126: REvil

1h 4m

REvil is the name of a ransomware service as well as a group of criminals inflicting ransomware onto the world. Hear how this ransomware shook the world.


A special thanks to our guest Will, a CTI researcher with Equinix.


Sponsors

Support for this show comes from Zscaler. Zscaler Zero Trust Exchange will scrutinize the traffic and permit or deny traffic based on a set of rules. This is so much more secure than letting data flow freely internally. And it really does mitigate ransomware outbreaks. The Zscaler Zero Trust Exchange gives YOU confidence in your security to feel empowered to focus on other parts of your business, like digital transformation, growth, and innovation. Check out the product at zscaler.com.


Support for this show comes from Arctic Wolf. Arctic Wolf is the industry leader in security operations solutions, delivering 24x7 monitoring, assessment, and response through our patented Concierge Security model. They work with your existing tools and become an extension of your existing IT team. Visit arcticwolf.com/darknet to learn more.


Transcript

Yeah, scams going on out there today are getting wild.

There was this one I read about.

Let me tell you about it.

Okay, so there's this guy named Gustavo.

He's from Brazil, but he was in the US just visiting.

He wanted to drive for a rideshare company like Uber, but he was just visiting, so he didn't have a U.S. driver's license.

Now, as you can imagine, a requirement to drive for Uber in the US is that you need a driver's license in the U.S.

Gustavo thought about it and decided to try to use someone else's driver's license to register to drive with Uber.

I'm not exactly sure how he borrowed someone's identity, but I imagine it's not all that hard to find someone's information online these days.

I mean, I've seen people post pics of their driver's license to social media.

So maybe he just took one of those and sent it to Uber to pass verification.

Anyway, however he forged the driver details, it worked.

He was approved to drive for a rideshare company and he had it set up so he'd get paid for the work he did.

It was great for him to earn money while staying in the U.S.

And the money was a whole nother scheme he was working on.

I don't really know how, but he had to move it around in such a way that it didn't look like he earned it through rideshares or something.

I don't know, but he was laundering the money.

Well, his girlfriend was also interested in all this and she wanted in.

But again, she was from Brazil and not a U.S. citizen.

So no driver's license either.

But not a problem for Gustavo.

He just repeated what he did for himself and set her up with a fake driver account too.

Then three more of his Brazilian friends wanted in, and before they knew it, this was a five-person team.

Then someone on the team was like, hey,

I found a spot online that people are willing to buy Uber driver accounts.

Because apparently there are quite a few people who want to drive for Uber, but can't for some reason.

Either they don't have a license or insurance or something makes them ineligible.

So they might be interested in buying someone else's account so they can make some extra cash or even rent one out from someone.

So these five Brazilians started posting rideshare driver accounts up for sale on these forums and they were actually selling, making money from just selling driver accounts made from stolen identities.

But then the pandemic hit and rideshare usage went way down, but that wasn't a problem.

This team just shifted focus and worked on food delivery apps like Grubhub.

They started making all kinds of driver accounts for this now using stolen identities again.

And sometimes there's this wait list to get verified and stuff, but eventually they would get verified and then sell or rent out those accounts.

Gustavo and his four other friends made over 100 phony driver accounts on these apps and sold them on forums.

I don't know how much these things go for or how much he made, but somehow the authorities got wind of this and investigated and ended up arresting all five of them.

Stolen identities and money laundering were their main charges they faced and I think all of them got two years in prison for this wild scam.

These are true stories from the dark side of the internet.

I'm Jack Rhysider.

This is Darknet Diaries.

This episode is sponsored by my friends at Black Hills Information Security.

Black Hills has earned the trust of the cybersecurity industry since John Strand founded it in 2008.

Through their Antisyphon training program, they teach you how to think like an attacker.

From SOC analyst skills to how to defend your network with traps and deception, it's hands-on, practical training built for defenders who want to level up.

Black Hills loves to share their knowledge through webcasts, blogs, zines, comics, and training courses all designed by hackers.

For hackers.

But do you need someone to do a penetration test to see where your defenses stand?

Or are you looking for 24-7 monitoring from their active SOC team?

Or maybe you're ready for continuous pen testing where testing never stops and your systems stay battle ready all the time.

Well, they can help you with all of that.

They've even made a card game.

It's called Backdoors and Breaches.

The idea is simple.

It teaches people cybersecurity while they play.

Companies use it to stress test their defenses.

Teachers use it in the classroom to train the next generation.

And if you're curious, there's a free version online that you can try right now.

And this fall, they're launching a brand new competitive edition of Backdoors and Breaches, where you and your friends can go head to head hacking and defending just like the real thing.

Check it all out at blackhillsinfosec.com/darknet.

That's blackhillsinfosec.com/darknet.

This show is sponsored by DeleteMe.

DeleteMe makes it easy, quick, and safe to remove your personal data online at a time when surveillance and data breaches are common enough to make everyone vulnerable.

DeleteMe knows your privacy is worth protecting.

Sign up and provide DeleteMe with exactly what information you want deleted, and their experts will take it from there.

DeleteMe is always working for you, constantly monitoring and removing the personal information you don't want on the internet.

They're even on the lookout for new data leaks that might re-release info about you.

Privacy is a super important topic for me.

So a year ago, I signed up.

DeleteMe immediately got busy scouring the internet looking for my name and gave me reports of what they found.

Then they got busy deleting things.

It was great to have someone on my team when it comes to protecting my privacy.

Take control of your data and keep your private life private by signing up for DeleteMe.

Now at a special discount for my listeners, get 20% off your DeleteMe plan when you go to joindeleteme.com slash darknet diaries and use promo code dd20 at checkout.

The only way to get 20% off is to go to joindeleteme.com slash darknet diaries and enter code dd20 at checkout.

That's joindeleteme.com slash darknet diaries, code dd20.

So why don't we start out with what you, what's your name and what do you do?

My name is Will.

I work for the Equinix Threat Analysis Center.

I'm a threat intelligence analyst.

I wanted to talk with Will because as a threat intelligence analyst, he's been studying a certain kind of malware called REvil, and I want to hear all about it.

So REvil

first sort of appeared in,

I think it was about April 2019.

