
126: REvil

2022/10/18

Darknet Diaries

Deep Dive

Jack Rhysider: I tell the story of a scam that took place in the United States. A Brazilian man and his accomplices used other people's identity information to register ride-hailing and food-delivery driver accounts, then resold those accounts for profit. They were able to obtain other people's identity information easily from the internet, and they used money laundering to disguise their illegal proceeds. In the end they were sentenced to two years in prison for identity theft and money laundering. The story reflects the many kinds of fraud found in the darker corners of the internet and the cunning ways criminals use information technology to commit crimes. It is also a reminder that cyber security matters more every day, and that protection of personal information and anti-money-laundering measures urgently need strengthening. We need to stay alert so that we do not become victims of cybercrime, and law enforcement agencies also need to cooperate more closely to combat cybercrime and maintain a secure online environment.

Will: I analyze in detail the REvil ransomware and the activities of the criminal group behind it. REvil grew out of the GandCrab ransomware, whose group pioneered the "big game hunting" strategy of targeting large enterprises and institutions specifically to extract huge ransoms. REvil is not just ransomware but a "ransomware-as-a-service" (RaaS) platform that lets other criminals pay to use the software in their attacks and share the proceeds. The REvil group used open-source intelligence (OSINT) to gather information about target companies, bought or obtained network access themselves, and then deployed the ransomware. They not only encrypted victims' data but also threatened to leak it, and even launched DDoS attacks to pressure victims into paying. REvil's targets included government agencies, businesses and even critical infrastructure, causing enormous economic losses and social impact. Eventually, in a joint law-enforcement operation, core members of the REvil group were arrested and its servers were taken down, and REvil's activity stopped. Yet REvil's rise and fall also reflect the complexity and persistence of cybercrime: new ransomware strains and criminal groups keep emerging, and the threat remains severe.

Chapters
Gustavo, a Brazilian tourist in the US, devised a scheme to create and sell fake driver accounts for ride-sharing and food delivery apps using stolen identities. He and four accomplices generated over 100 fraudulent accounts before being arrested and sentenced to two years in prison for identity theft and money laundering.
  • Brazilian tourist in the US
  • Created and sold fake driver accounts for ride-sharing and food delivery apps
  • Used stolen identities
  • Over 100 fraudulent accounts
  • Arrested and sentenced to two years in prison

Transcript


Yeah, scams going on out there today are getting wild. There was this one I read about. Let me tell you about it. Okay, so there's this guy named Gustavo. He's from Brazil, but he was in the U.S. just visiting. He wanted to drive for a rideshare company like Uber, but he was just visiting, so he didn't have a U.S. driver's license. Now, as you can imagine, a requirement to drive for Uber in the U.S. is that you need a driver's license in the U.S.

Gustavo thought about it and decided to try to use someone else's driver's license to register to drive with Uber.

I'm not exactly sure how he borrowed someone's identity, but I imagine it's not all that hard to find someone's information online these days. I mean, I've seen people post pics of their driver's license to social media, so maybe he just took one of those and sent it to Uber to pass verification. Anyway, however he forged the driver details, it worked. He was approved to drive for a rideshare company, and he had it set up so he'd get paid for the work he did.

It was great for him to earn money while staying in the U.S. And the money was a whole nother scheme he was working on. I don't really know how, but he had to move it around in such a way that it didn't look like he earned it through ride shares or something. I don't know, but he was laundering the money. Well, his girlfriend was also interested in all this and she wanted in.

But again, she was from Brazil and not a US citizen, so no driver's license either. But not a problem for Gustavo. He just repeated what he did for himself and set her up with a fake driver account too. Then three more of his Brazilian friends wanted in, and before they knew it, this was a five-person team.

Then someone on the team was like, hey, I found a spot online that people are willing to buy Uber driver accounts. Because apparently there are quite a few people who want to drive for Uber but can't for some reason. Either they don't have a license or insurance or something makes them ineligible. So they might be interested in buying someone else's account so they can make some extra cash.

or even rent one out from someone. So these five Brazilians started posting rideshare driver accounts up for sale on these forums, and they were actually selling, making money from just selling driver accounts made from stolen identities.

But then the pandemic hit and rideshare usage went way down, but that wasn't a problem. This team just shifted focus and worked on food delivery apps like Grubhub. They started making all kinds of driver accounts for this now using stolen identities again. And sometimes there's this waitlist to get verified and stuff, but eventually they would get verified and then sell or rent out those accounts.

Gustavo and his four other friends made over 100 phony driver accounts on these apps and sold them on forums. I don't know how much these things go for, how much he made, but somehow the authorities got wind of this and investigated and ended up arresting all five of them. Stolen identities and money laundering were the main charges they faced. And I think all of them got two years in prison for this wild scam. These are true stories from the dark side of the internet.

I'm Jack Rhysider. This is Darknet Diaries. Support for this show comes from Black Hills Information Security. This is a company that does penetration testing, incident response, and active monitoring to help keep businesses secure. I know a few people who work over there, and I can vouch they do very good work. If you want to improve the security of your organization, give them a call. I'm sure they can help.

But the founder of the company, John Strand, is a teacher. And he's made it a mission to make Black Hills Information Security world-class in security training. You can learn things like penetration testing, securing the cloud, breaching the cloud, digital forensics, and so much more. But get this.

The whole thing is pay what you can. Black Hills believes that great intro security classes do not need to be expensive, and they are trying to break down barriers to get more people into the security field. And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range, which is great for practicing your skills and showing them off to potential employers.

Head on over to BlackHillsInfosec.com to learn more about what services they offer and find links to their webcasts to get some world-class training. That's BlackHillsInfosec.com. BlackHillsInfosec.com.

This episode is sponsored by Delete Me. I like to think that some of you guys pay attention to the show and have learned to take better care of your internet hygiene. But if your info ever gets stolen or leaked, you'll have heard me suggest you use Delete Me to take on data brokers so you don't have to. But we all know people who aren't as aware of how their information can be used against them.

