# Uncensored Interview with REvil / Sodinokibi Ransomware Operators

**[cybleinc.com/2021/07/03/uncensored-interview-with-revil-sodinokibi-ransomware-operators/](https://cybleinc.com/2021/07/03/uncensored-interview-with-revil-sodinokibi-ransomware-operators/)**

July 3, 2021

An uncensored interview between Russian OSINT and a REvil operator has popped up on one of the hacking forums today. This is an unedited interview, which was originally released [on October 23, 2020, by Russian OSINT on their YouTube channel.](https://www.youtube.com/watch?v=ZyQCQ1VZp8s&t=192s)

Here are some of the interesting insights:

- Per the operators, the name means Ransom Evil and was derived from Resident Evil.
- REvil is an encryptor written in C.
- For a successful attack, the operators also need to destroy backups and exfiltrate ("merge") as much information as possible.
- They support elliptical cryptography and a "triple" scheme (file key – system key – affiliate key).
- Malware developers keep a 20-30% share, while the distributor takes the remaining 70%.
- WannaCry was unmanageable and called "stupid."
- The top three attacks were Travelex, Grubman, and the Texas 23 counties.
- REvil mentioned that someone paid them on behalf of Alan Grubman, as the stolen data related to tax evasion schemes.
- REvil makes over $100M a year.
- They have a penetration testing group with over ten individuals working for them.
- They operate as a "closed" family. The selection process is rigorous. They don't communicate with each other directly.
- Per REvil, they compromised Grubman and Travelex through known Pulsar and Citrix vulnerabilities. They also boasted about how they owned the network in under 3 minutes.
- 33% of deals with the group are unreported or secret.
- Their favorite targets are IT providers, insurance, legal firms and manufacturing.
- Monero is the preferred mode of payment due to the difficulties in tracking transactions.
- REvil is inspired by SunCrypt ransomware, i.e., DDoSing the site as well to add extra pressure. They are working on it.

REvil's Ransomware Attacks Summary is below (Source: Cyble Vision):

[Figure: Ransomware Attacks Heat Map (REvil)]

[Figure: Industries Targeted by REvil Ransomware Operators]

**Here is the original interview (as published on a cybercrime forum):**

**Russian OSINT:** "REvil deposited a million dollars on a hacker forum." "Thus, hackers want to prove to potential partners that they are serious about the matter," Maria Nefyodova wrote in the article. As an ordinary person, together with the audience, it is interesting to know what REvil is, or, as it is called, Sodinokibi? Do I understand correctly that the encryption program REvil is used to obtain ransom from organizations in the event of a successful attack?

**REvil:** REvil (or, as it is called by the information security vendors, Sodinokibi) is an encryptor written in C. Yes, the program encrypts user files, thereby restricting access to them. For a successful attack, it is also necessary to liquidate backups (NAS and tape storage, for example) and "merge" as much information as possible to yourself. Very often they pay not for the fact of encryption, but for the fact that these files do not get into public access. An example of how not to do it is Travelex. In my memory, as a result of our attack, they simply went bankrupt due to the fall in shares.

**Russian OSINT:** As journalists write, REvil operates on the RaaS model (Ransomware-as-a-Service); as part of this agreement, affiliates and ransomware developers share the proceeds from the ransom. Is it true that with such a "division of labor", malware developers get a 20-30% share, while distributors get 70-80% of the ransoms received?

**REvil:** Yes, it is. Distributors do most of the work, and software is just a tool. I think this is fair.

**Russian OSINT:** Please explain for viewers and subscribers how REvil differs from other ransomware programs, for example WannaCry?

**REvil:** REvil is not meant to be massive. WannaCry was a very stupid experiment, and unmanageable. To make such a rustle and get less than $100k is very funny. At the very least, we do not have the RCE exploit, as WannaCry had, so it does not automatically infect other computers, like a worm, on the external internet. Within the network, of course, the software itself will connect external media and systems for maximum effect.

**Russian OSINT:** How did REvil come about, is there a background to the creation of the project?

**REvil:** Nothing special. We used similar software as advertisers earlier – the software eventually ceased to exist. We bought its source code and wrote our product for our purposes.

**Russian OSINT:** What are the main competitive advantages of your product in comparison with other TOP-5 ransomware? Why do your so-called partners choose you?

**REvil:** An encryption system. Neither Maze nor Lockbit have elliptical cryptography, nor a "triple" scheme (file key – system key – affiliate key). But they come to us rather because of our competent work on receiving payment (envelope) and technologies. Maze and we, in principle, set the vector of the direction of the ransoms as a whole as branches. We treat our competitors quite neutrally and are always ready for dialogue (very often this happens when 2 lockers encrypt 1 company at the same time. If you don't agree, both will be left without money).