And I got my first job in summer of 2019.

I just graduated university and I got my job in summer of 2019.

So I've been tracking them ever since I began my career, basically.

Okay, so you might be wondering, what is REvil?

Well, to answer that, let's back up a bit and look at what came just before it.

So REvil first came out of another variant called GandCrab.

And the sort of GandCrab is, it was basically the group that pioneered what we call big game hunting.

So GandCrab is the name of some malware.

And specifically, it infects machines and encrypts the whole hard drive and then says, pay us some money and we'll give you the key to unlock this machine.

GandCrab is ransomware.

And a particularly effective one, too.

And I think this GandCrab ransomware was developed and deployed by a group of criminals who kept it close to their chest.

It wasn't passed around for just anyone to use.

At least, not the whole thing.

One piece of it did just the encryption for the machines.

And then there were servers that were set up for handling incoming payments and to chat with victims and to generate decryption keys.

And it kept updating over time, adding new features, and it became its own brand.

And like any brand, the name of it started to refer to the people behind it too.

Like when I say Google, do you think of the search engine or the company or the people at the company?

Google refers to all these things.

So GandCrab was both the name of the ransomware and the group who were running it.

And Will says it was this group that pioneered big game hunting.

So big game hunting is sort of a type of ransomware attack.

So it's imagine

you have like the savannah and you've got all the companies on the landscape.

And instead of going for just small companies and going for the small game, just trying to get like, you know, five or ten thousand dollars, they want to go for the biggest company they can and unlock all their systems and try and steal millions from them, try and extort them for back for their files that are locked for as much money as they can.

Mm-hmm.

I get it.

So if I got hit with ransomware, or you got hit with ransomware on our home computer, and that hard drive was encrypted and locked, whoever did it might only charge us a few hundred dollars to unlock it because it's just like one person.

And this could scale up if you infect like thousands of people's home computers at once.

And that does add up for criminals.

But it sounds like this GandCrab group wasn't trying to hit regular people like you or me.

They were focused on infecting big companies, or companies that had a lot of money at least, because those companies might just pay a million bucks to get their machine unlocked.

But there's a bit of a problem with this whole plan.

Security, infosec teams everywhere know about ransomware, and they put methods in place to stop their company from getting hit with it.

So even though GandCrab was great at encrypting machines, it still needed that initial access into the network.

So how does a criminal get access into a big company's network?

Well, they buy their way in.

So there's kind of a whole ecosystem of

that ransomware works with called initial access brokers.

And there's entire underground markets that you can buy access into certain companies.

Yeah, I actually know about this.

I've seen underground forums where people are selling access into companies.

In fact, I interviewed a guy who did sell a login to his ex-employer's network.

That's episode 108 called Mark.

He was a disgruntled ex-employee, but there are also people who are out there just playing around trying to find a way into a company.

Maybe they're just curious or like the challenge, but they poke and prod until they find a way in.

But they have no idea what to do once they get in.

So that's where they see others are selling access into networks on forums and decide to just sell their access.

It's a weird and strange market.

So this is how the GandCrab group would infect companies.

They buy access into a company, then put ransomware on all those systems and ask for a huge payment to unlock all those systems.

But how much do you demand?

And what companies should you hit?

Well, to figure that out, GandCrab did some OSINT.

I mean, there's things like, there's a website called ZoomInfo, I think.

Like I've seen them on the underground forums, literally mentioning, linking to the websites.

Here's how much they have in daily, in yearly profit and turnover.

Oh man, what a mess.

Huh?

Like publicly traded companies have to disclose their profits to shareholders so they can see what's going on.

But of course criminals are taking a look at that too.

And they're like, oh, this company had a stellar year.

That's a nice, juicy target.

Anyway, so this is what GandCrab focused on.

Companies with lots of money that they could get into.

They'd get in, encrypt the systems, and demand ransom to unlock everything.

And guess what?

Companies were paying this ransom hand over fist.

Yeah, if you can believe these criminals, they claim they earned $2 billion,

roughly $2.5 million a week.

I, for one, don't believe that number at all.

I mean, they posted these numbers themselves.

I think they just posted big numbers to look like they were doing great.

I'm guessing it's more like $2 million that they made, not $2 billion.

But that's still amazing profits, though.

Now, GandCrab wasn't just ransomware, but it evolved into ransomware as a service.

If you wanted, you could pay to use this ransomware to infect a company, but you'd have to first get access into that company in order to deploy GandCrab into it and infect it.

But then the GandCrab team would handle it all from there, working with victims to collect money and supply a decryption key.

Then you'd get paid if the victim paid up.

And some of these people who used GandCrab as a service got arrested in different places in the world because, as you can imagine, extorting people and companies is illegal.

But as GandCrab grew, they needed to recruit more people to their team.

On the forums that they,

you know, recruited

where they got customers from, they all speak Russian.

These are all Russian-speaking threat actors.

And I mean, there's a number of countries that speak Russian, but there's only so many countries that allow cyber criminals to operate with almost impunity, except a very small

marginal amount.

And that's Russia.

Okay.

So, yeah, there's not much you can do to stop cyber criminals operating out of Russia.

The U.S. has no jurisdiction or a way to work with Russia to arrest these people, and Russia doesn't seem to care too much if it's not attacking Russian companies.

So it seemed like GandCrab was living large.

It had all the people, malware, victims, and customers all set up, and the cash flow was pouring in, and no trouble from the police.

But then it all suddenly stopped.

GandCrab posted on a forum saying they're retiring.

And you know what?

I get it.

It makes sense.

They earned $2 billion.

I'd retire too.

But they didn't retire.

They spent time retooling, innovating, and improving their ransomware as a service business.

They created a new ransomware malware.

This time, they called it REvil.

And victims started seeing what this could do firsthand.

So REvil first appeared in April 2019, and it sort of began with,

you know, the first what, zero to two months, you know, it did the things that most ransomware does, which deletes backups, changes the wallpaper.

They actually do a language check.

So before ransomware is executed, it will check the language that your computer is set to.

And if it's set to

a list of countries that are members of the what you call the Commonwealth of Independent States, the CIS.

