WEBVTT

00:00:00.000 --> 00:00:05.560
JACK: Yeah, scams going on out there today are getting wild. There was this one I read about;

00:00:05.560 --> 00:00:11.000
let me tell you about it. [MUSIC] Okay, so there’s this guy named Gustavo. He’s from Brazil,

00:00:11.000 --> 00:00:16.680
but he was in the US just visiting. He wanted to drive for a rideshare company like Uber but

00:00:16.680 --> 00:00:21.840
he was just visiting, so he didn’t have a US driver’s license. Now, as you can imagine,

00:00:21.840 --> 00:00:28.360
a requirement to drive for Uber in the US is that you need a driver’s license in the US.

00:00:28.360 --> 00:00:35.240
Gustavo thought about it and decided to try to use someone else’s driver’s license to register

00:00:35.240 --> 00:00:41.520
to drive with Uber. I’m not exactly sure how he borrowed someone’s identity, but I imagine it’s

00:00:41.520 --> 00:00:46.160
not all that hard to find someone’s information online these days. I mean, I’ve seen people post

00:00:46.160 --> 00:00:51.200
pics of their driver’s license to social media. So, maybe he just took one of those and sent it

00:00:51.200 --> 00:00:57.720
to Uber to pass verification. Anyway, however he forged the driver details, it worked. He was

00:00:57.720 --> 00:01:02.480
approved to drive for a rideshare company, and he had it set up so he’d get paid for the work

00:01:02.480 --> 00:01:08.360
he did. It was great for him to earn money while staying in the US, and the money was

00:01:08.360 --> 00:01:12.320
a whole ‘nother scheme he was working on. I don’t really know how, but he had to move

00:01:12.320 --> 00:01:16.920
it around in such a way that it didn’t look like he earned it through rideshares or something. I

00:01:16.920 --> 00:01:22.560
don’t know, but he was laundering the money. Well, his girlfriend was also interested in all this,

00:01:22.560 --> 00:01:29.280
and she wanted in. But again, she was from Brazil and not a US citizen, so no driver’s license,

00:01:29.280 --> 00:01:35.000
either. But not a problem for Gustavo; he just repeated what he did for himself and set her up

00:01:35.000 --> 00:01:39.560
with a fake driver account, too. Then three more of his Brazilian friends wanted in, and

00:01:39.560 --> 00:01:45.760
before they knew it, this was a five-person team. Then someone on the team was like [MUSIC] hey,

00:01:45.760 --> 00:01:52.200
I found a spot online that people are willing to buy Uber driver accounts, because apparently there

00:01:52.200 --> 00:01:57.360
are quite a few people who want to drive for Uber but can’t for some reason. Either they don’t have

00:01:57.360 --> 00:02:03.840
a license or insurance or something makes them ineligible, so they might be interested in buying

00:02:03.840 --> 00:02:09.800
someone else’s account so they can make some extra cash, or even rent one out from someone.

00:02:09.800 --> 00:02:14.800
So, these five Brazilians started posting rideshare driver accounts up for sale on these

00:02:14.800 --> 00:02:20.920
forums and they were actually selling, making money from just selling driver accounts made from

00:02:20.920 --> 00:02:26.040
stolen identities. But then the pandemic hit and rideshare usage went way down, but that wasn’t a

00:02:26.040 --> 00:02:31.320
problem. This team just shifted focus and worked on food delivery apps like Grubhub. They started

00:02:31.320 --> 00:02:36.120
making all kinds of driver accounts for this now using stolen identities again, and sometimes there

00:02:36.120 --> 00:02:40.280
was this waitlist to get verified and stuff, but eventually they would get verified and then

00:02:40.280 --> 00:02:46.600
sell or rent out those accounts. Gustavo and his four other friends made over one hundred phony

00:02:46.600 --> 00:02:51.920
driver accounts on these apps and sold them on forums. I don’t know how much these things

00:02:51.920 --> 00:02:57.280
go for or how much he made, but somehow the authorities got wind of this and investigated,

00:02:57.280 --> 00:03:01.600
and ended up arresting all five of them. Stolen identities and money laundering were the main

00:03:01.600 --> 00:03:12.297
charges they faced, and I think all of them got two years in prison for this wild scam.

00:03:12.297 --> 00:03:21.800
(INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet. I’m Jack Rhysider.

00:03:21.800 --> 00:03:37.960
This is Darknet Diaries. [INTRO MUSIC ENDS] JACK:

00:03:37.960 --> 00:03:42.160
So, why don’t we start out with what you – what’s your name and what do you do?

00:03:42.160 --> 00:03:49.320
WILL: My name is Will. I work for the Equinix Threat Analysis Center.

00:03:49.320 --> 00:03:53.000
I’m a threat intelligence analyst. JACK: I wanted to talk with Will because

00:03:53.000 --> 00:03:58.120
as a threat intelligence analyst, he’s been studying a certain kind of malware called REvil,

00:03:58.120 --> 00:04:04.920
and I want to hear all about it. WILL: So, REvil first sort of appeared in

00:04:04.920 --> 00:04:12.080
– I think it was about April 2019, and I got my first job in summer of 2019.

00:04:12.080 --> 00:04:18.320
I just graduated university and I got my job in summer of 2019, so I’ve been tracking them ever

00:04:18.320 --> 00:04:22.400
since I began my career, basically. JACK: Okay, so you might be wondering what

00:04:22.400 --> 00:04:26.400
is REvil? Well, to answer that, let’s back up a bit [MUSIC] and

00:04:26.400 --> 00:04:32.160
look at what came just before it. WILL: So, REvil first came out of another

00:04:32.160 --> 00:04:39.320
variant called GandCrab, and the sort of – GandCrab is – it was basically the group that

00:04:39.320 --> 00:04:45.800
pioneered what we call big game hunting. JACK: So, GandCrab is the name of some malware,

00:04:45.800 --> 00:04:50.080
and specifically it infects machines and encrypts the whole hard drive and then says

00:04:50.080 --> 00:04:55.960
pay us some money and we’ll give you the key to unlock this machine. GandCrab is ransomware, and

00:04:55.960 --> 00:05:01.800
a particularly effective one, too. I think this GandCrab ransomware was developed and deployed by

00:05:01.800 --> 00:05:06.400
a group of criminals who kept it close to their chest. It wasn’t passed around for just anyone

00:05:06.400 --> 00:05:11.440
to use. At least, not the whole thing. One piece of it did just the encryption for the machines,

00:05:11.440 --> 00:05:14.920
and then there were servers that were set up for handling incoming payments and to chat with

00:05:14.920 --> 00:05:20.640
victims and to generate decryption keys. It kept updating over time, adding new features,

00:05:20.640 --> 00:05:26.320
and it became its own brand. Like any brand, the name of it started to refer to the people

00:05:26.320 --> 00:05:30.920
behind it, too. Like, when I say Google, do you think of the search engine or the

00:05:30.920 --> 00:05:36.880
company or the people at the company? Google refers to all these things. So, GandCrab was

00:05:36.880 --> 00:05:42.040
both the name of the ransomware and the group who were running it, and Will says it was this

00:05:42.040 --> 00:05:48.120
group that pioneered big game hunting. WILL: So, big game hunting is a type of ransomware

00:05:48.120 --> 00:05:57.440
attack. So, it’s – imagine you have the Savanna and you’ve got all the companies on the landscape.

00:05:57.440 --> 00:06:02.680
Instead of going for just small companies and going for the small game, just trying to get

00:06:02.680 --> 00:06:08.840
like $5,000 or $10,000, they want to go for the biggest company they can and unlock all their

00:06:08.840 --> 00:06:15.400
systems and try and steal millions from them, try and extort them, fall back for their files that

00:06:15.400 --> 00:06:21.360
are locked for as much money as they can. JACK: Mm-hm, I get it. So, if I got hit with

00:06:21.360 --> 00:06:25.960
ransomware or you got hit with ransomware on our home computer and that hard drive was encrypted

00:06:25.960 --> 00:06:30.600
and locked, whoever did it might only charge us a few hundred dollars to unlock it, ‘cause it’s just

00:06:30.600 --> 00:06:36.440
one person. This could scale up if you infect thousands of people’s home computers at once,

00:06:36.440 --> 00:06:41.560
and that does add up for criminals. But it sounds like this GandCrab group wasn’t trying to hit

00:06:41.560 --> 00:06:47.120
regular people like you or me. They were focused on infecting big companies or companies that had

00:06:47.120 --> 00:06:52.200
a lot of money at least, because those companies might just pay a million bucks to get their

00:06:52.200 --> 00:06:58.080
machine unlocked. [MUSIC] But there’s a bit of a problem with this whole plan; security. Infosec

00:06:58.080 --> 00:07:03.000
teams everywhere know about ransomware, and they put methods in place to stop their company from

00:07:03.000 --> 00:07:08.200
getting hit with it. So, even though GandCrab was great at encrypting machines, it still needed

00:07:08.200 --> 00:07:14.040
that initial access into the network. So, how does a criminal get access into a big company’s

00:07:14.040 --> 00:07:21.280
network? Well, they buy their way in. WILL: So, there’s a whole ecosystem of – that

00:07:21.280 --> 00:07:30.080
ransomware works with called initial access brokers, and there’s entire underground markets

00:07:30.080 --> 00:07:33.440
that you can buy access into certain companies.

