REvil’s Ransomware Success Formula: Constant Innovation
Affiliate-Driven Approach and Regular Malware Refinements Are Key, Experts Say
Just as cloud services have reshaped the business world, they have reshaped ransomware, including one of today's most notorious strains: REvil. Also known as Sodinokibi and Sodin, REvil is a ransomware-as-a-service (RaaS) offering: a core group develops and maintains the ransomware code and makes it available to affiliates through a portal.
Those affiliates and the core group of operators split any profits that result from victims paying a ransom. Recent victims that have paid include meat processor JBS, which paid $11 million in bitcoin.
Many security experts rank REvil among the most damaging and prevalent RaaS operations, alongside Conti, DoppelPaymer (aka DopplePaymer), Maze offshoot Egregor, and Ryuk.
A key to REvil's success has been its recruitment of skilled affiliates who can gain access to and move laterally through ever-larger victims' networks, infect endpoints (now including both Windows and Linux systems) and demand larger ransoms. REvil's operators also maintain a data leak portal and can assist affiliates with ransom negotiations. All of this serves one goal: getting victims to pay.