REvil Ransomware Affiliates Enterprise Intruders Alliance

REvil Ransomware

Experienced network intruders and ransomware groups have formed an alliance to help one another by spreading malware into client networks.

One access-as-a-service company partners with several ransomware collectives, including REvil / Sodinokibi.

Symbiotics relationship

High-profile ransomware players such as REvil concentrate on businesses and need new victims to keep business going.

Experts in the violation of corporate networks are the perfect partner for their skills in underground markets or in secure messenger communication.

Intruders hack a company’s network, then lease or sell access to a ransomware group. This mutually beneficial cooperation allows for even more secure networks to spread file encryption malware.

Advanced Intelligence (AdvIntel) research reveals that the two forms of cyber-crime operations are closely related.

As shown in the picture above, corporate network access is available for several disruptive organizations, including the vulnerability of business email and spam.

Since August 2019, one particular hacker-TMT-has been operating with REvil operators. Yelisey Boguslavskiy, director of security research at AdvIntel, writes a report today, as they worked with other Ransomware teams before that.

Lalartu, a prominent member of an underground forum that practically guaranteed for REvil developments when they picked up where GandCrab left, was able to engage in the REvil aggregate.

Lalartu previously specialized in admin panel compromises and knew the expertise and resources of other access providers, found Boguslavskiy.

Lalartu and TMT also realized the advantages of dealing with the ransomware groups and provided their services to high-profile unions.

“By June 2019, this was “truniger” collective for -TMT-, and REVil group for Lalartu. Eventually, Lalartu facilitated the connection between -TMT- and REvil, as -TMT-‘s attack skills were in high demand by such collectives.”

According to AdvIntel intelligence,-TMT-was reported in May at a major hacker site, but sources indicate that it has a history of working with stable messengers for at least one year.

Thousands of corporate hosts have exposure

Across June, July, and August,-TMT-reported compromises on their corporate network without naming any plaintiff.

Prices ranged between $3,000 and $5,000 to hundreds of hosts and servers from companies across different vertical sectors:

    • Latin American house goods company operating in Chile, Bolivia, and Peru-1069 hosts, 105 servers compromised.
    • Meta fabricator from Taiwan-388 hosts,15 servers affected. Provider of Colombian financial services-623 hosts affected.
    • Global suppliers of maritime logistics services-668 hosts have been compromised.
    • The US University and Education Network–875 users, 87 servers compromised.
    • Danish milk maker-1 host, 72 servers compromised Company in the energy sector in Bolivia-270 hosts, 12 servers affected.
    • The prices were dependent on the type of access offered and lower prices were more easily identifiable for Remote Desktop (RDP) connections.
    • One target, however, -TMT-could have complete access to administrative boards, client host, and corporate VPN networks. All of this was priced at $20,000 for entry.

AdvIntel received extensive proof of violations and discovered in private discussions with the hacker that they “recovered administrative credentials and can navigate the Internet securely and, if necessary, improve their access privileges.”

A server from the financial division stores important business data is a key goal of this agreement.

For full access, purchasers don’t have to pay. The hacker told AdvIntel that they were willing to install malware or open a single database access session at a lower cost. This is also a deal he gives ransomware classes.

The research by Advintel also describes tactics, techniques, and procedures employed by TMT, which include the use of Metasploit and the pentest platform Cobalt Strike.

This symbiotic relationship demonstrates the business skills of both affiliates and intruders in the network. Both REvil and TMT are players in the big league who thrive on the talents of each other.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.