by-case basis, each strain represents one successful corporate network infection.

"Some attacks are large-scale and encrypt more than 3,000 unique systems in one attack," the KPN team said. "Some of these attacks were discussed in the news, but many companies remained silent."

Image: KPN

But in addition to knowing how many companies and computers REvil operators have infected in recent months, KPN researchers say they could also determine how much money the hackers were trying to extort from their victims.

According to their findings, KPN was able to establish that REvil affiliates have issued ransom demands totaling more than $38 million in the last few months, with an average of $260,000 per infected company.

Of the 148 samples analyzed by the KPN team, 73 samples had encrypted data on only one computer, meaning that the REvil affiliates had not escalated from their initial access point and had not spread to the company's entire network.

In these single-infection cases, the average ransom demand was $48,000, smaller than the overall average of $260,000, but still much larger than the usual $1,000 or $2,000 that regular ransomware strains typically ask of home users.

However, a much higher average ransom demand was found in cases where the REvil affiliates succeeded in extending their access from the initial foothold to a company's entire internal network.

For these 75 REvil samples that appeared to have infected multiple workstations within a corporate network, the average ransom demand was $470,000 per company, with many incidents exceeding the $1 million mark.

Image: KPN

It is unclear how many of these ransom victims paid REvil, but the average ransom demands KPN extracted from the REvil samples are higher than the figures reported by other sources in the cybersecurity industry.

According to Coveware, a cybersecurity company that helps victims recover from ransomware attacks and sometimes negotiates payments on behalf of victims, the average ransom payment in the fourth quarter of 2019 increased 104% to $84,116, up from $41,198 in the third quarter of 2019.

If we compare the two numbers, $260,000 and $84,116, we see that the REvil gang is trying to extort payments from victims that are much larger than what most other ransomware gangs demand.

One of the reasons for this may be REvil's effective PR campaign on underground hacking forums, where the ransomware's creator has often advertised it as a first-class solution meant primarily and only for attacks against large corporate networks, rather than against home consumers via everyday spam campaigns.