So that's why I gifted my friend a subscription to Delete.me. They were always kind of aware of cybersecurity, but never took it super seriously. But then they received the first report on what Delete.me found and deleted immediately.

and they were amazed. That's when they understood how helpful it is to have someone on their team when it comes to their privacy. Take control of your data and keep your private life private by signing up for Delete.me, now at a special discount for Darknet Diaries listeners and your loved ones. Today, get 20% off your Delete.me plan when you go to joindeleteme.com slash darknetdiaries and use promo code DD20 at checkout.

The only way to get 20% off is to go to joindeleteme.com slash darknetdiaries and enter code DD20 at checkout. That's joindeleteme.com slash darknetdiaries, code DD20. So why don't we start out with what's your name and what do you do?

My name is Will. I work for the Equinix Threat Analysis Center. I'm a threat intelligence analyst. I wanted to talk with Will because as a threat intelligence analyst, he's been studying a certain kind of malware called REvil, and I want to hear all about it. So REvil first sort of appeared in, I think it was about April 2019. And I got my first job

in summer of 2019. I just graduated university and I got my job in summer of 2019. So I've been tracking them ever since I began my career, basically. Okay, so you might be wondering, what is REvil? Well, to answer that, let's back up a bit and look at what came just before it. So REvil first came out of another variant called GandCrab. And GandCrab was basically the group that pioneered

what we call big game hunting. So GandCrab is the name of some malware. And specifically, it infects machines and encrypts the whole hard drive and then says, pay us some money and we'll give you the key to unlock this machine. GandCrab is ransomware.

and a particularly effective one, too. And I think this GandCrab ransomware was developed and deployed by a group of criminals who kept it close to their chest. It wasn't passed around for just anyone to use. At least, not the whole thing. One piece of it did just the encryption for the machines, and then there were servers that were set up for handling incoming payments and to chat with victims and to generate decryption keys.

And it kept updating over time, adding new features, and it became its own brand. And like any brand, the name of it started to refer to the people behind it too. Like when I say Google, do you think of the search engine or the company or the people at the company? Google refers to all these things. So GandCrab was both the name of the ransomware and the group who were running it. And Will says it was this group that pioneered big game hunting.

So big game hunting is sort of a type of ransomware attack. So imagine you have like the Savannah and you've got all the companies on the landscape. And instead of going for just small companies and going for the small game, just trying to get like, you know, $5,000 or $10,000, they want to go for the biggest company they can.

and then lock all their systems and try and steal millions from them, try and extort them back for their files that are locked.

for as much money as they can. Mm-hmm. I get it. So if I got hit with ransomware or you got hit with ransomware on our home computer and that hard drive was encrypted and locked, whoever did it might only charge us a few hundred dollars to unlock it because it's just like one person. And this could scale up if you infect like thousands of people's home computers at once. And that does add up for criminals. But it sounds like this GandCrab group wasn't trying to hit regular people like you or me. They were focused on infecting big companies

or companies that had a lot of money, at least, because those companies might just pay a million bucks to get their machine unlocked.

But there's a bit of a problem with this whole plan. Security. InfoSec teams everywhere know about ransomware, and they put methods in place to stop their company from getting hit with it. So even though GandCrab was great at encrypting machines, it still needed that initial access into the network. So how does a criminal get access into a big company's network? Well, they buy their way in.

So there's kind of a whole ecosystem that ransomware works with called initial access brokers.

And there's entire underground markets that you can buy access into certain companies. Yeah, I actually know about this. I've seen underground forums where people are selling access into companies. In fact, I interviewed a guy who did sell a login to his ex-employer's network. That's episode 108 called Mark.

He was a disgruntled ex-employee. But there are also people who are out there just playing around, trying to find a way into a company. Maybe they're just curious or like the challenge, but they poke and prod until they find a way in. But they have no idea what to do once they get in. So that's where they see others are selling access into networks on forums and decide to just sell their access.

It's a weird and strange market. So this is how the GandCrab group would infect companies. They'd buy access into a company, then put ransomware on all those systems and ask for a huge payment to unlock all those systems.

But how much do you demand? And what companies should you hit? Well, to figure that out, GandCrab did some OSINT. I mean, there's things like, there's a website called ZoomInfo, I think. Like, I've seen them on the underground forums, literally mentioning, linking to the websites. Here's how much they have in daily, in their yearly profit and turnover. Yeah.

Oh man, what a mess, huh? Like, publicly traded companies have to disclose their profits to shareholders so they can see what's going on. But of course, criminals are taking a look at that too, and they're like, oh, this company had a stellar year. That's a nice juicy target.

Anyway, so this is what GandCrab focused on. Companies with lots of money that they could get into. They'd get in, encrypt the systems, and demand ransom to unlock everything. And guess what? Companies were paying this ransom hand over fist.

Yeah, if you can believe these criminals, they claim they earned $2 billion, roughly $2.5 million a week. I, for one, don't believe that number at all. I mean, they posted these numbers themselves. I think they just posted big numbers to look like they were doing great. I'm guessing it's more like $2 million that they made, not $2 billion. But

But that's still amazing profits, though. Now, GandCrab wasn't just ransomware, but it evolved into ransomware as a service. If you wanted, you could pay to use this ransomware to infect a company. But you'd have to first get access into that company in order to deploy GandCrab into it and infect it. But then the GandCrab team would handle it all from there, working with victims to collect money and supply a decryption key. Then you'd get paid if the victim paid up.

And some of these people who used GandCrab as a service got arrested in different places in the world because, as you can imagine, extorting people and companies is illegal. But as GandCrab grew, they needed to recruit more people to their team. On the forums that they recruited, where they got customers from, they all speak Russian. These are all Russian-speaking threat actors.

And I mean, there's a number of countries that speak Russian, but there's only so many countries that

allow cyber criminals to operate with almost impunity, except a very small marginal amount. And that's Russia. Okay, so there's not much you can do to stop cyber criminals operating out of Russia. The US has no jurisdiction or way to work with Russia to arrest these people. And Russia doesn't seem to care too much if it's not attacking Russian companies.

