REvil’s Huge Apple Ransomware Gambit Looks to Pay Off

REvil is an ambitious criminal ransomware-as-a-service (RaaS) enterprise. It first became widely known in April 2019, after the demise of the GandCrab ransomware gang. The REvil group is also known as Sodin and Sodinokibi. It is notorious for attacking some of the world's largest organizations and for demanding enormous ransoms.

The gang timed its latest extortion attempt to coincide with an Apple product launch. The initial victim was Quanta, a Taiwan-based Global Fortune 500 electronics manufacturer that counts Apple among its customers. Quanta is contracted to assemble Apple products, including the Apple Watch and the MacBook Air and Pro, from Apple-provided design schematics; it also builds other vendors' hardware, such as the ThinkPad.

REvil recently breached Quanta's servers, stole files and held them for ransom. According to a published report, the group posted a statement on its dark-web leak site, dubbed the "Happy Blog", saying that Quanta had refused to pay the original ransom. After Quanta refused to pay to get its files back, REvil escalated by leaking a set of product blueprints and threatened to leak more every day until the ransom was paid.

To apply still more pressure, the gang added a cruel twist: it began leaking the stolen files just hours before Apple's Spring Loaded event on Tuesday, including schematics for some of the new iMacs Apple debuted there. The company took the wraps off a host of new products at the event.

The report quoted REvil's blog post:

"In order not to wait for the upcoming Apple presentations, today we, the REvil group, will provide data on the upcoming releases of the company so beloved by many. Tim Cook can say thank you Quanta. From our side, a lot of time has been devoted to solving this problem."

These launch events, once presided over by Apple co-founder Steve Jobs, have become extremely important to the brand and are now staged with great hype and fanfare from Cupertino. REvil is demanding $50 million from Apple by May 1 to return the files. And REvil does not make such threats idly: when the gang says it has a victim's files and will publish them if the ransom is not paid, it follows through.

Ivan Pittaluga, CTO of enterprise security firm ArcServe, said:

"The REvil ransomware gang doesn't make false promises. They're notoriously known for leaking data if their demands aren't met."

REvil's pressure on Apple

Recorded Future said someone claiming to be the group's spokesperson hinted last Sunday on a forum that the group was preparing its "loudest attack ever." REvil knows when to leak files for maximum effect, and, through ransoms or otherwise, the group is clearly growing: last fall, a person claiming to be its leader said it expected to make $100 million by the end of 2020.

REvil operates a ransomware-as-a-service business, providing material support to "affiliates" who handle the technical details of each attack. Under the gang's policy, affiliates keep 70 to 80 percent of the ransom. The affiliates are responsible for the initial intrusion work, such as wiping out backups and exfiltrating files, while REvil develops the software, delivers the encryptor and handles ransom negotiations and payment. The group's leader laid out this arrangement in an interview last fall.

In that interview, REvil's leader also teased a "big attack coming…linked to a very large video game developer." An international-headline-grabbing caper against Apple is exactly the kind of thing that might attract other would-be ransomware attackers to partner with REvil, whose proof of concept is all over the news. Beyond a likely big payday, the Apple attack is turning into a publicity coup for the REvil brand.

Chandra Basavanna, CEO of endpoint security firm SecPod, said in an email:

“It’s clear from these recent attacks that REvil has perfected its approach to extorting companies for large amounts of money with ease.”

REvil claimed to have hit nine organizations across Africa, Europe, Mexico and the United States last month. The group said it stole many files and documents in those attacks, and the documents appeared legitimate to those who reviewed them. Nor is the demand on Apple unusual for REvil, which has demanded such sums from tech leaders before: last month it demanded $50 million in ransom from computer maker Acer.

Even if Apple doesn't pay up, the cyberattack could still be lucrative for REvil. Oliver Tavakoli, CTO at Vectra, described REvil's likely motivations: "Quanta was likely a target of opportunity and was likely pursued not because it would pay a large ransom, but because it held confidential data belonging to many of its customers and those customers could be extorted for ransoms. Once the data had been extracted from Quanta Computer, the data was likely classified regarding its potential value and whether opportune dates loomed on the calendar which would help create more pressure on the target organization to pay. Apple met the criteria of deep pockets plus an upcoming product launch date. Growing tensions between the U.S. and Russia were probably a side benefit."

REvil might be connected with the Russian government, and its high-profile attack on America's largest tech company should be viewed as another act of aggression by Vladimir Putin, sending a signal to the new Biden administration.

"This attack is a direct challenge to the Biden administration from Russia. When the largest U.S. supplier of consumer technology and products is hit by this type of attack, the message from Russia to Western companies and governments is loud and clear: We can control you."

The attack on Apple follows the catastrophic SolarWinds breach, which the U.S. government has attributed to Russian-backed nation-state actors.

He further said:

"Russia is telling the United States that it can steal our blueprints and our IP – and that these types of attacks will continue bigger than ever with higher ransom demands. Putin will use the plausible deniability excuse and claim that the hacking group associated with the attack is not connected to Moscow."

As if on cue, the U.S. Department of Justice announced on April 21, the day after the Apple leaks, that it was launching a new ransomware task force whose work will range from "takedowns of servers used to spread ransomware to seizures of these criminal enterprises' ill-gotten gains," according to Acting Deputy Attorney General John Carlin. Whether such efforts will succeed, especially against gangs like REvil, is far from certain.

Tavakoli said:

"I have made it a policy not to guess what goes on in Putin's mind – but the fact that there would be tense relations between the Biden and Putin administrations was easy to predict, and each side is likely to deploy its vast array of pressure tactics which come up just short of a military confrontation."

Schrader said:

"The ever-growing dependence on digital technology will further increase this and the impact any ransomware case has on the society. State-sponsored cybercrime actors, or those actors who have a preference for a certain government or regime, will use their growing might to 'support' a certain policy position by that regime. Addressing this complex should be a priority task for any government, where the difficulty is to find the right combination of enforcement and encouragement, given that cybersecurity is still seen as a cost, not as an enabler of business resilience by many."

He advised:

"To avoid a similar fate, companies should actively patch any vulnerabilities in their network, frequently back up data to a separate location offsite or in the cloud, and conduct threat analyses continuously."


Source: The Hack Today