Who are the people behind a spate of multi-million dollar ransomware attacks on financial institutions, schools, hospitals and critical infrastructure? When Nicky Woolf began to investigate the highest-profile ransomware outfit, REvil, it was almost completely hidden from view. But then the cyber-police started to uncover its secrets.
Sir Dan Moynihan: I was out for a jog on a Saturday before. A week before Easter.
Nicky Woolf, narrating: It’s late March, 2021.
Dan: I’m Sir Dan Moynihan, CEO of the Harris Federation, a group of 51 academies, all located in London.
Nicky, narrating: On his run, Sir Dan’s phone rang. On the other end was one of the techs responsible for the IT system all Harris Federation schools used. Overnight, one of the system’s servers had failed, he told Dan. He’d checked to find out why. And what he found marked the beginning of a months-long nightmare.
Dan: He discovered that the server had been encrypted. So that immediately meant we’d been attacked by malware.
Nicky, narrating: All the schools in his group used the same computer system, and it had been hacked. Infected with a hostile computer program – malware. Later, Dan would find out that the Harris schools’ computers had been accessed by the hackers a few days earlier, on the Wednesday. For three days, they’d done nothing. Just poked around. Gathered intelligence.
Then on Friday night – the perfect time to cause chaos, with staff off for the weekend – the hackers activated their program.
It was a specific kind of virus, which swallows up all the data on a computer network and encrypts it. That means it scrambles it mathematically, locking it off from anyone who doesn’t have the specific cryptographic key. Without the key, the data is effectively destroyed. Wiped out.
When you try to log in to an affected computer, all you get is a text file containing a simple message.
Computer voice: Welcome again. What’s happened? Your files are encrypted and currently unavailable. You can check it all. By the way, everything is possible to recover but you have to follow our instructions.
Nicky, narrating: Congratulations: you’ve been hit by ransomware.
Nicky: And what was your first thought when you heard that?
Dan: My stomach fell through the floor, really. I had a sick nauseous feeling because I knew this would have been done with a purpose and the purpose was to extract something from us, probably for financial gain.
Nicky, narrating: It’s nothing new at all, really. It’s a stick-up. A mugging. A shakedown. ‘Nice network you have here; lots of data, lots of critical information. Very important for you, all this stuff, isn’t it. Be a shame if something were to happen to it.’
It’s not particularly subtle. The program instructs its victims to hand over a certain amount of money, in the form of cryptocurrency, or all that data either gets eradicated, or leaked online, whichever the target would find most disastrous.
In the past year or two, this type of attack has been spreading, becoming increasingly common.
A major incident is declared after almost 40 NHS organisations across England and Scotland are hit by a large-scale cyber attack.
Nicky, narrating: It’s hit hospitals. Critical infrastructure.
Colonial pipeline, tonight still not pumping fuel across America thanks to a cyber attack.
The computer company Acer has apparently been targeted by ransomware hackers.
Nicky, narrating: Companies around the world.
The group is reportedly giving Acer until Sunday to pay up.
Nicky, narrating: It’s cost millions of dollars in ransom payments, and millions more in disruption.
Ransomware’s first alleged casualty. The family is suing, arguing the cyber attack caused staff to miss troubling signs which resulted in the death of their infant daughter.
Nicky, narrating: And it’s cost lives, too.
Dan: On Sunday we’d contacted the government’s national cybersecurity center and they listed a series of firms that could help you with this, if you’d been hacked and we’d contacted all of those firms on the Sunday, and none of them could take us on because they were all at capacity dealing with other people who’d been hacked.
Nicky, narrating: On the advice of one of his board members, who worked in the IT industry, Sir Dan Moynihan brought in a specialist company, based in Israel, to help. That’s when he learned who – or rather, what – was attacking them.
Dan: They quickly saw the calling cards in the software of REvil.
Nicky, narrating: The schools of the Harris Federation – 38,000 pupils, 5,000 teachers and staff – had become the latest victims of a group which was on the way to being one of the highest-profile ransomware operators in the world.