00:07:33.440 --> 00:07:37.840
JACK: Yeah, I actually know about this. I’ve seen underground forums where people are selling

00:07:37.840 --> 00:07:43.520
access into companies. In fact, I interviewed a guy who did sell a login to his ex-employer’s

00:07:43.520 --> 00:07:49.720
network. That’s Episode 108, called Mark. He was a disgruntled ex-employee, but there are

00:07:49.720 --> 00:07:53.760
also people who are out there just playing around, trying to find a way into a company. Maybe they’re

00:07:53.760 --> 00:07:58.920
just curious or like the challenge, but they poke and prod until they find a way in. But they have

00:07:58.920 --> 00:08:03.360
no idea what to do once they get in, so that’s where they see others are selling access into

00:08:03.360 --> 00:08:10.080
networks on forums and decide to just sell their access. It’s a weird and strange market. So,

00:08:10.080 --> 00:08:15.120
this is how the GandCrab group would infect companies; they’d buy access into a company,

00:08:15.120 --> 00:08:19.760
then put ransomware on all those systems, and ask for a huge payment to unlock all

00:08:19.760 --> 00:08:25.920
those systems. But how much do you demand, and what companies should you hit? Well, to

00:08:25.920 --> 00:08:30.040
figure that out, GandCrab did some OSINT. WILL: [MUSIC] I mean, this thing’s like – there’s

00:08:30.040 --> 00:08:35.400
a website called ZoomInfo, I think. I’ve seen them on the underground forums literally mentioning

00:08:35.400 --> 00:08:43.060
linking to the websites; here’s how much they have in daily – in yearly profit and turnover.

00:08:43.060 --> 00:08:49.400
JACK: Oh man, what a mess, huh? Publicly-traded companies have to disclose their profits to

00:08:49.400 --> 00:08:53.840
shareholders so they can see what’s going on. But of course, criminals are taking a look

00:08:53.840 --> 00:09:00.360
at that too, and they’re like oh, this company had a stellar year. That’s a nice juicy target.

00:09:00.360 --> 00:09:05.640
Anyway, so this is what GandCrab focused on, companies with lots of money that they could

00:09:05.640 --> 00:09:09.800
get into. They’d get in, encrypt the systems, and demand ransom to unlock

00:09:09.800 --> 00:09:14.420
everything. And guess what? Companies were paying this ransom hand over fist.

00:09:14.420 --> 00:09:20.520
WILL: Yeah, if you can believe these criminals, they claim they earned $2 billion,

00:09:20.520 --> 00:09:25.240
roughly two-and-a-half million a week. JACK: I, for one, don’t believe that number at

00:09:25.240 --> 00:09:30.040
all. I mean, they posted these numbers themselves, and I think they just posted big numbers to look

00:09:30.040 --> 00:09:34.920
like they were doing great. I’m guessing it’s more like $2 million that they made,

00:09:34.920 --> 00:09:40.440
not $2 billion. But that’s still amazing profits, though. Now, GandCrab wasn’t just ransomware,

00:09:40.440 --> 00:09:45.800
but it evolved into ransomware as a service. If you wanted, you could pay to use this ransomware

00:09:45.800 --> 00:09:51.120
to infect a company, but you’d have to first get access into that company in order to deploy

00:09:51.120 --> 00:09:56.080
GandCrab into it and infect it. But then the GandCrab team would handle it all from there,

00:09:56.080 --> 00:10:01.120
working with victims to collect money and supply a decryption key. Then you’d get paid

00:10:01.120 --> 00:10:06.320
if the victim paid up. Some of these people who used GandCrab as a service got arrested

00:10:06.320 --> 00:10:11.640
in different places in the world because as you could imagine, extorting people and companies

00:10:11.640 --> 00:10:17.000
is illegal. But as GandCrab grew, they needed to recruit more people to their team.

00:10:17.000 --> 00:10:24.600
WILL: On the forums that they recruited cust – where they got customers from, they all speak

00:10:24.600 --> 00:10:32.000
Russian. These are all Russian-speaking threat actors. There’s a number of countries that speak

00:10:32.000 --> 00:10:38.800
Russian, but there’s only so many countries that allow cyber-criminals to operate with

00:10:38.800 --> 00:10:46.220
almost impunity except a very small margin – marginal amount, and that’s Russia.

00:10:46.220 --> 00:10:51.040
JACK: Okay, so yeah, there’s not much you can do to stop cyber-criminals operating out

00:10:51.040 --> 00:10:56.280
of Russia. The US has no jurisdiction or way to work with Russia to arrest these people,

00:10:56.280 --> 00:11:01.560
and Russia doesn’t seem to care too much if it’s not attacking Russian companies. So,

00:11:01.560 --> 00:11:07.480
it seemed like GandCrab was living large. It had all the people, malware, victims, and customers

00:11:07.480 --> 00:11:13.960
all set up, and the cash flow was pouring in, and no trouble from the police. [MUSIC] But then it

00:11:13.960 --> 00:11:20.600
all suddenly stopped. GandCrab posted on a forum saying they’re retiring. You know what? I get it;

00:11:20.600 --> 00:11:27.320
it makes sense. They earned $2 billion. I’d retire, too. But they didn’t retire. They

00:11:27.320 --> 00:11:33.400
spent time retooling, innovating, and improving their ransomware as a service business. They

00:11:33.400 --> 00:11:40.120
created a new ransomware malware. This time they called it REvil, and victims started

00:11:40.120 --> 00:11:47.440
seeing what this could do firsthand. WILL: So, REvil first appeared in April 2019,

00:11:47.440 --> 00:11:54.520
and it sort of began with – in the first zero to two months, it did the things that most

00:11:54.520 --> 00:12:01.680
ransomware does, which deletes backups, changes the wallpaper, does – they actually do a language

00:12:01.680 --> 00:12:09.600
check, so before a ransomware is executed, it will check the language that your computer is set to,

00:12:09.600 --> 00:12:17.320
and if it’s set to a list of countries that are members of the – what you call the Commonwealth

00:12:17.320 --> 00:12:24.120
of Independent States, the CIS – so if it’s a member of the CIS, then the ransomware will not

00:12:24.120 --> 00:12:35.240
execute and it will just exit. So, whoever is behind REvil doesn’t want to target countries

00:12:35.240 --> 00:12:40.040
that are basically ex-Soviet Union. JACK: So, REvil came on the scene, which again

00:12:40.040 --> 00:12:43.960
is the name of both the ransomware and the group operating it.

00:12:43.960 --> 00:12:49.040
WILL: I call them REvil because they – I’m pretty sure that’s what they called themselves. It’s

00:12:49.040 --> 00:12:57.560
based on Resident Evil. They called themselves R Ransomware Evil, short for REvil. I mean,

00:12:57.560 --> 00:13:04.560
GandCrab, there was about five versions of it. So, it was sort of like an experiment until they

00:13:04.560 --> 00:13:11.600
came out with REvil, which was basically the crown prince of ransomware. [MUSIC] It was so

00:13:11.600 --> 00:13:18.640
perfectly developed for what it was designed to do. It just sort of – every – all their

00:13:18.640 --> 00:13:22.540
entire work had sort of – this was like their magnum opus of ransomware.

00:13:22.540 --> 00:13:29.480
JACK: But here’s the thing; the group behind REvil saw how much money GandCrab made as a service

00:13:29.480 --> 00:13:34.080
that they realized that’s what they should focus on. Offering ransomware as a service

00:13:34.080 --> 00:13:39.000
was more profitable than putting ransomware on systems themselves. The idea here is that other

00:13:39.000 --> 00:13:43.600
criminals in the world would get access into the networks, and then they could use REvil to infect

00:13:43.600 --> 00:13:49.320
that network with ransomware. Then REvil does the rest; collecting payments, decrypting systems,

00:13:49.320 --> 00:13:54.120
helping victims get themselves sorted, and then they’d split the ransom with whoever deployed

00:13:54.120 --> 00:14:00.440
it on that company. So, criminals all over were using REvil to infect systems with ransomware,

00:14:00.440 --> 00:14:04.840
and they called their customers affiliates. WILL: It would all start with the affiliate

00:14:04.840 --> 00:14:11.840
wanting to launch an attack. They can either do it by going to REvil first and becoming an

00:14:11.840 --> 00:14:21.760
affiliate and have a plan to use their malware, or the affiliate can launch an attack and then go

00:14:21.760 --> 00:14:29.960
and physically buy access to one of these – this – these ransomware platforms and then deploy it. So,

00:14:29.960 --> 00:14:38.240
it’s different stages of when REvil would be introduced. It would start with the OSINT, it

00:14:38.240 --> 00:14:43.160
would start with picking a target, it would start with going to the underground forums looking for

00:14:43.160 --> 00:14:52.440
a way in, because you can buy RDP credentials. You can buy cookies. You can buy just e-mail account

00:14:52.440 --> 00:15:00.960
credentials and then start from there, or you can do that sort of initial exploitation yourself.

