Everything You Need to Know About the REvil Ransomware Gang
Florida IT services provider Kaseya found itself in the headlines recently, after a brazen July 4th weekend attack by the REvil ransomware gang thrust the normally low-profile company into prominence.
REvil’s Attack Against Kaseya
Kaseya serves a commercial client base that prefers to outsource its IT services needs. The Kaseya ransomware attack was timed for a period of perceived vulnerability: a major American summer holiday weekend.
According to Kaseya CEO Fred Voccola, “While our early indicators suggested that only a very small number of on-premises customers were affected, we took a conservative approach in shutting down the SaaS (Software as a Service) servers to ensure we protected our more than 36,000 customers to the best of our ability.”
Voccola also added that the SaaS customers were not exposed to any potential danger and that any damages were limited to a very small fraction of Kaseya’s overall customer base.
In the wake of the attack, a message on Kaseya’s website urged customers to shut down their Virtual System Administrator (VSA) servers temporarily, warning that attackers will generally look to immediately “shut off administrative access to the VSA.”
On Saturday, July 3rd, Kaseya issued an update saying that, on expert advice, it was urging customers not to communicate with the hackers or click on any links provided by REvil, as doing so risks interacting with weaponized links or other scams.
According to Bloomberg, by last Saturday the attack had affected over 1,000 businesses in all. The damage was mostly limited to managed service providers, but since those providers in turn deliver IT services to other companies, the overall scope of the attack could grow.
What is REvil Ransomware?
REvil ransomware is a strain of malware similar to the Locky and CryptoWall strains. Like most other ransomware, once it has found an entry point it encrypts files on the target system and leaves a ransom note informing victims of their data's status.
The ransomware uses asymmetric encryption algorithms to encrypt the files, along with RSA-2048 encryption keys, to protect its handiwork from being cracked by security researchers.
REvil ransomware scans computers for all files that are non-executable and in use. The malware then encrypts these files using AES or RSA encryption techniques, and appends either the .REvil or .REVIL extension to each encrypted file's original name.
The ransomware then displays a ransom note informing victims that their files are inaccessible. REvil ransomware also alters the creation date and time of encrypted files to a more recent date. The size of the encrypted file is also reduced to 0 prior to its being renamed.
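As an added illustration (not code from the original article), a small defensive triage script that walks a directory and flags files showing the indicators described above: the appended .REvil/.REVIL extension, a zero-byte size and a freshly altered timestamp. The sample files it creates are constructed for the demonstration, and the rule for combining indicators is an assumption of this example.

```python
import os
import tempfile
import time
from pathlib import Path

# Extension the article says REvil appends (".REvil"/".REVIL"), compared case-insensitively.
REVIL_SUFFIX = ".revil"

def file_indicators(path, now, recent_window_s):
    """Return the article's indicators that apply to one file."""
    st = path.stat()
    reasons = []
    if path.suffix.lower() == REVIL_SUFFIX:
        reasons.append("revil_extension")
    if st.st_size == 0:
        reasons.append("zero_size")
    # The article says REvil rewrites timestamps to a recent date; on its own a
    # fresh timestamp is normal, so it only counts together with another indicator.
    if now - st.st_mtime < recent_window_s:
        reasons.append("recent_timestamp")
    return reasons

def triage_directory(root, recent_window_s=3600.0, now=None):
    """Walk root and flag files carrying the REvil extension, or at least two of
    the weaker indicators. Returns {file name: [reasons]} (flagging rule assumed)."""
    now = time.time() if now is None else now
    flagged = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        reasons = file_indicators(path, now, recent_window_s)
        if "revil_extension" in reasons or len(reasons) >= 2:
            flagged[path.name] = reasons
    return flagged

def build_sample_tree(root):
    """Constructed sample files (not real artefacts): one in the post-encryption
    state the article describes, plus two benign controls."""
    root, old = Path(root), time.time() - 2 * 86400
    (root / "report.docx.REvil").write_bytes(b"")   # renamed, 0 bytes, fresh stamp
    (root / "notes.txt").write_text("quarterly notes\n")
    os.utime(root / "notes.txt", (old, old))        # content present, old stamp
    (root / "empty.log").write_bytes(b"")
    os.utime(root / "empty.log", (old, old))        # zero bytes only: one indicator

def demo():
    """Build the sample tree in a temp dir and return the triage findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage_directory(tmp)
```

Only the renamed, zero-byte, freshly stamped file is flagged; the old empty log shows one indicator and is left alone.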
REvil’s History of Grabbing Headlines
Make no mistake, the REvil ransomware gang loves the attention it gets from attacking some of the more prominent targets globally. Earlier this year, Apple was targeted in a $50 million ransomware attack following a data breach at Apple vendor Quanta that leaked manufacturing schematics of future products.
Additionally, last year, they stole close to 1TB of legal secrets from megastars in the music, film, and political worlds, in an attack that even involved the sitting president. In their efforts to compel payment, they threatened to release ‘dirty laundry’ on then-President Donald Trump if a ransom of 42 million was not paid.
What Happens Now in the Aftermath of REvil’s Latest Attack?
The REvil gang is based in Russia, and US President Joe Biden has said that his government is unsure whether Russia was involved in this particular attack. “I directed the intelligence community to give me a deep dive on what’s happened, and I’ll know better tomorrow, and if it is either knowledge of and/or consequences of Russia, I told Putin we will respond,” Biden said during a recent trip to Michigan.
For now, Kaseya continues to publish regular updates about the situation.
Julio Rivera is a business and political strategist, the Editorial Director for Reactionary Times, and a political commentator and columnist. His writing, which is focused on cybersecurity and politics, has been published by websites including Newsmax, Townhall, American Thinker and BizPacReview.