REvil aka Sodinokibi Ransomware Operator interview — English Version

Sapphire
Nov 12, 2020


The world has been hearing the word ransomware a lot since WannaCry, and even today many hosts are, for various reasons, still compromised by or still carrying remnants of very old ransomware infections such as CryptoWall, WannaCry, Petya and even HiddenTear variants. However, the ransomware ecosystem has changed a great deal.

Ransomware has moved from crude automated code bundling publicly available or tailored leaked exploits such as EternalBlue (MS17-010) to lock and spread through the victim's network, to a completely new scenario in which ransomware operations use a complex model of developers, pentesters, money mules and a whole money-laundering system to turn the extortion into thousands or even millions of dollars.

Image from Bank Security about the RaaS model https://twitter.com/Bank_Security/status/1325544102503526401/photo/1

Some weeks ago, the Russian blogger and journalist Sergey Redkhant, owner of the channel Russian OSINT, uploaded a full 20-minute interview with a ransomware operator who is part of the development group of REvil, aka Sodinokibi.

This impressed many people because, at least as far as I know, it is the first interview with a threat actor involved in the RaaS (Ransomware-as-a-Service) model, and for several reasons it was very interesting to watch and listen to, especially for researchers, to understand a bit more about how they operate, their insights and their opinions. Since the interview is in Russian, I decided to go hands-on and transcribe and translate the podcast interview as best I could, out of a personal interest that other people may share with me.

Even though my Russian skills are not as good as I would like, I used my own language abilities together with the Russian auto-generated subtitles, which also helped to avoid the distortions that auto-translate tools introduce.

That said, I did my best, and I will keep this fixed and updated. This transcription is also available on Pastebin: https://pastebin.com/YBXgiGSS

Enjoy!

- REvil developers made a million-dollar deposit on a hacker forum; this is how loud the headline of an article on the website of Hacker magazine is. The journalist Maria Nefedova wrote in the article that the hackers want to prove to potential partners that they are serious. I myself, as a normal blogger, along with the audience, am interested in finding out what REvil is, or, as it is also called, "Sodinokibi", and of course in understanding how the ransomware program is used to get the ransom in case of a successful attack.

- REvil, or as it is called by vendors, Sodinokibi, is a ransomware written in C. The program encrypts user files, thereby losing access to them. For a successful attack you also need to eliminate backup copies, for example NAS and tape storage.
Very often they pay not for the fact of the encryption, but for the fact that these files are not publicly available. An example of how not to do it that I have in my memory is Travelex. As a result of our attack, they simply went bankrupt due to a drop in their shares.

- According to the journalists, REvil operates on the Ransomware-as-a-Service model. Under this agreement, affiliates and developers of the ransomware share the income received from the ransom payment. However, is it true that with this division of work, malware developers receive a 20% to 30% share while distributors are left with 70-80% of the total amount?

- Yes, that's correct. The main work is done by the software distributors, but I think it is fair.

- What's different in REvil compared to other ransomware programs such as Wannacry?

- REvil is not designed for mass (distribution). Wannacry was many groups of experiments, and unmanageable. It's too noisy and gets less than 100k dollars, very funny.
At least we do not have an "exploit" RCE (Remote Code Execution) like Wannacry did, thus it does not automatically infect other computers like a worm. On the external Internet, inside the network of course, the software itself connects to external devices and systems for maximum effect.

- How did REvil appear?

- We used such software before it disappeared. We just bought its source code and wrote our product for our objectives.

- What are the main competitive advantages of your product in comparison with the other top 5 ransomware? Why do your partners choose you?

- The encryption system. You can't do it without logic, no elliptic cryptography, no triple scheme. Key per file, key per system, key per affiliate. But they are more likely due to our competent work on receiving payments and technologies. Maze and we basically set the direction vector of the ransom as a whole, as branches.
We treat competitors quite neutrally and are always ready for a dialogue; very often this happens when one company is simultaneously encrypted by two lockers. If an agreement is not reached, both will be left without money.

