Let me remind you that REvil works under the "ransomware as a service" (RaaS) scheme, that is, the malware is leased to various criminal groups. Because there are many such groups, and because REvil is highly customizable, it is extremely difficult to monitor all of the encryptor's operations and the numerous affiliate campaigns that distribute it.
However, KPN experts managed to sinkhole REvil's command-and-control infrastructure and intercept the messages that infected computers exchanged with the REvil management servers. The researchers write that they have collected unique information about REvil operations, including the number of active infections, the number of infected computers per attack, and even the magnitude of the ransoms the hackers demand from their victims.
Analysts watched REvil for about five months and found more than 150,000 unique infections worldwide. These 150,000 infected machines were linked to only 148 REvil samples. Apparently, each of these samples represents a successful infection of one company's network. Moreover, some attacks are huge, encrypting more than 3,000 unique systems. The researchers note that only a few of these attacks were discussed in the media, while many companies stayed silent about being compromised.
According to KPN, in recent months REvil operators have requested ransoms totaling more than $38,000,000 and, on average, extort $260,000 from victim companies. In some cases the ransom amount was $48,000, which is below the REvil average but still far more than the usual $1,000-$2,000 that other extortionists demand from home users.
If REvil manages to infect several workstations in a company's network, the average ransom amount rises to $470,000, and in many cases the attackers' demands even exceeded the $1,000,000 mark.
It is not clear how many compromised companies agreed to pay a ransom to the REvil operators, but the KPN study suggests that the ransom figures other information security experts previously reported are far below what REvil actually demands.
For example, according to Coveware, which helps victims recover from ransomware attacks and sometimes negotiates ransoms on their behalf, the average ransom payment in the fourth quarter of 2019 increased by 104% to $84,116, compared to $41,198 in the third quarter of 2019. Thus, REvil operators extort much more from their victims than other ransomware operators do. Most likely this is because REvil targets companies and large corporate networks rather than home users.