So if it's a member of the CIS, then the ransomware will not execute and

it will just exit.

So whoever is behind REvil doesn't want to target countries that are basically ex-Soviet Union.

So REvil came on the scene, which again is the name of both the ransomware and the group operating it.

I call them REvil because

I'm pretty sure that's what they call themselves.

It's based on Resident Evil.

They call themselves Ransomware Evil, short for REvil.

I mean, GandCrab, there was about five versions of it.

So

it was sort of like an experiment until they came out with REvil, which was basically the crown prince of ransomware.

Like it, it was so perfectly developed for what it was designed to do.

It just sort of

their entire work had sort of this was like their magnum opus of ransomware.

But here's the thing.

The group behind REvil saw how much money GandCrab made as a service, that they realized that's what they should focus on.

Offering ransomware as a service was more profitable than putting ransomware on systems themselves.

The idea here is that other criminals in the world would get access into the networks, and then they could use REvil to infect that network with ransomware.

And then REvil does the rest, collecting payments, decrypting systems, helping victims get themselves sorted.

And then they'd split the ransom with whoever deployed it on that company.

So criminals all over were using REvil to infect systems with ransomware.

And they called their customers affiliates.

It would all start with the affiliate wanting to launch an attack.

They can either do it by going to REvil first and becoming an affiliate and have a plan to use their malware, or you know, the affiliate can launch an attack and then

go and basically buy access to one of

these RaaS platforms and then deploy it.

So

it's at different stages of when REvil would be introduced.

It would start with the OSINT, it would start with picking a target, it would start with going to the underground forums, looking for a way in

because you can buy RDP credentials, you can buy cookies, you can buy just email account credentials, and then start from there.

Or you can do that sort of initial exploitation yourself.

One of the most common ways that REvil used to arrive inside the network was via

exploiting a vulnerability in a public-facing server.

So

once the vulnerability had been exploited, they would deploy like a web shell

or launch some PowerShell codes on the server, establish that initial foothold, and then do some reconnaissance inside the network and then spread around as best they can and as well as escalate privileges.

And then once they are

spread around enough and they've escalated their privileges to sort of the main administrator level, then they will introduce the ransomware.

And one of the most like the common way they deploy it is via scheduling a task on all the computers in the network via using the domain administrator credentials.

So then everything is rebooted, and you have about, you know, you could have thousands of machines at any one time.

I believe, I think it was one of a telecom company in South America had 15,000 workstations locked up

overnight.

And each one had

like a blue background saying you have been attacked by REvil, open the note for instructions on how to pay the ransom.

Early on, when REvil was first coming up, Will got to see the impact of them firsthand.

He was traveling out of London and had to go through the Heathrow airport to fly somewhere.

In Heathrow, you have these currency exchanges run by a company called Travelex, and when I went into the currency exchange, I saw everything was, you know, extremely hectic.

People were like shouting, it was like an extremely long queue.

And I was like, what the hell's going on?

And then I realized, I was like, oh, I remember reading your report not too long ago that Travelex had been hit by REvil ransomware.

And

I took a pic, I basically took a picture on my phone because I could see all the employees were using pens and paper and clipboards and things because none of the computers worked.

Everything was down for weeks.

This is about three weeks after the attack had happened.

And Travelex reportedly paid a $2.3 million ransom, I believe.

Whoa, what a payday.

I mean, you can put ransomware on a lot of systems, but if nobody ever pays to get their stuff unlocked, then it's all for nothing.

But when someone pays $2.3 million to have their computers unlocked, then that's the fuel that makes the REvil ransomware crew keep going.

Some people think this whole ransomware thing can just all go away if we all agree to never pay the ransom ever again.

But the truth is, companies are still paying in a big way, which incentivizes ransomware crews to keep at it.

And there's no guarantee these companies won't get reinfected the next day and have to pay it all again.

Clearly, the best idea if you get infected is to have good backups that you can restore rapidly.

But REvil knew this, so they purposely looked for how systems got backed up, and then they went and wiped those backup servers first.

This is probably why it was so effective.

If the company had their backups wiped out and no path of rebuilding, it's a lot cheaper to pay a few million dollars to get things back up and running.

I mean, three weeks of being down could cost the company over $2 million in losses anyway.

Surely, it's a tough spot for any company to be in.

After a while, researchers started to notice a guy named Unknown who kept making posts on the forum claiming to be part of REvil.

So he used to post to two Russian-speaking

underground forums.

One of them is called Exploit and another one is called XSS.

So, you know, kind of typical names for hacker forums, but these two forums have been going for like about 15 years and

they're basically the two most popular hacking forums for Russian, like hardened Russian cyber criminals.

He was, you know, basically saying, boasting how

REvil is the best ransomware.

You know,

it was competing with several other strains at the time, including Maze and Ragnar Locker, I think, as well.

And he basically became the frontman of the whole operation.

Everyone, it was like

His alias was basically synonymous with REvil, and he actually went on to do interviews with several people online.

And, you know, they'd interview him, say, you know, how did you decide to get into the business of ransomware, or how much money have you made doing ransomware, those sort of questions.

And

yeah, it sort of, it just makes it sound like it's a huge, it's basically a big organization of cyber criminals.

Like I would probably say, you know, there's anywhere between 10 and 20 individuals actually connected to the running of the REvil core business, the core ransomware as a service business.

Another thing this Unknown guy was saying was how REvil was doing more to extort people than just demanding ransom.

They would then step it up a notch by stealing data and then leaking it to a Tor website.

And because it's on Tor, you can't get it taken down.

It's like a wall of shame, that's what they call it.

It's there forever.

And then,

you know, a few months later, they'd add another level of extortion.

So that's what they used to call double extortion, with encrypting your files and then leaking your data.

They had a third level.

They would now begin to DDoS you or your partners.

And they would DDoS your websites until you actually began negotiations with them.

Whoa, wait, what?

They're DDoSing you too?

This is where they flood your website or service with so much traffic that your website is just completely unusable.

I mean, it's a low blow to hit you while you're down.

If you still haven't entered the chat with them, because in the ransom notes, they have a link to the chat.