They called themselves R-Evil, or REvil.
I’m Nicky Woolf and this week on the Slow Newscast I’m on the trail of REvil. Who are they? Who’s behind this malicious software that holds your data hostage, and then demands millions in ransom payments?
Dan: The ransom demand was $4 million in cryptocurrency which would double if it wasn’t paid within I think 10 days. Now we’re a group of schools, we were being asked for $4 million, potentially $8 million.
Nicky, narrating: Sir Dan Moynihan decided to take a stand.
Dan: I mean we just don’t have that, but even if we had it we weren’t going to pay it.
Nicky, narrating: But it’s 2021. Everything depends on the computer network. That’s just a fact of life now.
Dan: Modern schools use IT for all sorts of things. All of our teaching materials are held on our network. CCTV systems operate on computers. Many of the academies have electronic doors and gates which are secured using the internet. Registers, medical details for pupils, predicted grades in a year where there were no exams and predicted grades had to be provided to exam boards, fire systems, safety systems, building management systems, everything relied on IT. So we were then left with a decision: do we open on Monday? Do we have safeguarding information? Did we know medical details for children, peanut allergies, people who should be taking medicine approved by parents?
Nicky, narrating: Luckily, the schools could cobble together the life-critical stuff from hard backups – health records especially. It was clear opening on Monday was going to be a nightmare. But closing down would have real consequences too.
A-level and GCSE exams were cancelled because of the pandemic, and teachers were instead due to submit their grades for pupils in just four weeks. And in any case, there was no way of knowing how long the data hostage crisis would last.
Dan: You know, nearly half of our children are eligible for free school meals. They live in social housing, they have difficult lives. And we decided, given that we’d been closed for so much during the pandemic, we would open on Monday morning.
Nicky, narrating: When all 51 schools came back Monday morning, with much of their computer network still held hostage by REvil, it was, inevitably, chaos.
Dan: Some schools, their front doors were open and insecure. Other schools struggled to get their doors open. We lost security systems so in some schools we lost fire systems and we had to institute fire wardens, people on corridors with radios. We lost access to medical details but we knew we had a hard copy of those so we were able to open for youngsters, but, I mean, there are things like sometimes parents are separated, sometimes one parent doesn’t have access, all of that’s on a system. Fortunately we had hard copies of it, but it was pretty stressful. Paying for school meals is done using an electronic swipe card that didn’t work so we effectively gave everyone free food for a number of weeks and then tried to sort it out later. Lighting systems coming on and off and teaching materials are all, you know, most modern classrooms have an electronic whiteboard, schemes of work, lesson plans, all of that is stored electronically. And it just wasn’t available.
Nicky, narrating: Dan felt sick, and he wasn’t the only one.
Dan: I think pupils were worried, they were scared, they felt that school is a safe place for them, particularly in some parts of urban London. The school is a safe place compared to many places. And something had gone wrong. There was a criminal element outside of their teachers’ control.
Nicky, narrating: By the end of the week, the company Dan had brought in had opened a direct line of negotiation with REvil.
Dan: And so a kind of dance ensued where we were clear from the beginning that we weren’t going to pay because firstly we had no guarantee that our systems would be decrypted and secondly, even if we’d received a decryption key, what we discovered was that it could take weeks to use that to get your data back. But more importantly, we are a group of schools receiving public money. And in our particular business, we deal with turning around struggling and failing schools for disadvantaged kids. We were in no position to be giving cash for that purpose to a group of criminals. It’s just not what we’re for. And to have done so would have meant that hacks in the education sector would be much more likely in future. And we certainly didn’t want to be responsible for that.
Nicky, narrating: REvil pulled out all the stops – cajoling, threatening, trying everything they could to try to squeeze Dan into giving them what they wanted. He held his ground.
Dan: As it became apparent we weren’t paying, they started phoning our office asking to speak to people in senior positions. The whole thing was bizarre really.