00:15:00.960 --> 00:15:08.200
One of the most common ways that REvil used to arrive inside the network was via exploiting a

00:15:08.200 --> 00:15:16.720
vulnerability in a public-facing server. So, once the vulnerability had been exploited,

00:15:16.720 --> 00:15:24.560
they would deploy a web shell or some – launch some PowerShell code on the server,

00:15:24.560 --> 00:15:29.200
establish that initial foothold, and then do some reconnaissance inside the network

00:15:29.200 --> 00:15:34.840
and then spread around as best they can, and as well as escalate privileges. [MUSIC]

00:15:34.840 --> 00:15:41.160
Then once they are spread around enough and they’ve escalated their privileges to domain

00:15:41.160 --> 00:15:48.200
administrator level, then they will introduce the ransomware. One of the most – the common

00:15:48.200 --> 00:15:56.640
way they deploy it is via scheduling a task on all the computers in the network via using the

00:15:56.640 --> 00:16:03.480
domain administrator credentials. So, then everything is rebooted and you have about –

00:16:03.480 --> 00:16:08.120
you could have thousands of machines at any one time. I believe – I think it was one – a telecom

00:16:08.120 --> 00:16:17.760
company in South America had 15,000 workstations locked up overnight, and each one had the – had

00:16:17.760 --> 00:16:24.280
an – a blue background saying, ‘You have been attacked by REvil. Open for – open the note for

00:16:24.280 --> 00:16:29.400
instructions on how to pay the ransom.’ JACK: Early on when REvil was first coming up,

00:16:29.400 --> 00:16:34.720
Will got to see the impact of them firsthand. He was traveling out of London and had to go through

00:16:34.720 --> 00:16:39.680
the Heathrow Airport to fly somewhere. WILL: In Heathrow you have these currency

00:16:39.680 --> 00:16:46.440
exchanges run by a company called Travelex. When I went into the currency exchange, I saw everything

00:16:46.440 --> 00:16:53.800
was extremely hectic. People were shouting, it was an extremely long queue, and I was like,

00:16:53.800 --> 00:16:59.280
what the hell’s going on? Then I realized; I was like oh, I remember reading a report

00:16:59.280 --> 00:17:05.960
not too long ago that Travelex had been hit by REvil ransomware. I took a pic – I basically

00:17:05.960 --> 00:17:12.000
took a picture on my phone ‘cause I could see all the employees were using pens and

00:17:12.000 --> 00:17:20.280
paper and clipboards and things because none of the computers worked. Everything was down

00:17:20.280 --> 00:17:25.800
for weeks. This was about three weeks after the attack had happened, and Travelex reportedly

00:17:25.800 --> 00:17:32.680
paid a $2.3 million ransom, I believe. JACK: [MUSIC] Whoa, what a payday. I mean,

00:17:32.680 --> 00:17:38.240
you can put ransomware on a lot of systems, but if nobody ever pays to get their stuff unlocked,

00:17:38.240 --> 00:17:45.560
then it’s all for nothing. But when someone pays $2.3 million to have their computers unlocked,

00:17:45.560 --> 00:17:51.040
then that’s the fuel that makes REvil ransomware crew keep going. Some people think this whole

00:17:51.040 --> 00:17:56.600
ransomware thing can just all go away if we all agree to never pay the ransom ever again. But the

00:17:56.600 --> 00:18:05.040
truth is, companies are still paying in a big way, which incentivizes ransomware crews to keep at it,

00:18:05.040 --> 00:18:09.160
and there’s no guarantee these companies won’t get re-infected the next day and have to pay it

00:18:09.160 --> 00:18:14.920
all again. Clearly, the best idea if you get infected is to have good backups that you can

00:18:14.920 --> 00:18:21.240
restore rapidly. But REvil knew this, so they purposely looked for how systems got backed up,

00:18:21.240 --> 00:18:26.720
and then they went and wiped those backup servers first. This is probably why it was so effective.

00:18:26.720 --> 00:18:31.960
If the company had their backups wiped out and no path of rebuilding, it’s a lot cheaper to

00:18:31.960 --> 00:18:37.040
pay a few million dollars to get things back up and running. I mean, three weeks of being down

00:18:37.040 --> 00:18:43.160
could cost the company over $2 million in losses anyway. Surely it’s a tough spot for any company

00:18:43.160 --> 00:18:50.120
to be in. After a while, researchers started to notice a guy named Unknown who kept making posts

00:18:50.120 --> 00:18:57.920
on the forum claiming to be part of REvil. WILL: So, he used to post to two Russian-speaking

00:18:57.920 --> 00:19:07.200
underground forums. One of them was called Exploit and another one was called XSS. So,

00:19:07.200 --> 00:19:12.600
kind of typical names for hacker forums, but these two forums have been going for like,

00:19:12.600 --> 00:19:21.440
about fifteen years and they’re basically the two most popular hacking forums for Russian – like,

00:19:21.440 --> 00:19:28.160
hardened Russian cyber-criminals. [MUSIC] He was basically saying – boasting how REvil was

00:19:28.160 --> 00:19:35.280
the best ransomware. So, it was competing with several other strains at the time,

00:19:35.280 --> 00:19:43.280
including Maze and Ragnar Locker, I think, as well. He basically became the frontman of the

00:19:43.280 --> 00:19:50.240
whole operation. Everyone – it was like his net – his alias was basically synonymous with REvil,

00:19:50.240 --> 00:19:59.440
and yes, he went on to do interviews with several people online. They’d interview him,

00:19:59.440 --> 00:20:06.320
say how did you decide to get into the business of ransomware, or how much money have you made – make

00:20:06.320 --> 00:20:15.720
doing ransomware? Those sort of questions. Yeah, it sort of – it just makes it sound like it’s a

00:20:15.720 --> 00:20:22.080
huge – it’s a big order – it’s basically a big organization of cyber-criminals. I would probably

00:20:22.080 --> 00:20:29.040
say there’s anywhere between ten and twenty individuals actually connected to the running

00:20:29.040 --> 00:20:35.100
of the REvil core business, the core ransomware as a service business.

00:20:35.100 --> 00:20:41.840
JACK: Another thing this Unknown guy was saying was how REvil was doing more to extort

00:20:41.840 --> 00:20:47.320
people than just demanding ransom. WILL: They would then step it up a notch by

00:20:47.320 --> 00:20:54.240
leaking – stealing data and then leaking it with – to a Tor website. Because it’s on Tor, you can’t

00:20:54.240 --> 00:21:00.920
get it taken down. It’s like a wall of shame. That’s what they call it. It’s there forever. Then

00:21:00.920 --> 00:21:04.600
you know, a few months later, they’d add another level of extortion. So, that’s what we – they

00:21:04.600 --> 00:21:10.760
used to call double extortion, was encrypting your files and then leaking your data. They had a third

00:21:10.760 --> 00:21:16.840
level; they would now begin to DDoS you or your partners, and they would DDoS your websites until

00:21:16.840 --> 00:21:21.680
you actually began negotiations with them. JACK: Whoa, wait? What? They’re DDoSing you,

00:21:21.680 --> 00:21:25.840
too? This is where they flood your website or service with so much traffic that your

00:21:25.840 --> 00:21:31.880
website is just completely unusable. It’s a low blow to hit you while you’re down.

00:21:31.880 --> 00:21:36.920
WILL: If you still haven’t entered the chat with them – because in the ransom notes they have a

00:21:36.920 --> 00:21:43.160
link to the chat – if you haven’t entered the chat with them to negotiate paying the

00:21:43.160 --> 00:21:50.200
ransom or anything like that, they basically believe oh, you’re able to recover. Like,

00:21:50.200 --> 00:21:58.160
no – if you’re a big company, like international company, then you will basically have backups,

00:21:58.160 --> 00:22:05.640
you’ll be able to restore files, you’ll be able to basically carry on after a few weeks of recovery,

00:22:05.640 --> 00:22:11.040
rebuild the network, whatever. So, REvil didn’t like that, when companies can recover on their

00:22:11.040 --> 00:22:16.520
own, so they will DDoS your website. If you have – say if you’re – you have a – you’re

00:22:16.520 --> 00:22:23.200
a retail company; you have customers coming to your website. Every hour is money, so if

00:22:23.200 --> 00:22:27.880
they’re DDoSing you, taking it down, they’re still costing you more and more money.