So it seemed like GandCrab was living large. It had all the people, malware, victims, and customers all set up, and the cash flow was pouring in, and no trouble from the police. But then it all suddenly stopped. GandCrab posted on a forum saying, they're retiring. And you know what? I get it. It makes sense. They earned $2 billion. I'd retire too.

But they didn't retire. They spent time retooling, innovating, and improving their ransomware as a service business. They created a new ransomware malware. This time, they called it REvil. And victims started seeing what this could do firsthand. So REvil first appeared in April 2019, and it sort of began with,

In the first zero to two months, it did the things that most ransomware does, which deletes backups, changes the wallpaper. They actually do a language check. So before ransomware is executed, it will check the language that your computer is set to. And if it's set to...

a list of countries that are members of what you call the Commonwealth of Independent States, the CIS. So if it's a member of the CIS, then the ransomware will not execute and it will just exit. So whoever is behind REvil doesn't want to target countries that are basically ex-Soviet Union.

So REvil came on the scene, which again is the name of both the ransomware and the group operating it. I call them REvil because I'm pretty sure that's what they call themselves. It's based on Resident Evil. They call themselves Ransomware Evil, shortened to REvil. I mean, GandCrab, there was about five versions of it. So...

It was sort of like an experiment until they came out with REvil, which was basically the crown prince of ransomware. Like it was so perfectly developed for what it was designed to do. It just sort of, their entire work had sort of, this was like their magnum opus of ransomware. But here's the thing. The group behind REvil saw how much money GandCrab made as a service, that they realized...

That's what they should focus on. Offering ransomware as a service was more profitable than putting ransomware on systems themselves. The idea here is that other criminals in the world would get access into the networks and then they could use REvil to infect that network with ransomware. And then REvil does the rest, collecting payments, decrypting systems, helping victims get themselves sorted.

and then they'd split the ransom with whoever deployed it on that company. So criminals all over were using REvil to infect systems with ransomware, and they called their customers affiliates.

It will all start with the affiliate wanting to launch an attack. They can either do it by going to REvil first and becoming an affiliate and have a plan to use their malware, or the affiliate can launch an attack and then go and basically buy access to one of these RaaS platforms and then deploy it.

So, it's at different stages of when REvil would be introduced. It would start with the OSINT. It would start with picking a target. It would start with going to the underground forums, looking for a way in. Because you can buy RDP credentials. You can buy cookies. You can buy just email account credentials and then start from there. Or you can do that sort of initial exploitation yourself.

One of the most common ways that REvil used to arrive inside the network was for exploiting a vulnerability in a public-facing server. So once the vulnerability had been exploited, they would deploy like a web shell or launch some PowerShell code on the server.

that initial foothold and then do some reconnaissance inside the network and then spread around as best they can and as well as escalate privileges. And then once they are spread around enough and they've escalated their privileges to sort of domain administrator level, then they will introduce the ransomware. And one of the most, like the common way they deploy it is via scheduling a task on all the computers in the network via ransomware.

using the domain administrator credentials. So then everything is rebooted and you have about, you know, you could have thousands of machines at any one time. I believe, I think it was a telecom company in South America had 15,000 workstations locked up

And each one had a blue background saying, you have been attacked by REvil. Open the note for instructions on how to pay the ransom. Yeah.

Early on when REvil was first coming up, Will got to see the impact of them firsthand. He was traveling out of London and had to go through the Heathrow airport to fly somewhere. In Heathrow, you have these currency exchanges run by a company called Travelex.

And when I went into the currency exchange, I saw everything was extremely hectic. People were shouting. It was an extremely long queue. And I was like, what the hell's going on? And then I realized, I was like, oh, I remember reading a report not too long ago that Travelex had been hit by REvil ransomware. And I basically took a picture on my phone saying,

Because I could see all the employees were using pens and paper and clipboards and things because none of the computers worked. Everything was down for weeks. This was about three weeks after the attack had happened. And Travelex reportedly paid a $2.3 million ransom, I believe.

What a payday. I mean, you can put ransomware on a lot of systems, but if nobody ever pays to get their stuff unlocked, then it's all for nothing. But when someone pays $2.3 million to have their computers unlocked...

then that's the fuel that makes the REvil ransomware crew keep going. Some people think this whole ransomware thing can just all go away if we all agree to never pay the ransom ever again. But the truth is, companies are still paying in a big way, which incentivizes ransomware crews to keep at it. And there's no guarantee these companies won't get reinfected the next day and have to pay it all again.

Clearly, the best idea if you get infected is to have good backups that you can restore rapidly. But REvil knew this, so they purposely looked for how systems got backed up, and then they went and wiped those backup servers first. This is probably why it was so effective. If the company had their backups wiped out and no path of rebuilding, it's a lot cheaper to pay a few million dollars to get things back up and running.

I mean, three weeks of being down could cost a company over $2 million in losses anyway. Surely it's a tough spot for any company to be in.

After a while, researchers started to notice a guy named Unknown who kept making posts on the forum claiming to be part of REvil. So he used to post to two Russian-speaking underground forums. One of them is called Exploit and another one is called XSS. So, you know,

kind of typical names for hacker forums, but these two forums have been going for like about 15 years. And they're basically the two most

popular hacking forums for Russian, like hardened Russian cybercriminals. He was basically boasting how REvil was the best ransomware. It was competing with several other strains at the time, including Maze and Ragnar Locker, I think, as well. And he basically became the front man of the whole operation. Everyone

it was like his alias was basically synonymous with REvil. And he actually went on to do interviews with several people online. And, you know, they'd interview him, say, you know, how did you decide to get into the business of ransomware? Or how much money have you made doing ransomware? Those sort of questions. And yeah, it's sort of,

It just makes it sound like it's a huge, it's basically a big organization of cyber criminals. I would probably say there's anywhere between 10 and 20 individuals actually connected to the running of the REvil core business, the core ransomware as a service business.

