REvil member says gang targets organisations with cyber insurance for ransomware attacks

Pharmaceutical firms are also good payers, claims gang member 'Unknown'

An alleged member of the notorious ransomware gang REvil has divulged details about the group's activity, including the fact that they target companies with cyber insurance, prefer to remain apolitical, and (allegedly) have access to nuclear power plants and ballistic missile launch systems.

The REvil representative, who uses the alias 'Unknown' on dark web forums, talked to Recorded Future expert Dmitry Smilyanets, in an interview conducted in Russian and translated to English. The interview was also edited for clarity, according to Smilyanets.

REvil, also known as Sodinokibi or Sodin, is a ransomware gang that breaches company networks using spam, exploits, exposed remote desktop services and hacked managed service providers (MSPs).

Like many other ransomware groups operating today, REvil also runs a ransomware-as-a-service (RaaS) operation, in which developers sell malware to affiliates who use it to encrypt the devices of the target organisations.

In the interview with Smilyanets, 'Unknown' said that the business of ransomware (or cybercrime) has always been lucrative - even when there were only winlockers and SMS.

The REvil member said that targeting organisations with cyber insurance is "one of the tastiest morsels" for REvil operators. They disclosed that the gang likes to hack insurers first, then, after working through their customer list, return to hit those insurers with a destructive attack.

'Unknown' acknowledged that the Covid-19 pandemic has impacted their operations to some extent, with most targeted firms paying less than before.

Pharmaceutical firms are the exceptions, however, as they are doing good business during the pandemic.

"I think it is worth paying more attention to them. They are doing just fine," 'Unknown' said.

The gang member also had some advice for corporate negotiators: don't come in with too low an offer. If that happens, "We understand that the conversation with him is meaningless and we start publishing the data so that the owners of the network smack him upside the head for negotiating like that. And of course, after those kinds of tricks, the price tag only goes up."

The group avoids getting into politics, but also excludes targets in countries deemed too poor to pay and those in the old Eastern Bloc. Geopolitics, laws and patriotism are the primary reasons why REvil members avoid targeting entities in the post-Soviet CIS region, 'Unknown' said.

When asked about the possibility of ransomware being used as a weapon for cyberwar, 'Unknown' boasted that associates do have the capability to attack military hardware and essential infrastructure, but that any such attacks would be counterproductive.

"I know at the very least that several affiliates have access to a ballistic missile launch system, one to a U.S. Navy cruiser, a third to a nuclear power plant, and a fourth to a weapons factory. It is quite feasible to start a war. But it's not worth it - the consequences are not profitable."