Large wave of ransomware attacks
The Check Point Research Security Team describes the current wave of ransomware attacks as a ransomware pandemic and warns that this trend will continue to intensify. One of the most dangerous groups is the Russian hacker association REvil.
REvil is one of the most famous ransomware families. The family, run by the Russian-speaking REvil group, has been responsible for dozens of major break-ins since 2019. One of the key factors in REvil’s success is its use of double extortion (“Double Blackmail”) as a tactic: the attackers not only demand a ransom for decrypting the data, but also threaten to publish the previously stolen information if the ransom is not paid.
REvil is also known for its collaboration with partner hackers (affiliates) who are responsible for breaking into new targets, exfiltrating data and encrypting networks. In turn, the REvil group provides these affiliates with the ransomware itself, the leak site and everything related to the money, from negotiation to payment.
In February 2021, the REvil ransomware group announced that it had expanded its double extortion scheme by two further stages: DDoS attacks and phone calls to the victim’s business partners and the media. The group now offers DDoS attacks and voice-encrypted VoIP calls to journalists and business contacts as a free service to its affiliates, to put further pressure on the victim company to meet the ransom demand within the given timeframe.
In April 2021, REvil demonstrated a technique we call Triple Blackmail (triple extortion). The gang broke into Quanta Computer, a well-known notebook original design manufacturer (ODM) based in Taiwan and a prominent business partner of Apple. After the ransomware attack, a payment of around 50 million US dollars (41 million euros) was demanded from the manufacturer, along with a warning that the sum would be doubled if it was not paid on time. Since the company refused to communicate with the threat actors, they proceeded to blackmail Apple directly, demanding that Apple buy back the blueprints of its products that had been found on the Quanta Computer network. Oddly, about a week later REvil removed Apple’s drawings from its official data leak website.
An interesting side development: after the DarkSide ransomware attack on Colonial Pipeline in the US and the subsequent international pressure from law enforcement agencies (US President Joe Biden wants the CIA to take action against hacker groups worldwide in the future), large Russian underground communities have banned the promotion of ransomware affiliate programmes such as REvil. It remains to be seen how this will affect ransomware operations in the future.
Christine Schönig, Regional Director Security Engineering CER, Office of the CTO, Check Point Software Technologies GmbH:
“With the outbreak of Covid-19, cybercriminals have used this global crisis to launch a cyber pandemic in parallel, i.e. a wave of cyber attacks.
In the meantime, it has emerged that this wave is particularly manifested in the form of ransomware and that we are clearly in the midst of a ‘ransomware pandemic’.
Right now, such attacks dominate the headlines at home and abroad, from Colonial Pipeline to JBS to the Massachusetts Steamship Authority. In the US in particular, hackers are targeting everything from gas pipelines to hamburgers, but they are not idle in Germany either (currently favouring mid-sized companies). We suspect it will get worse because the ransomware business is paying off. This is particularly sensitive: the more companies pay the ransom, the more they fund the hackers’ research and development, enabling even more sophisticated attacks. The Triple Blackmail technique, in which hackers blackmail not only their targets but also the customers and partners of the affected targets, is a good example of this progress. It’s safe to say that ransomware is now one of the biggest national security threats, and for some sectors, such as healthcare, it’s probably already the biggest threat.”