Another thing this Unknown guy was saying was how REvil was doing more to extort people than just demanding ransom. They would then step it up a notch by leaking, stealing data and then leaking it to a Tor website. And because it's on Tor, you can't get it taken down. It's like a wall of shame. That's what they call it. It's there forever. And then...

A few months later, they'd add another level of extortion. So that's what they used to call double extortion, with encrypting your files and then leaking your data. They had a third level. They would now begin to DDoS you or your partners.

And they would DDoS your websites until you actually began negotiations with them. Whoa, wait, what? They're DDoSing you too? This is where they flood your website or service with so much traffic that your website is just completely unusable? I mean, it's a low blow to hit you while you're down. If you still haven't entered the chat with them, because in the ransom notes, they have a link to the chat.

if you haven't answered the chat with them to negotiate, like paying the ransom or anything like that, they basically believe, oh, you're able to recover. Like, if you're a big company, like an international company, then you will basically have backups. You'll be able to restore files. You'll be able to basically carry on after a few weeks of recovery and rebuild the network or whatever. So,

REvil don't like that when companies can recover on their own. So they will DDoS your website. And if you have, say if you're like a retail company, you have customers coming to your website, every hour is money. So if they're DDoSing you, taking it down, it's still costing you more and more money. Okay, up until this point, I've been referring to REvil as a ransomware group. But at this point, this is mean. This is more like street gang behavior.

Going around hurting people and robbing them without any remorse. So I'm going to now start referring to them as the REvil cyber gang because these guys are ruthless. Here, let me play something for you. This is a voicemail that a ransomware gang member left on an employee's phone, a victim's phone. It's not from the REvil cyber gang. It's a different one called SunCrypt. But I think it's worth playing here just to give you an idea how cold-blooded these guys can be.

This message is to authorized IT specialists or to company management representatives. We are SunCrypt Group. We hacked your company yesterday and now we have around 80 gigabytes of your company data encrypted on your servers as well as downloaded to our servers. Those are employees' personal information, partners' data, financial and accounting data of your company and much more.

you need to start negotiations with us about decrypting your IT servers and bringing your company's data back. Negotiate with us and you will get decrypter together with all your data back within one day. And no one in the world will know about this leak. But in case of your refusal to cooperate, we will run a great damage to your business.

You will lose 10 times more in courts due to violation of the laws on GDPR and your partner's data leak. We will inform your employees, partners, government about this leak. Your data will be published on public blogs and sold to competitors. We will inform media about the successful cyber attack to your company. And backdoor access to your company data will be sold to other hacker groups.

and this will be the last day of your business. We don't want to do that for sure. And we will not do that if we will negotiate successfully. So we are waiting for you in the chat. Think about your future and your families. Thank you. Bye. Think about your future and your families?

That's so ominous. I mean, what would you do with a threat like that? Now, sometimes the REvil cyber gang would just go infect targets themselves. And if they did, they'd get to keep 100% of the ransom they make from that. But in most cases, they worked with their customers or affiliates to infect the targets for them. So it is known that they basically split the ransom with the affiliate. They'd say, if you hit

a company and you're able to get them to basically agree to pay a $10 million ransom, we'll keep 60 million, you'll get 40 million. It's like a 60-40 or a 70-30 split because at the end of the day, REvil

the RaaS, the ransomware as a service, would provide not only the malware, but also the decryption functionality, which is one of the best, most complex decryption systems of any of the ransomware families at the moment, even.

And then they would, you know, they add all the infrastructure for Darknet chats, Darknet leak sites, money laundering, you know, they provide like a lot of the backend. So,

It's a worthwhile split for both parties. And so it was on the affiliate to figure out a way into the networks to deploy REvil as a service. So I believe the affiliates are choosing the targets. They're basically getting into these companies. They basically do the legwork, as I'd like to describe it. It's a whole ecosystem. You have someone who...

gets an initial foothold in the network. They're called the initial access broker. They will sell that, however small it is or big it is, they'll sell that to someone else, the REvil affiliate. The REvil affiliate will spread around the network and escalate privileges and steal data. And then they will deploy REvil.

It's just nasty, like all of it. For REvil to make it a turnkey solution so it's easy for anyone to commit crimes with? And then people are just buying their way into these companies, sometimes through disgruntled ex-employees. And then REvil comes in and destroys backups and encrypts everything and then DDoSes you and then taunts the victim until they pay? It's awful. But we're just getting started. You gotta hear what they do next and what happens at the end of all this.

We're going to take a short break here, but stay with us. This episode is sponsored by Vanta. Trust isn't earned, it's demanded.

Whether you're a startup founder navigating your first audit or a seasoned security professional scaling your GRC program, proving your commitment to security has never been more critical or more complex. And that's where Vanta comes in. Businesses use Vanta to establish trust by automating compliance needs across over 35 frameworks like SOC 2 or ISO 27001, centralized security workflows, complete questionnaires up to five times faster, and proactively manage vendor risk.

Vanta can help you start or scale your security program by connecting you with auditors and experts to conduct your audit and set your security programs quickly. Plus, with automation and AI throughout the platform, Vanta gives you time back so you can focus on building your company. Join over 9,000 global companies like Atlassian, Quora, and Factory who use Vanta to manage risk and prove security in real time. For a limited time, listeners get $1,000 off Vanta at vanta.com slash darknet.

That's Vanta, V-A-N-T-A, Vanta.com slash Darknet for $1,000 off.

REvil continued to infect companies and make millions of dollars from these ransoms. I believe there are lots of companies that we'll never know about that got hit with this. But there are some companies we do know that got hit with this because it made the news. One of them was in 2019, and the victim was the Texas government. Yeah, so the Texas government one was interesting because it sort of started a trend that REvil would like to...

It ended up being deployed at what you call a managed service provider, which is an IT company that handles the IT of other organizations. So the Texas government, they actually paid a single company to just manage the IT of all their services.

or their institutions. So each institution doesn't have to have an IT department then. It's just one company that does it all for them. So one of the REvil affiliates managed to get into the Texas government and deploy, I think it was 22 different governments ended up being, like entities ended up being attacked in this one instance.