00:22:27.880 --> 00:22:32.800
JACK: Okay, up until this point I’ve been referring to REvil as a ransomware group,

00:22:32.800 --> 00:22:39.600
but at this point, this is mean. This is more like street gang behavior, going around hurting

00:22:39.600 --> 00:22:44.920
people and robbing them without any remorse. So, I’m gonna now start referring to them as

00:22:44.920 --> 00:22:50.600
the REvil cyber-gang, because these guys were ruthless. Here, let me play something for you.

00:22:50.600 --> 00:22:56.080
This is a voicemail that a ransomware gang member left on an employee’s phone, a victim’s

00:22:56.080 --> 00:23:01.520
phone. It’s not from the REvil cyber-gang; it’s a different one called SunCrypt, but I

00:23:01.520 --> 00:23:05.580
think it’s worth playing here just to give you an idea how cold-blooded these guys can be.

00:23:05.580 --> 00:23:11.360
SUNCRYPT: This message is to authorized IT specialist or to company management

00:23:11.360 --> 00:23:18.280
representative. We are SunCrypt group. We hacked your company yesterday and now we

00:23:18.280 --> 00:23:24.400
have around 80 gigabytes of your company data encrypted to new servers as well as downloaded

00:23:24.400 --> 00:23:32.120
to our servers. We have personal information, partner data, financial and accounting data of

00:23:32.120 --> 00:23:38.880
your company, and much more. You need to start negotiations with us about decrypting your IT

00:23:38.880 --> 00:23:45.880
servers and bringing your company data back. Negotiate with us and you will get a decrypter,

00:23:45.880 --> 00:23:54.440
together with all your data back, within one day. No one in the world will know about this leak,

00:23:54.440 --> 00:24:02.160
but in case of your refusal to cooperate, we will run a great damage to your business. You will lose

00:24:02.160 --> 00:24:10.400
ten times more in courts due to violation of the laws on GDPR and your partner’s data leak. We will

00:24:10.400 --> 00:24:18.360
inform your employees, partners, government, about this leak. Your data will be published

00:24:18.360 --> 00:24:26.120
in public blogs and told to competitors. We will inform media about this successful cyber-attack

00:24:26.120 --> 00:24:34.800
to your company, and backdoor access to your company data will be sold to other hacker groups,

00:24:34.800 --> 00:24:42.680
and this will be the last day of your business. We don’t want to do that for sure, and we will not do

00:24:42.680 --> 00:24:49.840
that if you will negotiate successfully. So, we are waiting for you in the chat. Think about your

00:24:49.840 --> 00:24:58.120
future and your families. Thank you. Bye. JACK: Think about your future and your families?

00:24:58.120 --> 00:25:04.520
Whew, that’s so ominous. I mean, what would you do with a threat like that? Now, sometimes the

00:25:04.520 --> 00:25:10.040
REvil cyber-gang would just go infect targets themselves, and if they did, they’d get to keep

00:25:10.040 --> 00:25:15.000
100% of the ransom they make from that. But in most cases, they worked with their customers or

00:25:15.000 --> 00:25:20.600
affiliates to infect the targets for them. WILL: So, it is known that they would – they

00:25:20.600 --> 00:25:27.320
basically split the ransom with the affiliate. They’d say, if you hit a company and you’re

00:25:27.320 --> 00:25:34.520
able to get them to basically agree to pay a $10 million ransom, it’s – we’ll keep $60 million,

00:25:34.520 --> 00:25:42.240
you’ll get $40 million. Like a 60/40 or a 70/30 split, because they’re – at the end of the day,

00:25:42.240 --> 00:25:49.600
REvil, the RaaS, the ransomware as a service, would provide not only the malware but also

00:25:49.600 --> 00:25:54.800
the decryption, functionality, which was one of the – is one of the best,

00:25:54.800 --> 00:26:02.680
most complex decryption systems of any of the ransomware families at the moment, even. Then

00:26:02.680 --> 00:26:09.400
they would – they add all the infrastructure for darknet chats, darknet payment sites, money

00:26:09.400 --> 00:26:18.080
laundering. They fried a lot of back ends. So, it’s a worthwhile split for both parties.

00:26:18.080 --> 00:26:21.400
JACK: So, it was on the affiliate to figure out a way into the networks

00:26:21.400 --> 00:26:25.760
to deploy REvil as a service. WILL: So, I believe the affiliates are

00:26:25.760 --> 00:26:30.960
choosing the targets. They’re basically getting into these companies, doing the – they basically

00:26:30.960 --> 00:26:38.080
do the legwork, as I’d like to describe it. Like, somewhat – it’s a whole ecosystem. You

00:26:38.080 --> 00:26:43.800
have someone who gets an initial foothold in the network. They’re called the initial access broker.

00:26:43.800 --> 00:26:50.160
They will sell that – however small it is or big it is, they’ll sell that to someone else, the

00:26:50.160 --> 00:26:57.000
REvil affiliate. The REvil affiliate will spread around the network and escalate privileges and

00:26:57.000 --> 00:27:05.240
steal data. Then they will deploy REvil. JACK: [MUSIC] It’s just nasty, like all of it. For

00:27:05.240 --> 00:27:11.160
REvil to make it a turnkey solution so it’s easy for anyone to commit crimes with, and then people

00:27:11.160 --> 00:27:16.280
are just buying their way into these companies, sometimes through disgruntled ex-employees. Then

00:27:16.280 --> 00:27:21.200
REvil comes in and destroys backups and encrypts everything and then DDoSes you and then taunts

00:27:21.200 --> 00:27:27.280
the victim until they pay; it’s awful. But we’re just getting started. You gotta hear what they

00:27:27.280 --> 00:27:31.920
do next and what happens at the end of all this. We’re gonna take a short break here, but stay with

00:27:31.920 --> 00:27:43.320
us. REvil continued to infect companies and make millions of dollars from these ransoms. I believe

00:27:43.320 --> 00:27:47.680
there are lots of companies that we’ll never know about that got hit with this, but there are

00:27:47.680 --> 00:27:53.880
some companies we do know that got hit with this, because it made the news. One of them was in 2019,

00:27:53.880 --> 00:27:58.440
and the victim was the Texas government. WILL: Yeah, so the Texas government one

00:27:58.440 --> 00:28:06.880
was interesting because it sort of started a trend that REvil liked to – it was – it ended up being

00:28:06.880 --> 00:28:14.800
deployed at what you call a managed service provider, which is an IT company that handles

00:28:14.800 --> 00:28:23.760
the IT of other organizations. So, the Texas government, they actually paid a single company

00:28:23.760 --> 00:28:30.920
to just manage the IT of all their institutions. Each institution doesn’t have to have an IT

00:28:30.920 --> 00:28:36.320
department then; it’s just one company that does it all for them. So, one of the REvil affiliates

00:28:36.320 --> 00:28:43.160
managed to get into the Texas government and deploy – I think it was twenty-two different

00:28:43.160 --> 00:28:49.800
governments that ended up being – entities ended up being attacked in this one instance.

00:28:49.800 --> 00:28:53.960
JACK: This one made the CBS news. HOST1: In Privacy Watch now, government

00:28:53.960 --> 00:28:59.320
computers in twenty-two Texas towns are being held hostage by ransomware. The state’s

00:28:59.320 --> 00:29:05.400
Department of Information Resources said that the coordinated attack happened on August 16,

00:29:05.400 --> 00:29:10.386
and many of the local governments still have not been able to get back online.

00:29:10.386 --> 00:29:13.760
JACK: [MUSIC] See, when so many government facilities have a computer outage all at

00:29:13.760 --> 00:29:17.880
the same time, it makes the news because it’s a noisy problem. It’s not something

00:29:17.880 --> 00:29:23.840
you can easily cover up quietly or make it go away quickly. Of course, REvil was saying hey,

00:29:23.840 --> 00:29:29.600
all these problems can go away if you pay us $2.3 million. But the Texas government did not

00:29:29.600 --> 00:29:38.200
enter the chat and did not pay a single cent. They recovered all on their own somehow. In May 2020,

00:29:38.200 --> 00:29:44.580
a company called GSM Law was the victim of this cyber-gang. Here’s CNBC news.

