126: REvil

Darknet Diaries

INSIGHT

REvil's Ransomware-as-a-Service Model

Summary: REvil, a ransomware group, prioritized offering their ransomware as a service rather than deploying it themselves, seeing it as more profitable. They handled payment collection, decryption, and victim support, splitting ransoms with the 'affiliates' who deployed the malware. This business model allowed them to scale their operations via other criminals.

Insights:

  • REvil's 'Ransomware-as-a-Service' model was more lucrative than direct attacks, demonstrating a shift in cybercriminal strategy.
  • REvil handled the entire ransomware process, from payments to decryption, offering a full-service solution to its criminal affiliates.
  • Their model avoided targeting the CIS (Commonwealth of Independent States, essentially former Soviet Union countries), which points to both a likely origin and a deliberate strategy of avoiding legal repercussions in those territories.

Proper Nouns:

  • REvil: Name of the ransomware and the group operating it, a reference to Resident Evil.
  • CIS (Commonwealth of Independent States): A group of countries REvil avoided targeting, likely due to political or legal reasons.

Research

  • How effective were REvil’s geo-targeting efforts in avoiding prosecution?
  • What percentage of the ransom did REvil typically keep in their profit-sharing model?
  • How did REvil recruit and manage its affiliates?