What do we know about REvil, the Russian ransomware gang likely behind the Medibank cyber attack?

  • Written by Andrew Goldsmith, Matthew Flinders Distinguished Emeritus Professor, Flinders University

Australian Federal Police Commissioner Reece Kershaw on Friday confirmed[1] police believe the criminal group behind the recent Medibank cyber attack is from Russia. Kershaw said their intelligence points to a

group of loosely affiliated cyber criminals who are likely responsible for past significant breaches in countries across the world.

Kershaw stopped short of naming any individuals or groups.

But experts suspect the attackers belong to, or have close links to[2], the Russian-based ransomware crime group, REvil.

The attack so far involves a multimillion-dollar ransom demand made to the medical insurer for data on individual clients stolen in the earlier stages of the attack. The attackers originally threatened to release sensitive personal medical records, and then on Wednesday released hundreds of records onto the dark web[3].

Such attacks cause enormous personal stress for those whose data is exposed, as well as considerable reputational damage to the entities holding the data.

At the time the Medibank attack was publicly announced, Home Affairs Minister Clare O’Neil described[4] the illegal action as a “dog act”.

Since then, our cyber security agencies, including the Australian Federal Police and the Australian Cyber Security Centre, have been scrambling to respond.

Gaining a better understanding of the groups behind these activities is therefore vital, but challenging.

So what do we know about REvil?

Hackers for hire

The group’s name is said to be a contraction of the words “ransom” and “evil”. It’s based in Russia, although its network of “affiliates” extends into Eastern Europe.

The view that the attack is the work of REvil is based partly on links observed between existing REvil sites on the dark web and the extortion site[5] now hosting some of the stolen Medibank data. Further information will undoubtedly come to light in the coming weeks to confirm or alter this assessment.

But the nature of this attack is consistent with the approach and motivations shown previously by REvil.

The group emerged in early 2019, having evolved from an earlier “ransomware as a service” (RaaS) group known as GandCrab.

According to[6] one scholar, Jon DiMaggio, under the RaaS model REvil relied on

hackers for hire, known as affiliates, to conduct the breach, steal victim data, delete backups and infect victim systems with ransomware for a share of the profits.

As we have also seen in the Medibank case, another tactic of this group is to engage in double extortion, whereby failure to pay the ransom leads to the stolen data being leaked or sold in underground forums on the dark web.

REvil was particularly active in 2021. This included the highly damaging ransomware attack in the United States on Kaseya, a managed services provider. REvil posted a ransom of US$70 million[7] for a universal decryption key to restore victims’ data.

Australia was also touched by REvil in 2021. The group attacked JBS Foods[8], a major producer with operations in Australia as well as Brazil. The impact on Australian meatworks operated by JBS seems not to have affected supplies of meat, thus drawing less public attention than we have seen in the Medibank case.

Unstable and slippery

Shortly after the Kaseya attack, in late 2021, REvil appeared to shut up shop, following leakages of information from their hacked data site and increased pressure from law enforcement.

However, ransomware groups such as REvil are notoriously unstable and slippery. Various factors contribute to this instability, including law enforcement pressure and greed. There’s little honour among this species of cyber “thieves” when personal survival and enrichment are at stake. The RaaS model also relies upon loose networks of associates that inevitably change over time.

Further evidence REvil was in retreat came in January 2022, just a month before Russia’s invasion of Ukraine. Russian law enforcement authorities announced they had arrested some 14 alleged members of REvil[9].

For a brief time, Western observers hoped the Russian action might be effective in constraining future ransomware attacks by the group.

But since the invasion in February this year, any pretence of cross-border cooperation in tackling these Russian groups has evaporated. Moreover, those arrested are now believed[10] likely to be free and back in business[11].

Read more: Holding the world to ransom: the top 5 most dangerous criminal organisations online right now[12]

Russian ransomware groups have close informal links to Russian security agencies such as the FSB, the Russian internal security agency. These links give the group (and other Russian cybercrime groups) a degree of licence to carry on their activities, on the strict understanding that their targets must lie outside Russia.

In some cases, although not so clearly in the case of REvil, these groups have expressed geopolitical motivations, directing cyber attacks against Ukrainian targets and those of countries seen to be supporting Ukraine. The Conti ransomware group is an example here of a group that publicly declared its support for Russia[13] over Ukraine[14].

In the Medibank example, the group behind it appears simply driven by financial gain. Medical facilities such as hospitals have proven popular targets for ransomware groups because of their sensitive information holdings and hence vulnerability to pressure to pay.

It seems REvil, or at least a close genetic descendant, is back in business. What we’re currently seeing is consistent with prior experience with this group: appearing, disappearing and reappearing, sometimes in a slightly altered shape.

Dealing with it is difficult, a bit like a game of whack-a-mole: the offenders all too easily disappear and then pop up somewhere else.

The root causes of ransomware today can be political as well as economic, making effective inter-country cooperation against Russian-affiliated groups almost impossible.

This article draws upon work undertaken with my colleague David Wall (University of Leeds) examining the weaponisation of ransomware in relation to the Russia/Ukraine conflict. This work is currently in draft report form with the sponsoring organisation, the Global Initiative against Transnational Crime, Vienna and Geneva.

References

  1. ^ confirmed (www.abc.net.au)
  2. ^ close links to (www.afr.com)
  3. ^ released hundreds of records onto the dark web (www.theguardian.com)
  4. ^ described (www.canberratimes.com.au)
  5. ^ the extortion site (www.afr.com)
  6. ^ According to (analyst1.com)
  7. ^ ransom of US$70 million (www.forbes.com)
  8. ^ attacked JBS Foods (www.bleepingcomputer.com)
  9. ^ arrested some 14 alleged members of REvil (www.washingtonpost.com)
  10. ^ believed (therecord.media)
  11. ^ free and back in business (us.macmillan.com)
  12. ^ Holding the world to ransom: the top 5 most dangerous criminal organisations online right now (theconversation.com)
  13. ^ declared its support for Russia (www.wired.com)
  14. ^ over Ukraine (securitybrief.com.au)

Read more https://theconversation.com/what-do-we-know-about-revil-the-russian-ransomware-gang-likely-behind-the-medibank-cyber-attack-194337
