Cybercrime: How “REvil” blackmailed thousands of companies


Exclusive

Status: 07/06/2021 12:22 p.m.

It is one of the biggest cyberattacks to date: the hacker group “REvil” is demanding a ransom of 70 million US dollars from companies whose data they keep under lock and key. How does the business model work?

The cyber criminals are merciless chat partners. “Get sober again. Come back when you are clear in your head,” the hackers write. They had been contacted by a company whose network was encrypted with so-called ransomware. The company wants to pay to get its files back. But apparently something went wrong in the communication, and the hackers are becoming abusive.

The chat runs over the darknet; BR research was able to view it. It shows how safe the criminals, whom IT security experts call “REvil”, feel. They have pulled off a coup: they are currently trying to extort 70 million US dollars in ransom after managing to encrypt more than “thousands of IT devices”, as the Federal Office for Information Security (BSI) announced.

The hack begins with an attack on the software manufacturer Kaseya. According to its own information, it has over 40,000 customers. They either use the software as a cloud solution or have it installed locally. Only the latter are affected. It has not yet been conclusively clarified how the hackers managed to break into the networks. There are security flaws in the software that the hackers exploited.

IT service provider as the entrance gate

In an interview with the AP news agency, Kaseya CEO Fred Voccola estimates that the networks of 50 to 60 customers could be affected. But the majority of these customers are IT service providers whose job it is to protect the networks of smaller companies that cannot afford an IT department.

Image (dpa): According to BSI President Schönbohm, the hack reveals dangerous dependencies in systems.

And so a single incident leads to the customers of customers being hacked; the number of companies affected could run into the thousands, and the hackers want to extort a record amount. The Kaseya case shows, argues BSI President Arne Schönbohm, what dependencies exist today, because: “In the current attack, ransomware was rolled out across every link in a software supply chain.”

Hackers brag on the darknet

The hackers write on their page on the darknet that they have infected over a million devices. The number is not proven; the purpose of the blog is marketing for the hackers. Kaseya itself currently assumes a total of 1,500 affected parties. The publicly known victims range from kindergartens in New Zealand and a supermarket chain in Sweden that had to close hundreds of branches to unnamed IT service providers from Germany. “It’s just about business,” said the hackers in a chat with a journalist. They do not seem particularly impressed by the international excitement.

Cybercriminals’ license-based business model

According to information from IT security experts, the cyber criminals from “REvil” have a license-based business model. They only work with selected hackers and lease them access to their software. If these hackers are successful and can extort money, they have to give the developers of the malware a percentage share.

How to penetrate networks is something the hackers have to find out for themselves, explains the expert Andreas Rohr from the German cyber security organization DCSO. Sometimes this access is bought from other cyber criminals, sometimes phishing emails are sent. In the current case, it was apparently possible to find a security hole and exploit it. “Only then is the malware from ‘REvil’ used. In other words, the encryption that was developed by this group is only the second step.”

Track to the CIS countries?

It is currently unclear who is behind the group. However, the hackers’ code gives clues as to the country in which the malware was developed. One thing is noticeable: when it is started, the software checks the language settings. If a language from the CIS countries is set – including Russia, Ukraine, Armenia, Azerbaijan, Kazakhstan and Uzbekistan – the infected computers are not encrypted.

IT security researchers from McAfee have described in talks how they were able to help customers while on vacation in Russia by sending the hackers photos they had taken themselves in Moscow. The hackers thought they had a Russian victim and provided the decryption tools free of charge. There is speculation about connections to the Russian state, but these have not been proven. The Russian state is accused of acting too laxly against hacker groups that can operate freely from there.

The situation in Germany is unclear

How many cases there are in Germany is currently unclear. The BSI says only in general terms that IT service providers in Germany are also affected. The company HiiSolutions is currently looking after five medium-sized companies whose networks have been encrypted. “In our estimation, the majority of these are not critical cases,” says Enno Ewers from HiiSolutions in an interview with BR research. The companies have backups. If these are restored, the affected companies get off lightly.

Price negotiations possible

In the current case, US $70 million is being demanded for a master key. The amount demanded depends on several factors, explains Andreas Rohr from the DCSO: “On the one hand, it is about how well companies are able to pay such claims. But what is also important is how great the pressure on a company is to get the data back as quickly as possible.”

The hackers from “REvil” are often prepared to reduce the amount significantly. In one case in which a German copper manufacturer was hacked, the hackers initially wanted $7.5 million but settled for $1.27 million in the end. In a chat with IT security expert Jack Cable, the hackers at least indicated that they are open to such negotiations in the current case. They would settle for $50 million too.
