Case Study: A REvil Ransom NegotiationSecurity Firm Elliptic Illustrates How Group Was Willing to Reduce Its Demands
The blockchain analysis firm Elliptic says much can be learned from studying how the REvil ransomware gang, whose online infrastructure went down last week, conducted its operations.
On Monday, Elliptic posted a research paper describing step by step a REvil attack conducted against what appeared to be a smaller business. The security firm says these details could potentially help law enforcement officials and others follow the money in ransomware attacks and potentially freeze the funds or identify the individuals behind the attacks.
"This research gives us unique insights into the entire lifecycle of a ransomware attack - from the initial malware infection and ransom demand, through the negotiation and payment process and finally the laundering of the funds," Elliptic says.
In the case study describing an early June attack, Elliptic noted that the REvil gang was willing to negotiate the size of the ransom it demanded as well as the payment price and manner of payment.
Elliptic says its research is based on information gathered using proprietary software designed to monitor and investigate cryptocurrency payments. The company says it also gained access to the negotiation process through a sample of the malware it had obtained. "This gave us access to the website used by the victim to communicate with REvil," says Tom Robinson, founder and chief scientist at Elliptic.
The company's software is designed to help law enforcement officials trace payments to cryptocurrency wallets. In the case study, the company monitored the wallets REvil used to receive a ransom from one victim. Further information was derived when company researchers obtained access to the ransom note as well as details on negotiations and bitcoin payments for the ransomware attack that proceeded REvil's July attack on the software firm Kaseya, Robinson says.
In the gang's attack on Kaseya, it used a zero-day vulnerability to deliver a malicious update to remote monitoring and management software, VSA, compromising about 60 of Kaseya's managed service provider customers and up to 1,500 of their clients.
REvil's online infrastructure went offline July 13. It remains unclear whether the disappearance was due to law enforcement action, an internal struggle within the gang or a technical issue
In its case study of an attack on one victim, which it did not identify, Elliptic did not describe how REvil gained access to the systems. But once its malware was downloaded and files encrypted, the malware left a text file containing the ransom note. The note explained the attack is "just a business. We absolutely do not care about you and your deals, except getting benefits."
The victim was directed to the "victim portal," where the ransom demand was displayed. The initial demand was $50,000 in monero to obtain a decryptor, but the attackers said this figure would double if it was not paid within a specified period of time, Elliptic reported. The ransomware gang provided instructions on how and where to buy monero.
REvil's victim portal offered a customer support chat function for victim to contact the attackers. In the case studied, one of the first conversations focused on the ransom amount.
The victim claimed the $50,000 ransom demand was more than it could afford, citing that its revenue was down due to COVID-19. The REvil gang immediately reduced the price by 20%, Elliptic reported.
The security firm said it could not determine if the victim company used a professional negotiator to get the ransom reduced. Many companies with cyber insurance have turned over negotiations to someone supplied by the insurer.
At this point, Elliptic indicated that the victim appeared willing to pay because it asked for proof that decryptor keys the gang would supply would actually work. The victim sent a few encrypted files to the gang, which it decrypted and returned as evidence that the decryptor worked.
At this stage, the type of cryptocurrency to be used to make the payoff became an issue, the security firm says.
"Many ransomware victims find it difficult to obtain the monero required to pay a ransom (not many exchanges support, especially in the U.S.), or do not want to pay in monero due to concerns about violating sanctions. Most of the ransomware response companies that negotiate and pay on behalf of victims simply refuse to pay monero ransoms," Elliptic says.
This victim followed this pattern, asking to pay in bitcoin, to which REvil consented, but it demanded the 10% surcharge, the security firm said. "This higher amount reflects the increased risk faced by REvil when accepting bitcoin payments due to its traceability," Elliptic said.
Once the victim and the attackers settled on payment using bitcoin, the victim asked for a lower ransom. The victim claimed the most it could pay is $10,000. But REvil quickly rejected that figure, and the victim offered to pay $20,000.
REvil came back with a $25,000 final offer. Elliptic said the victim made the payment, and REvil confirmed receiving it and then sent the decryptor key.
Once REvil received ransoms, it laundered the money so the cryptocurrency could be cashed out in a more easily used currency, Elliptic said. The gang's main goal was to obfuscate the trail so authorities could not follow the money.
"REvil must therefore attempt to launder the funds and break the transaction trail," Elliptic said. "They attempted this by "layering" the funds - splitting them and passing them through many different wallets, and by mixing them with bitcoins from other sources."
Money laundering for the ransom paid in the case study Elliptic provided is still ongoing a month after the attack, the security company says.