And this one made the CBS News. In privacy watch now, government computers in 22 Texas towns are being held hostage by ransomware. The state's Department of Information Resources said that the coordinated attack happened on August 16th and many of the local governments still have not been able to get back online.

See, when so many government facilities have a computer outage all at the same time, it makes the news. Because it's a noisy problem. It's not something you can easily cover up quietly or make it go away quickly. And of course, REvil was saying, hey, all these problems can go away if you pay us $2.3 million. But the Texas government did not enter the chat and did not pay a single cent. They recovered all on their own somehow.

In May 2020, a company called GSM Law was the victim to this cyber gang. Here's CNBC News. An entertainment law firm run by Alan Grubman confirming its computer systems were hacked. The hackers say they have sensitive information about several big star clients and those hackers want $42 million in ransom.

Whoa, $42 million? That's the largest ransom payment ever demanded at the time. They must have stumbled upon something spicy in that network. So some of GSM Law's clients include Madonna, Elton John, Lady Gaga, and probably most famously Donald Trump. It's a big New York law firm. So Donald Trump, you know, he's lived in New York his whole life. So...

And REvil managed to get into GSM Law and steal, allegedly steal, you know, hundreds of gigabytes of data from them. 756 gigabytes, they claimed. And

They threatened to basically disclose Donald Trump's solicitor's information from his lawsuit. Everyone knows Donald Trump has thousands of lawsuits on the go. So, you know, REvil was basically able to go through them all.

Huh, that's interesting. REvil is presumed to be operating out of Russia. I wonder if they had to stop for a moment and think about what to do with Trump's legal documents. It became a whole thing. Everyone was, you know, everyone was saying, oh, this is, you know, this is like cyberterrorism or whatever. This is, how can Russia allow this to happen? This is, you know, meddling with the presidency or whatever. Because he was still president at the time. Yeah.

And yeah, basically REvil said they had to come out and make a statement like we are apolitical. We're just financially motivated criminals. We don't want to cause any problems. They actually seemed to...

I mean, it's kind of a weird thing to say, but they actually seem to like Donald Trump, I think, because they thought of themselves as these ultra-rich, super-smart, super-criminal masterminds. And they sort of admired Donald Trump because he was really rich as well.

Hmm. Research into this is a little murky. REvil had released a little bit of what they stole to prove they had something from one of GSM Law's clients. And then they said, the next person we're going to dump records on will be Trump. One news agency looked into this and said, Trump isn't even a client of GSM Law. So we think Trump probably wasn't a client and just mentioned in some lawsuit. But you might wonder, what happened next with GSM Law? Did they pay the ransom or what?

Well, we don't know. Nothing happened. We never saw REvil release any data on Trump or dump a bunch of legal documents. So that makes me think that either they never had the data, which they did lie sometimes, or GSM Law negotiated the ransom. I'm not exactly sure what happened with that.

Now ransomware at this point was looking like a very lucrative way for criminals to make money. I mean, if you think about it, suppose you hack into a company and you were a criminal and you wanted to profit off this access. What are your options? Okay, well, you could sell your access that you have, but I can't imagine this making very much money, maybe a thousand bucks. You could try to install some crypto miners on there, but that's such a slow process to make money from. You could try to look around for some database to steal and then maybe sell that database to someone, but that's a tough market to be involved with. You could do a business email compromise attack and try to figure out what's going on in the finance department and see if you can get them to send you some money. Or you could look around to see if there's anything valuable in the company to steal, like money, right? In fact, there was another group at the time called FIN7, which focused on hacking into banks and stealing credit cards. What?

Well, you would think that that's a very good way to make money illicitly, and it is. But FIN7 was seeing how much easier it is to just put ransomware on a computer and just leave it at that. Because there's a lot of work to dealing with thousands of credit cards or trying to launder money and make it clean. But it's so much easier to just wait for a single ransomware payment in Bitcoin and then move on. And since FIN7 was already pretty good at breaking into networks, this really turned them on to a whole new revenue stream. Yeah, so DarkSide was FIN7's first ransomware project. They had tried out REvil a few times. Their infrastructure had been connected to REvil attacks via pivoting on IP addresses and things from known attacks. And FIN7 basically realized that, okay, every time we launch an attack using REvil, we have to give them a cut. Isn't it just easier if we develop our own ransomware and then launch our own attacks? And then we don't have to give a cut to anyone. We can keep it all for ourselves. And then, so after a time, they realized, okay, you actually make even more money if you begin ransomware as a service, because then you just rent out the ransomware to multiple groups and begin making money your own way. Wow. So at that point, FIN7 had totally quit robbing banks and turned into a ransomware as a service business because of how profitable they saw REvil was. Ransomware is the most valuable way to make money when you're inside any network.

anywhere in the world. FIN7 was one of the most profitable criminal groups out there. So it's just crazy to hear how they switched from robbing banks to ransomware. But at this point, they became competitors. And I'm not going to go into any more details about FIN7 or DarkSide in this episode, but rest assured, that's a really interesting story all by itself, and I'll have to cover that in an episode someday.

Now, when REvil gets a ransomware payment, they typically receive it in Bitcoin. And then they're actually pretty good at laundering that money by typically converting it into Monero, which is much more secure and I think untraceable. And then they'd be able to cash it out without it leading back to whoever is behind REvil. But I have to imagine how insane of a chat it must be when a company does want to pay a million dollar ransom in Bitcoin. These ransomware negotiation chat rooms must be the wildest thing ever.

I've heard from ransomware negotiators and incident response people that these ransomware teams have much better customer service than most companies do. They'll guide you step by step the whole way on how to pay a ransom, how to get the cryptocurrency, how to store it, how to send it to them, all the checks, all the balances, everything.

I mean, can you imagine being the IT admin and all your computers are encrypted and your management has given you the go-ahead to pay the ransom? So you get on Tor and enter the ransomware negotiation chat room. And you might say like, okay, look, we're willing to pay, but we don't have any Bitcoin. Can we just wire you the money? And REvil's ransomware negotiators are like, LOL, no, that's traceable. You need to send us Bitcoin. Go to an exchange and buy some.