00:29:44.580 --> 00:29:49.720
HOST2: An entertainment law firm run by Allen Grubman confirming its computer systems were

00:29:49.720 --> 00:29:54.800
hacked. The hackers say they have sensitive information about several big-star clients, and

00:29:54.800 --> 00:30:02.480
those hackers want $42 million in ransom. JACK: [MUSIC] Whoa, $42 million? That’s the

00:30:02.480 --> 00:30:07.800
largest ransom payment ever demanded at the time. They must have stumbled

00:30:07.800 --> 00:30:13.680
upon something spicy in that network. WILL: So, some of GSM Law’s clients include

00:30:13.680 --> 00:30:21.800
Madonna, Elton John, Lady Gaga, and probably most famously, Donald Trump. It’s a big New York law

00:30:21.800 --> 00:30:30.080
firm, so Donald Trump, he’s lived in New York his whole life. So, REvil managed to get into

00:30:30.080 --> 00:30:39.640
GSM Law and steal – allegedly steal hundreds of gigabytes of data from them; 756 gigabytes, they

00:30:39.640 --> 00:30:48.800
claimed. They threatened to basically disclose Donald Trump’s solicitors’ information, like

00:30:48.800 --> 00:30:58.800
from his lawsuit. Everyone knows Donald Trump has like, thousands of lawsuits on the go. So, REvil

00:30:58.800 --> 00:31:03.960
was basically able to go through them all. JACK: Huh, that’s interesting. REvil is presumed

00:31:03.960 --> 00:31:09.240
to be operating out of Russia. I wonder if they had to stop for a moment and think about

00:31:09.240 --> 00:31:17.320
what to do with Trump’s legal documents. WILL: It became a whole thing. Everyone was saying

00:31:17.320 --> 00:31:25.360
oh, this is like cyber-terrorism or whatever. How can Russia allow this to happen? This is meddling

00:31:25.360 --> 00:31:34.520
with the presidency or whatever, ‘cause he was still president at the time. Yeah, it – basically

00:31:34.520 --> 00:31:39.960
REvil said – they had to come out and make a statement, like we are apolitical, we’re just

00:31:39.960 --> 00:31:51.520
financially-motivated criminals. We don’t want to cause any problems. They actually seemed to – I

00:31:51.520 --> 00:31:55.760
mean, it’s kind of a weird thing to say, but they actually seemed to like Donald Trump, I think

00:31:55.760 --> 00:32:02.320
‘cause they were – they thought of themselves as these ultra-rich, super-smart cyber-criminal

00:32:02.320 --> 00:32:10.462
masterminds, and they sort of admired Donald Trump as he was really rich as well.

00:32:10.462 --> 00:32:15.360
JACK: [MUSIC] Hm, research into this is a little murky. REvil had released a little bit of what

00:32:15.360 --> 00:32:20.840
they stole to prove they had something from one of GSM Law’s clients, and then they said the next

00:32:20.840 --> 00:32:26.200
person we’re gonna dump records on will be Trump. One news agency looked into this and said Trump

00:32:26.200 --> 00:32:32.400
isn’t even a client of GSM Law. So, we think Trump probably wasn’t a client and just mentioned in

00:32:32.400 --> 00:32:37.280
some lawsuit. But you might wonder what happened next with GSM Law? Did they pay the ransom or

00:32:37.280 --> 00:32:44.560
what? Well, we don’t know. Nothing happened. We never saw REvil release any data on Trump or

00:32:44.560 --> 00:32:50.400
dump a bunch of legal documents, so that makes me think that either they never had the data, which

00:32:50.400 --> 00:32:56.560
they did lie sometimes, or GSM Law negotiated the ransom. I’m not exactly sure what happened with

00:32:56.560 --> 00:33:01.840
that. Now, ransomware at this point was looking like a very lucrative way for criminals to make

00:33:01.840 --> 00:33:07.000
money. If you think about it, suppose you hack into a company and you were a criminal and you

00:33:07.000 --> 00:33:11.840
wanted to profit off this access. What are your options? Okay, well, you could sell your access

00:33:11.840 --> 00:33:16.560
that you have, but I can’t imagine this making very much money; maybe a thousand bucks.

00:33:16.560 --> 00:33:20.640
You could try to install some cryptominers on there, but that’s such a slow process to make

00:33:20.640 --> 00:33:24.920
money from. You could try to look around for some database to steal and then maybe sell that

00:33:24.920 --> 00:33:29.640
database to someone, but that’s a tough market to be involved with. You could do a business e-mail

00:33:29.640 --> 00:33:34.280
compromise attack and try to figure out what’s going on in the finance department and see if you

00:33:34.280 --> 00:33:38.320
can get them to send you some money, or you could look around to see if there’s anything valuable in

00:33:38.320 --> 00:33:44.200
the company to steal, like money, right? In fact, there was another group at the time called FIN7,

00:33:44.200 --> 00:33:48.840
which focused on hacking into banks and stealing credit cards. Well, you would think that that’s

00:33:48.840 --> 00:33:55.280
a very good way to make money illicitly, and it is, but FIN7 was seeing how much easier it

00:33:55.280 --> 00:34:00.440
is to just put ransomware on a computer and just leave it at that, because there’s a lot

00:34:00.440 --> 00:34:05.360
of work to dealing with thousands of credit cards or trying to launder money and make it

00:34:05.360 --> 00:34:11.760
clean. But it’s so much easier to just wait for a single ransomware payment in Bitcoin and then

00:34:11.760 --> 00:34:18.160
move on. Since FIN7 was already pretty good at breaking into networks, this really turned them

00:34:18.160 --> 00:34:25.680
on to a whole new revenue stream. WILL: Yeah, so DarkSide was FIN7’s first

00:34:25.680 --> 00:34:32.280
ransomware project. They had tried out REvil for a few times. Their infrastructure had been

00:34:32.280 --> 00:34:40.680
connected to REvil attacks via pivoting on IP addresses and things from known attacks. FIN7

00:34:40.680 --> 00:34:47.160
basically realized okay, every time we use an – every time we launch an attack using REvil,

00:34:47.160 --> 00:34:53.200
we have to give them a cut. Isn’t it just easier if we develop our own ransomware and then launch

00:34:53.200 --> 00:34:59.760
our own attacks? Then we don’t have to give a cut to anyone. We can keep it all for ourselves.

00:34:59.760 --> 00:35:07.520
So, after a time they realized okay, it’s actually – you make even more money if you begin ransomware

00:35:07.520 --> 00:35:12.760
as a service, because then you just rent out the ransomware to multiple groups and begin

00:35:12.760 --> 00:35:16.360
making money your own way. JACK: Wow. So, at that point,

00:35:16.360 --> 00:35:22.840
FIN7 had totally quit robbing banks and turned into a ransomware as a service business because

00:35:22.840 --> 00:35:28.200
of how profitable they saw REvil was. WILL: [MUSIC] Ransomware is the most valuable

00:35:28.200 --> 00:35:33.420
way to make money when you’re inside any network, anywhere in the world.

00:35:33.420 --> 00:35:38.800
JACK: FIN7 was one of the most profitable criminal groups out there, so it’s just crazy to hear how

00:35:38.800 --> 00:35:43.680
they switched from robbing banks to ransomware. But at this point they became competitors, and I’m

00:35:43.680 --> 00:35:49.240
not going to go into any more details about FIN7 or DarkSide in this episode, but rest assured,

00:35:49.240 --> 00:35:54.720
that’s a really interesting story all by itself, and I’ll have to cover that in an episode someday.

00:35:54.720 --> 00:35:59.720
Now, when REvil gets a ransomware payment, they typically receive it in Bitcoin, and then

00:35:59.720 --> 00:36:03.600
they’re actually pretty good at laundering that money by typically converting it into Monero,

00:36:03.600 --> 00:36:08.240
which is much more secure and I think untraceable, and then they’d be able to cash it out without it

00:36:08.240 --> 00:36:14.800
leading back to whoever is behind REvil. But I have to imagine how insane of a chat it must be

00:36:14.800 --> 00:36:21.200
when a company does want to pay a million-dollar ransom in Bitcoin. These ransomware negotiation

00:36:21.200 --> 00:36:27.080
chatrooms must be the wildest thing ever. WILL: I’ve heard from ransomware negotiators and

00:36:27.080 --> 00:36:32.960
incident response people that these ransomware teams have much better customer service than

00:36:32.960 --> 00:36:41.280
most companies do. They will guide you step-by-step the whole way on how to pay

00:36:41.280 --> 00:36:47.280
a ransom, how to get the cryptocurrency, how to store it, how to send it to them,

00:36:47.280 --> 00:36:51.120
all the checks, all the balances. JACK: I mean, can you imagine being the

00:36:51.120 --> 00:36:55.800
IT admin and all your computers are encrypted, and your management has given you the go-ahead

00:36:55.800 --> 00:37:02.320
to pay the ransom? So, you get on Tor and enter the ransomware negotiation chatroom. You might

00:37:02.320 --> 00:37:08.600
say okay, look, we’re willing to pay, but we don’t have any Bitcoin. Can we just wire you the money?

00:37:08.600 --> 00:37:14.680
REvil ransomware negotiators are like LOL, no, that’s traceable. You need to send us Bitcoin.

