DDoS attacks and ransomware – though related – have largely remained separate entities. Ransomware extorts a business from the inside, while DDoS exerts its power externally, through cloud DDoS attacks.

However, a familiar face in the extortion scene has recently returned. Combining the financial demands of a ransomware gang with the resource-draining capabilities of the Meris botnet, they could be out for vengeance.

Back to REvil’s Roots

Unlike traditional hacking groups composed of a few individuals, the name REvil describes two groups of threat actors. The first group is the developers and creators of the ransomware code itself. The second group is the affiliates, who distribute the code.

Initially a play on the Resident Evil franchise, REvil soon made a name for itself in the Ransomware-as-a-Service world. Affiliates, having struck up a working relationship with the group, would themselves work to exploit attack vectors. Upon the affiliate’s successful implementation of ransomware, the REvil creators would take their cut of roughly 30%. 

REvil’s Classic Ransomware

Ransomware is itself a powerful tool, but only once the encryption software has gained access to a device. What made REvil dangerous was its ever-expanding range of attack approaches. For example, the attack that put REvil on the map was committed in 2019, as REvil affiliates exploited software from the B2B service provider Kaseya. This company offers a suite of IT management solutions. However, one of their servers involved in backup and restore functions was harboring one major flaw.

Just as Kaseya had started a patching process for this very exploit, REvil struck. Implanting malicious code onto the server itself, their malicious “Kaseya VSA Agent Hot-fix” procedure targeted Windows systems, immediately disabling Windows Defender and decrypting a major payload mechanism.

In order to dodge any other anti-malware solutions, the ransomware made use of an old Windows exploit, in the form of a DLL side-loading attack. This is where malicious code is held in a DLL file with a very similar name to the legitimate one, forcing Windows to load the malicious file.

Finally, the payload is executed and the encryption process can begin. REvil ransomware works its way through every file on the hard drive, jumbling each into a collection of nonsensical strings. It then reboots the victim’s device and flashes the ransom note in their face.

The Difficulty of Identifying an Attack Group

The issue with Ransomware as a Service (RaaS) is that affiliates are free to chop and change their ransomware providers at will. Whereas you may struggle with a provider’s restrictive 5-year contract, RaaS affiliates have no such qualms. When each REvil attack can demand up to 9% of their victim’s annual revenue, the more ransomware attacks committed the merrier.

This muddies the water significantly for researchers. Throughout REvil’s initial run of attacks, they meticulously maintained their extortion blog. This certainly made it easier to establish the group’s activities, as they openly bragged about their own attacks.

However, RaaS threat actors thrive on their reputation. REvil themselves did not generate any extorted money; this was performed entirely by their affiliates. Thanks to the fact that extortion is (rightfully) illegal, affiliates will always remain on the lookout for the highest performing RaaS tool. 

It was clearly working, too: in 2020, up to 29% of all IBM ransomware engagements were REvil-related cases. They boasted the largest slice of the ransomware pie, extorting millions and rapidly gaining affiliates. 

The above attack pattern worked splendidly throughout 2019, 2020 and 2021. Then, in early 2022, the group was traced back to Russia. The Russian government took action. A number of affiliates were also identified – one 22-year-old was stripped of the $6 million he had made. 

The blog grew cold; REvil had been put to bed.

New REvil: With Added Flavor

In March 2022, a DDoS attack was launched at an unsuspecting business. While the botnet was busy making 2.5 million requests per second to the site, the IT team were receiving messages embedded within the HTTP requests themselves, detailing the attackers’ monetary demands. The request URL went on to detail the attacker’s wallet address and how a payment of roughly $30,000 per day would protect the site and allow it to stay online.
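Because the demand described above travels inside the request URL, it can be recovered from ordinary web access logs during triage. The following is an added example, not part of the original article: the log lines, the placeholder wallet string, the keyword list and the per-second threshold are all constructed assumptions. It counts requests per second and extracts URLs that carry both extortion wording and a wallet-shaped string.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample (Common Log Format). IPs are RFC 5737 documentation
# addresses; the wallet string is a made-up placeholder, not a real address.
WALLET = "bc1qexampleexampleexampleexampleexample0000"
NOTE = f"/?m=pay+1+btc+per+day+to+{WALLET}+or+stay+offline"
NOTE_PCT = NOTE.replace("+", "%20")  # same note with percent-encoded spaces
TS = "12/Mar/2022:10:00:0"
SAMPLE_LOG = "\n".join([
    f'203.0.113.7 - - [{TS}1 +0000] "GET {NOTE} HTTP/1.1" 200 512',
    f'203.0.113.8 - - [{TS}1 +0000] "GET {NOTE} HTTP/1.1" 200 512',
    f'203.0.113.9 - - [{TS}1 +0000] "GET {NOTE_PCT} HTTP/1.1" 200 512',
    f'198.51.100.20 - - [{TS}1 +0000] "GET /products?id=42 HTTP/1.1" 200 2048',
    f'198.51.100.21 - - [{TS}2 +0000] "GET /pay/invoice HTTP/1.1" 200 1024',
])

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" \d{3} \S+')
# Shape-only match for bech32 (bc1...) and legacy base58 Bitcoin addresses.
WALLET_RE = re.compile(
    r"\b(?:bc1[ac-hj-np-z02-9]{20,80}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"
)
KEYWORDS = ("pay", "btc", "bitcoin", "ransom", "offline")  # illustrative list

def analyze(log_text, rate_threshold=4):
    """Return (seconds at or over the threshold, ransom-note URLs with details)."""
    per_second, notes = Counter(), {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts, target = m.groups()
        per_second[ts] += 1
        decoded = unquote_plus(target)  # normalise '+' and '%20' before matching
        wallets = set(WALLET_RE.findall(decoded))
        # Require both signals so a plain /pay/... URL is not flagged.
        if wallets and any(k in decoded.lower() for k in KEYWORDS):
            rec = notes.setdefault(
                decoded, {"count": 0, "sources": set(), "wallets": set()})
            rec["count"] += 1
            rec["sources"].add(ip)
            rec["wallets"] |= wallets
    floods = {ts: n for ts, n in per_second.items() if n >= rate_threshold}
    return floods, notes

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Grouping by the decoded URL collapses differently encoded copies of the same note into one record, which keeps the evidence compact for an incident report or a WAF rule.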

They continued this Mafia-esque tactic with another victim, vaporizing a hospitality firm’s site with a similar DDoS attack. Not only was the same tactic used to extort them to the sum of tens of thousands per day, but the group also demanded they stop operating in one location thanks to a recent Supreme Court decision made in that country.

Some researchers see this as a break from previously apolitical activity, but it’s worth noting that REvil’s very first attack in 2019 included a critical file named BlackLivesMatter.exe, and the rebooted system was given the password DTrump4ever. It’s no surprise that these political ‘easter eggs’ would attract more politically-motivated affiliates.

Thanks to rapidly growing botnets such as Mirai and Meris, dependent on weakly-protected Internet of Things devices, DDoS attacks are becoming stronger by the day. 

Managing the DDoS Threat 

When you’re dependent on a cloud service provider for your site, it’s vital to not even allow malicious HTTP requests past the perimeter. Normal DDoS attacks can tank your site and leave your customers totally in the dark, but cloud DDoS attacks are a double whammy. They also massively inflate your server budget, as your site pulls more and more resources in its attempt to manage the millions of requests and stay afloat.

Many businesses view DDoS protection as an unnecessary business expense, but REvil themselves know that you must choose between letting your site go under and paying up. So, there are two options: either pay REvil to leave your site alone or pay for a DDoS prevention solution to stop the attack in the first place.