And here's the problem. You can't just show up to Coinbase or Gemini or Binance or whatever and be like, yeah, I'd like to buy $2 million in Bitcoin, please. No, they have daily limits set up. You can only buy a few thousand dollars worth at a time. So you call up customer support at an exchange and you tell them, listen, I want to buy $2 million worth of Bitcoin. And the exchange might be like, whoa, that's a lot of money. What's that for? And you're like, oh, it's to pay a ransom.

That's a red flag for the exchange. I think by law, exchanges can't sell you Bitcoin if they know you're going to use it to pay a ransom with. So it becomes a huge ordeal just to secure that much Bitcoin. You have to remember that when millions of dollars are involved here, like if a company says, okay, yeah, we plan to pay $5 billion in a ransom, they will hire... to help them with it. So there are ransomware negotiation firms now that their whole job is to help companies get through when they've been hit by a ransomware attack. So these negotiators know all the ways to pay a ransom, basically. They even know, they keep track of all the wallets, they keep track of all the contact details of each ransomware group. So they know, sometimes if these negotiators respond to multiple incidents, they will be able to recognize the person on the other end of the ransomware negotiation portal. What? There's a whole industry out there helping people negotiate and pay ransom? This is madness. I mean, think about it. Imagine if you're in the chat with REvil and you're like, oh, how do I do this? And they're like, okay, well, you could just call this company and they'll help you walk through it.

It's just so zany to think about this. Like, I wonder, do these ransomware negotiators offer any sort of like referral program? So if REvil refers them and they hop on the chat and like, oh, hey, Dimitri, how's it going? Thanks for referring me. I'll make sure to get you that referral bonus.

Or like take it a step further. Imagine REvil refers you to a quote unquote expert service who's just another criminal. And you give them $2 million to buy Bitcoin and they just take off with the money. Well, there are legitimate companies. But as you say, this could easily be taken advantage of and has been by companies like

that really do some really shady stuff. Like, say, if a company gets hit by ransomware, sometimes they'll come in, the company will come in, like the response company will come in

and say, yeah, yeah, we can deal with it all for you. How much did the ransomware gang tell you it was going to cost? Oh, $4 million. Well, actually, it's going to cost $5 million. And then they'll pay the ransom, decrypt the files, clean the network, and then be like, yep, here's your bill, $5 million. But you just use the decryption key. Yeah.

If you turned on NBC News on June 1st, 2021, you would have seen this. It's another attack on critical infrastructure, this time the food supply. The world's biggest meat producer, JBS, forced to curtail operations after a ransomware attack. At least six plants in the U.S. shut down. Operations also affected in Australia and Canada. That was a huge international incident. Everyone said that was like

the one step too far. JBS is the largest meat supplier in the US. I think they produce over 20% of the meat for the US with locations in Canada and Australia. And because it was so big, it was deemed critical infrastructure. If the food supply chain is unable to deliver food, well, that can be a really big problem.

The meatpacking firm JBS USA paid a ransom equivalent to $11 million after it fell victim to a cyberattack. The company's U.S. CEO said on Wednesday they made the payment to protect their customers. Last week's cyberattack led to the suspension of cattle slaughtering at all of JBS' U.S. plants for a day. The company produces nearly a quarter of America's beef.

$11 million paid up? That's a lot of Bitcoin to send over to someone that you hope will fulfill their end of the deal and give you an encryption key. What a nail biter that's got to be when you click send and you're just sitting there in chat waiting for the criminal to give you a key.

There was another company that was another, you know, in quotes, step too far. They've done it now. They hit a company called Sol Oriens, which was a nuclear weapons contractor for the U.S.,

And they, you know, this is like, okay, now you're affecting the nuclear triad or something like that. How can this ransomware group get away with all of this? But still, we haven't gotten to REvil's biggest hits yet. Over this period of years, REvil was getting into hundreds of companies and putting ransomware on them. And the ones who didn't pay would get posted to their blog.

Their leak site had 282 leaked companies' data published to it. So that's how many companies didn't pay because they were leaked onto the leak site. And some of the stats coming out of Europol said that they had launched thousands of attacks. Probably one of the smartest things REvil ever did was they went into a... what we call a cyber insurance company. So because ransomware is such a huge thing, companies, like when they get hit by a ransomware attack, it can cost them not only X number of million dollars for the ransom, but to actually clean up the network and restore it or rebuild it could cost them hundreds of billions. So they need insurance to be able to cover that cost for ransomware specifically. So what REvil did was they went into an insurance company and they looked at all of the insurance company's clients and they would hit each target one by one because they know how much they were going to get paid out for from the insurance cost. And then they hit the insurer themselves as well for good measure.

Here's a clip from CBS News that tells us about the next victim. FBI investigating what may become one of the world's largest ransomware attacks when companies get back to work following the holiday weekend. A Russia-based cyber criminal group called REvil is demanding a $70 million ransom. Hackers hit IT software company Kaseya Friday.

Wow, where do I begin? The Kaseya, that was basically one of the biggest supply chain incidents since NotPetya. Kaseya are the manufacturers of a software called Kaseya VSA. It's their software. And like I mentioned before, managed service providers will buy Kaseya VSA and use it to do administration on their customers' networks. So by going into the Kaseya software, REvil basically had a foothold into all of the MSPs' customers. So by exploiting the Kaseya software to deploy REvil, they were able to hit like 1,500 networks in one go overnight. Whoa, 1,500 different companies hit with the REvil ransomware in one day? That's a massive amount of damage.

And this is what's called a supply chain attack because REvil was able to get into all of Kaseya's customers, which were sort of like tech support companies who had access into other companies, and those companies were hit with REvil too. This was a crazy event. Perhaps one of the biggest ransomware attacks ever.

In Michigan Saturday, President Biden said intelligence officials are investigating. I'm directing the intelligence community to give me a deep dive on what's happened. Last month, he warned the Russian president to rein in cyber criminals or face a strong U.S. response. If it is, either with the knowledge of and or...