**Russian OSINT:** What does the R prefix in the word REvil mean? Is that the word Reborn? I.e "

**REvil:** Ransom Evil. The thought came from Resident Evil.

**Russian OSINT:** When I was preparing for the release, I must admit that I did not fully realize how serious ransomware is and, in particular, that REvil is involved in a number of high-profile scandals; it is mentioned by such authoritative media as Forbes, Wall Street Journal, BBC, Security Lab, Xakep, Cyberbeast, even in Wikipedia... What TOP-3 public attacks of REvil do you think are the most resonant?

**REvil:** Travelex, Grubman and Texas 23 counties. This is for a moment. There will be one more very loud attack, but we will not advertise it for now. I will just say that it is connected with a very large game developer.

**Russian OSINT:** Some media reported that in May 2020, you demanded $42 million from US President Donald Trump. It was alleged that you deciphered the elliptic curve cryptography that the firm used to protect its data. How did the story end, did the US authorities make a deal with you by paying the ransom?

**REvil:** No no, we wished the NSA, the FBI and the US Secret Service the best in decrypting the data. Not Trump, but Alan Grubman. Money was paid for the data. Who bought it – I will not say. The data was related to tax evasion schemes by companies affiliated with Trump.

**Russian OSINT:** The deposit of a million dollars is about 77 million rubles at the current exchange rate; it seems to me, for you it is mere pennies... If it's not a secret, what is the approximate annual revenue of REvil for 2019 and 2020 in comparison?

**REvil:** More than $100 million a year. If we talk about rubles, then already well over a billion.

**Russian OSINT:** Aren't you afraid of losing 1 million if the forum gets hacked or private keys leak into the network? As you yourself hint in your posts, Western intelligence services are hunting you.

**REvil:** We'll earn more. Money comes and goes.

**Russian OSINT:** Does it take more than 10 people to service a complex product like REvil?

**REvil:** If we talk about the development group, less than 10 is enough. But about the pentest group, more than 10, of course.

**Russian OSINT:** Why did you decide to work according to the Ransomware-as-a-Service model, and not do everything yourself from start to finish: hack, secure, encrypt, demand a ransom and launder money?

**REvil:** We work anyway. According to the RaaS model, it is more profitable. More profit is obtained.

**Russian OSINT:** Does the RaaS model allow you to scale your business faster?

**REvil:** Undoubtedly.

**Russian OSINT:** What service options do you provide to your partners today?

**REvil:** Negotiations, pressure on the organization. Well, the software itself. Receiving a ransom, providing a decryptor.

**Russian OSINT:** Once again, I want to capture an important point for viewers: when a partner asks you to provide him with your service, do you lease REvil to him? That is, the partner does not control the encryptor and does not know how its filling works... he only uses the finished product. Right?

**REvil:** We provide software and our own negotiation services. The partner's task is to infect the network and kill backups. Download files. Everything. The rest is our concern.

**Russian OSINT:** If an organization pays a ransom, does the money go to you first, and then you distribute it among the partners?

**REvil:** Immediately, automatically distributed by the system. But the original wallet is of course ours.

**Russian OSINT:** Were there any cases of conflicts with partners? Can you give one memorable case and how you managed to resolve it?

**REvil:** Honestly, I don't remember. We have our own "closed family". The selection is very strict, and inadequate personalities we do not even add to ourselves in the means of communication.

**Russian OSINT:** Who is hunting you today? CIA, NSA, FBI, Interpol?

**REvil:** The US Secret Service, Europol and cybersecurity companies around the world. This is normal. The project was designed under such pressure.

**Russian OSINT:** Have there been any cases when, under the guise of partnership, agents from the Secret Service, NSA or CIA tried to get into your trust?

**REvil:** Yes. But they are pouring in on the "general political and social" issues of the CIS countries. There were also Russian-speaking people, but when we talk about the specific specifics of work, a person swims. Also immediately denied.

**Russian OSINT:** Do you have a funny story from practice when they tried to recruit you? Share a memorable experience.

**REvil:** Recruit? I don't know to recruit. We are apolitical. I doubt the practical use of us as a special apparatus. If you remember Trump, there is purely money. No politics. We don't care who is the president. We have worked, we are working and will continue to work.

**Russian OSINT:** Have your "partners" tried to hack you through phishing links, malware, some complex schemes for the purpose of deanon?

