Two massive ransomware attacks throttled vulnerable U.S. companies last month.
The May 7 attack on Colonial Pipeline caused a week of havoc and gas lines along the U.S. East Coast until the company paid roughly $4.4 million in cryptocurrency (about $2.3 million of which the U.S. Justice Department later said it had recovered). Three weeks later, the meat producer JBS SA was paralyzed after hackers hit computer servers in Brazil, the U.S., Australia and Canada.
After the FBI attributed the attacks to two Russian-speaking cybercrime gangs, DarkSide and REvil, Russian President Vladimir Putin was asked about the ransomware attacks on state TV.
“I’ve heard about some kind of a meat factory. Well, that is nonsense, simply ridiculous. The pipeline [attack] is ridiculous too, like the shareholder or the shareholders of the company that owns this pipeline system even paid money to the extortionists. Well, it’s just nonsense to blame Russia for this.”
Putin’s claim is misleading.
Russia’s tolerance for cybercriminals operating from its territory is well documented, as is the country’s alleged interference in U.S. elections through online disinformation and hacking. Then there is last year’s SolarWinds supply-chain compromise, which the U.S. government has attributed to Russia’s foreign intelligence service, the SVR, and which gave the attackers access to multiple U.S. government agencies.
A recent report by the Ransomware Task Force, a group of experts from tech firms, government and law enforcement, said that in 2020 nearly 2,400 U.S. government bodies, health care facilities, schools and businesses were hit with ransomware, and that victims paid out $350 million, an increase of more than 300 percent over the prior year.
“Ransomware is no longer just a financial crime; it is an urgent national security risk that threatens schools, hospitals, businesses, and governments across the globe,” the report said, while making recommendations for a public-private partnership to fight the problem.
Testifying before the U.S. House of Representatives’ Judiciary Committee on June 10, FBI director Christopher Wray said that “[t]he Russians have a very active, clearly state-sponsored cyber campaign.” He also said his agency had identified, and the Justice Department had indicted, members of the Russian military and foreign intelligence services over multiple attacks on the U.S. Apart from the intelligence operatives, there are “quite a number of cyber-criminal actors operating on Russian soil," Wray said.
“The degree of nexus between those cyber criminals and the Russian government is not something I can discuss in an open hearing,” Wray added.
REvil and DarkSide are relatively new Russian-speaking groups that break into corporate networks, steal data, and then encrypt the victims’ systems, locking them out of their own files until a ransom is paid.
According to analysts at Trend Micro, FireEye and other cybersecurity firms, REvil surfaced in 2019 and DarkSide in 2020, and the groups have claimed annual revenues of up to $100 million.
Brian Krebs, a former Washington Post reporter who now writes the KrebsOnSecurity blog, described DarkSide’s modus operandi after the pipeline hack:
“DarkSide says it targets only big companies and forbids affiliates from dropping ransomware on organizations in several industries, including healthcare, funeral services, education, public sector and non-profits.
“Like other ransomware platforms, DarkSide adheres to the current badguy best practice of double extortion, which involves demanding separate sums for both a digital key needed to unlock any files and servers, and a separate ransom in exchange for a promise to destroy any data stolen from the victim.”
FireEye and Trend Micro reported evidence of a partnership between DarkSide and REvil, noting similarities in their tactics and structure that suggest both could be run by the same operator or by an alliance.
These networks operate under a model known as ransomware-as-a-service (RaaS): a core group develops and maintains the malware and the payment and leak-site infrastructure, and recruits affiliates who break into victims’ networks and deploy it. When a victim pays, the developers keep 20% to 30% of the ransom and the affiliate who carried out the intrusion gets the rest.
REvil and DarkSide claimed responsibility for the attacks, bragging about their success publicly on internet forums that have since been closed.
The same day as Putin’s remarks, an anonymous person nicknamed UNKN (Unknown) commented on behalf of REvil about the attack on JBS in an interview with a popular vlogger with the screen name @Russian_OSINT. The exchange was published on Telegram.
Some media, including NPR and several cybersecurity websites, cited the interview, describing the “representative” either as authentic or as alleged. The information technology website Bleeping Computer described “Unknown” as a “public-facing representative of REvil” who communicates with the outside world via web forums and chats.
The threat intelligence website Intel471 summarized an earlier interview in English, also describing the person behind it as an “alleged” representative of REvil.
Asked about his communications with the REvil contact, @Russian_OSINT told Polygraph.info that he "can’t say it’s 100% their representative. I posted my questions in the forum they control, and they posted their answers.”
Sergey Golovanov, chief security expert at the Russian antivirus company Kaspersky Lab, vouched for @Russian_OSINT as a trustworthy and reliable source. He has also shared REvil interviews on Twitter.
In one, the purported REvil representative complained that the group is “being dragged into politics” by the United States, which “put us on the agenda of the discussion with (Vladimir) Putin,” a reference to an upcoming meeting between U.S. President Joe Biden and the Russian leader in Geneva.
UNKN said that if the U.S. passes “a law banning the payment of ransom” or puts “us on the list of terrorists,” REvil would step up its attacks on U.S. targets.
“Since it no longer makes sense to avoid working in the United States, all restrictions have been lifted,” UNKN said, threatening to sell U.S. data “for cheap” to whoever pays for it.
In fact, the U.S. government and businesses have been the gang’s main targets for some time.
A partial list of REvil’s U.S. targets includes:
Local governments in Texas in August 2019, in an attack that locked up the systems of 23 cities and towns and was described as the first operation on such a scale launched by a single actor. REvil demanded $2.5 million; Texas authorities said no ransom was paid.
A May 2020 attack on the New York law firm Grubman Shire Meiselas & Sacks, whose clients include Hollywood celebrities such as Madonna and Lady Gaga and prominent politicians such as former President Donald Trump. REvil leaked some 169 emails referencing Trump as proof of the hack and said it had sold the Trump-related data to the “highest bidder.”
Quanta Computer, the Taiwan-based Apple supplier, in April, with REvil directly addressing Apple CEO Tim Cook and demanding $50 million. The hackers threatened to leak the blueprints and technical details of Apple’s upcoming products, and published schematics and pictures of an unreleased Apple laptop. The group then removed the ransom demand with no explanation; the status of the case is unknown.
REvil and DarkSide follow a similar set of “never” rules, which Polygraph.info observed on Russian-language forums. The rules undercut Putin’s suggestion that the groups have nothing to do with Russia. They include:
Never accept an English speaker, even one fluent in Russian; test all candidates on their knowledge and understanding of Soviet history, Russian folktales and proverbs.
Never target companies, industries or individuals within the Commonwealth of Independent States, an economic and political alliance of former Soviet republics founded in 1991 and a key part of Putin’s foreign policy.
Never go to America.
“Most of our targets never report that we’ve got them, preferring to pay us to unlock their data and ensure that we don’t leak it to the public. Especially software developers, because they want to protect their reputation,” UNKN said in a YouTube interview in October 2020.
REvil closed its web forums in late May but said the group is “not going anywhere.” On May 14, DarkSide took down its sites and announced it was shutting down.
Putin has repeatedly denied Russia’s involvement in computer hacking. In 2017, he said alleged Russian interference in the 2016 U.S. presidential election could have come from “patriotic minded hackers” who joined the “justified fight against those speaking ill of Russia.”