{
	"id": "fefe6c6d-f2d0-4ecd-9c2c-8c6736f13195",
	"created_at": "2026-04-06T00:14:57.344754Z",
	"updated_at": "2026-04-10T03:20:04.162112Z",
	"deleted_at": null,
	"sha1_hash": "c8acb51fc67f535ccafd026c20ec6f5c04cae51a",
	"title": "Axis of REvil: What we know about the hacker collective taunting Apple",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 41866,
	"plain_text": "Axis of REvil: What we know about the hacker collective taunting\r\nApple\r\nBy Eamon Javers\r\nPublished: 2021-04-23 · Archived: 2026-04-05 20:45:34 UTC\r\nThe ransom note was both taunting and ominous: “Today we, the REvil Group, will provide data on the upcoming\r\nreleases of the company beloved by many,” the criminal hackers wrote.\r\nIn the note posted on the dark web the group told the world it hacked an Apple supplier called Quanta Computer\r\nand wanted $50 million in ransom or else it would release sensitive internal documents. “Tim Cook can say thank\r\nyou Quanta,” wrote REvil.\r\nThe extortion attempt, which came early this week, represented a significant escalation for a well-known hacker\r\ncollective. And experts tell CNBC it may presage a new era of emboldened ransomware attackers who are\r\nprotected by Russian leader Vladimir Putin and empowered to take on the biggest companies in the world.  \r\nCybersecurity experts in the U.S. say the group has a long rap sheet of criminal activity against Western\r\ncompanies. Their analysis suggests REvil — pronounced like the letter “R” followed by the word “evil” — is\r\nlargely made up of native Russian speakers and is likely located in a former Soviet state. Whoever they are, they\r\nhave a taste for dark humor: REvil posts its stolen documents on a site on the dark web that it calls “Happy Blog.”\r\n“We know that they are protected most likely by Russian intelligence or the Russian government, as are most\r\nransomware groups, which has allowed them to flourish over the last 18 months,” said Marc Bleicher of Arete\r\nIncident Response, a cybersecurity firm that specializes in negotiations with criminal hackers. 
Bleicher says his\r\nfirm has dealt with REvil 32 times in just the past 90 days.\r\n“I think, you know, based on what we’ve seen so far, this may be just the tip of the iceberg over the last few\r\nmonths, and what you’re going to start to see is organizations that are of the same size and stature as Apple,”\r\nBleicher said.\r\nThat means more CEOs need to brace for ransomware impact and for REvil’s shockingly direct intimidation\r\ntactics. Bleicher said one signature of the group is stealing a CEO’s personal cellphone number from company\r\ncomputers and then repeatedly calling that CEO to taunt him or her personally about the loss of data and to\r\ndemand huge payouts.\r\nBleicher’s firm has analyzed 173 previous REvil attacks and says it can see some patterns in how the gang\r\noperates. One thing becomes clear: Attacking Apple by name — and demanding $50 million — is on a much\r\ndifferent scale from what REvil has operated on in the past. Thirty-one percent of the companies attacked by the\r\ngroup have been in professional services, not technology, Arete found. Nineteen percent have been in health care,\r\nand 16% in manufacturing.\r\nThe average ransom demand has also been much lower in the past, Arete found, at just under $728,000. After\r\nnegotiations over the price, the average ransom actually paid is even lower than that: Just over $129,000.\r\nIt’s a remarkably business-like operation, complete with customer service desks, software support teams and even\r\na Craigslist-style marketplace to recruit new hackers to the enterprise.\r\nBleicher provided CNBC with one jobs posting for REvil that he found on the dark web. Written in Russian, it\r\nsays: “We have 1 position for a person that gains accesses to networks, that already have active accesses. Monday\r\nwe’ll announce one of our largest attacks. We work 24x7. We are stable. 
We make money — a lot of money. We\r\nare waiting for you in our direct message.”\r\nCharles Carmakal, a senior vice president at the cybersecurity firm FireEye, said his rough estimate is the gang\r\nhas collected a total of $100 million so far. That means a $50 million ransom would be an enormous step up for\r\nthe group.\r\nBut everything in this criminal underworld is negotiable.\r\n“I have seen other organizations being asked for $50 million,” Carmakal said. “Nobody really realistically pays\r\nthat much money. They’ll try to negotiate it down to a number that is a little bit more reasonable and doable if\r\nthey do decide to pay.”\r\nCarmakal said the huge ransom demand and high-profile target in this case may be more about getting attention —\r\nand scaring future victims — than it is about this one case. One possibility is the high-profile taunting and ransom\r\nnote were only made public after a private negotiation that didn’t end well from the hacker’s point of view. So\r\nnow they’re leveraging that for publicity and intimidation.\r\n“These groups tend to amplify their messages and try to coerce victims, usually after they don’t feel like the\r\nvictim is willing to pay,” Carmakal said.\r\nBut why are companies sending these huge payments to criminal gangs at all? Carmakal said firms look at the\r\nscale of the potential damage and often conclude they have no choice.\r\n“A lot of organizations feel compelled to pay because they don’t want that data to get out there,” he said. “They\r\nfeel that they’ve got an obligation to their shareholders or partners or to the customer to prevent that data from\r\nmaking its way out onto the open market.”\r\nThe latest REvil attack is still in play. The gang demanded payment from Apple by May 1 and said it would\r\nrelease more data every day. 
So far, though, no further Apple data has been dumped on the dark web.\r\nThat could be one indication, experts say, that ransom payment negotiations are already underway.\r\nSource: https://www.cnbc.com/2021/04/23/axis-of-revil-inside-the-hacker-collective-taunting-apple.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.cnbc.com/2021/04/23/axis-of-revil-inside-the-hacker-collective-taunting-apple.html"
	],
	"report_names": [
		"axis-of-revil-inside-the-hacker-collective-taunting-apple.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434497,
	"ts_updated_at": 1775791204,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c8acb51fc67f535ccafd026c20ec6f5c04cae51a.pdf",
		"text": "https://archive.orkl.eu/c8acb51fc67f535ccafd026c20ec6f5c04cae51a.txt",
		"img": "https://archive.orkl.eu/c8acb51fc67f535ccafd026c20ec6f5c04cae51a.jpg"
	}
}