00:37:14.680 --> 00:37:20.160
Go to an exchange and buy some. [MUSIC] Here’s the problem; you can’t just show up to Coinbase

00:37:20.160 --> 00:37:24.960
or Gemini or Binance or whatever and be like uh, yeah, I’d like to buy $2 million in Bitcoin,

00:37:24.960 --> 00:37:30.000
please. No, they have daily limits set up. You can only buy a few thousand dollars’ worth at a time,

00:37:30.000 --> 00:37:36.040
so you call up customer support at an exchange and you tell them listen, I want to buy $2 million

00:37:36.040 --> 00:37:40.840
worth of Bitcoin. The exchange might be like whoa, that’s a lot of money. What’s that for? You’re

00:37:40.840 --> 00:37:48.600
like oh, it’s to pay a ransom. That’s a red flag for the exchange. I think by law, exchanges can’t

00:37:48.600 --> 00:37:53.240
sell you Bitcoin if they know you’re going to use it to pay a ransom with. So, it becomes a huge

00:37:53.240 --> 00:37:58.240
ordeal just to secure that much Bitcoin. WILL: You have to remember that when

00:37:58.240 --> 00:38:04.080
millions of dollars are involved here, like if a company, it says okay, yeah,

00:38:04.080 --> 00:38:13.160
we plan to pay $5 million in a ransom, they will hire an expert to help them with it. So, there are

00:38:13.160 --> 00:38:20.680
ransomware negotiation firms now that their whole job is to help companies get through when they’ve

00:38:20.680 --> 00:38:25.760
been hit by a ransomware attack. So, these negotiators know all the ways to pay a ransom,

00:38:25.760 --> 00:38:30.280
basically. They know – they even know – they keep track of all the wallets, they keep track of all

00:38:30.280 --> 00:38:38.440
the contact details of each ransomware group, so they know – sometimes if these negotiators

00:38:38.440 --> 00:38:43.480
respond to multiple incidents, they will be able to recognize the person on the other end

00:38:43.480 --> 00:38:48.680
of the ransomware negotiation portal. JACK: What? There’s a whole industry out there

00:38:48.680 --> 00:38:54.520
helping people negotiate and pay ransom? This is madness. I mean, think about it;

00:38:54.520 --> 00:38:59.120
imagine if you’re in the chat with REvil and you’re like, how do I do this? They’re like okay,

00:38:59.120 --> 00:39:03.320
well, you could just call this company and they’ll help you walk through it. It’s just

00:39:03.320 --> 00:39:10.560
so zany to think about this. I wonder, do these ransomware negotiators offer any sort of referral

00:39:10.560 --> 00:39:17.160
program? So, if REvil refers them and they hop on the chat and like oh, hey Dmitri, how’s it going?

00:39:17.160 --> 00:39:23.680
Thanks for referring me. I’ll make sure to get you that referral bonus. Or take it a step further;

00:39:23.680 --> 00:39:30.720
imagine REvil refers you to a quote, unquote “expert service” who’s just another criminal,

00:39:30.720 --> 00:39:36.080
and you give them $2 million to buy Bitcoin and they just take off with the money.

00:39:36.080 --> 00:39:43.400
WILL: Well, there are legitimate companies, but as you say, this could easily be taken

00:39:43.400 --> 00:39:52.400
advantage of and has been by companies that really do some really shady stuff. Like,

00:39:52.400 --> 00:39:59.000
say if a company gets hit by ransomware, sometimes they’ll come in and – the company will come in,

00:39:59.000 --> 00:40:03.760
like the response company will come in, and say yeah, yeah, we can deal with it all for

00:40:03.760 --> 00:40:10.280
you. How much did the ransomware gang tell you it was gonna cost? Oh, $4 million. Well,

00:40:10.280 --> 00:40:15.400
actually it’s gonna cost $5 million. Then they’ll pay the ransom, decrypt the files,

00:40:15.400 --> 00:40:21.720
clean the network, and then be like yep, here’s your – here’s your bill; $5 million.

00:40:21.720 --> 00:40:28.160
But you just used the decryption key. JACK: [MUSIC] If you turned on NBC News,

00:40:28.160 --> 00:40:33.920
on June 1, 2021, you would have seen this. HOST3: It’s another attack on critical

00:40:33.920 --> 00:40:39.400
infrastructure, this time the food supply. The world’s biggest meat producer, JBS, forced to

00:40:39.400 --> 00:40:46.040
curtail operations after a ransomware attack. At least six plants in the US shut down. Operations

00:40:46.040 --> 00:40:51.640
also affected in Australia and Canada. WILL: That was a huge international incident.

00:40:51.640 --> 00:40:55.740
Everyone said that was the one step too far.

00:40:55.740 --> 00:41:02.040
JACK: JBS is the largest meat supplier in the US. I think they produce over 20% of the meat

00:41:02.040 --> 00:41:07.360
for the US, with locations in Canada and Australia. Because it was so big,

00:41:07.360 --> 00:41:12.840
it was deemed critical infrastructure. If the food supply chain is unable to deliver food,

00:41:12.840 --> 00:41:18.440
well, that can be a really big problem. HOST4: The meat-packing firm JBS USA paid a

00:41:18.440 --> 00:41:24.720
ransom equivalent to $11 million after it fell victim to a cyber-attack. The company’s US CEO

00:41:24.720 --> 00:41:29.960
said on Wednesday they made the payment to protect their customers. Last week’s cyber-attack led to

00:41:29.960 --> 00:41:36.240
the suspension of cattle slaughtering at all of JBS’s US plants for a day. The company produces

00:41:36.240 --> 00:41:44.440
nearly a quarter of America’s beef. JACK: $11 million paid up. That’s a lot of

00:41:44.440 --> 00:41:50.080
Bitcoin to send over to someone that you hope will fulfill their end of the deal and give

00:41:50.080 --> 00:41:55.760
you an encryption key. What a nail-biter that’s gotta be when you click Send and

00:41:55.760 --> 00:42:02.834
you’re just sitting there in chat, waiting for the criminal to give you a key. Whew.

00:42:02.834 --> 00:42:11.280
WILL: There was another company that was another, in quotes, “step too far”. They’ve done it now.

00:42:11.280 --> 00:42:25.280
They hit a company called Sol Oriens, which was a nuclear weapons contractor for the US. This is

00:42:25.280 --> 00:42:33.040
like, okay, now you’re affecting the nuclear triad or something like that, you know? How can this

00:42:33.040 --> 00:42:38.920
ransomware group get away with all of this? JACK: But still, we haven’t gotten to REvil’s

00:42:38.920 --> 00:42:43.800
biggest hits yet. Over this period of years, REvil was getting into hundreds of companies

00:42:43.800 --> 00:42:48.380
and putting ransomware on them. The ones who didn’t pay would get posted to their blog.

00:42:48.380 --> 00:42:58.520
WILL: Their leak site had 282 leaked companies’ data published to it. So,

00:42:58.520 --> 00:43:06.400
that’s how many companies didn’t pay, because they were leaked onto the leak site. Some of the stats

00:43:06.400 --> 00:43:17.880
coming out of Europol said that they had launched thousands of attacks. [MUSIC] Probably one of the

00:43:17.880 --> 00:43:27.800
smartest things REvil ever did was they went into a – what we’d call a cyber insurance company. So,

00:43:27.800 --> 00:43:33.720
because ransomware is such a huge thing, companies – like, when they get hit by a ransomware attack,

00:43:33.720 --> 00:43:40.600
it can cost them not only X-number of million dollars for the ransom, but to actually clean

00:43:40.600 --> 00:43:47.000
up the network and restore it or rebuild it could cost them hundreds of millions. So,

00:43:47.000 --> 00:43:54.160
they need insurance to be able to cover that cost for ransomware specifically. So, what REvil did

00:43:54.160 --> 00:44:01.440
was they went into an insurance company and they looked at all of the insurance company’s clients

00:44:01.440 --> 00:44:07.560
and they hit each target one by one, ‘cause they know how much they were gonna get paid out for

00:44:07.560 --> 00:44:13.100
from the insurance cost. Then they hit the insurer themselves as well, for good measure.

00:44:13.100 --> 00:44:17.620
JACK: Here’s a clip from CBS News that tells us about the next victim.

00:44:17.620 --> 00:44:22.600
HOST5: FBI investigating what may become one of the world’s largest ransomware attacks on

00:44:22.600 --> 00:44:26.080
companies – get back to work following the holiday weekend. A Russia-based

00:44:26.080 --> 00:44:31.360
cyber-criminal group called REvil is demanding a $70 million-ransom. Hackers

00:44:31.360 --> 00:44:41.000
hit IT software company, Kaseya, Friday. WILL: [MUSIC] Wow, where do I begin? The Kaseya,

00:44:41.000 --> 00:44:50.400
that was basically one of the biggest supply chain incidents since NotPetya. Kaseya are the

00:44:50.400 --> 00:44:59.040
manufacturers of a software called – Kaseya VSA is their software. Companies, like I mentioned

00:44:59.040 --> 00:45:06.560
before, managed service providers, will buy Kaseya VSA and use it to do administration on their

00:45:06.560 --> 00:45:14.840
customers’ networks. So, by going into the Kaseya software, REvil basically had a foothold into all

00:45:14.840 --> 00:45:23.200
of the MSP’s customers. So, by exploiting the Kaseya software to deploy REvil, they were able

00:45:23.200 --> 00:45:36.200
to hit 1,500 networks in one go overnight. JACK: Whoa, 1,500 different companies hit with

00:45:36.200 --> 00:45:44.480
the REvil ransomware in one day? That’s a massive amount of damage. This is what’s called a supply

00:45:44.480 --> 00:45:50.280
chain attack, because REvil was able to get into all of Kaseya’s customers, which were sort of

00:45:50.280 --> 00:45:54.960
like tech support companies who had access into other companies, and those companies were hit

00:45:54.960 --> 00:46:02.820
with REvil, too. This was a crazy event, perhaps one of the biggest ransomware attacks ever.