- What does the first letter R mean? Is the word "REvil" for the word reborn, meaning rebirth?

- It is not that. REvil is an abbreviation of Ransom Evil. The idea came from Resident Evil.

- When getting ready for release, we need to admit that they fully realized how serious the ransomware business is, and in particular REvil is involved in a number of high-profile scandals. What are the top 3 publications REvil considers the most relevant?

- Travelex, Grubman and the 23 municipal districts of the State of Texas, I guess. There will be another noisy attack, but we won't advertise it yet. I can only say that it is associated with a very large game development (company).

- Some media (e.g. dailystorm.ru) wrote that in May 2020 you demanded 42 million dollars from US President Donald Trump. What did you decrypt that the firm used to protect its data? How did the story end? Did the US authorities make a deal with you?

- No, no. It was us who wished good luck to the NSA, FBI and US secret service in decrypting data. Not Trump but Allen Grubman paid money for the data. I won't tell you for how much money. The data was related to tax evasion schemes by companies affiliated with the Trumps.

- A one million dollar deposit is approximately seventy-seven million rubles at the current exchange rate. It seems to me that for you it is no secret: what is approximately the annual revenue for 2019 and 2020 compared?

- More than a hundred million dollars a year. If we talk about rubles, it is already far over a billion.

- Aren't you afraid that you will lose one million dollars if the forum is hacked or private keys are leaked, because, as you yourself hint in your posts, Western intelligence agencies are after you?

- We'll earn more. Money comes and goes.

- Does a team need more than 10 people to serve a complex product like REvil?

- If we talk about a development group, less than ten will be enough, but if we are talking about a group of pentesters then we need more than 10 guys.

- Why do you work in the Ransomware-as-a-Service model? Others do everything themselves from beginning to end; hacking does not require the use of encryption.

- We work this way, and according to the model the market has grown and the service is more profitable work; more profit is obtained in the end.

- As I understand it, this model allows you to scale your business faster.

- Definitely.

- What types of services do you currently provide to your partners?

- Negotiations, pressure on the organization, and, well, the software itself. Getting the ransom through encryption.

- When you are contacted by a partner with a request to provide a service, you provide the REvil software for rent. In other words, the partner does not manage the ransomware and does not know how it works. He only uses a ready-made product, right?

- We provide software and our own negotiation services. The partner's task is to infect, to destroy backups and to download files. Everything else is our work.

- If the organization pays the ransom, does the money go to you first and then you distribute it among the partners?

- The money is immediately automatically distributed by the system, but the wallet is of course ours.

- If you had a conflict with partners that you don't need to name, could you provide one example and how it was resolved?

- To be honest I don't remember. We have our own closed system, the selection is very strict and we don't even add inadequate personalities to our communications.

- Who is after you today: CIA, FBI, Secret Service..?

- Secret Service of the United States, Europol and infosec companies around the World. It's normal, the project was developed under a lot of pressure.

- Have there ever been cases when agents of the Secret Service, NSA or CIA, masquerading as partners, tried to gain your trust?

- Yes, but they post on general politics and social issues of the CIS countries, and when we talk about concrete and specialized work the guy refuses.

- Do you have a funny story from your experience when they tried to recruit you to solve an interesting case?

- Recruit, recruit... I don't know; we are apolitical, and I doubt the practical use of us as a special apparatus. If you remember Trump, there it is purely money, no politics; we do not care who will be President. We worked, we work and we will work.

- Did your partners try to hack you using phishing [...] or some other idea for a complex scheme?

- Partners don't, but infosec experts do. The most rare example, which you will see on your screen, is trying to break it every day. It's hard to actually break something you don't know. I'm an expert and I don't even know what OS builds are on the servers and which web server is just attacked through a shell.exe. Separate respect was created for such a scale and is able to hold such a defense.

