REvil Ransomware Operators Demand $260,000 Ransom From Their Victims On Average

✨ Megiddo

Information security specialists from the Danish provider KPN sinkholed the servers of the REvil (Sodinokibi) ransomware and gained insight into one of the biggest extortion threats today.

Let me remind you that REvil works under the “ransomware as a service” (RaaS) scheme, that is, the malware is leased to various criminal groups. Because there are so many groups, and because REvil is highly customizable, it is extremely difficult to monitor all of the encryptor's operations and the numerous partner campaigns that distribute it.

However, KPN experts managed to apply sinkholing and intercept the messages exchanged between ransomware-infected computers and the REvil management servers. The researchers write that they collected unique information about REvil operations, including the number of active infections and the number of infected computers per attack, and even learned the order of magnitude of the sums the hackers demand from their victims as ransom.

Analysts watched REvil for about five months and found more than 150,000 unique infections worldwide. These 150,000 infected machines were linked to only 148 REvil samples. Apparently, each of these samples represents a successful infection of a company's network. Moreover, some attacks are huge, encrypting more than 3,000 unique systems. The researchers note that only a few of these attacks were discussed in the media, while many companies stayed silent about being compromised.

REvil attacks
According to KPN, in recent months REvil operators have requested ransoms totaling more than $38,000,000 and, on average, extort $260,000 from victim companies. In some cases, the ransom amount was $48,000, which is less than the average REvil level but still much more than the usual $1,000-$2,000 that other extortionists demand from home users.

If REvil manages to infect several workstations in the company’s network, the average ransom amount rises to $470,000, and in many cases the attackers' demands exceeded $1,000,000.

It is not clear how many compromised companies agreed to pay the ransom to REvil operators, but the KPN study indicates that the amounts other information security experts previously wrote about seem to be far from reality.
 