Interview with a hacker from REvil: "I rummaged through the garbage ... now I'm a millionaire"
Editor's Note: It cannot be denied that ransomware is currently generating huge profits for cybercriminals.
Some groups seeking to get rich are aggressively pushing boundaries. They are raising their claims to seven or eight figures, threatening to publish data online if payments are not made, and targeting hospitals and other vulnerable organizations.
One such group known for their daring and lucrative tactics is REvil, also known as Sodinokibi. The group provides ransomware as a service. Developers sell malware to partners who use it to block an organization's data and devices.
In addition to publishing casualty data on the Internet in cases where companies do not meet the requirements, REvil attracts attention with its
attempts to extort from then President Donald Trump and claims to receive $ 100 million in revenue from its activities. The group has big plans for 2021, according to a spokesperson for REvil, who uses the pseudonym Unknown.
Some of Unknown's claims, such as the existence of affiliates with access to ballistic missile launch systems and nuclear power plants, seem incredible - until you read the
reports that make them seem eerily
plausible.... Reord cannot verify the veracity of these statements. Unknown recently spoke with Recorded Future threat analyst Dmitry Smilyants about the use of ransomware as a weapon, non-interference in politics, experimenting with new tactics, and more. The interview was conducted in Russian, translated into English by a professional translator and revised for clarity.
Dmitry Smilyanets: Unknown, how did you decide to engage in blackmail?
UNK: To be honest, it was a long time ago. Since 2007, when winlockers and sms appeared. Even then, it brought a good profit.
DS: You deposited $ 1 million on a hacker forum and mentioned a $ 100 million income - given that you receive payments in cryptocurrency, you probably have half a billion dollars today. How Much Is Enough to Make You Ditch Ransomware?
UNK:You counted everything correctly. The deposit was withdrawn precisely because of the course. For me personally, there is no amount ceiling. I just love doing it and making a profit from it. There is never too much money, but there is always the risk of not having enough money. Although, speaking of advertisers, one thought that $ 50 million was enough and retired. However, after four months he returned - there was not enough money. Think about it.
DS: Earlier you said that you remain apolitical and you have purely financial motivation. But if you decide that you have made enough money, can your point of view change and you decide to influence geopolitics?
UNK:I really don't want to be a bargaining chip. We swung at politics, and nothing good came of it - only losses. With the current geopolitical relationship, we are making good money without any interference.
DS: What makes REvil so special? The code? Affiliates? Media attention?
UNK:I think it all works together. For example, this is an interview. It seems, why is it necessary at all? On the other hand, we will give it better than our competitors. Unusual ideas, new methods and brand reputation all produce good results. As I said, we are creating a new ransomware development branch. If you look at the competitors, then, unfortunately, many simply copy our ideas and, most surprisingly, the style of the text of our messages. This is good - they try to show that they are not worse than us, they try to reach our level and even strive to surpass in something. For example, with these versions of Linux and so on. But this is temporary. Of course, we are also working on all this, but with one caveat - everything will be much better. Therefore, a little slower.
REvil uses its "Happy Blog" on the darknet to advertise auctions for unpaid ransomware victims.
JS: Elliptic Curve Cryptography (ECC) was a really good choice [editor's note: ECC has a smaller key size than RSA-based public key system, which makes it attractive to affiliates] what else are you proud of, which part of the code? How do you decide when to add new features to your code?
UNK: IOCP search, reverse connection borrowed from crabs [carders], server side protection - many advantages, better read reviews. Personally, I really like the encryption system. It turned out almost perfect.
DS:I was impressed by the variety of packers and ransomware that I found in your malware. Are you selling them to others? I once saw one of them being used in a sample of the Maze malware. Are you selling them or did one of your employees go to a competitor?
UNK: Partners often switch, and because of that, there is such a variety.
DS: Pavel Sitnikov said that you bought the GandCrab code from Maxim Plakhtiy, is that true?
UNK : It's true that we bought it, but we don't know the names and stuff.
DS: Do you believe that ransomware is the perfect weapon for cyber warfare? Aren't you afraid that one day a real war might start?
UNK:Yes, these weapons can be very destructive. Well, I know from that a number of affiliates have access to a ballistic missile launch system, one to a US Navy cruiser, one to a nuclear power plant, and one to an arms factory. It is quite possible to start a war. But it's not worth it - the consequences are bad.
