October 23, 2022

TSD #012: Ghosts of REvil.

A big thank you to our sponsors who keep this newsletter free to the reader:

This week's edition is brought to you by CultureAI. CultureAI goes beyond traditional security awareness to help companies monitor and respond to every human cyber risk and behaviour. With automated attack simulations and coaching programmes, CultureAI easily connects your workplace apps to spot risky employee security behaviours as and when they happen.

Hello friend 👋

Let's talk about ransomware. If you don't know, ransomware is a type of malware that encrypts your data and/or systems and demands payment in return for the key to decrypt everything. It's a big business: billions of dollars per year. One of my first videos is about ransomware; check it out below.

Several high-profile gangs operate in this space, and REvil is one of them. They launched some huge attacks throughout 2021, with Acer, the meat supplier JBS, and Kaseya among the most notable. In January 2022, the Russian government made a string of arrests, stating that it had swept up the REvil ransomware gang based on intelligence provided by US agencies. However, Palo Alto Networks' Unit 42 recently reported that those arrests may not have been as successful as they first appeared, because REvil's code is still in use. If you're looking to get into Cyber Threat Intelligence, this is the kind of report you should get comfortable reading.

Unit 42's report states:

Ransom Cartel is ransomware as a service (RaaS) that surfaced in mid-December 2021. This ransomware performs double extortion attacks and exhibits several similarities and technical overlaps with REvil ransomware. REvil ransomware disappeared just a couple of months before Ransom Cartel surfaced and just one month after 14 of its alleged members were arrested in Russia. When Ransom Cartel first appeared, it was unclear whether it was a rebrand of REvil or an unrelated threat actor who reused or mimicked REvil ransomware code.

Unit 42 analysed Ransom Cartel attacks and compared them to REvil attacks. Their analysis concludes the following:

Based on the fact that the Ransom Cartel operators clearly have access to the original REvil ransomware source code, yet likely do not possess the obfuscation engine used to encrypt strings and hide API calls, we speculate that the operators of Ransom Cartel had a relationship with the REvil group at one point, before starting their own operation.
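The "obfuscation engine" Unit 42 mentions is what makes that kind of code-overlap comparison hard: indicator strings are stored encrypted and imported Windows APIs are referenced by hash rather than by name, so neither shows up in a plain strings dump. The script below is an added example (it is not REvil's or Ransom Cartel's real engine, nor code from the Unit 42 report) of a simplified scheme of that kind, together with the analyst-side routines that recover the strings and resolve the API hashes. The ROR13 hash, the per-string XOR keys, the blob layout and the export table are all assumptions constructed for the demo, and one hashed API is deliberately absent from the export table to show the unresolved case.

```python
"""
Illustrative string-encryption and API-hashing scheme, plus analyst-side
recovery. Added example: this is NOT any real ransomware family's
obfuscation engine; every constant and sample blob here is constructed.
"""
import hashlib
import struct

# Constructed sample content (not taken from any real sample).
PLAIN_STRINGS = [
    "{EXT}-readme.txt",
    "vssadmin.exe delete shadows /all /quiet",
    "kernel32.dll",
]
# APIs the "sample" resolves by hash; NtTerminateProcess is intentionally
# missing from EXPORT_TABLE below to show an unresolved hash.
API_NAMES = ["CryptEncrypt", "FindFirstFileW", "DeleteFileW",
             "VirtualAlloc", "NtTerminateProcess"]
# Analyst's export table: in practice dumped from the DLLs the sample
# loads; here a small constructed list.
EXPORT_TABLE = ["VirtualAlloc", "VirtualFree", "GetProcAddress",
                "FindFirstFileW", "FindNextFileW", "DeleteFileW",
                "MoveFileExW", "CryptEncrypt", "CryptGenRandom"]


def ror13_hash(name: str) -> int:
    """ROR13 rolling hash over an export name (assumed scheme)."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + b) & 0xFFFFFFFF
    return h


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so it both encrypts and decrypts."""
    return bytes(c ^ key[i % len(key)] for i, c in enumerate(data))


def pack_sample(strings, api_names, seed: bytes) -> bytes:
    """'Malware side': build the obfuscated table that ships in the binary.
    Layout: u32 count, then per string [u8 keylen][key][u16 len][xor data];
    then u32 count and u32 API hashes."""
    out = struct.pack("<I", len(strings))
    for i, s in enumerate(strings):
        key = hashlib.sha256(seed + bytes([i])).digest()[:8]  # per-string key
        ct = xor_bytes(s.encode("utf-8"), key)
        out += struct.pack("<B", len(key)) + key
        out += struct.pack("<H", len(ct)) + ct
    out += struct.pack("<I", len(api_names))
    for name in api_names:
        out += struct.pack("<I", ror13_hash(name))
    return out


def unpack_sample(blob: bytes):
    """Analyst side: walk the table, decrypt each string, collect hashes."""
    off = 0
    (n,) = struct.unpack_from("<I", blob, off)
    off += 4
    strings = []
    for _ in range(n):
        klen = blob[off]
        off += 1
        key = blob[off:off + klen]
        off += klen
        (slen,) = struct.unpack_from("<H", blob, off)
        off += 2
        ct = blob[off:off + slen]
        off += slen
        strings.append(xor_bytes(ct, key).decode("utf-8"))
    (m,) = struct.unpack_from("<I", blob, off)
    off += 4
    hashes = list(struct.unpack_from("<%dI" % m, blob, off))
    return strings, hashes


def resolve_api_hashes(hashes, exports):
    """Map each hash back to a name by hashing every known export;
    hashes with no match come back as None."""
    table = {ror13_hash(name): name for name in exports}
    return {h: table.get(h) for h in hashes}


def analyze(blob: bytes, exports):
    """Full analyst pass: returns (decrypted strings, {hash: name or None})."""
    strings, hashes = unpack_sample(blob)
    return strings, resolve_api_hashes(hashes, exports)


# The constructed "sample" the analyst routines run against.
SAMPLE = pack_sample(PLAIN_STRINGS, API_NAMES, b"demo-seed")

if __name__ == "__main__":
    strings, apis = analyze(SAMPLE, EXPORT_TABLE)
    for s in strings:
        print("string:", s)
    for h, name in apis.items():
        print("api 0x%08x -> %s" % (h, name or "<unresolved>"))
```

The point for a comparison like Unit 42's: two families that share source but not the obfuscation engine will decrypt to the same strings and resolve to the same API set, while the encrypted bytes, keys and hash constants differ. An unresolved hash (here NtTerminateProcess) usually means the export table you hashed against is incomplete, not that the hash scheme is wrong, so extend the table before concluding anything.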

If tracking these groups and investigating attacks such as these make your inner detective come out, consider a career in Cyber Threat Intelligence, Forensics, or Incident Response.

This week's podcast recommendation is also on REvil; check it out below 👇

You can get in touch with me by simply hitting reply. I respond to every email that hits my inbox.

Until next week,

Gary ✌️

Fun Things This Week

📽 My New Video

THIS is What Pro Hackers Drink: I received a little surprise package from my friends at CultureAI. It was so cool that I just had to make some sort of video. It was good fun trying to shoot and edit this little video with my wife wielding the camera.

🎧 Podcast

The latest episode of Darknet Diaries is all about tracking REvil through the eyes of a CTI analyst at Equinix named Will.

📘 Books

I pre-ordered Andy Greenberg's new book, Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency, which is being released on November 15th, just in time for some winter reading! Andy's last book, Sandworm, about Russian government hackers, was a fantastic read and has a permanent spot on my bookshelf.

👾 Cool Tools

CyberUskasha released a nice little Python-based MAC address changer for Linux. If you're inspired to learn Python and make some tools, check out his source code.

MHDDoS is an interesting one. I haven't tested this one out yet, but it appears to be an open-source DDoS tool. It should go without saying: "don't point it at servers you don't own!" Only run it against systems you own or have explicit written permission to test.

If you've written a tool and you'd like me to see it, just drop me an email!

P.S. Some of the links in this newsletter are affiliate links and help support my content. Thank you for your support! ✌️

Subscribe to The Sunday Download