- How do you feel about the infosec journalist Brian Krebs writing about you?

- I've read him. I'm neutral.

- Early in September 2020, BancoEstado, one of the three largest banks in Chile, had to close all its branches after a ransomware attack. It was written that the incident occurred because one of the employees of the bank opened a malicious Office document received by mail, which allegedly installed a backdoor in the network of the bank; in the night from Friday to Saturday, hackers took control and spread encryption through the network of the financial institution. It was reported that initially the experts of the bank hoped to quickly cope with the attack, but the damage was more serious than they thought.
Since the ransomware encrypted the vast majority of internal servers and employee workstations, details were not disclosed, but a source close to the investigation did not report that the bank's internal network was attacked by REvil.
Is this story true or is it made up?

- Indeed, it was our work. Very often companies conceal the source of the attack, as the company's reputation is important. This can especially cause a fall in their stocks.

- Recently a large ransom was paid by the Tyler Technologies company, approximately 10 million dollars. Do you know other interesting cases when ransomware took advantage of vulnerabilities in the systems of large technology companies? Can you give specific examples when saving on infosec resulted in large losses?

- Grubman & Travelex were both hacked via the old Pulse and Citrix. So it is actually stupid to get access to the entire network in 3 minutes simply because of a vulnerability that is being treated for repairs.

- In what percentage of cases do large companies pay for a secret deal with you to avoid media publication, so that they are not threatened due to a negligent attitude to security?

- One third of the cases.

- How honestly do you negotiate with companies in the event of a successful attack, and if the company pays the ransom in good faith, how can it be sure that you will not double the amount and will not demand the ransom again?

- Our reputation is important to us; it affects the conversion rate of boards as a percentage. There have never been any deceptions on our part and this will not be the basis; there will be a bad envelope, people will lose their reputation, and in such a case that is number one.

- Have you had cases from practice when it was not possible to decrypt the encrypted files after receiving the ransom? What went wrong and what couldn't you do by yourself?

- Yes, if you have previously tried to use third-party software to restore data: if you modify at least one byte of the file, the key will be lost. This happens especially often due to the antivirus, as it just deletes the notes and the keys within them. I say openly, such cases are extremely rare; I remember only 12 in all the time, and we never took the money. In the note there is a warning to victims. If they don't read it, it will be difficult for them.

- What industries are now the most attractive for ransomware attacks? Where is the most profit?

- IT providers, insurance, law firms and, especially and oddly, the agro-industrial companies.

- You do not personally engage in hacking and building the infrastructure; this is done by your partners, right?

- We have our own flying squad (fast response team) and also have partners doing this and that.

- A recent report by Microsoft said that an extremely effective attack is RDP brute force. What do you think, will the approaches change? Will the attack vector change?

- Brute force has been alive for 20 years and will stay alive. RDP is the best vector, especially if the BlueGate vulnerability hits them very hard.

- Do Android and iOS ransomware exist today? Is it profitable to do this, for example encrypting the phone's memory or the CEO's cloud storage? Will there be movement in this direction?

- You have to be absolutely repulsive as a person to do this. I am absolutely against it. Android and especially iOS is ideal for working the banking sector. I wonder what there is to encrypt, like the pictures in which you ate matza (мацa), but yeah, a strong damage to the owner.

- In your post on the forum, you write: "Our software has been repeatedly checked by Europol, Interpol, the FBI, the CIA, the NSA, the US Secret Service and other law enforcement agencies and special services of countries around the world. Our software has been used all over the world and has passed a security audit at the state level. The highest-class teams trust our software and were able to significantly increase their budget and improve the arsenal to work with. Together with us, newcomers who just downloaded the free version of msf, in just a month got the licensed software "Cobalt Strike", and after 6 months they already had 0-day exploits at their disposal for successful work. And there are enough such examples." Based on your text, I understand that you help and teach newcomers, that is, you have a whole hierarchy and a lot of work. This leads to the question: can newcomers earn money so quickly?