If you haven't entered the chat with them to negotiate like paying the ransom or anything like that, they basically believe, oh, you're you're able to recover.

Like, no, no business, like, if you're a big company, like an international company, then

you will

basically have backups, you'll be able to restore files, you'll be able to basically carry on after a few weeks of recovery and rebuild the network or whatever.

So, REvil don't like that when companies can recover on their own.

So, they will DDoS your website.

And if you have, say, if you're, you have like a, you're like a retail company, you have customers coming to your website

every hour is money.

So if they're DDoSing you, taking it down,

they're still costing you more and more money.

Okay, up until this point, I've been referring to REvil as a ransomware group.

But at this point, this is mean.

This is more like street gang behavior, going around hurting people and robbing them without any remorse.

So I'm going to now start referring to them as the REvil cyber gang because these guys are ruthless.

Here, let me play something for you.

This is a voicemail that a ransomware gang member left on an employee's phone, a victim's phone.

It's not from the REvil cyber gang, it's a different one called SunCrypt.

But I think it's worth playing here just to give you an idea how cold-blooded these guys can be.

This message is to authorized IT specialists or to company management representatives.

We are SunCrypt Group.

We hacked your company yesterday, and now we have around 80GB of your company data encrypted on your servers as well as downloaded to our servers.

Those are employees' personal information, partners' data, financial and accounting data of your company and much more.

You need to start negotiations with us about decrypting your IT servers and bringing your company's data back.

Negotiate with us and you will get the decryptor together with all your data back within one day.

And no one in the world will know about this leak.

But in case of your refusal to cooperate, we will run a great damage to your business.

You will lose 10 times more in courts due to violation of the laws on GDPR and your partner's data leak.

We will inform your employees, partners, government about this leak.

Your data will be published on public blogs and told to competitors.

We will inform media about the successful cyber attack to your company.

And backdoor access to your company data will be sold to other hacker groups.

And this will be the last day of your business.

We don't want to do that for sure.

And we will not do that.

if we will negotiate successfully.

So we are waiting for you in that chat.

Think about your future and your families.

Thank you.

Bye.

Think about your future and your families?

That's so ominous.

I mean, what would you do with a threat like that?

Now, sometimes the REvil cyber gang would just go infect targets themselves.

And if they did, they'd get to keep 100% of the ransom they make from that.

But in most cases, they worked with their customers or affiliates to infect the targets for them.

So it is known that

they basically split the ransom with the affiliate.

They'd say, if you hit a company and you're able to get them to basically agree to pay a $10 million ransom,

we'll keep $60 million.

You'll get 40 million.

It's like this, like a 60-40 or a 70-30 split because they're, at the end of the day, REvil.

The RaaS, the ransomware as a service, would provide not only the malware, but also the decryption functionality, which

is one of the best, most complex decryption systems of any of the ransomware families at the moment, even.

And then they add all the infrastructure for darknet chats,

darknet leak sites, money laundering.

They provide like a lot of the back end.

So

it's a worthwhile split for both parties.

And so it was on the affiliate to figure out a way into the networks to deploy REvil as a service.

So I believe the affiliates are choosing the targets.

They're basically getting into these companies, doing the, they basically do the legwork, as I'd like to describe it.

Like someone is, it's

a whole ecosystem.

You have someone who gets an initial foothold in the network.

They're called the initial access broker.

They will sell that, however small it is or big it is, they'll sell that to someone else, the

REvil affiliate.

The REvil affiliate will spread around the network and escalate privileges and steal data.

And then they will deploy REvil.

It's just nasty, like all of it.

For REvil to make it a turnkey solution so it's easy for anyone to commit crimes with.

And then people are just buying their way into these companies, sometimes through disgruntled ex-employees.

And then REvil comes in and destroys backups and encrypts everything, and then DDoSes you, and then taunts the victim until they pay.

It's awful.

But we're just getting started.

You gotta hear what they do next, and what happens at the end of all this.

We're gonna take a short break here, but stay with us.

This episode is sponsored by Shopify.

Starting a new solo project is really overwhelming.

When I started this podcast, I suddenly had to worry about writing, editing, researching, interviewing, and so much more, all alone.

And when you're starting something new, finding the right tool that not only helps you out, but simplifies everything can be a game changer.

For millions of businesses, that tool is Shopify.

Shopify is the commerce platform behind millions of businesses around the world and 10% of all e-commerce in the U.S.

From household names like Mattel and Gymshark to my own t-shirt shop, which is shop.darknetdiaries.com.

And I love Shopify because of how easy it makes getting my business online.

And once it's there, Shopify has built-in tools to help me create, execute, and analyze my online marketing campaigns.

So get started with your own design studio.

With hundreds of ready-to-use templates, Shopify helps you build a beautiful online store to match your brand's style.

If you're ready to sell, you're ready for Shopify.

Turn your big business idea into

with Shopify on your side.

Sign up for your $1 a month trial and start selling today at shopify.com slash darknet.

Go to shopify.com slash darknet, Shopify.com/slash darknet.

REvil continued to infect companies and make millions of dollars from these ransoms.

I believe there are lots of companies that we'll never know about that got hit with this, but there are some companies we do know that got hit with this because it made the news.

One of them was in 2019, and the victim was the Texas government.

Yeah, so the Texas government one was interesting because it sort of started a trend that REvil liked to,

it ended up being deployed at what you call a managed service provider,

which is an IT company that handles the IT of other organizations.

So the Texas government, you know, they actually paid a single company to just manage the IT of all their institutions.

So each institution doesn't have to have an IT department then.

It's just one company that does it all for them.

So one of the REvil affiliates managed to get into

the Texas government and deploy, I think it was 22 different governments ended up being, like entities ended up being attacked in this one instance.

And this one made the CBS news.

In Privacy Watch now, government computers in 22 Texas towns are being held hostage by ransomware.

The state's Department of Information Resources said that the coordinated attack happened on August 16th, and many of the local governments still have not been able to get back online.

See, when so many government facilities have a computer outage all at the same time, it makes the news because it's a noisy problem.

It's not something you can easily cover up quietly or make it go away quickly.

And of course, REvil was saying, hey, all these problems can go away if you pay us $2.3 million.