DS: What other regions besides the CIS [mostly post-Soviet republics] do you try to avoid? Which organizations never pay?
UNK: All CIS countries, including Georgia and Ukraine. Primarily because of geopolitics. Secondly, because of the laws. Third, we avoid some because of patriotism. Very poor countries don't pay: India, Pakistan, Afghanistan and so on.
DS:You mentioned earlier that you and your partners understand the risks of going abroad and do not travel. Do you think the "wind of change" can blow and local law enforcement agencies will pay attention to your operations?
UNK: If we get into politics, then yes. If we look at the CIS countries, then yes. In all other respects, we remain neutral.
DS: Are the old school criminals causing any problems?
UNK: No.
DS: What is your usual reaction when you see a gang of extortionists or their affiliate get charged or arrested? Netwalker and Egregor reduced their operations after the raids, how do you feel about that?
UNK:Neutral. This is a normal workflow. Due to the closure of Maze, we have only increased the number of partners. So for us, I would say, in a sense, it is positive.
DS: What is the maximum number of affiliates working with you at the same time?
UNK: 60.
JS: Are they quitting because they get involved with ransomware, or because they start working with other programs to get better rates? Do you face a problem when a partner goes to a competitor?
UNK:There are two options. 30% leave because they have earned enough. But, naturally, they always return sooner or later. In the second case, yes, they go to competitors who are dumping (up to 90%, etc.). Of course, this is unpleasant, but it is competition. This means that we must make sure that people come back. Give them what others do not.
DS: Some bands donate a percentage of their earnings to charity. What is your opinion on this? Who would you like to donate a million to?
UNK: Free projects to develop anonymization tools.
DS: How has your interaction with victim organizations changed since the beginning of the pandemic?
UNK:A lot has changed. The crisis is felt, they cannot pay the amounts that were before. Except for pharmaceutical companies. I think they should be given more attention. They are all right. We need to help them.
DS: Are your operators targeting organizations that have cyber insurance?
UNK: Yes, this is one of the most delicious dishes. Especially if you first hack insurers - get their client base and work purposefully. And after going through the list, you can take on the insurer itself.
DS: How do you feel about the ransomware negotiators? Is it easier to deal with professionals? Do they help or complicate the task?
UNK:70% is needed just to bring down the price. They often complicate the task. Well, for example, the company has $ 1 billion in revenue. They are extorted $ 1 million. A negotiator comes and says: we don't care, we won't give more than $ 15,000. Reducing the price to $ 900,000. He offers $ 20,000. Well, then we realize that talking to him is meaningless, and we start publishing data so that the owners of the network will kick him in the head for such negotiations. And, of course, after such tricks, the price only increases. Instead of $ 1 million, they will pay one and a half. Nobody likes hucksters, especially with show-offs. So more often than not, they do more harm. They only help when buying BTC or Monero. Everything else is harmful.
DS:Do you recommend any specific negotiators to compromised companies, or are they looking for one on their own? Not everyone has 100 BTC to buy back data, and it is not easy to get them in a short time.
UNK: We write to decent intermediaries so that they know the purpose and can establish a dialogue. We give good resellers good discounts so that they get a small profit and companies pay less. As for the timing, we can always allocate additional time. In general, if there is an understanding that you have to pay, but not so much, we will find a common language. But if we get crazy messages like "No money" or "We'll pay one tenth," you have no one to blame but yourself.
Links to REvil attacks are compiled from private and clandestine sources. Courtesy of Recorded Future.
DS: You said that you want to apply additional pressure with DDoS. How effective is this scheme?
UNK: We don't use it often, unlike calls. Calling calls gives a very good result. We call each target, as well as their partners and journalists - the pressure increases significantly. And after that, if you start posting files, well, that's just great. But ending DDoS is killing the company. Literally. I think we will take on the prosecution of CEOs and / or founders of companies. Personal OSINT, bullying. I think this will also be a very interesting option. But victims must understand that the more resources we spend before the ransom is paid, the more we will have to pay.
DS: Tell me a secret.
UNK:As a child, I rummaged through garbage cans and smoked cigarette butts. I walked 10 km one way to school. I wore the same clothes for six months. In my youth I did not eat in a communal apartment for two or three days. Now I am a millionaire.