**REvil:** There are no partners, but cybersecurity experts are. The most striking example is ; and info.php in the chat app. They try to break it every day. It's hard to actually break what you don't know. I'm sure the experts don't even know which OS builds are on the servers, which web server. They just attack for luck. There is a separate respect for shell.exe. The product was created for this scale and is capable of holding such a defense.

**Russian OSINT:** How do you feel about the well-known information security journalist Brian Krebs, how objectively does he write about you?

**REvil:** Read it. Neutral.

**Russian OSINT:** In early September 2020, BancoEstado, one of the three largest banks in Chile, was forced to close all branches following a ransomware attack. They wrote that the incident occurred due to the fact that one of the bank employees opened a malicious Office document received by mail. The allegedly malicious Office file installed a backdoor on the bank's network, and on the night from Friday to Saturday, hackers used it and spread the ransomware across the financial institution's network. It is reported that initially the bank's specialists expected to quickly cope with the attack, but the damage turned out to be more serious than they thought, since the ransomware encrypted the vast majority of internal servers and workstations of employees. Details of the attack were not disclosed, but a source close to the investigation said the bank's internal network was attacked by REvil (Sodinokibi). Was it real, or a fictional story?

**REvil:** It really was. Our handiwork. Very often, companies keep silent about the source of the attack. The reputation is the same. Falling stocks.

**Russian OSINT:** Recently, Tyler Technologies paid a large ransom for ransomware (approximately $10 million). Are there any other interesting cases known when ransomware took advantage of vulnerabilities in the systems of large technology companies? Can you give specific examples when savings on information security led to large losses?

**REvil:** Grubman and Travelex. Both were hacked through the old Pulsar and Citrix. This is really stupid. We got access to the entire network in 3 minutes. Just because of 1 vulnerability, which is healed by the patch.

**Russian OSINT:** In how many % of cases do large companies go with you to a secret deal and pay a ransom so that there are no publications in the media, or so they are not threatened with hate for a negligent attitude to security?

**REvil:** In 1/3 of cases.

**Russian OSINT:** How honestly do you negotiate with companies in the event of a successful attack? If a company pays the ransom in good faith, how can they be sure that you don't double the amount and demand the amount again?

**REvil:** Our reputation is dear to us – it affects the envelope (% of payments). There have never been any deceptions on our part and there never will be. This is the foundation. If there is a bad envelope, people will leave. Reputation in such a business is No. 1.

**Russian OSINT:** Have you ever had problems when it was not possible to decrypt encrypted files after receiving a ransom? That is, something went wrong and you yourself could not do anything.

**REvil:** Yes. If you have previously tried to use third-party data recovery software. If at least 1 bit of the file is modified, the key will be lost. Especially often this happens with antivirus – it simply deletes notes, and they contain keys. I say openly – such cases are extremely rare. I remember only 12 for the entire time of work. And, of course, we never took money. The note contains a warning to the victims. If they don't read it, their difficulties.

**Russian OSINT:** Which industries are currently the "fattest" for ransomware attacks? Where is the most profit?

**REvil:** IT providers, insurance, legal firms. Manufacturing, especially, oddly enough, the agro-industrial complex.

**Russian OSINT:** You don't do any hacking and fixing into the infrastructure with your own hands... your partners do it, right?

**REvil:** We have our own "flying squad", and we also have partners. We do this and that.

**Russian OSINT:** A recent report from Microsoft said that 2 extremely effective attacks for introducing ransomware are brute-force and RDP hacking. How do you think attack vectors will change over time?

**REvil:** Brute force has been alive for 20 years. And it will be alive. RDP is the best vector. Especially the fresh BlueGate vulnerability will hit it very hard.

**Russian OSINT:** Are there Android and iOS ransomware today? Is it profitable to do this? Let's say we encrypt the phone memory or cloud storage of CEOs of companies... will there be any movement in this direction?

**REvil:** You have to be absolutely repulsed to do this. I am totally against it. Android, and even more so iOS, is ideal for working out the banking sector. What to encrypt? Photos of you eating matzo? Very bad damage, yes.

**Russian OSINT:** In your post on the forum you write: "Our software has been repeatedly tested by Europol, Interpol, FBI, CIA, NSA, US Secret Service and other law enforcement agencies and intelligence agencies of countries around the world. Our software has been used all over the world and has passed a government security audit. Top-notch teams trust our software and have been able to significantly expand their budget and improve the arsenal to work with. Together with us, newbies who just downloaded the free version of msf switched to licensed Cobalt Strike in just a month, and after 6 months they already had 0day lpe / rce exploits at their disposal for successful work. And such examples are enough." Based on your text, as I understand it, supports help and train newcomers, that is, you have built a whole hierarchy and division of labor... Do newcomers really earn so much?

