The REvil ransomware (Sodinokibi) operation deposited $1 million on a Russian-speaking hacker forum to attract experienced hackers to join its cybercrime activities. The ransomware gang sought candidates with penetration testing experience using popular exploit toolkits. Individuals who had the skills but could not secure employment were invited to apply. Experts believe that the ease with which the gang floated the offer reflects how profitable the ransomware business has become.
Organization of REvil ransomware gang
The REvil ransomware gang operates on a ransomware-as-a-service (RaaS) basis and is composed of two teams. The development team builds and maintains the ransomware and the payment site. The second team consists of affiliates whose main job is to breach organizations’ networks and encrypt their computer systems. REvil operators split the profits between the two groups – the ransomware developers receive 20-30% while the affiliates keep 70-80% of the ransom payments they generate. Potential affiliates are vetted and interviewed before they can join the program.
REvil Ransomware deposits $1 million on a hacker forum
REvil has deposited 99 bitcoins, or approximately $1 million, on a Russian-speaking hacker forum with the aim of recruiting new affiliates. The deposit was made by a REvil ransomware representative called “Unknown.”
As part of this recruitment drive, the gang announced that it was looking for teams of skilled penetration testers or experienced individuals. Candidates were expected to have experience with the Metasploit Framework (MSF), Cobalt Strike (CS), and Koadic, an open-source penetration testing tool and Windows post-exploitation rootkit.
Other desired skills include operating Network Attached Storage (NAS) or tape, which organizations use for backing up data. Ransomware operators encrypt or delete these storage devices to prevent organizations from restoring data from backups. The operators also wanted candidates with experience in Hyper-V virtualization technology.
The hacker forum allows participants to deposit bitcoin into a wallet managed by the site administrators. It operates transparently, so members can see the transactions made by other users. Such deposits can be used to buy illicit products on the forum.
Ransomware operations are extremely profitable
Surprisingly, the REvil operators were not afraid of the forum administrators pulling an exit scam and stealing the money. This is because ransomware operations have become so profitable that cybercriminals can spend money worry-free.
Another cybercrime gang, GandCrab, shut down its operations after making a comfortable retirement out of encrypting computer systems. The group disclosed that it earned an average of $2.5 million per week and over $150 million per year. The gang used to charge $2,500 to decrypt each device, rising to $5,000 after four days. The same group is possibly behind the REvil ransomware.
As long as organizations keep paying millions of dollars to recover their encrypted files, cybercriminal gangs will continue getting richer and upgrading their criminal activities. Experts advise organizations to reject payment demands to avoid funding the criminals.
The fact that ransomware gangs are recruiting top talent at competitive rates will transform the industry, making it as prestigious and competitive as working for major tech firms such as Google and Facebook. Some top talent from major tech firms may cross over due to temptation or job loss. It is likely that many users on the hacker forum already fit this description.
Commenting on the news, Ilia Kolochenko, founder and CEO of the web security company ImmuniWeb, said that current cybercrime operations had shifted towards organized crime.
“The modern cybercrime industry is exceptionally well-organized compared to the cybersecurity industry. While most cybersecurity startups have access to venture funding while losing money, cybercriminals need to be profitable from day 1, so they have no time for mistakes.”
He added that cybercriminals were continually working to defeat organizations’ cybersecurity experts occupied with other business concerns.
“Ransomware extortion tactics, which are now successfully expanding into the cloud and IoT, are a virtually riskless and highly reliable way to make victims pay. Cryptocurrencies preclude most of the investigations and provide a fairly easy way to cash out the loot.”
Kolochenko said that working from home opened up an attack surface that cybercriminals were eager to exploit. He pointed out that cybercriminals are opportunists who choose the route of least resistance: “They need no 0day or expensive APT tactics; they just pick up an easy target from a myriad of low-hanging fruit.”
Kolochenko also pointed out that many experienced cybersecurity professionals may be switching sides because of economic hardship, especially during the coronavirus pandemic.