Several high-profile ransomware attacks, including those on Las Vegas-based University Medical Center, meat supplier JBS and software firm Kaseya, have been linked to the infamous hacker group REvil.
REvil is a mash-up of the words "ransomware" and "evil." The group is also known as Sodinokibi and is thought to have roots in Russia, according to a July 7 Fortune report.
Cybersecurity experts have linked REvil to the malware authors of GandCrab, which first emerged in 2018. GandCrab got its start targeting healthcare organizations, such as the revenue cycle management vendor Doctor's Management Service. In 2019, the hacker group said it would retire after collecting $2 billion in ransom payments in the first year. The group's retirement came prematurely when the Minister of Internal Affairs of Belarus arrested a hacker linked to the group.
Tony Cook, ransomware negotiator and head of threat intelligence at GuidePoint Security, said REvil seems to be inspired by GandCrab since they use similar hacking techniques and tools. They both found success targeting vendors, which also gives them access to data pools of protected health information.
REvil also sells tools to third-party hacker groups and takes about a 20 percent cut when those groups use its services to launch an attack. It also runs its operations through a dark web portal.
Unlike nation-state hacker groups, REvil's motives are purely financial, Fortune reported. After the attack on Kaseya, a REvil member told The Wall Street Journal that they "don't need a lot of noise. Only money."
The publicity brought on by high-profile attacks has had negative consequences for hacker groups. After Netwalker launched a series of high-profile attacks on healthcare providers and universities, the FBI seized its website and arrested key members. Shortly after DarkSide's attack on the Colonial Pipeline, federal officials drained millions of dollars from its virtual wallet.
Hacking groups that are financially motivated, such as REvil, can be more dangerous than nation-state hacking groups because they are more willing to launch attacks that cause harm to citizens, such as "[shutting] down hospitals," Jack Cable, a cybersecurity expert at Krebs Stamos Group, told Fortune. Nation-state hacking groups are more likely to operate by a code of conduct and typically avoid attacks that could kill people.
Like terrorist organizations, REvil takes credit for ransomware attacks. After an attack on New York law firm Grubman, Shire, Meiselas & Sacks, REvil said it obtained documents relating to former President Donald Trump when he was still in office. Shortly after, the Trump administration designated REvil as a terrorist organization, among the likes of ISIS and al-Qaida, Fortune reported.
FBI officials have tied the need to confront rising cyber threats to the post-9/11 efforts against international terrorism. As with terrorism, federal officials have tried to develop international partnerships to put pressure on hacker groups. However, these groups have also strained international relations, such as the relationship between the United States and Russia, an effect that goes beyond the intentions of REvil, a group in it just for the money.