The ransom note was both mocking and threatening: “Today we, the REvil Group, will provide data on the company’s upcoming releases that will be loved by many,” wrote the criminal hackers.
In the note posted on the dark internet, the group told the world that they had hacked an Apple supplier named Quanta Computer and wanted a $ 50 million ransom or they would release confidential internal documents. “Tim Cook can thank Quanta,” REvil wrote.
The blackmail attempt earlier this week marked a significant escalation for a well-known hacker collective. And experts tell CNBC that it could usher in a new era of encouraged ransomware attackers, protected and empowered to take over the world’s largest companies by Russian leader Vladimir Putin.
Cyber security experts in the US say the group has a long list of criminal activities against Western companies. Your analysis suggests that REvil – pronounced like the letter “R” followed by the word “wicked” – consists largely of native Russian speakers and is likely located in a former Soviet state. Whoever they are, they have a penchant for dark humor: REvil publishes its stolen documents on a website on the dark internet it calls “Happy Blog”.
“We know they are most likely protected by Russian intelligence or the Russian government, as are most of the ransomware groups that have allowed them to flourish in the past 18 months,” said Marc Bleicher of Arete Incident Response, one Cyber security companies negotiate with criminal hackers. According to Bleicher, his company has looked at REvil 32 times in the past 90 days.
“I think you know, based on what we’ve seen so far, this may only be the tip of the iceberg for the past few months, and you’ll see that organizations are the same size and stature as Apple,” said Bleicher.
That means more CEOs will have to adjust to the impact of ransomware and REvil’s shockingly direct intimidation tactics. Bleicher said a signature from the group stole a CEO’s personal cell phone number from the company’s computers and repeatedly called that CEO to personally mock him about the data loss and demand huge payouts.
Bleicher’s company has analyzed 173 previous REvil attacks and says they can see some patterns in how the gang works. One thing becomes clear: The name attack on Apple – and the $ 50 million demand – is vastly different from what REvil has done in the past. Thirty-one percent of the companies attacked by the group were professional services, not technology, Arete said. Nineteen percent were in healthcare and 16 percent in manufacturing.
According to Arete, the average ransom demand in the past has also been much lower at just under $ 728,000. After negotiating the price, the average ransom actually paid is even lower: just over $ 129,000.
It’s a remarkably business process with customer service desks, software support teams, and even a Craigslist-style marketplace to bring in new hackers to the company.
Bleicher provided CNBC with a job advertisement for REvil that he found on the dark Internet. In Russian it says: “We have 1 position for a person who gets access to networks that already have active access. On Monday we will announce one of our biggest attacks. We work around the clock. We are stable. We deserve.” Money.” – lot of money. We are waiting for you in our direct message. “
Charles Carmakal, senior vice president at cybersecurity firm FireEye, said his rough estimate is that the gang has raised a total of $ 100 million to date. That means a $ 50 million ransom would be a huge step for the group.
But everything in this criminal underworld is negotiable.
“I’ve seen other organizations ask for $ 50 million,” said Carmakal. “Nobody realistically pays that much money. They’ll try to negotiate on a number that is a bit more reasonable and feasible if they choose to pay.”
Carmakal said the huge ransom demand and high profile target in this case might be more aimed at getting attention – and scaring future victims – than this one case. One possibility is that the high-profile mockery and ransom note was only released after a private negotiation, which from the hacker’s point of view did not end well. Now they are using that for advertising and intimidation.
“These groups tend to amplify their messages and force victims, usually after they don’t feel the victim is ready to pay,” said Carmakal.
But why are companies sending these huge payments to criminal gangs in the first place? According to Carmakal, companies look at the scale of the potential harm and often conclude that they have no choice.
“A lot of companies feel compelled to pay because they don’t want this data published,” he said. “They feel obliged to their shareholders, partners or customers to prevent this data from reaching the free market.”
The last REvil attack is still in play. The gang requested payment from Apple by May 1, saying it would release more data every day. So far, however, no further Apple data has been stored on the dark internet.
According to experts, this could be an indication that negotiations on ransom payments are already underway.