Modern Australian
The Times

What do we know about REvil, the Russian ransomware gang likely behind the Medibank cyber attack?

  • Written by Andrew Goldsmith, Matthew Flinders Distinguished Emeritus Professor, Flinders University

Australian Federal Police Commissioner Reece Kershaw on Friday confirmed police believe the criminal group behind the recent Medibank cyber attack is from Russia. Kershaw said their intelligence points to a

group of loosely affiliated cyber criminals who are likely responsible for past significant breaches in countries across the world.

Kershaw stopped short of naming any individuals or groups.

But experts suspect the attackers belong to, or have close links to, the Russian-based ransomware crime group, REvil.

The attack so far involves a multimillion-dollar ransom demand made to the medical insurer for data on individual clients stolen in the earlier stages of the attack. The attackers originally threatened to release sensitive personal medical records, and then on Wednesday released hundreds of records onto the dark web.

Such attacks cause enormous personal stress for those whose data is exposed, as well as considerable reputational damage to the entities holding the data.

At the time the Medibank attack was publicly announced, Home Affairs Minister Clare O’Neil described the illegal action as a “dog act”.

Since then, our cyber security agencies, including the Australian Federal Police and the Australian Cyber Security Centre, have been scrambling to respond.

Gaining a better understanding of the groups behind these activities is therefore vital, but challenging.

So what do we know about REvil?

Hackers for hire

The group’s name is said to be a contraction of the words “ransom” and “evil”. It’s based in Russia, although its network of “affiliates” extends into Eastern Europe.

The view that the attack is the work of REvil is based partly on links observed between existing REvil sites on the dark web and the extortion site now hosting some of the stolen Medibank data. Further information will undoubtedly come to light in the coming weeks to confirm or alter this assessment.

But the nature of this attack is consistent with the approach and motivations shown previously by REvil.

The group emerged in early 2019, having evolved from an earlier “ransomware as a service” (RaaS) group known as GandCrab.

According to one scholar, Jon DiMaggio, under the RaaS model REvil relied on

hackers for hire, known as affiliates, to conduct the breach, steal victim data, delete backups and infect victim systems with ransomware for a share of the profits.

As we have also seen in the Medibank case, another tactic of this group is to engage in double extortion, whereby failure to pay the ransom leads to the stolen data being leaked or sold in underground forums on the dark web.

REvil was particularly active in 2021. This included the highly damaging ransomware attack in the United States on Kaseya, a managed services provider. REvil posted a ransom of US$70 million for a universal decryption key to restore victims’ data.

Australia was also touched by REvil in 2021. The group attacked JBS Foods, a major producer with operations in Australia as well as Brazil. The impact on Australian meatworks operated by JBS seems not to have affected supplies of meat, thus drawing less public attention than we have seen in the Medibank case.

Unstable and slippery

Shortly after the Kaseya attack, in late 2021, REvil appeared to shut up shop, following leakages of information from their hacked data site and increased pressure from law enforcement.

However ransomware groups such as REvil are notoriously unstable and slippery. Various factors contribute to this instability, including law enforcement pressure and greed. There’s little honour among this species of cyber “thieves” when personal survival and enrichment are at stake. The RaaS model also relies upon loose networks of associates that inevitably change over time.

Further evidence REvil was in retreat came in January 2022, just a month before Russia’s invasion of Ukraine. Russian law enforcement authorities announced they had arrested some 14 alleged members of REvil.

For a brief time, Western observers hoped the Russian action might be effective in constraining future ransomware attacks by the group.

But since the invasion in February this year, any pretence of cross-border cooperation in tackling these Russian groups has evaporated. Moreover, those arrested are believed now to likely be free and back in business.

Read more: Holding the world to ransom: the top 5 most dangerous criminal organisations online right now

Russian ransomware groups have close informal links to Russian security agencies such as FSB, the Russian internal security agency. These links provide the group (and other Russian cybercrime groups) a degree of licence to carry on their activities on the strict understanding their targets must lie outside Russia.

In some cases, although not so clearly in the case of REvil, these groups have expressed geopolitical motivations, directing cyber attacks against Ukrainian targets and those of countries seen to be supporting Ukraine. The Conti ransomware group is an example here of a group that publicly declared its support for Russia over Ukraine.

In the Medibank example, the group behind it appears simply driven by financial gain. Medical facilities such as hospitals have proven popular targets for ransomware groups because of their sensitive information holdings and hence vulnerability to pressure to pay.