But the Texas government did not enter the chat and did not pay a single cent.

They recovered all on their own somehow.

In May 2020, a company called GSM Law was the victim to this cyber gang.

Here's CNBC News.

An entertainment law firm run by Alan Grubman confirming its computer systems were hacked.

The hackers say they have sensitive information about several big star clients, and those hackers want $42 million in ransom.

Whoa, $42 million?

That's the largest ransom payment ever demanded at the time.

They must have stumbled upon something spicy in that network.

So some of GSM Law's clients include Madonna,

Elton John, Lady Gaga,

and probably most famously Donald Trump, because it's a big New York law firm.

So Donald Trump, you know, he's lived in New York his whole life.

So REvil managed to get into GSM Law and steal, allegedly steal, you know, hundreds of gigabytes of data from them.

756 gigabytes, they claimed.

And they threatened to basically disclose Donald Trump's solicitor's information, like from his lawsuit.

Everyone knows Donald Trump has thousands of lawsuits on the go.

So, you know, REvil was basically able to go through them all.

Huh, that's interesting.

REvil is presumed to be operating out of Russia.

I wonder if they had to stop for a moment and think about what to do with Trump's legal documents.

It became a whole thing.

Everyone was, you know, everyone was saying, oh, this is, you know, this is like cyber terrorism or whatever.

This is...

How can Russia allow this to happen?

This is, you know, meddling with the presidency or whatever.

Because he was still president at the time.

And yeah, basically, REvil said they had to come out and make a statement like, we are apolitical, we're just, you know, financially motivated criminals. We don't want to, you know, cause any problems.

They actually seemed to... I mean, it's kind of a weird thing to say, but they actually seemed to like Donald Trump, I think, because they thought of themselves as these, you know, ultra-rich, super-smart, cyber-criminal masterminds.

And they sort of admired Donald Trump because he was really rich as well.

Research into this is a little murky.

REvil had released a little bit of what they stole to prove they had something from one of GSM Law's clients.

And then they said, the next person we're going to dump records on will be Trump.

One news agency looked into this and said, Trump isn't even a client of GSM Law.

So we think Trump probably wasn't a client and just mentioned in some lawsuit.

But you might wonder, what happened next with GSM Law?

Did they pay the ransom or what?

Well, we don't know.

Nothing happened.

We never saw REvil release any data on Trump or dump a bunch of legal documents.

So that makes me think that either they never had the data, which they did lie sometimes, or GSM Law negotiated the ransom.

I'm not exactly sure what happened with that.

Now, ransomware at this point was looking like a very lucrative way for criminals to make money.

I mean, if you think about it, suppose you hack into a company and you were a criminal and you wanted to profit off this access.

What are your options?

Okay, well, you could sell your access that you have, but I can't imagine this making very much money, maybe a thousand bucks.

You could try to install some crypto miners on there, but that's such a slow process to make money from.

You could try to look around for some database to steal and then maybe sell that database to someone, but that's a tough market to be involved with.

You could do a business email compromise attack and try to figure out what's going on in the finance department and see if you can get them to send you some money.

Or you could look around to see if there's anything valuable in the company to steal, like money, right?

In fact, there was another group at the time called Fin7, which focused on hacking into banks and stealing credit cards.

Well, you would think that that's a very good way to make money illicitly, and it is.

But Fin7 was seeing how much easier it is to just put ransomware on a computer and just leave it at that.

Because there's a lot of work to dealing with thousands of credit cards or trying to launder money and make it clean.

But it's so much easier to just wait for a single ransomware payment in Bitcoin and then move on.

And since Fin7 was already pretty good at breaking into networks, this really turned them onto a whole new revenue stream.

Yeah, so DarkSide was Fin7's first ransomware project.

They had tried out REvil a few times.

Their infrastructure had been connected to REvil attacks via pivoting on IP addresses and things from known attacks.

And Fin7 basically realized, okay, every time we launch an attack using REvil, we have to give them a cut.

Isn't it just easier if we develop our own ransomware and then launch our own attacks?

And then we don't have to give a cut to anyone.

We can keep it all for ourselves.

And then, so after a time, they realized: okay, you actually make even more money if you begin ransomware as a service, because then you just rent out the ransomware to multiple groups and begin making money your own way.

Wow, so at that point, Fin7 had totally quit robbing banks and turned into a ransomware as a service business because of how profitable they saw REvil was.

Ransomware is the most valuable way to make money when you're inside any network, anywhere in the world.

Fin7 was one of the most profitable criminal groups out there.

So it's just crazy to hear how they switched from robbing banks to ransomware.

But at this point, they became competitors.

And I'm not going to go into any more details about Fin7 or DarkSide in this episode, but rest assured, that's a really interesting story all by itself.

And I'll have to cover that in an episode someday.

Now, when REvil gets a ransomware payment, they typically receive it in Bitcoin.

And then they're actually pretty good at laundering that money by typically converting it into Monero, which is much more secure and, I think, untraceable.

And then they'd be able to cash it out without it leading back to whoever is behind REvil.

But I have to imagine how insane of a chat it must be when a company does want to pay a million-dollar ransom in Bitcoin.

These ransomware negotiation chat rooms must be the wildest thing ever.

I've heard from ransomware negotiators and incident response people that these ransomware teams have much better customer service than most companies do.

They'll guide you like step by step the whole way on how to pay a ransom, how to get the cryptocurrency, how to store it, how to send it to them, you know, all the checks, all the balances.

I mean, can you imagine being the IT admin and all your computers are encrypted and your management has given you the go-ahead to pay the ransom?

So you get on Tor and enter the ransomware negotiation chat room.

And you might say, like, okay, look, we're willing to pay, but we don't have any Bitcoin.

Can we just wire you the money?

And REvil ransomware negotiators are like, lol.

No, that's traceable.

You need to send us Bitcoin.

Go to an exchange and buy some.

And here's the problem.

You can't just show up to Coinbase or Gemini or Binance or whatever and be like, yeah, I'd like to buy $2 million in Bitcoin, please.

No, they have daily limits set up.

You can only buy a few thousand dollars worth at a time.

