‘Disgruntled Insider’ Leaked Information on REvil with Researchers, Law Enforcement
In the fall of 2019, threat intelligence researchers with McAfee Advanced Threat Research received an interesting email after writing about how Sodinokibi ransomware affiliates boasted about the money they were making from the attack.
The sender was a “disgruntled internal source” upset that other hackers were bragging about their earnings while the source had not been paid. This “insider” went on to help researchers understand the inner workings of the ransomware gang, which turned out to be REvil. REvil later made global headlines with its attack on beef producer JBS.
Russian authorities arrested several REvil members in January, and officials praised the arrests as a sign of “cooperation” between Washington and Moscow. Since Russia’s invasion of Ukraine, however, that cooperation has disappeared, according to U.S. officials, and it is currently unclear how the prosecutions are proceeding, if at all.
Interactions with the insider were revealed by John Fokker, head of threat intelligence at Trellix and formerly of McAfee ATR. Fokker notes that the insider shared screenshots of REvil’s back-end panel, which helped confirm earlier theories on how REvil tracked its affiliates. The screenshots also detail how the operation worked.
The disgruntled source also shared “TTPs, internal relationships, information on the group’s operations,” according to Fokker. “The tools, tactics and techniques they used ranged from infostealer logs, RDPBrute, ADFind, Mimikatz, WinPEAS, Cobalt Strike and PowerShell scripts.”
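As an added illustration, not part of the CyberScoop story or of Trellix’s reporting, the following Python snippet shows how a detection engineer might hunt for the tooling Fokker lists in endpoint and authentication telemetry: command-line indicators for ADFind, Mimikatz, WinPEAS and encoded PowerShell (a common Cobalt Strike stager shape), plus a failed-RDP-logon count as a crude RDPBrute signal. The record layout, the indicator labels and every sample event are constructed assumptions for this example; the tool switches themselves (ADFind `-f`, Mimikatz `sekurlsa::`, PowerShell `-enc`) and the Windows event IDs are real.

```python
import re
from collections import Counter

# Constructed sample process-creation records (roughly what an EDR or
# Sysmon event 1 would yield). The dict layout is an assumption for this
# example, not any vendor's schema; the command lines are made up but use
# the tools' real switches.
SAMPLE_PROCESS_EVENTS = [
    {"host": "ws01", "user": "CORP\\jdoe",
     "cmdline": "C:\\Windows\\System32\\notepad.exe report.txt"},
    {"host": "ws01", "user": "CORP\\jdoe",
     "cmdline": "C:\\temp\\AdFind.exe -f \"objectcategory=person\" -csv name samaccountname"},
    {"host": "dc01", "user": "CORP\\svc_backup",
     "cmdline": "mimikatz.exe \"privilege::debug\" \"sekurlsa::logonpasswords\" exit"},
    {"host": "ws02", "user": "CORP\\mlee",
     "cmdline": "C:\\Users\\Public\\winPEASany.exe quiet"},
    {"host": "ws02", "user": "CORP\\mlee",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"host": "ws03", "user": "CORP\\rsmith",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"},
]

# Constructed sample logon records modelled on Windows Security events:
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP.
SAMPLE_LOGON_EVENTS = (
    [{"event_id": 4625, "logon_type": 10, "source_ip": "203.0.113.7", "user": u}
     for u in ("admin", "administrator", "backup", "test", "sql", "user1")]
    + [{"event_id": 4625, "logon_type": 10, "source_ip": "198.51.100.22", "user": "jdoe"},
       {"event_id": 4624, "logon_type": 10, "source_ip": "198.51.100.22", "user": "jdoe"}]
    + [{"event_id": 4625, "logon_type": 3, "source_ip": "203.0.113.9", "user": "x"}
       for _ in range(6)]
)

# Command-line indicators for the tooling named in the article. The labels
# on the left are this example's own naming, not a published rule set.
INDICATORS = [
    ("adfind_ad_recon",
     re.compile(r"adfind(\.exe)?\b.*-f\s+\"?objectcategory", re.I)),
    ("mimikatz_credential_dump",
     re.compile(r"mimikatz|sekurlsa::|lsadump::", re.I)),
    ("winpeas_privesc_enum",
     re.compile(r"winpeas", re.I)),
    ("powershell_encoded_command",
     re.compile(r"powershell(\.exe)?\b.*\s-(enc|encodedcommand|e)\s", re.I)),
]


def match_process_events(events):
    """Return (host, user, indicator) for every command line that matches."""
    hits = []
    for ev in events:
        for name, pattern in INDICATORS:
            if pattern.search(ev["cmdline"]):
                hits.append((ev["host"], ev["user"], name))
    return hits


def rdp_bruteforce_sources(events, threshold=5):
    """Source IPs with at least `threshold` failed RDP (logon type 10) logons."""
    failures = Counter(
        ev["source_ip"] for ev in events
        if ev["event_id"] == 4625 and ev["logon_type"] == 10
    )
    return {ip: n for ip, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    for hit in match_process_events(SAMPLE_PROCESS_EVENTS):
        print("process indicator:", hit)
    for ip, n in rdp_bruteforce_sources(SAMPLE_LOGON_EVENTS).items():
        print(f"possible RDP brute force from {ip}: {n} failed logons")
```

Two caveats a practitioner would add: command-line string matching is defeated by renaming the binary or running the tool in memory, so these rules are a starting point for hunting rather than a defence, and the RDP count deliberately ignores network (type 3) failures so that ordinary SMB noise does not trip it. The "infostealer logs" Fokker mentions point at the other half of the picture: affiliates arriving with valid credentials produce successful logons, not failed ones, which is why the single 4624 from 198.51.100.22 above should be reviewed rather than ignored.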
The interactions also showed where affiliates logged into the panel, which led Fokker’s team to the panel’s real IP address.
“This unprecedented finding was surprising, and we immediately packaged these findings together with additional analysis on individual members and the organization’s communication channels in a 55-page report for global law enforcement,” Fokker wrote.
In an interview with CyberScoop, Fokker declined to name the specific law enforcement agencies that used this information. However, back in November, Europol credited the team with helping to bring about the arrests of two REvil suspects as part of Operation GoldDust, a cooperative effort in which 17 countries came together to fight ransomware.
The Europol announcement came the same day that U.S. authorities announced the seizure of $6 million in ransom payments connected to REvil activity, along with charges against Russian national Yevgeniy Polyanin and Ukrainian national Yaroslav Vasinsky for their roles in REvil extortions.
Fokker said the access he received was similar to that behind the Conti leaks. In that case, a Ukrainian researcher with access to Conti’s back end leaked reams of data, including chat logs, after the gang declared its support for the Russian government following the invasion. Insiders can do a lot of damage if they feel wronged, Fokker said.
“You can call them a snitch if you want, but there was somebody disgruntled and unhappy, and that happened way before the Conti leaks. It shows that if you’re not paying your people, you’re not paying what people think they’re owed, the loyalty goes out the door,” said Fokker.
The revelation comes amid signs that REvil, or someone with access to REvil infrastructure, is once again extorting victims despite the group being forced offline in October 2021, according to The Washington Post.
The new iteration could have possibly been “some members of REvil, but it wasn’t, as far as we know, the original leader,” said Allan Liska, an intelligence analyst with Recorded Future. “It seems like it was a few of the developers who tried to take over and continue operations.”
REvil’s “Happy Blog” now posts about one to two victims each month, far below the group’s original pace. Its last post was September 1. “My guess is there is more happening beneath what we see on the extortion site, but broadly they are still lower tier since their re-resurrection,” Liska added.
No matter what is happening with REvil, ransomware is still a major problem.
“There’s very large organizations that continue to be vulnerable, and they’re a profitable target for ransomware actors, so the victims are there,” Fokker said. “For a lot of these actors, they’re quite comfortable hacking into these systems and gaining access, and then it’s a matter of negotiation.”
Story via CyberScoop