Bitdefender, Law Enforcement Partnership Saves REvil Victims Half a Billion in Ransom Demand
More than three years ago, in February 2018, the Bitdefender DRACO Team released the first of many decryptors for a family of ransomware called GandCrab. Published just one month after the emergence of the first samples of this extremely powerful ransomware-as-a-service (RaaS) offering, this marked the beginning of a complex partnership with law enforcement agencies around the world on a strong commitment to curb ransomware.
Now, Romanian authorities have arrested two affiliates of the Sodinokibi/REvil ransomware family responsible for 5,000 infections. Since February 2021, law enforcement officers have arrested three other affiliates of Sodinokibi/Revil, bringing the total of Sodinokibi arrests to five, as well as two suspects connected to GandCrab. These are among the results of Operation GoldDust, a coordinated effort involving 19 law enforcement organizations (local LEAs in Australia, Belgium, Canada, France, Germany, the Netherlands, Luxembourg, Norway, Poland, Romania, South Korea, Sweden, Switzerland, Kuwait, the United Kingdom and the United States, as well as Europol, Interpol and Eurojust).
REVil (a.k.a. Sodinokibi) in 30 seconds
Short for Ransomware Evil, REvil is a private RaaS operation that first emerged in 2019. Deeply tied with the now-defunct GandCrab RaaS group, REvil leverages affiliates to infect companies and extort money. Since 2019, REvil has made a name and became the most common ransomware variant in the second quarter of 2021.
REvil has managed to compromise thousands of businesses around the world and was known to extort much larger payments from victims than the average market price. Companies that did not pay and attempted to restore from backups were blackmailed with the publication of their stolen confidential information.
In collaboration with a trusted law enforcement partner, Bitdefender released a free universal decryptor for REvil attacks that occurred before July 13, 2021. Since mid-September this year, the Sodinokibi / REvil decryptor has helped more than 1,400 companies in 83 countries recover their files and save over $550 million in unpaid ransom. The average ransom demands about $393,000, much higher than GandCrab’s average ransom of between $800 and $2400.
The Bitdefender DRACO Team provided cybersecurity consulting and guidance especially in areas of cryptography, forensics, and investigations that helped the law enforcement consortium in this operation minimize the impact of successful ransomware attacks, and eventually led to arrests. This collaboration with law enforcement is a prime example of the public and private sector working together to significantly disrupt cybercriminal activities.
Existing victims can download the REvil decryptor and take their data back. If you have fallen victim to a ransomware attack, we advise that you do not pay the ransom and inform your local law enforcement organization about the incident.
Ransomware best practices
- Ransomware attacks usually start with email phishing and social engineering. Educate and continuously train employees on the dangers of clicking links and opening attachments from unknown sources.
- Make sure security platforms such as endpoint detection and response (EDR) and extended detection and response (XDR) are updated with indicators of compromise (IOCs) to look for REvil and other popular ransomware families.
- Consider the managed detection and response (MDR) model to supplement an in-house security teams’ ability to perform active threat hunts.
- Minimize your attack surface and ensure legacy services or other unneeded services (such as RDP) are not exposed to the Internet.
If you are a law enforcement agency in need of technical expertise in ransomware cases, please connect with us at firstname.lastname@example.org
LuminousMoth – PlugX, File Exfiltration and Persistence Revisited
July 21, 2021
How We Tracked a Threat Group Running an Active Cryptojacking Campaign
July 14, 2021
A Note from the Bitdefender Labs Team on Ransomware and Decryptors
May 26, 2021
New Nebulae Backdoor Linked with the NAIKON Group
April 28, 2021
Good riddance, GandCrab! We’re still fixing the mess you left behind.
June 17, 2019