Nicky, narrating: To get a better sense of what that negotiation was like, I got in touch with Neil Hare-Brown. The founder and CEO of Storm Guidance, a boutique cyber-risk advisory firm, Neil’s been the point of contact between REvil and victims in situations like this many times before.
Neil Hare-Brown: When it comes to ransomware, it’s a very developed organised criminal process and there are various players that act in a particular ransomware attack to make up the whole attack. So it’s not one single attacker that breaks in or that figures out that an organisation is vulnerable, then breaks into their network, then drops the ransomware, then begins the negotiation process and completes payments. Each of those are actually completely different actors, different people.
There are a whole range of ransomware groups and they all operate in what’s called ransomware as a service. So the main if you like authors of the ransomware malware provide a website on the dark web and they recruit affiliates and those affiliates will provide various roles in the attack sequences that I just described. So you might have, for instance, initial access brokers that figure out that it’s possible to break into a particular system. They will then sell that information on to the actual attackers who will then break into that system, drop the ransomware – they will also be affiliates of a particular ransomware group. Then they will drop the ransomware that will then be encrypted. And then when the victim then wants to begin that ransom negotiation process, they will then be talking to another group of people who will literally, like a call center, begin the actual ransom negotiations.
Nicky: What kind of people are they? Are they rude? Are they speaking fluent English? What vibes did you get from them?
Neil: Their English is pretty good, it’s not perfect I would say. But, if you like, the strata of the criminal enterprise that you’re dealing with when negotiating a ransom is essentially like a call center. So it’s definitely not lone actors in hoodies behind a computer talking to you. It’s a call center operation. There are tens, if not hundreds of people, who are negotiating these ransoms and sitting there at their desks. They go off and have meetings just like legitimate business people do and they discuss, you know, what’s going to be acceptable or unacceptable. What intelligence they’ve got which might inform the level of ransom that they are prepared to demand in the first place and to negotiate afterwards.
Nicky: I just love this idea of a call center, like in The Office, of people who are kind of executing these ransoms on companies and then going out to gossip behind the watercooler.
Neil: Yeah, absolutely. I’ve got photographs. I’ve got photographs of these types of call center operations.
Nicky, narrating: Neil sends the picture, and it really does just look just like it could be any office, anywhere. Row on row of blue cubicles. Cheap pine desks. Notices pinned to a corkboard on the wall. Who knew mass extortion could be so banal.
Neil: So, yeah, it’s just like if you were to go into a call center at one of those legitimate businesses in the UK that runs things, and then immediately go into one of these REvil call centers, you’ll see pretty much exactly the same operation, except one is a legitimate business and the other one is a criminal enterprise.
Nicky, narrating: I can’t hide how completely compelling this image is to me. Are there office politics? Do they gossip on Slack? Do they all go for happy hour drinks after a long day of digital blackmail? I’m obsessed.
The most famous example of ransomware is probably still the 2014 Sony Pictures hack, which led to a whole tranche of extremely embarrassing internal documents and emails being leaked online. But that one was actually unusual – it was done by hackers working for the government of North Korea in explicit retaliation for the Seth Rogen comedy “The Interview”, which depicted Kim Jong-Un’s death. Honestly, that’s true.
But more often than not, ransomware isn’t like that. REvil are almost certainly Russian, or at least most of their members are. GandCrab, the group REvil is thought to have evolved from, were Russian, and the REvil software seems specifically designed to whitelist – i.e. not target – computers that have the keyboard laid out for the Russian language. Affiliates are asked not to attack organisations based in the CIS – the former Soviet states – places like Belarus or Georgia or Kazakhstan. But none of that means the gangs are operated by the Russian state itself the same way the Sony hack was by North Korea. It’s more complicated than that.
Megan Stifel: My name is Megan Stifel, I’m currently the Global Policy Officer at a nonprofit organisation called the Global Cyber Alliance.
Nicky, narrating: Megan has also served as a White House adviser on cyber policy, and before that she was an attorney prosecuting cyber crime for the Department of Justice.
