Emerging Threats

REvil Ransomware: Linux server encryption variant available

· frtg · 2 min read

One of the leading groups in the extortion attack business is the one developing the REvil ransomware, known as Gold Southfield (GS) or Pinchy Spider.
This group has rapidly evolved and organized itself to attack organizations through multiple methods, including system encryption (ransomware), exfiltration of corporate data (double extortion), and leasing its entire infrastructure to affiliates (Ransomware-as-a-Service).

Until now, the REvil ransomware was available to its affiliates exclusively for Microsoft Windows systems. Recently, the availability of a version for Linux systems and NAS devices has been announced on several underground forums:

Once GS focuses on a potential victim, the attack transitions to a more operationally complex phase executed by Ransomware program affiliates who navigate through compromised networks to locate data, exfiltrate it, and initiate ransomware attacks across as many devices as possible. Our Managed Detection and Response operations have tracked this progression across multiple victim environments.

Threat actor: Gold Southfield

According to X-Force data from 2020, the estimated total victim count stands at approximately 250 organizations. Conservative estimates place total ransom revenue from Sodinokibi (REvil) at 123 million USD in 2020.

Of 19 estimated victim organizations with total annual revenue of 1 billion USD or more, at least 15 have likely paid multimillion-dollar ransoms to this group.

REvil operators have actively recruited additional affiliates. One method of attracting new members is to display their wealth by depositing 1 million USD on a Russian-language underground forum, assuring members that the operation is trustworthy and that those who join will be paid.

The types of skills required to access the affiliate program:

Groups that already possess experience and expertise in penetration testing, working with MSF (alias Metasploit Framework) / CS (alias Cobalt Strike) / Koadic (a Windows post-exploitation framework and penetration testing tool), NAS / tape (corporate data storage and archival), Hyper-V and analogues of the listed software …
