REvil recruits affiliates to distribute the ransomware for them. As part of this arrangement, the affiliates and the ransomware developers split the revenue generated from ransom payments. Their exact location is difficult to pinpoint, but they are thought to be based in Russia because the group does not target Russian organizations or those in former Soviet-bloc countries.
The ransomware code used by REvil resembles the code used by DarkSide, a different hacking group. Because REvil's code is not publicly available, the overlap suggests that DarkSide is an offshoot or a partner of REvil. REvil and DarkSide use similarly structured ransom notes and the same code to check that the victim is not located in a Commonwealth of Independent States (CIS) country.
Cybersecurity experts believe REvil is an offshoot of a previous notorious, now-defunct hacker gang, GandCrab. This is suspected because REvil first became active directly after GandCrab shut down, and because the two ransomware families share a significant amount of code.
The group is known for stealing nearly one terabyte of data from the law firm Grubman Shire Meiselas & Sacks and demanding a ransom not to publish it. The group has attempted to extort other companies and public figures as well.
In May 2020 they demanded $42 million from US president Donald Trump. The group claimed to have obtained the data by deciphering the elliptic-curve cryptography the firm used to protect it; the claim is not credible, since breaking properly implemented elliptic-curve cryptography is beyond any known attacker, and a compromise of the firm's network is the usual route to such data. According to an interview with an alleged member, they found a buyer for the Trump information, but this cannot be confirmed. In the same interview, the member claimed that they would bring in $100 million in ransoms in 2020.
On 16 May 2020, the group released 2.4 GB of legal documents related to the singer Lady Gaga. The following day they released 169 "harmless" e-mails which referred to Donald Trump or contained the word 'trump'.
On 30 May, JBS S.A. was hit by a ransomware attack which forced the temporary shutdown of all the company's U.S. beef plants and disrupted operations at poultry and pork plants. A few days later, the White House announced that REvil may be responsible for the JBS S.A. cyberattack. The FBI confirmed the connection in a follow-up statement on Twitter.[23] JBS paid an $11 million ransom in Bitcoin to REvil.
On 11 June, Invenergy reported that it had been hit by a ransomware attack. REvil later claimed responsibility.
On 2 July, hundreds of Managed Service Providers had REvil ransomware dropped on their systems through Kaseya's VSA remote management software. REvil demanded $70 million to restore the encrypted data. As a consequence, the Swedish grocery chain Coop was forced to close some 800 stores. (Wikipedia)
VietPress USA News
Hackers behind holiday crime spree demand $70 million, say they locked 1 million devices
The hacker gang behind an international crime spree that played out over the Fourth of July weekend say they've locked more than a million individual devices and are demanding $70 million in bitcoin to set them all free in one swoop.
The gang, the Russia-connected REvil, is best known for previously hacking JBS, one of the world's largest meat suppliers, and briefly halting its operations across much of North America. But this attack's potential scope is unprecedented, according to some cybersecurity experts.
REvil began its spree Friday by compromising Kaseya, a software company that helps companies manage basic software updates. Since many of Kaseya's customers are companies that manage internet services for other businesses, the number of victims grew quickly. Instead of locking an individual organization, as ransomware gangs usually do, REvil this time locked each victim computer as a standalone target, and initially asked $45,000 to unlock each one.
President Joe Biden has "directed the full resources" of the government toward investigating the problem, he told reporters Sunday.
The Swedish grocery chain Coop is the largest known victim, and was forced to close most of its roughly 800 stores all day Saturday. Its registers were all controlled online by Visma Esscom, a Kaseya customer, and locked up and rendered unusable.
Exactly how many systems have been infected is unknown, though the number is likely sizable. The cybersecurity firm Huntress, which is helping Kaseya's response, is aware of more than 1,000 individual businesses that have been affected so far, it said.
REvil's claim that they have compromised more than a million devices in this spree is impossible to prove, given how few victims are speaking publicly and the fact that no government or company has a database of everyone who was hit. But that number is plausible, said Mikko Hypponen, a researcher at the cybersecurity company F-Secure, given that this strain of ransomware infects each device individually.
"Think about a retail chain, like grocery retail," Hypponen said. "Every single cashier system is an endpoint. Every laptop. Everybody in the sales has a system, multiple servers. 200 stores, 300 stores, they alone would have thousands of endpoints. And if a thousand Coop-like companies were infected, yes, you would have a million endpoints."
Regardless of the actual number of victims, it's extremely difficult to imagine victims banding together to jointly pay $70 million, said Allan Liska, an analyst at the cybersecurity firm Recorded Future.
"Despite the braggadocio in their note, I actually think it is actually a sign they are overwhelmed," Liska said.
A million victims that each paid $45,000 would be a profit of $45 billion, he noted.
"They are low balling themselves at $70 million," he said.
====
Hạnh Dương
www.Vietpressusa.us