00:46:02.820 --> 00:46:09.869
HOST6: In Michigan Saturday, President Biden said intelligence officials are investigating.

00:46:09.869 --> 00:46:13.160
BIDEN: The director of the intelligence community is gonna be doing a deep

00:46:13.160 --> 00:46:16.400
dive on what’s happened. HOST6: Last month, he warned the Russian

00:46:16.400 --> 00:46:21.400
president to rein in cyber-criminals or face a strong US response.

00:46:21.400 --> 00:46:28.240
BIDEN: If it is, these are – with the knowledge of and/or consequence of Russia,

00:46:28.240 --> 00:46:34.080
then I told Putin we will respond. JACK: So, this happened in July 2021. Biden was

00:46:34.080 --> 00:46:39.720
president by then. It’s hard to hear, but he said in this impromptu interview in a grocery store in

00:46:39.720 --> 00:46:46.680
Michigan that if Russia is in any way involved, then he told Putin he’s going to respond. It’s

00:46:46.680 --> 00:46:53.960
wild to me when the president of the US is able to just jump into a discussion about ransomware

00:46:53.960 --> 00:47:01.080
off the cuff like that. I felt like such a geek all my life, head down in a computer, learning

00:47:01.080 --> 00:47:06.840
about the most geeky things you can imagine, and to look up from the screen and see it talked about

00:47:06.840 --> 00:47:13.480
on the world stage like that is just a trip. Oh, look, there’s the president fueling a question

00:47:13.480 --> 00:47:19.680
about the REvil ransomware. Far out. So, what were the ransomware demands for Kaseya?

00:47:19.680 --> 00:47:28.840
WILL: Well, it was actually one of the highest ransom demands ever in history. They demanded $70

00:47:28.840 --> 00:47:39.440
million in Bitcoin. After the attack took place, one of the – it popped up on the REvil blog,

00:47:39.440 --> 00:47:49.600
which was called the Happy Blog, by the way. The Kaseya attack popped up and it said – this is what

00:47:49.600 --> 00:47:55.720
REvil wrote; they said ‘On Friday, we launched an MSP – we launched an attack on MSP providers. More

00:47:55.720 --> 00:48:01.480
than a million systems were infected. If anyone wants to negotiate about a universal decrypter,

00:48:01.480 --> 00:48:07.160
our price is $70 million in Bitcoin.’ JACK: I gotta say, this is a situation that Kaseya

00:48:07.160 --> 00:48:12.000
probably didn’t plan for. [MUSIC] I mean, suppose they have a don’t-pay-the-ransom policy. Okay,

00:48:12.000 --> 00:48:17.720
that’s fine. It’s a good policy to have. But they aren’t the only victims here, and it was their

00:48:17.720 --> 00:48:24.080
fault that caused hundreds of other companies to be infected with ransomware. Do you owe it to all

00:48:24.080 --> 00:48:30.200
of them as sort of an apology? Like, sorry for getting you ransomwared; here’s the decryption

00:48:30.200 --> 00:48:37.680
key. Hope you stay as a customer. This was a preventable problem. There was a vulnerability on

00:48:37.680 --> 00:48:43.760
Kaseya’s servers that gave REvil the foothold to take over a server. At least one person reported

00:48:43.760 --> 00:48:48.600
this to Kaseya before the attack, too, and I think they were working on fixing it when all

00:48:48.600 --> 00:48:56.880
this happened. So, Kaseya must have looked at this $70 million-ransom demand and took a deep breath,

00:48:56.880 --> 00:49:01.680
and had a long think about it. WILL: Again, it’s that old thing of,

00:49:01.680 --> 00:49:10.960
we don’t want to be the company that’s paid the biggest ransom in history. So,

00:49:10.960 --> 00:49:19.520
to give credit to Kaseya, they went straight to the FBI for help, and the FBI are very, very

00:49:19.520 --> 00:49:25.560
well-experienced with these types of ransomware attack. So, they guided them and were basically

00:49:25.560 --> 00:49:30.440
with them by their side the whole time. At the end of the day, it basically – the decisions

00:49:30.440 --> 00:49:37.440
became the FBI’s decisions at the end of the day, from – for what Kaseya was supposed to do.

00:49:37.440 --> 00:49:42.000
JACK: Kaseya didn’t pay the ransom. They called the FBI, who apparently sprang right

00:49:42.000 --> 00:49:47.160
into action. The FBI actually explained what happens next. Here’s the director of the FBI,

00:49:47.160 --> 00:49:50.100
Christopher Wray, in a press briefing explaining what happened.

00:49:50.100 --> 00:49:55.160
WRAY: When Kaseya realized that some of their customers’ networks were infected with ransomware,

00:49:55.160 --> 00:50:00.520
they immediately took action. They worked to make sure that both their own customers,

00:50:00.520 --> 00:50:06.960
managed service providers, and those MSP’s customers downstream quickly disabled Kaseya’s

00:50:06.960 --> 00:50:14.240
software on their systems. They also engaged with us early. The FBI then coordinated with a host

00:50:14.240 --> 00:50:19.320
of key partners, including CISA and foreign law enforcement and intelligence services so

00:50:19.320 --> 00:50:27.640
Kaseya could benefit from all of our expertise and reach as it worked to put out the fire.

00:50:27.640 --> 00:50:32.200
Kaseya’s swift response allowed the FBI and our partners to quickly figure out

00:50:32.200 --> 00:50:37.680
which of its customers were hit, and for us to quickly share with Kaseya and its customers

00:50:37.680 --> 00:50:42.440
information about what the adversaries were doing, what to look for, and how the

00:50:42.440 --> 00:50:49.440
companies could best address the danger. Here, we were able to obtain a decryption key

00:50:49.440 --> 00:50:56.800
that allowed us to generate a usable capability to unlock Kaseya’s customers’ data. We immediately

00:50:56.800 --> 00:51:01.720
strategized with our interagency partners and reached a carefully-considered decision

00:51:01.720 --> 00:51:07.960
about how to help the most companies possible, both by providing the key and by maximizing our

00:51:07.960 --> 00:51:13.200
government’s impact on our adversaries, who were continuing to mount new attacks.

00:51:13.200 --> 00:51:19.680
When the FBI is engaged early, we can provide victims more and better support. We can get

00:51:19.680 --> 00:51:26.720
them intelligence and technical information they need faster, and we can work quickly back from the

00:51:26.720 --> 00:51:31.280
intrusion to follow and seize the criminal’s money before it can jump through wallet

00:51:31.280 --> 00:51:36.240
after wallet and exchange after exchange. JACK: Hm, he makes it sound like they’re willing

00:51:36.240 --> 00:51:40.800
to help anyone with ransomware. I mean, listen to the Deputy Attorney General, Lisa Monaco,

00:51:40.800 --> 00:51:43.920
in the same press briefing. MONACO: To Americans watching today,

00:51:43.920 --> 00:51:49.280
to those who own small businesses, to those who run Fortune 500 companies,

00:51:49.280 --> 00:51:56.600
who manage hospitals and oversee school districts, this case is the reason you want to work with law

00:51:56.600 --> 00:52:02.880
enforcement. Know that if you pick up the phone and if you call the FBI, this team is waiting

00:52:02.880 --> 00:52:07.640
for you on the other end of the line. JACK: [MUSIC] I just wonder if that’s a little

00:52:07.640 --> 00:52:12.040
misleading. I mean, people e-mail me all the time telling me about how they were extorted

00:52:12.040 --> 00:52:17.240
or scammed or hit with ransomware and just want some advice. Is the proper advice that I should

00:52:17.240 --> 00:52:21.840
give them that they should call the FBI? Just skip the police altogether and go straight to

00:52:21.840 --> 00:52:26.320
the FBI? You would think the FBI would have some kind of threshold for how big something

00:52:26.320 --> 00:52:31.320
should be before we call them. Like, maybe they only care about larger extortions or attacks on

00:52:31.320 --> 00:52:36.000
national infrastructure, not small-scale stuff like my local barber’s website getting their

00:52:36.000 --> 00:52:41.040
WordPress site taken over, right? Or the question is, how bad of a computer problem

00:52:41.040 --> 00:52:45.560
does it need to be before you call the FBI? There’s a big difference between your whole

00:52:45.560 --> 00:52:52.120
network being ransomed versus one user account being compromised. Listen, I’m curious now;

00:52:52.120 --> 00:52:58.400
if you’ve ever called the FBI over a computer problem you’ve had, I want to hear from you. Send

00:52:58.400 --> 00:53:03.680
me a note. Tell me how it worked out. Did they get back to you right away or wait six months,

00:53:03.680 --> 00:53:08.720
or no reply at all? I just imagine the FBI must be flooded with calls and problems,

00:53:08.720 --> 00:53:13.480
but there’s no way they can get back to all the people who report computer problems to them. Anyway,

00:53:13.480 --> 00:53:19.960
sorry, a little rant there. Okay, yeah, what FBI director Wray said was really interesting.