- Support will only help in negotiating; the technical details are learnt by themselves. Yes indeed, I've seen with my own eyes how fast one team went from earnings of 20k/30k US dollars to 7 to 8 million for one goal in six months. This is called competence and division of labor. We do not have a main one; what I answer now is purely my personal opinion, all decisions are made collectively. I appreciate and respect that a lot.

- So that young people don't go for easy money, I want to ask a question related to the risks of such activities. What are the main challenges for beginners in this activity, and how high are the stakes in your game?

- If you take the sphere of extortion seriously, I wouldn't be surprised if I got killed. I understand this; no one from our field will ever fly to the United States and similar countries, since the chance of getting caught by justice is not an option. We create serious problems and are virtually elusive. If we talk about terms, then two life sentences.

- Given that you are probably being hunted by the NSA and the CIA, what do you advise a paranoid person for safe communication, Tox or Jabber?

- To build operating systems and compile them personally, for example Gentoo. Also, for the paranoid, decentralized software.

- Can alternative coins still not be tracked by intelligence agencies?

- I believe that yes, on exchanges; and I rarely accept a large amount of Monero on deposit, it raises questions. That's why Monero can only be considered a transit means of payment.

- Do you do charity work, such as putting some of the money from your earnings into various open source software funds like Tor, the EFF (Electronic Frontier Foundation) or something like that?

- I will answer briefly, perhaps.

- According to Naked Security, your favourite attacks on a company's infrastructure are exploit kits, scanning techniques, exploiting RDP servers and installation of backdoors. Which type of attack do you think is the most effective of the above?

- I don't know how to get into the infrastructure through a bunch of exploits, for example RIG; it is written somehow incorrectly. The best method for me personally is to catch the sysadmin's authorization data from a regular infostealer and get full access to the organisation's MSP. I am not telling you this out of thin air; it was in practice. The organisation was marked with six zeros and RDP attack exploits. For very important purposes, calls with spam distribution.

- How do you think the ransomware market will change in the next two or three years? What global movements or changes will there be in the market?

- Yes, everything is moving in the direction of merging and files; they encrypt them. This is just a nice addition. Personally, the idea of SunCrypt has not been adjusted: infrastructure sites are shared with encrypted files, and the threat of their publication is very strong pressure. We are developing this idea at the moment.

- When you earn a lot of money, do you think you can personally stop at the right time, or is the process associated with a lot of risk, and money like a drug?

- Speaking for myself, it's time to stop. The money will last for hundreds of years, but money is never too much; it's always not enough.

- Give us the funniest resume, maybe an autobiography, that you have come across from candidate partners in all this time.

- There are actually a lot of them; the most average is the one who wants to buy and wants to work with you. It's rare for really talented people to actually write. I think everyone has already joined affiliate programs. Therefore, I personally think of betting on the young ones. Give them a chance to prove themselves and they will show their competitors fully. Let them go to them; demand is high, no offense.

- While doing what you do, is travel possible?

- Of course not, there are no options.

- Well, in the end I want to ask a couple of joking questions that can be answered with humour. How do you recognize a woodcutter who wants to make friends with you?

- He very insistently asks to invade your sweet system with maximum rights. In a word, an egoist.

- On behalf of REvil, try to describe your life in one word.

- More!

- What does your secret dream look like?

- A billion dollars, then two billion; if you are in a good mood, then 5 billion.

- My subscribers and I are interested in finding out where you live: at what metro station, street and house number.

- Nikita Kubikov or Nariman Namazov somewhere in the middle.

- How did you end up doing this?

- When I was little, I installed Chlenix and liked it everywhere.

- Could you advise beginners?

- Eat more often and drink better, but if you are serious: study, read, try. Everything will work out, everything is real.

Sapphire

Kimchi and Ransomware. Incident Responder and sort of malware analyst in my free time. Personal blog, opinions are my own.