REvil Ransomware Hackers Get a Taste of Their Own Medicine. Is It Too Little, Too Late?

11/24/21

Max Sheridan


A month ago, Yaroslav Vasinskyi was taking a short vacation after a week of heavy work when Europol agents arrested him at the border of Poland. It was baffling for Vasinskyi, a 22-year-old hacker from Ukraine with over 2,500 ransomware attacks under his belt. It almost didn’t seem fair.

International cybersecurity agencies turn the tide on ransomware attacks with arrests in four countries

Vasinskyi was a member of one of the world’s most notorious ransomware hacker collectives, REvil, aka Sodinokibi, a well-heeled criminal outfit with a lucrative side business in Ransomware as a Service (or RaaS). Up until the arrest, Vasinskyi and his crew had been untouchable. They just weren’t the kind of people who got stopped at borders and thrown in jail.

Something was wrong, and for the first time in his career Yaroslav Vasinskyi wasn’t the one pulling the strings.

Say Hello to REvil, Your Neighborhood Ransomware Service Provider

Ransomware as a Service isn’t a typo. It’s a criminal variant of SaaS (Software as a Service), one where criminal coders create programs for carrying out ransomware attacks and sell them to bush-league grifters who don’t have the brains to do it themselves.

Imagine a software service like Google Drive. Instead of paying Google a monthly fee for cloud storage, you’d pay a RaaS provider like REvil in crypto and they’d “lease” you the software you needed to, say, break into Nike and extort millions from them. In return for their services, REvil would take a 20-30 percent cut of your haul.

On the flip side, if you fell victim to REvil or any of its affiliates, you were in for a double whammy. Not only would the hackers lock down your data, they’d threaten to leak it on their website, Happy Blog, if you didn’t pay them their “ransom” by their zero hour. That is exactly what they did to their first big victim in May 2020, the media law firm Grubman Shire Meiselas & Sacks.

Ransomware Fact: Even if you do pay a ransomware hacker to get your data back, chances are you’ll lose up to 45 percent of it by the time you finally free yourself from their clutches. [1]

A Path of Destruction From Business to Home

Up until Vasinskyi’s arrest last month, REvil had been doing well for itself as both a distributor and agent of ransomware hacks; it racked up an impressive resume of high-profile targets and a grand total of $200 million in ransom.

JBS Foods USA, the gigantic meat producer, and Kaseya, a producer of IT management software, had been prominent targets. REvil had even wormed its way onto the network of the Taiwanese Apple supplier Quanta.

But even at the height of their crime spree, REvil was hacking on borrowed time. U.S. Cyber Command (CYBERCOM) had already infiltrated their network by September 2021, the tail end of a years-long stakeout by the forensics unit at cybersecurity company Bitdefender, which had been tracking REvil since the group first popped onto our radars in 2019. Europol was now poised to strike.

The rest is history. Along with the arrest of Vasinskyi and fellow REvil grifter Yevgeniy Polyanin, a Russian national, more arrests followed in Kuwait, Romania, and South Korea, the hardest-hit country on the list. South Korea was a particularly difficult case because REvil had targeted thousands of households there, not just businesses.

And that may be the most troubling fact to emerge from the Europol sting.

The Next Wave of Ransomware Attacks May Be Personal

The damage ransomware hackers have done to businesses and critical infrastructure around the world has been catastrophic, with the average payout jumping by 82 percent in the first half of 2021 to $570,000, according to a report by cybersecurity experts Palo Alto Networks. [2]

But if the rash of personal attacks in South Korea is any indication, a new wave of “domestic” ransomware attacks — masterminded by REvil lieutenants in Russia and carried out by thousands of invisible operatives around the globe — may be on the way.

And it isn’t clear, even after the latest crackdown, if the international cybersecurity community is in any position to stop them.

Ransomware Fact: In May 2020, REvil hackers tried to extort $42 million from President Donald Trump, claiming they’d found Trump’s data among the trove they’d swiped from the entertainment law firm Grubman Shire Meiselas & Sacks earlier in the month. Their attempt was unsuccessful.

You’ve Been Attacked by a Ransomware Hacker. What Now?

Despite all their success, most of REvil’s “affiliates” are two-bit grifters who play the odds. The more malware they spread, the higher the chances they’ll get a nibble.

But these days the nibbling is good. Phishing emails and SMS have gotten fiendishly sophisticated. Hackers can pretend to be your bank, the post office, even the IRS. And nothing is off-limits anymore, as we’ve seen with 2021’s stomach-turning wave of COVID scams.

So, no matter how tight your digital hygiene game is, you should still be prepared for the worst-case scenario. Here are four ways to ensure you don’t get in over your head.

1. Don’t pay

If a thief sneaks onto one of our devices, it’s scary. We get emotional. For a lot of us, our first reaction is to reach for our wallets. Don’t do that (or at least think twice about paying the ransom). There’s no guarantee you’ll get anything back anyway. Instead, focus on step two.

2. Shut your router down and disconnect

Going offline will stop the ransomware on your device from talking to the hacker who put it there. If you’re outside the house, toggle off your Wi-Fi. Hopefully, you’ve been practicing good digital hygiene and you’ve got your important files backed up in the cloud or on an external hard drive.

3. Document the hack

Take a picture of the “ransom note,” the bad link you clicked or tapped to trigger it, and any Bitcoin payout address the thieves sent. Don’t screenshot if you’re on a laptop or tablet; use a virus-free phone.

4. Report and get help

If you know your way around your network and your OS, you can try visiting No More Ransom and decrypting your device yourself. Conveniently, No More Ransom has links to the reporting websites of 40 countries.

Otherwise, you can report the hack directly to CISA (Cybersecurity and Infrastructure Security Agency).

Then get help from a local cybersecurity or IT specialist.

The Bottom Line

Hacking the hackers is sending an important message to cybercriminals. But REvil’s affiliate network is widespread and agile. As long as the feds have got their eyes on the big game, there’s nothing to say that smaller hacker cells won’t be happy to prey on bite-sized victims, like households, as they did in South Korea. And as long as they are, households everywhere should be on high alert.

Citations
1. Schiappa, Daniel. (2021, July 13). With Ransomware Costs On The Rise, Organizations Must Be More Proactive. Forbes. https://www.forbes.com/sites/forbestechcouncil/2021/07/13/with-ransomware-costs-on-the-rise-organizations-must-be-more-proactive/?sh=1ecbb8fb2dd5

2. Baylor, Ramarcus. (2021, August 9). Extortion Payments Hit New Records as Ransomware Crisis Intensifies. Palo Alto Networks. https://www.paloaltonetworks.com/blog/2021/08/ransomware-crisis/