Megan: I would say that while it’s certainly blurred in the case of ransomware, there is a distinction in these kinds of two or three groups, depending on how we think of them.
So there is certainly one group, those are the kind of pure criminals who are conducting this type of activity for personal gain. Then we have the hacktivists, who are just kind of seeking fame. We have those who are seeking to be remunerated for this, right, they’re trying to get money. There are, in a second category, nation state actors who are often undertaking this type of activity for more political purposes.
And then there’s kind of this third category of actors who are in the Venn diagram of these two groups where they may be nation state actors who are moonlighting and in their spare time working with criminal groups, leveraging the capabilities that they’ve learned in their day jobs as nation state hackers to gain some money on the side. Particularly I think that’s of potential interest in the ransomware case because we do know that so many of these actors are operating out of Russia or former Soviet republics and whether or not they’re getting enough money from their day jobs and that’s causing them to kind of think about other opportunities.
Nicky, narrating: REvil is a brand, part of a huge and lucrative industry. And it’s an industry that’s growing fast. Exact figures are hard to come by, but in 2020, companies paid at least 350 million bucks in ransom – and that’s just the ones we know about. We do know that’s going up sharply: it’s at least three times as much as was paid in 2019. In 2021, reported ransom payments had almost doubled that – almost $600 million – by mid October. And again – those are just the payments that get reported to authorities. That kind of growth is going to get noticed eventually.
In spring 2021 – in fact, while the Harris Federation was still negotiating with REvil – another ransomware group flew a little too close to the sun.
The largest US fuel pipeline is now the victim of a ransomware attack and Brian Sullivan has the latest on the Colonial Pipeline.
We are going to begin tonight with a run on gasoline from Florida to Virginia with panicked drivers lining up at gas stations fearing a fuel shortage.
We have some breaking news here on this group. The group is called DarkSide; they are allegedly the group behind this attack.
Nicky, narrating: On May 7th, the Colonial Pipeline, which carries fuel from Texas across the American south-east, was infected by ransomware called DarkSide. The pipe was shut down, and a state of emergency was issued in several states in order to prevent fuel shortages.
After its owners paid a negotiated ransom of more than four million dollars, DarkSide did provide them with a software key to get back into the computer system. But still the attack seemed to be a tipping-point. Hospitals and schools? Whatever. But hit America in the petroleum, it turns out, and the government is gonna sit up and take notice.
Joe Biden, news clip: My administration takes this very seriously, we have efforts underway with the FBI and the DoJ.
Nicky, narrating: The Biden administration singled out Russia in particular.
Joe Biden, news clip: We do not believe the Russian government was involved in this attack but we do have strong reason to believe that the criminals who did the attack are living in Russia, that’s where it came from.
Megan: I would say there are a number of factors that make Russia a more hospitable place to conduct this activity from. And particularly, in the United States, there’s a phrase that’s famous from, I don’t know if it’s Hollywood or elsewhere, ‘I’ve run off to a non extradition territory.’ Well, that is the case with Russia. We don’t have an extradition treaty with the Russian Federation, so there’s this idea that they’re kind of, they may be perceived to be operating outside the scope of the long arm of the law for the United States.
Secondly, there is, I think, a good degree of technical education in and around that country. And unfortunately it’s not a strong economy, as strong an economy as we have in other developed nations, and so there is this need to kind of use those skills in whatever way is going to pay the bills. Whether it be on behalf of the state or with these criminal groups who are offering ransomware as a service, there is an ability to monetise their skills. And so that I would say is the second piece, they need to make money.
Nicky, narrating: We may actually know more about REvil than any other ransomware organisation right now. That’s because some shit has gone down in the months since the Harris Federation was hacked.
Dmitri Alperovitch: What’s important to understand is how some of these cyber criminal groups are structured.
Nicky, narrating: This is Dmitri Alperovitch.
Dmitri: Hi, I’m chairman of Silverado Policy Accelerator and co-founder and former CTO of CrowdStrike.
