Ransomware crim: Yeah, what I do is bad. No, I don't care. Yes, infosec bods are all mouth and no trousers
Claimed REvil contractor badmouths West from anonymous pulpit
Someone claiming to be a former contractor for the REvil ransomware gang has given an interview to a security firm, saying he struggles to sleep at night but isn't ashamed of what he does.
The unnamed person was interviewed by Russian news outlet Lenta as part of a series focusing on the mostly Russia-based scourge of modern times. US infosec firm Flashpoint obtained the full transcript of the interview and translated it into English.
"In the normal world, I was called a contractor – doing some tasks for many ransomware collectives that journalists consider to be famous," said the threat actor, using the handle Antivirus. "Money is being stolen or extorted with my hands. But I'm not ashamed of what I do."
While humblebragging about his work on behalf of REvil and poking fun at Western authorities for charging suspects with criminal offences and attributing ransomware operations to state-backed operations ("But inside the community, everyone guesses that these are simple guys scattered all over the world who even have difficulty communicating among themselves, let alone the government"), Antivirus painted a picture of an average guy knowingly doing bad things for personal gain.
- Ransomware author tracked down, but not nicked
- Ransomware victim Colonial Pipeline paid $5m to get oil pumping again, restored from backups anyway – report
- REvil customers complain ransomware gang uses backdoors to filch ransoms
- Report shines light on REvil's depressingly simple tactics: Phishing, credential-stuffing RDP servers... the usual
"Let's put it this way: this is a very time-consuming job. And if you've earned enough, then you can quit the game. Chronic fatigue, burnout, deadlines – all these words from the life of ordinary office workers are also relevant for malware developers," he told Lenta, adding that he hasn't slept for more than four or five hours a night – while also letting on that he has a (presumably young) family.
Contractorisation and the rise of as-a-service business models in the ransomware world are alarming security companies who have been saying for years that ransomware attacks show no sign of abating any time soon.
A major part of the problem is the Russian state's tacit condoning of ransomware attackers in their territories as long as they don't target any organisation based in an ex-Soviet country – an attitude that dates back more than a decade.
Occasionally even attacks on the West cause the country to sit up and pay attention: the infamous US Colonial Pipeline ransomware attack in May this year was one such occasion, when the global fury caused by the oil pipeline's shutdown was so severe the criminals behind it declared they were shutting down their operation.
While the Western infosec world talks the talk, according to Antivirus not many are yet walking the walk:
The strategy of our conditional adversaries – information security departments – network segmentation according to the principle of zero trust. All the security forces now talk about this, but the tactics have not yet been brought to the ideal.
Interestingly, he also mentioned politics: "If you go to the Italian forums on the darknet, they write more about socialism than about hacks."
Italian ransomware gangs are, of course, virtually unknown. Nonetheless, Antivirus said there were few political motivations in actual attacks: targets were selected "because they are rich and have a lot of money."
The REvil gang, notorious for targeting Western organisations with ransomware attacks over the past couple of years, was recently criticised by other criminals for stealing "their" ransoms by apparently using backdoors implanted in their malware.
It is available for rent by customers who don't have the skills to write their own ransomware. ®