March 31, 2021 By David Bisson 2 min read

The threat actors behind the REvil ransomware strain claim they bring in annual revenues of over $100 million.

Inside the Lucrative REvil Gang

A spokesperson for Sodinokibi REvil ransomware disclosed the haul in an October interview on a YouTube and Telegram channel called Russian OSINT.

Flashpoint analyzed the Q&A and learned several factors had helped contribute to REvil’s purse.

First, the spokesperson revealed that the people they represented were not the original coders of REvil. They clarified that the latter had sold the ransomware’s source code to the former. Those threat actors had then added their own code on top of the existing REvil package. The second gang used certain encryption algorithms that set the improved REvil apart from other ransomware strains circulating in the wild.

Second, REvil’s adopted owners had moved to a Ransomware-as-a-Service (RaaS) model to boost profit.

What Is Ransomware-as-a-Service?

A RaaS scheme is exactly what it sounds like. Ransomware authors create a hierarchical system in which users can pay to add the ransomware into their own attack campaigns. They offer customizable dashboards and exploit generation tools.

This setup benefits the ransomware authors, too. It allows them to create more attack campaigns and claim a broader swath of users as victims. From there, they can increase profits.

RaaS deployments open up the world of ransomware. They enable people who might not have the technical acumen to code a new ransomware strain from scratch. They also let affiliates keep a percentage of the ransom payments from the additional attack campaigns.

Besides REvil, some other ransomware-as-a-service examples include NetWalker, LockBit and Smaug.

A Look Back at REvil Ransomware’s Recent Threat Activity

Back in June, KrebsonSecurity reported the ransomware enterprise had used their dark web data leaks site to announce their first-ever auction of a victim’s stolen data. The auction stated that buyers could receive three databases and over 22,000 files stolen by REvil from an agricultural company. Bids ran in increments of $5,000 with an initial bid of $50,000.

Next, the owners of REvil renewed their efforts to improve their ransomware. The first move came in September 2020. According to Sophos, REvil’s owners deposited $1 million into a payment pot as part of a blitz designed to hire more affiliates and ramp up activity. Less than two months later, ZDNet reported that the REvil gang had acquired the source code for KPOT infostealer in an online auction.

A researcher familiar with the auction said REVil’s users had likely acquired KPOT with the intention to “further develop” the malware and possibly add it to their growing list of digital crime tools.

How to Defend Against REvil Ransomware

Organizations can defend against a REvil infection by following anti-ransomware best practices. These guidelines include running (and often testing) data backups as well as creating a plan to prevent data theft.

A key part of this process involves using access controls to restrict the files and folders to which users maintain access. With these types of measures in place, ransomware actors won’t be able to use an employee’s compromised account credentials to steal data.

More from News

ONCD releases 2024 Report on the Cybersecurity Posture of the U.S.

4 min read - On May 7, the Office of the National Cyber Director (ONCD) released the 2024 Report on the Cybersecurity Posture of the United States. This new document is a report card on how well cyber policy followed the guidelines set by the National Cybersecurity Strategy, introduced in March 2023. Here’s what you need to know about the newly released report. Fundamental shifts in cyber roles Over the past year, the U.S. national cybersecurity posture was driven by the 2023 National Cybersecurity…

CISA wants private industry to publicly commit to Secure by Design

4 min read - The tech industry has the power to protect the world from nation-state threat attacks, cyber crime and those wanting to compromise data and manipulate critical infrastructure. But with this power comes great responsibility, which, to be honest, the tech industry has not been that interested in holding. But at the RSA Conference (RSAC) in San Francisco, the cybersecurity and tech communities took steps to exert some power and take responsibility. They took the Secure by Design pledge, a promise to…

Change Healthcare discloses $22M ransomware payment

3 min read - UnitedHealth Group CEO Andrew Witty found himself answering questions in front of Congress on May 1 regarding the Change Healthcare ransomware attack that occurred in February. During the hearing, he admitted that his organization paid the attacker's ransomware request. It has been reported that the hacker organization BlackCat, also known as ALPHV, received a payment of $22 million via Bitcoin.Even though they made the ransomware payment, Witty shared that Change Healthcare did not get its data back. This is a…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today