Nicky, narrating: CrowdStrike is the world’s largest cybersecurity company by market cap. Dmitri, as its former Chief Technology Officer, has been on the front lines of the battle against malware. His current position at Silverado – a Washington DC think tank focusing on cybersecurity – puts him right at the centre of US cybercrime policy.
Dmitri: So you have a core gang, like REvil or DarkSide or BlackMatter, that are really providing the infrastructure for execution of these operations but they’re actually not involved in the operations themselves. The right way to think about this is as a franchise model. McDonald’s doesn’t actually own the restaurants. They just provide the infrastructure: the food, the ingredients and the recipes. But someone else will do the work, and will own the operations. That’s what happens with these ransomware groups. They recruit these affiliates, they will do the hacking, they will do the distribution of the malware that these gangs will supply them with, that will redirect victims to the ransomware portal where they’ll negotiate the ransom with the groups. But most of the work will be done by the affiliates. They will get the majority of the cut of the ransom as well. And REvil or DarkSide will just have to sit back and collect the payments and will continue to make sure that the infrastructure is available for these affiliates. But as a result, they’re really not in control of who gets targeted. The affiliates can be all over the world. The range of their sophistication varies. Some of them may not even do the hacking directly, but they may buy access to a network of a company through someone called an access broker, which are dedicated hackers who do the hacking operations, they only break into companies and then resell access to those companies to someone else like these ransomware operators. So it’s become a very convoluted and distributed ecosystem in cyber crime and as a result the ability to sort of control, we’ve seen statements from some of these groups saying, we’ll no longer target critical infrastructure. Well, they don’t actually have the power to stop that even if we believe their statements because they’re not the ones doing all the hacking.
Nicky, narrating: Following the Colonial Pipeline hack, the US government started to push back. The Biden administration raised the issue of ransomware strongly when the president and Vladimir Putin met in Geneva for a summit in June.
Nicky: And what was the Geneva agreement? Tell us about what we know about what was agreed between the president and Putin.
Dmitri: Well, first of all, it was a landmark summit because it was the first time that you had the two presidents meet, President Biden, President Putin, in their roles. But also it was the first time that you had the Russian president and American president have cyber be such a huge part of the agenda.
Nicky, narrating: Biden is reported to have asked Putin: “How would you feel if ransomware took on the pipelines from your oil fields?” – which, I mean, that’s a not-even-particularly-veiled threat, isn’t it? Well, again – it’s complicated.
Dmitri: So one thing that the US government has been very clear on is that they do not believe that President Putin or people in his regime are directing these groups or coordinating these attacks in any way, shape or form, which is a really important point, there’ve been obviously other accusations of Russian government’s involvement in hacking operations, this is not that. These are criminal groups, they’re operating on their own, that have a profit motive. They want to steal money, they want to get tens of millions of dollars in ransom payments from these major companies that they’re extorting. However, we do know that some of these criminals do have connections to Russian intelligence services. In some cases they’ve been moonlighting for them when they hack into a company and they find information that would be of use to Russian law enforcement, to Russian intelligence, they pass it on. It is believed that many of them pay off local officials, not necessarily higher-ups in the government, but people sort of in their neighborhood that can provide protection to them from the really nasty criminals in Russia, sort of the organised criminal gangs that have the guns that can kill people.
After all, even though these are criminals, they’re still computer nerds. They’re spending most of their time in front of a computer terminal, orchestrating these operations and the last thing that they want is for someone to show up at their doorstep, waving a gun and demanding that they turn over all their profits to the really nasty criminals that you have in a number of different major Russian cities.
So, to protect themselves against that possibility they need to pay off local law enforcement, local intelligence officials, to make sure that they will provide them, what’s known in Russia as krisha, or roof, protection from some of these nasty characters. So that really is important to understand because while we don’t believe that these attacks have been directed by the Russian government, the Russian government certainly has the capability to stop it because officials in the Russian government are very likely aware of these people, what they’re doing, some of them may be even getting paid off as I mentioned. But that means they have leverage to shut it down if the decision gets made at the top, that this is no longer in the interest of the Russian Federation.