It seems REvil, or at least a close genetic descendant, is back in business. What we’re currently seeing is consistent with prior experience with this group: appearing, disappearing and reappearing, sometimes in a slightly altered shape.

Dealing with it is difficult, a bit like a game of whack a mole – the offenders all too easily disappear and then pop up somewhere else.

The root causes of ransomware today can be political as well as economic, making effective inter-country cooperation against Russian-affiliated groups almost impossible.

This article draws upon work undertaken with my colleague David Wall (University of Leeds) examining the weaponisation of ransomware in relation to the Russia/Ukraine conflict. This work is currently in draft report form with the sponsoring organisation, the Global Initiative against Transnational Crime, Vienna and Geneva.

Authors: Andrew Goldsmith, Matthew Flinders Distinguished Emeritus Professor, Flinders University

Read more https://theconversation.com/what-do-we-know-about-revil-the-russian-ransomware-gang-likely-behind-the-medibank-cyber-attack-194337

Chatswood Tutoring And Its Role In Academic Achievement

Academic success often requires more than classroom attendance alone. Students face increasing expectations as they progress through school, particu...

Why Laser Hair Removal Treatments Continue Growing In Popularity

Managing unwanted hair can become time-consuming and frustrating for many people, especially when shaving, waxing, and other temporary methods requi...

Choosing the Right Devices for a Flexible Workplace

For IT leaders managing large fleets, the device layer is where workforce productivity and security policy meet. The shift towards flexible and hybrid...

How Business Advisory Services Help Companies Achieve Sustainable Growth

Every business owner aims to build a profitable and sustainable organisation. While dedication, innovation, and hard work are important, achieving l...

Why Body Contouring Has Become A Popular Cosmetic Treatment

Many people maintain healthy lifestyles through regular exercise and balanced eating habits but still struggle with stubborn areas of fat that are d...

How to Choose the Right POS Hardware for Your Business in Australia

A lot of Australian business owners spend weeks researching POS software but buy hardware almost as an afterthought. That's a mistake. The wrong har...

Why Material Handling Hose Is Critical for Industrial Efficiency

A high-performance material handling hose is an essential component in industries that transport abrasive, dry, or bulk materials on a daily basis...

How to Choose the Right Lawyer in Melbourne for Your Situation

Choosing legal support can feel difficult, especially when the stakes are personal or business-related. The right lawyer in Melbourne should underst...

Hoteliers Look to Clever Value Adds to Increase Revenue

The Australian hospitality industry is still in recovery mode after a notoriously rough patch in recent years. While there has been a post-COVID tra...

Moving to Queensland? Here’s How to Prep Your Car for the Big Move North

There’s no sign of the northern migration slowing down, with thousands of southerners fleeing from chaotic lifestyles and cooler climates for a brig...

Diesel Shortage to Impact Trades and Contractors

Strait of Hormuz blockage affecting all major parts of trades and construction Trades and construction across residential, commercial and industria...

Why Holiday Home Owners Turn to Rental Management Agents

The Allure — and the Reality — of Renting Out Your Property Owning a holiday home is a dream for many Australians. Whether it's a beachside sha...

Why Finding Reliable Doctors In Bundoora Is Important For Long-Term Health

Access to quality healthcare plays an important role in maintaining overall wellbeing and managing health concerns early. Trusted Doctors in Bundoor...

Understanding the Different Types of Car Services: Minor vs Major

When it comes to car maintenance, one of the most important things every vehicle owner should understand is the difference between a minor and a maj...

How Superannuation and TPD Insurance Work Together

Superannuation is an essential part of financial planning in Australia. It is designed to provide individuals with income during retirement, helping...

Tiny Towns funding granted for Mt Hotham and Mt Buller upgrades

Alpine Resorts Victoria (ARV) has welcomed funding support from the Victorian Government’s  Tiny Towns Fund, with both Mt Hotham and Mt Buller se...

Locksmith Services: Why Professional Security Solutions Matter More Than Ever

Security is a critical concern for homeowners, businesses, and vehicle owners alike. Whether it involves protecting a property, replacing damaged lo...

Why Tooth Fillings Are Important For Protecting Damaged Teeth

Cavities and minor tooth damage are common dental problems that can worsen if left untreated. Professional tooth fillings help restore damaged teeth, ...