So you call up customer support at an exchange and you tell them, listen, I want to buy $2 million worth of Bitcoin.

And the exchange might be like, whoa, that's a lot of money.

What's that for?

And you're like, oh, it's to pay a ransom?

That's a red flag for the exchange.

I think by law, exchanges can't sell you Bitcoin if they know you're going to use it to pay a ransom with.

So it becomes a huge ordeal just to secure that much Bitcoin.

You have to remember that when millions of dollars are involved here, like, if a company says, okay, yeah, we plan to pay, you know, five billion dollars in a ransom, they will hire experts to help them with it. So there are ransomware negotiation firms now whose whole job is to help companies, you know, get through when they've been hit by a ransomware attack. So these negotiators know all the ways to pay a ransom, basically. They even keep track of all the wallets, they keep track of all the, you know, the contact details of each ransomware group.

So they know, you know, sometimes if these negotiators respond to multiple incidents, they'll be able to recognize the person on the other end of the ransomware negotiation portal.

What?

There's a whole industry out there helping people negotiate and pay ransom?

This is madness.

I mean, think about it.

Imagine if you're in the chat with REvil and you're like, oh, how do I do this?

And they're like, okay, well, you could just call this company and they'll help you walk through it. It's just so zany to think about this. Like, I wonder, do these ransomware negotiators offer any sort of, like, referral program? So if REvil refers them and they hop on the chat and, like, oh, hey, Dimitri, how's it going? Thanks for referring me. I'll make sure to get you that referral bonus.

Or, like, take it a step further. Imagine REvil refers you to a quote-unquote expert service who's just another criminal, and you give them two million dollars to buy Bitcoin and they just take off with the money.

Well, there are legitimate companies, but as you say, this could easily be taken advantage of, and has been, by companies like that that really do some really shady stuff. Like, say, if a company gets hit by ransomware, sometimes they'll come in, the company will come in, like the response company will come in and say, yeah, yeah, we can deal with it all for you.

How much did the ransomware gang tell you it was going to cost?

Oh, $4 million.

Well, actually, it's going to cost $5 million.

And then they'll pay the ransom, decrypt the files, clean the network, and then be like, yep, here's your check. Here's your bill, $5 million.

But you just... you just use the decryption key.

If you turned on NBC News on June 1st, 2021, you would have seen this.

It's another attack on critical infrastructure, this time the food supply.

The world's biggest meat producer, JBS, forced to curtail operations after a ransomware attack.

At least six plants in the U.S. shut down.

Operations also affected in Australia and Canada.

That was a huge international incident.

Everyone said that was like... the one step too far.

JBS is the largest meat supplier in the U.S.

I think they produce over 20% of the meat for the U.S., with locations in Canada and Australia.

And because it was so big, it was deemed critical infrastructure.

If the food supply chain is unable to deliver food, well, that can be a really big problem.

The meat packing firm JBS USA paid a ransom equivalent to $11 million after it fell victim to a cyber attack.

The company's U.S. CEO said on Wednesday they made the payment to protect their customers.

Last week's cyber attack led to the suspension of cattle slaughtering at all of JBS's U.S. plants for a day.

The company produces nearly a quarter of America's beef.

$11 million.

Paid up.

That's a lot of Bitcoin to send over to someone that you hope will fulfill their end of the deal and give you an encryption key.

What a nail biter that's got to be when you click send and you're just sitting there in chat, waiting for the criminal to give you a key.

There was another company that was another, you know, in quotes, step too far.

They've done it now.

They hit a company called Sol Oriens, which was a nuclear weapons contractor for the US.

And they, you know, this is like, okay, now you're affecting the nuclear triad or something like that.

You know, how can this ransomware group get away with all of this?

But still, we haven't gotten to REvil's biggest hits yet.

Over this period of years, REvil was getting into hundreds of companies and putting ransomware on them.

And the ones who didn't pay would get posted to their blog.

Their leak site had 282 leaked companies' data published to it.

So that's how many companies didn't pay, because they were leaked onto the leak site.

And some of the stats coming out of Europol said that they had launched thousands of attacks.

Probably one of the smartest things REvil ever did was they went into what we call a cyber insurance company.

So because ransomware is such a huge thing, companies, like when they get hit by a ransomware attack, it can cost them not only X number of million dollars for the ransom, but to actually clean up the network and restore it or rebuild it could cost them hundreds of billions.

So they need insurance to be able to cover that cost for ransomware specifically.

So what REvil did was they went into an insurance company and they looked at all of the insurance company's clients and they hit each target one by one, because they know how much they were going to get paid out for from the insurance cost.

And then they hit the insurer themselves as well.

For good measure.

Here's a clip from CBS News that tells us about the next victim.

FBI investigating what may become one of the world's largest ransomware attacks when companies get back to work following the holiday weekend.

A Russia-based cyber criminal group called REvil is demanding a $70 million ransom.

Hackers hit IT software company Kaseya Friday.

Wow, where do I begin?

The Kaseya, that was basically one of the biggest supply chain incidents since NotPetya.

Kaseya are the manufacturers of a software called like Kaseya VSA is their software.

And companies, like I mentioned before, managed service providers will buy Kaseya VSA and use it to do administration on their customers' networks.

So, by going into the Kaseya software, REvil basically had a foothold into all of the MSPs' customers.

So, by exploiting the Kaseya software to deploy REvil, they were able to hit like 1,500 networks in one go overnight.

Whoa, 1,500 different companies hit with the REvil ransomware in one day?

That's a massive amount of damage.

And this is what's called a supply chain attack, because REvil was able to get into all of Kaseya's customers, which were sort of like tech support companies who had access into other companies, and those companies were hit with REvil too.

This was a crazy event.

Perhaps one of the biggest ransomware attacks ever.

In Michigan Saturday, President Biden said intelligence officials are investigating.

Direct to the intelligence community, you're giving me a deep dive on what's happened.

Last month, he warned the Russian president to rein in cyber criminals or face a strong U.S. response.

And if it is either with the knowledge of and/or a consequence of Russia, then I told Putin we will respond.

So this happened in July 2021.