**REvil:** Supports will only help in negotiations. They learn the technical details themselves. Yes, they can really do that quickly. Before my eyes, 1 team with redemptions of 20-30k dollars rose to redemptions of 7-8 million for 1 goal. For half a year. Hierarchy is unlikely. Competent division of labor. We don't have the main ones. What I am answering now is purely my personal opinion. All decisions are made collectively. I really appreciate and respect that.

**Russian OSINT:** To prevent young people from rushing for easy money, I want to ask a question related to the risks of such an activity: what is the timing for newcomers doing this activity, and how high are the stakes in your game?

**REvil:** Seriously, taking the realm of extortion, I wouldn't be surprised if I get killed. I will understand that. None of our topic will ever fly to the United States and similar countries, and since there is no justice for us, it is quite an option to kill. We create serious problems and are virtually elusive. Timing? 2 for life.

**Russian OSINT:** Considering that the NSA and the CIA are after you, Tox or Jabber?

**REvil:** My own OS build, personally tested and compiled (Gentoo, for example). Also with software. I advise the paranoid to decentralization.

**Russian OSINT:** Monero still cannot be traced?

**REvil:** I guess so. The most obvious trace is that on exchanges it is rarely accepted; a large amount of it raises questions. Therefore, Monero is only a transit means of payment.

**Russian OSINT:** Do you do charity work? For example, donating to various open source foundations, the Tor Project, the Electronic Frontier Foundation?

**REvil:** Possibly.

**Russian OSINT:** As Naked Security by Sophos writes, your favorite attacks on entering the company's infrastructure are exploit kits, exploitation scan techniques, RDP servers, installation files with backdoors. What type of attack do you think is the most effective of the above?

**REvil:** I don't know how to get into the infrastructure through a bunch of exploits, for example, RIG. It is written somehow incorrectly. The best method, for me personally, is to catch the authorization data of the drocher sysadmin from a regular stealer and get full access to the MSP of the entire organization. I'm not telling it out of thin air – this was in practice. The organization was serious, the ransom with 6 zeros. And so RDP and exploits. For a very important purpose – ringing spam mailings.

**Russian OSINT:** How do you think the ransomware market will change in the next 2-3 years? What global movements or changes will there be in the market?

**REvil:** Yes. Everything is moving towards merging files, not encrypting them. Encryption is just a nice touch. Personally, I liked the idea of SunCrypt – the DDoS of the site and infrastructure, together with encrypted files and the threat of their publication – very strong pressure. We are developing this idea.

**Russian OSINT:** When you make enough money, do you think you can stop at the right time? Or is the process associated with great risk and money like a drug, addictive...

**REvil:** Speaking about myself, it would be high time to stop. There will be enough money for more than one hundred years. But there is never a lot of money – there is always not enough money.

**Russian OSINT:** The funniest resume / autobiography that you have come across from candidates / partners during your entire work...

**REvil:** There are actually a lot of them. The most average – I buy dedicated files in a shop and I want to work with you. Rarely do really talented people actually write. I think everyone who is has already been assigned to affiliate programs. Therefore, I personally think to rely on young people. Give them a chance to prove themselves. And if he does not show it – there are plenty of competitors, our demand is always high – no one is offended.

**Russian OSINT:** Is it possible to travel with what you do?

**REvil:** Impossible – definitely.

**Russian OSINT:** How to recognize "Drovoruba" who wants to make friends with you? ([sarcasm about the name of the rootkit](https://www.linux.org.ru/forum/talks/15855787)) "The NSA has issued a warning about Russian intelligence (GRU) spy operations using a previously unknown malicious Linux kernel-based OS toolkit called 'Woodcutter'."

**REvil:** He is very insistent on invading your sweet system with maximum rights. Egoist.

**Russian OSINT:** Describe your life in one word.

**REvil:** More.

**Russian OSINT:** Do you have a secret dream?

**REvil:** Billion dollars. Then 2 billion. If you are in a good mood – 5.

**Russian OSINT:** Where do you live: what metro station, street, house number?

**REvil:** Nikita Kuvikov or Nariman Namazov. Something in the middle of their habitats.

**Russian OSINT:** How did you come to such a life?

**REvil:** Once, when I was little, I installed a joint. And I liked it. Everywhere.

**Russian OSINT:** What advice do you have for beginners?

**REvil:** To eat more often, but better to drink. But seriously, study, read, try. Everything will work out, everything is real.