So this happened in July 2021. Biden was president by then, and it's hard to hear, but he said in this impromptu interview in a grocery store in Michigan that if Russia is in any way involved, then he told Putin he's going to respond.

And it's wild to me when the president of the U.S. is able to just jump into a discussion about ransomware off the cuff like that. Like, I've felt like such a geek all my life, head down in a computer, learning about the most geeky things you can imagine, and to look up from the screen and see it talked about on the world stage like that, it's just a trip. Oh, look, there's the president fielding a question about the REvil ransomware.

So what were the ransomware demands for Kaseya? Well, it was actually one of the highest ransom demands ever in history. They demanded $70 million in Bitcoin. After the attack took place, it popped up on the REvil blog, which was called the Happy Blog, by the way. They... the Kaseya attack popped up and it said, this is what REvil wrote. They said, on Friday, we launched an MSP, we launched an attack on MSP providers. More than a million systems were infected. If anyone wants to negotiate about a universal decryptor, our price is $70 million in Bitcoin. And

I gotta say, this is a situation that Kaseya probably didn't plan for. I mean, suppose they have a "don't pay the ransom" policy. Okay, that's fine. It's a good policy to have. But they aren't the only victims here. And it was their fault that caused hundreds of other companies to be infected with ransomware. Do you owe it to all of them as sort of an apology? Like, "Sorry for getting you ransomwared. Here's the decryption key. Hope you stay as a customer."

And this was a preventable problem. There was a vulnerability on Kaseya's servers that gave REvil the foothold to take over a server. And at least one person reported this to Kaseya before the attack, too. And I think they were working on fixing it when all this happened. So Kaseya must have looked at this $70 million ransom demand and took a deep breath and had a long think about it.

Again, it's that old thing of we don't want to be the company that's paid the biggest ransom in history. And, you know, they... To give credit to Kaseya, they went straight to the FBI for help. And the FBI are very, very well experienced with these types of ransomware attacks. So they guided them and were basically with them by their side the whole time. And at the end of the day, basically the decisions became the FBI's decisions at the end of the day for what Kaseya was supposed to do.

Kaseya didn't pay the ransom. They called the FBI, who apparently sprang right into action. The FBI actually explained what happens next. Here's the director of the FBI, Christopher Wray, in a press briefing explaining what happened. When Kaseya realized that some of their customers' networks were infected with ransomware, they immediately took action.

They worked to make sure that both their own customers, managed service providers, and those MSP's customers downstream quickly disabled Kaseya's software on their systems. They also engaged with us early. The FBI then coordinated with a host of key partners, including CISA and foreign law enforcement and intelligence services, so Kaseya could benefit from all of our expertise and reach as it worked to put out the fire.

Kaseya's swift response allowed the FBI and our partners to quickly figure out which of its customers were hit, and for us to quickly share with Kaseya and its customers information about what the adversaries were doing, what to look for, and how the companies could best address the danger.

Here, we were able to obtain a decryption key that allowed us to generate a usable capability to unlock Kaseya's customers' data. We immediately strategized with our interagency partners and reached a carefully considered decision about how to help the most companies possible, both by providing the key and by maximizing our government's impact on our adversaries who were continuing to mount new attacks.

When the FBI is engaged early, we can provide victims more and better support. We can get them intelligence and technical information they need faster. And we can work quickly back from the intrusion to follow and seize the criminal's money before it can jump through wallet after wallet and exchange after exchange.

Hmm. He makes it sound like they're willing to help anyone with ransomware. I mean, listen to the Deputy Attorney General, Lisa Monaco, in the same press briefing. To Americans watching today, to those who own small businesses, to those who run Fortune 500 companies, who manage hospitals and oversee school districts. This case is the reason you want to work with law enforcement. Know that if you pick up the phone and if you call the FBI, this team is waiting for you on the other end of the line.

I just wonder if that's a little misleading. I mean, people email me all the time telling me about how they were extorted or scammed or hit with ransomware and just want some advice. Is the proper advice that I should give them is that they should call the FBI, just skip the police altogether and go straight to the FBI?

you would think the FBI would have some kind of threshold for how big something should be before we call them. Like, maybe they only care about larger extortions or attacks on national infrastructure, not small-scale stuff like my local barber's website getting their WordPress site taken over, right? Or the question is, how bad of a computer problem does it need to be before you call the FBI? There's a big difference between your whole network being ransomed versus one user account being compromised.

Listen, I'm curious now. If you've ever called the FBI over a computer problem you've had, I want to hear from you. Send me a note. Tell me how it worked out. Did they get back to you right away or wait six months or no reply at all? I just imagine the FBI must be flooded with calls and problems that there's no way they can get back to all the people who report computer problems to you.

Anyway, sorry, a little rant there. Okay, yeah, what FBI Director Wray said was really interesting. They obtained a decryption key? What? How? That's amazing. Did they reverse engineer the malware? Did they join the chat and pressure the REvil gang to provide a key or else kind of thing? I'm really curious how they obtained that. You know, rumor has it the FBI were able to compromise the REvil servers after, during the Kaseya incident. The FBI is allegedly, because I don't know if this is proven or not, but they were able to compromise the system, or the REvil systems, following this. And soon after they post about Kaseya, the REvil servers all go offline. What we do know is REvil went quiet just after the Kaseya hack, and it stayed quiet for months. Then, out of the blue, the FBI gave a press briefing.

Here's the U.S. Attorney General Merrick Garland. Today we are announcing that we are bringing to justice an alleged perpetrator of a significant, wide-reaching ransomware attack. On July 2nd, the multinational information software company Kaseya and its customers were attacked by one of the most prolific strains of ransomware, known as REvil. To date, REvil ransomware has been deployed on approximately 175,000 computers worldwide.

with at least $200 million paid in ransom. Six weeks later, on August 11th, the Justice Department indicted Yaroslav Vasinskyi, also known by the online moniker Rabotnik. The indictment, which was previously under seal, charges him with conspiring to commit intentional damage to protected computers and to extort in relation to that damage, causing intentional damage to protected computers, and conspiring to commit money laundering.