Biden was president by then and it's hard to hear, but he said in this impromptu interview in a grocery store in Michigan that if Russia is in any way involved, then he told Putin he's going to respond.

And it's wild to me when the president of the U.S. is able to just jump into a discussion about ransomware off the cuff like that.

Like I've felt like such a geek all my life, head down in a computer, learning about the most geeky things you can imagine.

And to look up from the screen and see it talked about on the world stage like that, it's just a trip.

Oh, look, there's the president fielding a question about the REvil ransomware.

Far out.

So, what were the ransomware demands for Kaseya?

Well, it was actually one of the highest ransom demands ever in history.

They demanded $70 million in Bitcoin.

After the attack took place, it popped up on the REvil blog, which was called the Happy Blog, by the way.

The Kaseya attack popped up and it said, this is what REvil wrote.

They said, on Friday, we launched an attack on MSP providers.

More than a million systems were infected.

If anyone wants to negotiate about a universal decryptor, our price is $70 million in Bitcoin.

I gotta say, this is a situation that Kaseya probably didn't plan for.

I mean, suppose they have a don't pay the ransom policy.

Okay, that's fine.

It's a good policy to have, but they aren't the only victims here.

And it was their fault that caused hundreds of other companies to be infected with ransomware.

Do you owe it to all of them as sort of an apology?

Like, sorry for getting your ransomware.

Here's the decryption key.

Hope you stay as a customer.

And this was a preventable problem.

There was a vulnerability on Kaseya's servers that gave REvil the foothold to take over a server.

And at least one person reported this to Kaseya before the attack too.

And I think they were working on fixing it when all this happened.

So Kaseya must have looked at this $70 million ransom demand and took a deep breath and had a long think about it.

Again, it's that old thing of we don't want to be the company that's paid the biggest ransom in history.

And, you know, they, so, to give, you know, credit to Kaseya, they went straight to the FBI for help.

And the FBI are very, very well experienced with these types of ransomware attacks.

So they guided them and were basically with them by their side the whole time.

And at the end of the day, basically the decisions became the FBI's decisions for what Kaseya was supposed to do.

Kaseya didn't pay the ransom.

They called the FBI, who apparently sprang right into action.

The FBI actually explained what happens next.

Here's the director of the FBI, Christopher Wray, in a press briefing explaining what happened.

When Kaseya realized that some of their customers' networks were infected with ransomware, they immediately took action.

They worked to make sure that both their own customers, managed service providers, and those MSPs' customers downstream quickly disabled Kaseya's software on their systems.

They also engaged with us early.

The FBI then coordinated with a host of key partners, including CISA and foreign law enforcement and intelligence services, so Kaseya could benefit from all of our expertise and reach as it worked to put out the fire.

Kaseya's swift response allowed the FBI and our partners to quickly figure out which of its customers were hit and for us to quickly share with Kaseya and its customers information about what the adversaries were doing, what to look for and how the companies could best address the danger.

Here we were able to obtain a decryption key that allowed us to generate a usable capability to unlock Kaseya's customers' data.

We immediately strategized with our interagency partners and reached a carefully considered decision about how to help the most companies possible, both by providing the key and by maximizing our government's impact on our adversaries who were continuing to mount new attacks.

When the FBI is engaged early, we can provide victims more and better support.

We can get them intelligence and technical information they need faster.

And we can work quickly back from the intrusion to follow and seize the criminal's money before it can jump through wallet after wallet and exchange after exchange.

He makes it sound like they're willing to help anyone with ransomware.

I mean, listen to the Deputy Attorney General Lisa Monaco in the same press briefing.

To Americans watching today, to those who own small businesses, to those who run Fortune 500 companies, who manage hospitals and oversee school districts, this case is the reason you want to work with law enforcement.

Know that if you pick up the phone and if you call the FBI, this team is waiting for you on the other end of the line.

I just wonder if that's a little misleading.

I mean, people email me all the time telling me about how they were extorted or scammed or hit with ransomware and just want some advice.

Is the proper advice I should give them that they should call the FBI, just skip the police altogether and go straight to the FBI?

You would think the FBI would have some kind of threshold for how big something should be before we call them.

Like maybe they only care about larger extortions or attacks on national infrastructure, not small-scale stuff like my local barber's website getting their WordPress site taken over, right?

Or the question is, how bad of a computer problem does it need to be before you call the FBI?

There's a big difference between your whole network being ransomed versus one user account being compromised.

Listen, I'm curious now, if you've ever called the FBI over a computer problem you've had, I want to hear from you.

Send me a note.

Tell me how it worked out.

Did they get back to you right away or wait six months or no reply at all?

I just imagine the FBI must be flooded with calls and problems that there's no way they can get back to all the people who report computer problems to.

Anyway, sorry, a little rant there.

Okay, yeah, what FBI Director Wray said was really interesting.

They obtained a decryption key?

What?

How?

That's amazing.

Did they reverse engineer the malware?

Did they join the chat and pressure the REvil gang to provide a key or else kind of thing?

I'm really curious how they obtained that.

You know, rumor has it the FBI were able to compromise the REvil servers after, during the Kaseya incident.

Like, the FBI is allegedly, because I don't know if this is proven or not, but they were able to compromise the, you know, the system, or the REvil systems, following this.

And soon after they post about Kaseya, the REvil servers all go offline.

What we do know is REvil went quiet just after the Kaseya hack, and it stayed quiet for months.

Then, out of the blue, the FBI gave a press briefing.

Here's the U.S. Attorney General, Merrick Garland.

Today, we are announcing that we are bringing to justice an alleged perpetrator of a significant wide-reaching ransomware attack.

On July 2nd, the multinational information software company Kaseya and its customers were attacked by one of the most prolific strains of ransomware, known as REvil.

To date, REvil ransomware has been deployed on approximately 175,000 computers worldwide, with at least $200 million paid in ransom.

Six weeks later, on August 11th, the Justice Department indicted Yaroslav Vasinskyi, also known by the online moniker Robotnik.

The indictment, which was previously under seal, charges him with conspiring to commit intentional damage to protected computers and to extort in relation to that damage, causing intentional damage to protected computers, and conspiring to commit money laundering.

