REvil: Cybercriminals Pushing the Limits of Ransomware

They want $ 70 million.

The criminals behind a three-day massive cyberattack released on Monday, July 5, one of the highest ransom demands in cybercrime history.

“We have compromised over a million computers.

If anyone wants to negotiate for a universal decryption tool, our price is $ 70 million, payable in bitcoin, ”the hackers said, in a post on the blog of REvil, the group of Russian cybercriminals suspected of being behind the operation.

Methods hitherto reserved for cyber spies

With this attack, REvil is riding the wave of ransomware, viruses that block access to files on a computer until the victims pay a ransom.

A type of cybercrime that has been very fashionable in recent years, and which has gained even more popularity since the start of the Covid-19 pandemic, in particular with criminals who have attacked hospitals and other health centers.

The attack, which began at the end of last week, however marks “an important step in the way of operating of these cybercriminals specialized in ransomware”, affirms Gérôme Billois, cybersecurity expert from the consulting firm Wavestone, contacted by France 24.

To deploy their malware, attackers have, for the first time, used an attack technique that has until now been considered a specialty of cyber spies. 

REvil attacked an IT service provider, Kaseya, in order to indirectly attack all of its customers.

Clearly, these criminals have compromised this company which “provides IT management solutions, that is to say which deploys patches or updates remotely for its users”, recalls Philippe Rondel, cybersecurity expert for the computer security company Checkpoint, contacted by France 24. 

All of Kaseya's customers - like the Swedish supermarket chain Coop, a Dutch drugstore chain, and hundreds of companies in Europe and the United States - downloaded the virus during a software update from Kaseya.

This is what then allowed the cybercriminals to trigger the ransomware on all the computers of these several thousand companies.

This way of attacking a large number of victims by going through an intermediary which serves as a digital Trojan horse is particularly popular with cyber spies “because it makes it possible to advance more discreetly than if we try to break into them directly. servers of its victims ”, underlines Gérôme Billois.

It is also useful for installing virtual moles on a large number of computers through a single point of entry.

The much-publicized late-2020 hack of SolarWind - a supplier of computer software to a large number of US administrations - had served as a gateway for cyber spies on the servers of more than 15,000 federal structures, such as the departments of the Treasury , National Security or even Trade and Energy.

Ever greedy cybercriminals

Until now, cyber ransomers have not seen as big as state-paid cyber-spies, if only “because it requires significant logistics, organization and a certain know-how. in order to be able to manage all the targets simultaneously ”, points out Philippe Rondel.

Historically, in the early 2010s, ransomware attackers first sent their virus randomly into the wild.

These were the first beginnings of this cybercrime, the victims of which were mainly individuals who had had the misfortune to click on a tricked e-mail.

At the time, the ransoms claimed hardly exceeded 300 or 400 euros.

Over the past four years, cybercriminals have started to target their prey better, specifically to attack victims who are able to pay more to unlock their computer systems. The ransoms demanded could then have reached hundreds or even millions of euros, as in the case of the attack, in July 2020, against California State University in San Francisco ($ 1.14 million) or that which targeted, in May 2021, the gas pipeline operator Colonial Pipeline (4.4 million dollars).

The attack on Kaseya marks “a new stage in the professionalization of this sector with a complete change of scale since it becomes possible to hold more than 1,000 companies to ransom simultaneously”, estimates Gérôme Billois. This development does not surprise Philippe Rondel because “these groups of hackers evolve with the aim of being able to ask for more money from their victims”.

But this greed could play tricks on cybercriminals.

First, “who will pay this ransom?” Asks Gérôme Billois.

Usually, cybercriminals do a small, discreet investigation first to find out how much their victims will be able to repay.

In the case of the attack on Kaseya, they installed their software in thousands of companies with a wide variety of profiles without knowing precisely before launching the attack who Kaseya's customers were.

In other words, they do not know precisely who can pay what ...

Hence the idea of ​​proposing a universal decryption key of 70 million dollars against ransom demands.

So who is going to pay?

Kaseya, because she is the source of the spread of the virus?

But, it is not obvious that she will agree to pay for everyone.

In addition, “by pushing up the stakes, these cybercriminals risk burning their wings,” notes Gérôme Billois.

The decision to simultaneously attack thousands of companies risks motivating the authorities to deploy all means to track down the culprits.

“As long as these hackers go after one or two companies, it's just plain crime.

But if, by the scale of their operations, they threaten the economy, the authorities can decide that it is a risk for national security and the States can then mobilize more resources ”, summarizes Gérôme Billois.

What should Russian cybercriminals worry about?

The summary of the week

France 24 invites you to come back to the news that marked the week

I subscribe

Take international news everywhere with you!

Download the France 24 application

google-play-badge_FR