The indictment charges that Vasinskyi and co-conspirators authored REvil software, installed it on victims' computers, resulting in encryption of the victims' data, including in the July 2nd attack, demanded ransomware payments from those victims, and then laundered those payments. Two months after the indictment, on October 8th, Vasinskyi crossed the border from Ukraine into Poland.

There, upon our request, Polish authorities arrested him pursuant to a provisional arrest warrant. We have now requested that he be extradited from Poland to the United States pursuant to the extradition treaty between our countries. In addition to securing the arrest of Vasinskyi, the Justice Department has seized $6.1 million tied to the ransom proceeds of another alleged REvil ransomware attacker,

Russian national Yevgeniy Polyanin. As set forth in the public filings related to the seizure, Polyanin, whom we also charged by indictment, is alleged to have conducted approximately 3,000 ransomware attacks. Polyanin's ransomware attacks affected numerous companies and entities across the United States, including law enforcement agencies and municipalities throughout the state of Texas.

Polyanin ultimately extorted approximately $13 million from his victims. Whoa, so they caught one guy who they said was the author of the REvil malware and seized funds from another guy. This ultimately disrupted REvil. They weren't active at all after this.

Now, along with these indictments, they released photos of these people. And here is where Will could look into the eyes of the people behind this malware that he spent years following and investigating. The indictment dropped and it had, you know, the names of these two REvil affiliates. These were the first two names we had for any of them.

And I immediately, and shout out to my team in Curated Intelligence, we joined the voice chat in Discord and we were all just talking about it and basically celebrating. And then we quickly were like, oh, using these usernames and names and things, we can find all their social media profiles because we can use OSINT to find them. And we found his VK account and we found his other social media profiles. We found he ran an Instagram account which used to sell DDoS attacks with number spoofing, like phone call DDoS attacks and things. And he even had a certificate for Microsoft. And there was a picture of him at his college and him on holiday and things. And yeah, he just looked like a normal guy, young guy that was, you know, obviously good at IT. And it was kind of, yeah, it was surreal just to see him, you know, in the flesh. Now, it seems like the bulk of the people involved with REvil were somewhere in Russia. And the US authorities don't really have a way to arrest people in Russia or even get Russian authorities to arrest them. But something very particular happened next. Yeah, so it was a very interesting timing.

In January, on January 14th, I believe it was, the Russian FSB released a press release that said they had arrested 14 members of REvil from Moscow and St. Petersburg.

The FSB said they seized more than 426 million rubles, $600,000 and half a million euros, along with cryptocurrency wallets and 20 expensive cars.

It made news globally that the gang had finally been arrested. REvil is over. These videos of the FSB busting down the door, putting them on the ground and taking them away, seem like justice has been served. Here's an Al Jazeera news clip.

The scene was not uncommon. Russian police and intelligence agents harshly taking down more than a dozen men all played out on television. But the reason was extraordinary. The Russian government tells the Biden administration the operation dismantled a group of hackers inside Russia on behalf of the United States.

Security agents took down alleged hackers from the ransomware group REvil at over two dozen addresses, seizing millions of rubles, vehicles, and technology. Among those arrested, alleged ringleader Roman Muromsky, appearing in court in a cage, and Andrei Bessonov, both wanted by the U.S. Huh. That's it, then. Case closed? Story over? It's all nicely wrapped up with a bow at the end, and all the criminals are caught.

Well, I'm not sure. Here, let me show you what I mean. The exact same day of these arrests, on January 14th, 2022, CBS News reported this. And Ukrainian officials are assessing the damage done by a massive cyber attack on government servers.

The US has condemned the attack and vows to help with the investigation. The hack comes as Ukraine faces a potential invasion by Russia. Some Ukrainian officials feared this type of cyber attack prior to Russian military action. A cyber attack on the Ukrainian government? Gosh, who would possibly do that? But is this somehow related?

I should admit that I've officially put on my conspiracy theory hat here, and I'm just guessing at stuff from here on out, but there are some weird questions that arise from all this. Like, for instance, if Russia comes out with news that they've arrested the REvil cyber gang and did it as a favor to the United States, is that an attempt to control the news cycle of the day? This way, less news is on the Ukraine cyber attack, and more news is on how great Russia is for capturing these criminals.

And what's all this talk about doing favors for the U.S.? Russia doesn't typically arrest criminals on behalf of the U.S. And we've seen how Russia lies to control the narrative.

So is any of this real? Did they really arrest anyone? I mean, there are so many more ransomware gangs walking freely in Russia today, like the Evil Corp ransomware gang. They've been identified and indicted, yet Russia hasn't touched them. Why just REvil? And they didn't extradite these criminals. No, they were just processed in Russia, and we have no idea what punishment they got.

I mean, shoot, for all we know, this arrest might have just been a way for them to recruit those hackers to go work for the Russian government and not actually bring these criminals to justice. It's extremely cloudy and suspicious what any of these arrests mean. Well, whatever happened, it did mean the end of REvil as we knew it.

They were around for about two years, and after the FBI indictment, they just fizzled out. But with this group being gone, it created space for new ransomware gangs to step up and fill the gap. There's the Evil Corp ransomware gang. There's Conti. There's LockBit. These are all doing the same exact thing that REvil did. And we don't know what the end of their stories are, but they are certainly attracting a lot of attention from authorities.

So I can only imagine those stories will probably end in a wild and crazy way. A big thank you to Will for coming on the show and telling us about what he's been so laser focused on for the last few years. You can follow Will on Twitter. His name there is BushidoToken. Or follow the Equinix Threat Analysis Center to see more information about malware they are tracking.

This show is made by me, the ticket jockey, Jack Rhysider. Original music by the spaghetti coder, Garrett Tiedemann. Editing help this episode by the linguistic analyst, Damien. Mixing done by Proximity Sound. And our theme music is by the super snoozer, Breakmaster Cylinder. What blood type is your computer? Mine is definitely type O. This is Darknet Diaries.