The indictment charges that Vasinskyi and co-conspirators authored REvil software, installed it on victims' computers, resulting in encryption of the victims' data, including in the July 2nd attack, demanded ransomware payments from those victims, and then laundered those payments.

Two months after the indictment, on October 8th, Vasinskyi crossed the border from Ukraine into Poland.

There, upon our request, Polish authorities arrested him pursuant to provisional arrest warrant.

We have now requested that he be extradited from Poland to the United States pursuant to the extradition treaty between our countries.

In addition to securing the arrest of Vasinskyi, the Justice Department has seized $6.1 million tied to the ransom proceeds of another alleged REvil ransomware attacker, Russian national Yevgeniy Polyanin.

As set forth in the public filings related to the seizure, Polyanin, whom we also charged by indictment, is alleged to have conducted approximately 3,000 ransomware attacks.

Polyanin's ransomware attacks affected numerous companies and entities across the United States, including law enforcement agencies and municipalities throughout the state of Texas.

Polyanin ultimately extorted approximately $13 million from his victims.

Whoa, so they caught one guy who they said was the author of the REvil malware and seized funds from another guy.

This ultimately disrupted REvil.

They weren't active at all after this.

Now, along with these indictments, they released photos of these people.

And here is where Will could look into the eyes of the people behind this malware that he spent years following and investigating.

The indictment dropped, and it had, you know, the names of these two REvil affiliates.

These were the first two names we had for any of them.

And I immediately, and shout out to my guy at my team in Curated Intelligence, we joined the voice chat on Discord, and we were all just talking about it and basically celebrating.

And then we quickly were like, oh, using these usernames and names and things, we can find all their social media profiles, because we can use OSINT to find them.

And we found his VK account and we found his other social media profiles.

We found he ran an Instagram account which was used to sell DDoS attacks with number spoofing, like phone call DDoS attacks and things.

And he even had like a certificate for Microsoft, and there was like a picture of him at his college and him on holiday and things.

And yeah, he just looked like a normal young guy that was, you know, obviously good at IT.

And it was kind of, yeah, it was surreal just to see him, you know, in the flesh.

Now, it seems like the bulk of the people involved with REvil were somewhere in Russia, and the U.S. authorities don't really have a way to arrest people in Russia or even get Russian authorities to arrest them.

But something very particular happened next.

Yeah, so it was very interesting timing.

In January, on January 14th, I believe it was, the Russian FSB released a press release that said they had arrested 14 members of REvil from Moscow and St. Petersburg.

The FSB said they seized more than 426 million rubles, $600,000 and half a million euros, along with cryptocurrency wallets and 20 expensive cars.

You know, it was, it was this, you know, it made news globally that the gang had finally been arrested.

You know, REvil is over.

You know, videos of the FSB busting down the door, putting them on the ground and taking them away, it seemed justice has been served.

Here's an Al Jazeera news clip.

The scene was not uncommon.

Russian police and intelligence agents harshly taking down more than a dozen men, all played out on television.

But the reason was extraordinary.

The Russian government tells the Biden administration the operation dismantled a group of hackers inside Russia on behalf of the United States.

Security agents took down alleged hackers from the ransomware group REvil at over two dozen addresses, seizing millions of rubles, vehicles, and technology.

Among those arrested, alleged ringleader Roman Muromsky, appearing in court in a cage, and Andrei Bessonov, both wanted by the U.S.

Huh.

That's it then.

Case closed?

Story over?

It's all nicely wrapped up with a bow at the end, and all the criminals are caught.

Well, I'm not sure.

Here, let me show you what I mean.

The exact same day of these arrests, on January 14th, 2022, CBS News reported this.

And Ukrainian officials are assessing the damage done by a massive cyber attack on government servers.

The U.S. has condemned the attack and vows to help with the investigation.

The hack comes as Ukraine faces a potential invasion by Russia.

Some Ukrainian officials feared this type of cyber attack prior to Russian military action.

A cyber attack on the Ukrainian government?

Gosh, who would possibly do that?

But is this somehow related?

I should admit that I've officially put on my conspiracy theory hat here and I'm just guessing at stuff from here on out.

But there are some weird questions that arise from all this.

Like for instance, if Russia comes out with news that they've arrested the REvil cyber gang and did it as a favor to the United States, is that an attempt to control the news cycle of the day?

This way, less news is on the Ukraine cyber attack and more news is on how great Russia is for capturing these criminals.

And what's all this talk about doing favors for the US?

Russia doesn't typically arrest criminals on behalf of the US, and we've seen how Russia lies to control the narrative.

So is any of this real?

Did they really arrest anyone?

I mean, there are so many more ransomware gangs walking freely in Russia today, like the Evil Corp ransomware gang.

They've been identified and indicted, yet Russia hasn't touched them.

Why just REvil?

And they didn't extradite these criminals.

No, they were just processed in Russia, and we have no idea what punishment they got.

I mean, shoot, for all we know, this arrest might have just been a way for them to recruit those hackers to go work for the Russian government and not actually bring these criminals to justice.

It's extremely cloudy and suspicious what any of these arrests mean.

Well, whatever happened, it did mean the end of REvil as we knew it.

They were around for about two years, and after the FBI indictment, they just fizzled out.

But with this group being gone, it created space for new ransomware gangs to step up and fill the gap.

There's the Evil Corp ransomware gang.

There's Conti.

There's Lockbit.

These are all doing the same exact thing that REvil did.

And we don't know what the end of their stories are, but they are certainly attracting a lot of attention from authorities.

So I can only imagine those stories will probably end in a wild and crazy way.

A big thank you to Will for coming on the show and telling us about what he's been so laser focused on for the last few years.

You can follow Will on Twitter.

His name there is BushidoToken, or follow the Equinix Threat Analysis Center to see more information about malware they are tracking.

This show is made by me, the ticket jockey, Jack Rhysider, original music by the spaghetti coder, Garrett Tiedemann, editing help this episode by the linguistic analyst Damien, mixing done by Proximity Sound, and our theme music is by the super snoozer, Breakmaster Cylinder.

Uh, what blood type is your computer?

Mine is definitely type O.

This is Darknet Diaries.