
Bitcoin top-ups and chat support: Analysts reveal how REvil hackers interact with victims
Elliptic specialists have published the results of a new study illustrating how the REvil ransomware group communicates with a victim of its ransomware.
As an example, analysts examined one of REvil’s attacks. After the computer system was infected, the victim received a ransom note with a link to the so-called victim page on the Tor network, which contained further instructions.
To decrypt the files, the hackers demanded $50,000 in Monero, and if the ransom was not paid by the deadline, the amount doubled. On the page the attackers posted information about where to purchase cryptocurrency and which address to send it to.
The victim can reach the extortionists via the ‘Chat Support’ tab. In the Elliptic case under review, the victim stated that the demanded amount was too high. In response, a REvil representative offered a 20% discount. As a result of the negotiations, the ransom price was reduced to $25,000.
The victim also asked to make the payment in Bitcoin rather than Monero. The REvil representative said this was possible, but with a 10% surcharge.
“This demonstrates the increased risk REvil faces when accepting Bitcoin payments due to their traceability,” Elliptic noted.
After paying the ransom, the victim’s page is updated to show access to the decryptor. Elliptic emphasised that there is no guarantee that the attackers will provide such a tool even after receiving payment.
Subsequently, REvil splits the received coins and sends them to many different wallets, and also mixes them with bitcoins from other sources to launder the funds. The cryptocurrency is later withdrawn through exchanges and darknet markets.
Researchers noted that they share information with law enforcement, exchanges and financial institutions to identify the cryptocurrencies and wallets linked to cybercriminals, in order to prevent money from being cashed out.
Earlier in July, REvil compromised thousands of companies in the attack on the American software developer Kaseya and demanded a $70 million ransom in Bitcoin. On the night of July 13, the group’s darknet sites suddenly went offline.