I’m quite convinced that when DarkSide hit Colonial, they had no understanding of the importance of Colonial to the US energy security or the repercussions that their attacks would cost. And maybe if they had known, they perhaps wouldn’t even launch because they wouldn’t want all that attention on them. But the reality is that it can happen with so many companies because you have companies that people have never heard of that are critical to our water supply, energy supplies, food supplies, and so forth. And hitting the wrong one can have these cascading effects that are quite unpredictable. And, I think the most important thing for leadership, both in the United States and Russia, to realise is that the last thing we want is for some 30-year-old in St. Petersburg, that is part of these criminal operations, to be able to hold hostage the entire very critical US-Russia relationship. That should not be acceptable to President Putin or President Biden.
Nicky: And it doesn’t feel like that’s in President Putin’s interest to be the case.
Dmitri: No, President Putin ultimately wants control. And if he wants to escalate things between the US and Russia, he wants to be the one to decide to do that.
Nicky, narrating: Behind the scenes, American law enforcement agencies were getting to work.
The Harris Federation didn’t pay any ransom. But REvil had a big year elsewhere. In May, they hacked JBS SA – a huge Brazilian meat processing company, the biggest in the world – and were paid $11 million in ransom. Then, on the 2nd of July, they made their biggest attack yet: an enormous software company called Kaseya.
Hundreds of supermarkets in Sweden are forced to close after a cyber attack that’s hit organisations all around the world.
A massive cyber attack that started out of a Miami based IT company sent shockwaves worldwide after it impacted hundreds of businesses in the US and in other countries.
Nicky, narrating: By some ways of measuring, this was the biggest ransomware attack in history. More than 800 and maybe as many as 1,500 businesses that used Kaseya’s software were compromised. In what must have been a tense phone call on July 9th, Biden reportedly told President Putin:
That the United States expects when a ransomware operation is coming from his soil even though it’s not sponsored by the state, we expect them to act.
Nicky, narrating: And then, on July 13:
The ransomware gang known as REvil appears to have disappeared from the internet.
Nicky, narrating: REvil disappeared. Just vanished.
REvil’s blog and payment website went down on Tuesday and there is speculation that it was deliberately targeted by state actors.
Nicky, narrating: Experts speculated that Russia had finally cracked down. Maybe they did, maybe they didn’t.
The story doesn’t end there, though. In fact, this is where things start to get strange. Ransomware groups disappear all the time. They come and go. Usually they reconstitute as something else, a new brand. Sometimes it’s the same people, sometimes not. But in September, REvil came back.
But not for long.
Dmitri: REvil has actually gone down several times. So the first time that they went down was in July after they had launched another major attack on the Kaseya software company that is used by many small businesses around the world. And about a thousand of their customers as a result were impacted in some form or fashion because through that software, they were able to lock up computer systems in many companies, including small businesses. There was a co-op in Sweden that was completely shut down and couldn’t process payments. So the grocery stores shut down in Sweden and schools in New Zealand and many other implications globally. But right after that attack, the REvil group disappeared voluntarily.
And as we later learned, when they popped up again in September, the reason that they had disappeared is they said that one of their members, a person that goes by the nickname UNKN had just vanished into thin air without an explanation. And they were very afraid that maybe he had gotten arrested, maybe he was ratting them out. So they decided it was safer to just shut down and lay low for a few months to see what happens. And then in September, when they came back, they said they hadn’t heard anything, they hadn’t heard of any arrests. So they assumed that maybe that person had just died and they didn’t know his identity because they communicate only online, so they had no ability to actually verify that. But they decided it was safe enough to resume operations.
Nicky, narrating: That guy, UNKN, he’d just entirely disappeared.
Allan Liska: Nobody’s heard from him since the Kaseya attack. And he went way, way underground and no one’s heard.
Nicky, narrating: Allan Liska.
Allan: My name’s Allan Liska, I’m an intelligence analyst at Recorded Future and what I do is I research malware, mostly ransomware at this point, but really any sort of cyber criminal activity.