00:53:19.960 --> 00:53:26.720
They obtained a decryption key? What? How? That’s amazing. Did they reverse-engineer the

00:53:26.720 --> 00:53:33.000
malware? Did they join the chat and pressure the REvil gang to provide a key or else kinda thing?

00:53:33.000 --> 00:53:40.280
I’m really curious how they obtained that. WILL: You know, rumor has it the FBI were able to

00:53:40.280 --> 00:53:50.560
compromise the REvil servers after – during the Kaseya incident. The FBI is allegedly – because

00:53:50.560 --> 00:53:56.760
I don’t know if this is proven or not, but they were able to compromise the

00:53:56.760 --> 00:54:06.200
system, the REvil systems, following this. Soon after they post about Kaseya, the ransom – the

00:54:06.200 --> 00:54:10.200
REvil servers all go offline. JACK: What we do know is that REvil

00:54:10.200 --> 00:54:16.600
went quiet just after the Kaseya hack, and it stayed quiet for months. Then out of the blue,

00:54:16.600 --> 00:54:21.100
the FBI gave a press briefing. Here’s the US Attorney General, Merrick Garland.

00:54:21.100 --> 00:54:25.480
GARLAND: Today we are announcing that we are bringing to justice an alleged perpetrator of

00:54:25.480 --> 00:54:32.000
a significant, wide-reaching ransomware attack. On July 2, the multinational information software

00:54:32.000 --> 00:54:38.960
company Kaseya and its customers were attacked by one of the most prolific strains of ransomware

00:54:38.960 --> 00:54:47.120
known as REvil. To date, REvil ransomware has been deployed on approximately 175,000 computers

00:54:47.120 --> 00:54:55.680
worldwide, with at least $200 million paid in ransom. Six weeks later, on August 11, the Justice

00:54:55.680 --> 00:55:03.880
Department indicted Yaroslav Vasinskyi, also known by the online moniker, Robotnik. The indictment,

00:55:03.880 --> 00:55:08.640
which was previously under seal, charges him with conspiring to commit intentional

00:55:08.640 --> 00:55:14.400
damage to protected computers and to extort in relation to that damage, causing intentional

00:55:14.400 --> 00:55:21.160
damage to protected computers, and conspiring to commit money laundering. The indictment charges

00:55:21.160 --> 00:55:28.280
that Vasinskyi and co-conspirators authorize – authored REvil software, installed it on victims’

00:55:28.280 --> 00:55:34.760
computers, resulting in encryption of the victors’ – victims’ data, including in the July 2 attack,

00:55:34.760 --> 00:55:41.400
demanded ransomware payments from those victims, and then laundered those payments.

00:55:41.400 --> 00:55:48.360
Two months after the indictment, on October 8, Vasinskyi crossed the border from Ukraine

00:55:48.360 --> 00:55:55.240
into Poland. There, upon our request, Polish authorities arrested him pursuant to a provisional

00:55:55.240 --> 00:56:01.400
arrest warrant. We have now requested that he be extradited from Poland to the United States,

00:56:01.400 --> 00:56:06.840
pursuant to the extradition treaty between our countries. In addition to securing the

00:56:06.840 --> 00:56:14.360
arrest of Vasinskyi, the Justice Department has seized $6.1 million tied to the ransom proceeds

00:56:14.360 --> 00:56:22.960
of another alleged REvil ransomware attacker, Russian national Yevgeniy Polyanin. As set forth

00:56:22.960 --> 00:56:29.080
in the public filings related to the seizure, Polyanin, whom we also charged by indictment,

00:56:29.080 --> 00:56:36.560
is alleged to have conducted approximately 3,000 random – ransomware attacks. Polyanin’s

00:56:36.560 --> 00:56:42.200
ransomware attacks affected numerous companies and entities across the United States, including law

00:56:42.200 --> 00:56:48.440
enforcement agencies and municipalities throughout the state of Texas. Polyanin ultimately extorted

00:56:48.440 --> 00:56:54.160
approximately $13 million from his victims. JACK: Whoa, so they caught one guy who they said

00:56:54.160 --> 00:57:00.840
was the author of the REvil malware and seized funds from another guy. This ultimately disrupted

00:57:00.840 --> 00:57:06.840
REvil. They weren’t active at all after this. Now, along with these indictments,

00:57:06.840 --> 00:57:11.840
they released photos of these people, and here is where Will could look into the eyes of the

00:57:11.840 --> 00:57:17.040
people behind this malware that he spent years following and investigating.

00:57:17.040 --> 00:57:23.160
WILL: [MUSIC] The indictment dropped, and it had the names of these two REvil affiliates. These

00:57:23.160 --> 00:57:32.480
were the first two names we had for any of them. I immediately – and shout out to my guy at my team

00:57:32.480 --> 00:57:38.440
in curated intelligence – we joined the voice chat in Discord and we were all just talking

00:57:38.440 --> 00:57:44.920
about it and basically celebrating. Then we quickly were like oh, using these usernames

00:57:44.920 --> 00:57:50.760
and names and things, we can find all their social media profiles, because we can use OSINT to find

00:57:50.760 --> 00:57:59.080
them. We found his VK account and we found his other social media profiles. We found he ran an

00:57:59.080 --> 00:58:08.960
Instagram account which was used to sell DDoS attacks with number-spoofing, like phone call

00:58:08.960 --> 00:58:17.680
DDoS attacks and things. He even had a certificate for Microsoft and there was a picture of him at

00:58:17.680 --> 00:58:25.640
his college and him on holiday and things. Yeah, he just looked like a normal young guy that was

00:58:25.640 --> 00:58:33.460
obviously good at IT. It was kind of – yeah, it was surreal just to see him in the flesh.

00:58:33.460 --> 00:58:38.000
JACK: Now, it seems like the bulk of the people involved with REvil were somewhere in Russia,

00:58:38.000 --> 00:58:41.240
and the US authorities don’t really have a way to arrest people in Russia or even

00:58:41.240 --> 00:58:46.560
get Russian authorities to arrest them. But something very particular happened next.

00:58:46.560 --> 00:58:57.080
WILL: Yeah, so it was – and very interesting timing. In January, on the January 14, I believe

00:58:57.080 --> 00:59:07.440
it was, the Russian FSB released a press release that said they had arrested fourteen members of

00:59:07.440 --> 00:59:16.320
REvil from Moscow and St. Petersburg. The FSB said they seized more than 426 million Rubles,

00:59:16.320 --> 00:59:27.600
$600,000, and half a million Euros along with cryptocurrency wallets, and twenty expensive cars.

00:59:27.600 --> 00:59:34.120
It was this – it made news globally that this – the gang had finally been arrested,

00:59:34.120 --> 00:59:42.160
you know? REvil is over. Here’s videos of the FSB busting down the door,

00:59:42.160 --> 00:59:46.860
putting them on the ground, and taking them away. It seemed justice had been served.

00:59:46.860 --> 00:59:52.920
JACK: Here’s an Al Jazeera news clip. HOST7: [COMMOTION, SHOUTING] The scene was

00:59:52.920 --> 00:59:58.840
not uncommon. Russian police and intelligence agents harshly taking down more than a dozen men,

00:59:58.840 --> 01:00:04.560
all played out on television. The reason was extraordinary. The Russian government tells

01:00:04.560 --> 01:00:10.680
the Biden administration the operation dismantled a group of hackers inside Russia on behalf of the

01:00:10.680 --> 01:00:17.760
United States. Security agents took down alleged hackers from the ransomware group REvil at over

01:00:17.760 --> 01:00:23.920
two dozen addresses, seizing millions of Rubles, vehicles, and technology. Among

01:00:23.920 --> 01:00:28.640
those arrested, alleged ringleader Roman Muromsky, appearing in court in a cage,

01:00:28.640 --> 01:00:36.000
and Andrei Bessonov, both wanted by the US. JACK: Huh. That’s it, then. Case closed? Story

01:00:36.000 --> 01:00:42.320
over? It’s all nicely wrapped up with a bow at the end, and all the criminals are caught. Well,

01:00:42.320 --> 01:00:47.880
I’m not sure. Here, let me show you what I mean. The exact same day of these arrests, on January

01:00:47.880 --> 01:00:53.880
14, 2022, CBS News reported this.
