The criminal group behind the REvil ransomware operation has deposited bitcoin worth $1 million on a Russian-speaking hacker website, as part of a drive to recruit more members.
Posting to a forum on the dark web, the group announced that it had deposited the $1 million to prove that it had the financial means of employing new recruits. It also announced that it’s specifically looking for new “affiliates,” who would be responsible for hacking organisations with ransomware.
The REvil ransomware group operates as part of a new breed of ‘Ransomware-as-a-Service’ (RaaS) enterprises. Its core team of developers designs the ransomware, while the so-called affiliates infect devices with the malware. The developers receive a 20-30% cut of the proceeds of any successful ransomware attack, while affiliates receive a 70-80% payout.
As the gang’s post explains, it’s currently looking for people with “experience and skills in penetration testing.” In other words, it’s looking for hackers.
Ransomware On The Rise
The use of ransomware has grown exponentially in recent years. One September report from cyber-security firm Bitdefender found a 715% increase over the past 12 months alone.
The impact of ransomware has also been heightened since the beginning of the coronavirus pandemic, with one recent attack targeting a firm that sells software used in clinical trials. Another ransomware attack, in Germany, resulted in a patient dying last month after she had to be moved to a hospital in another city.
The $1 million deposit provides clear insight into just how lucrative this business of disrupting computer systems really is. The REvil gang deposited bitcoins worth $1 million in an electronic wallet hosted by the website on which it posted. This left the deposit vulnerable to being stolen by the owner of the site, but apparently the group wasn’t too bothered by this possibility.
According to Chad Anderson, a senior security researcher at DomainTools, the $1 million deposit also reveals just how professional ransomware gangs are becoming. They represent a growth industry, which will likely grow and attract recruits the more the world’s organisations undertake digitalisation.
“Cybercriminals have become highly organised, and this move on the part of REvil further goes to show that they, too, invest in human resources and research and development,” he says.
In the face of potential recruitment competition from ransomware gangs, Anderson advises legitimate IT and cybersecurity companies to make extra efforts to improve their own recruitment.
“The next best thing security companies can do is expand and diversify the pool of candidates they tap into. Cybercriminals come from all backgrounds, which is why it is important to build security functions that are as heterogeneous as the groups whose efforts they are there to counteract,” he says.
This isn’t the first time REvil has been in the news. In June, cybersecurity researcher Brian Krebs reported that it had begun auctioning stolen data belonging to a Canadian agricultural firm that had refused to pay a ransom. Krebs suggested that REvil’s use of an auction may have indicated a decline in revenues for the group. But given its ability to deposit $1 million with a shady hacking website, it clearly hasn’t run out of funds just yet.