Nicky, narrating: So the gang member who goes by the name of Unknown may have disappeared. But REvil? Well, it comes back. Coming back for REvil seems like it was a bad idea.
Allan: That was one of the mistakes that REvil made specifically. And we know that the group that restarted REvil didn’t include the original founder but what the developers and other members of the REvil group did, that was a big mistake, was they just resurfaced their old infrastructure. So what happened was you had the Kaseya attack and the Kaseya attack is probably the largest ransomware attack since either NotPetya or WannaCry. Certainly in terms of the number of victims and simultaneous victims, and that got the world’s attention as far as every intelligence agency in every country outside of Russia was now looking at REvil and a whole lot of data was collected very fast on that group and their infrastructure and how they work, et cetera.
Dmitri: And then a month later, Cyber Command launches this offensive action against them to try to shut down their infrastructure to prevent people from going to their websites and then as part of the response to that Cyber Command operation, they start looking at their systems and they realise they had been hacked by some other party and that party was sitting on their servers and potentially monitoring what they were doing and looking for them. And that was cause enough for them to say too much heat here, time to go away.
Nicky, narrating: The American government had turned the tables on REvil. The group was forced offline. That battle’s still going on. It’s currently November,
Today we are announcing that we are bringing to justice an alleged perpetrator of a significant wide reaching ransomware attack.
Nicky, narrating: And as I’m recording…
Just moments ago, the Department of Justice released new information on a Ukrainian man that was charged with ransomware attacks that affected 1500…
Nicky, narrating: The US Department of Justice has just charged a Ukrainian national – Yaroslav Vasinskyi, who is in custody – and a Russian national – Yevgeniy Polyanin, who is not – with fraud, money laundering, and conspiracy charges relating to the deployment of the REvil ransomware. They also seized $6 million.
Allan: Well, so this is really an interesting use case because most of the time when a ransomware group is stopped by law enforcement, it’s a direct seizure. So the law enforcement, whether that’s US law enforcement or UK law enforcement or Ukrainian law enforcement or wherever reaches out to a hosting provider or whoever is hosting the services of the ransomware group and issues an edict saying, hey, by law, you have to hand over the contents of the servers to us. That’s the way it normally happens or if you’ve seen the videos from Ukrainian cyber police, which are amazing, and I highly recommend people watch them, of the physical takedowns of these ransomware groups where, you know, the police kind of go barging in, take the assets, take the cash, take the cars away, those are the normal ways that we see law enforcement stopping ransomware attacks, physically stopping ransomware attacks. This was a little bit different though in that somebody in law enforcement, whether it was the FBI or whether it was another law enforcement agency working with the FBI, had managed to gain access to credentials, to the servers that the REvil group was using and they directly logged on to take over the servers that way and locked out the admins.
Nicky: So they’re sort of turning their own playbook against them.
Nicky, narrating: It wasn’t just law enforcement who’d started lifting the lid on these groups.
Nicky: Hi, congrats on the story.
Hakan Riverdi: Thank you.
Nicky: I wonder if you could start by doing the podcast style intro, you know, like, “I’m Hakan and I’m a reporter for…” just sort of introduce yourself.
Hakan: Yeah, sure thing. So, hi, my name is Hakan Riverdi. I work with public broadcasting in Germany, and we had a story together with colleagues at Die Zeit, which is a weekly in Germany and we were following the trail of ransomware, so a guy involved in ransomware and not your standard affiliate, so to speak, but one of the core members of the group, and since we’ve been doing this type of investigation, hacking, state-sponsored hacking and so on for quite a while, we were always interested in finding out more about the guys who might be behind it.
Nicky, narrating: At the end of October, Hakan and his colleagues published a story in which they lifted the lid off the life of one of the members of the group.
Hakan: What we found is one person, we call him Nikolai K in the story, it’s not his real name, but we were able to find accounts that either belong to him directly or to people he hangs around with, one of them being his wife.
Nicky, narrating: It’s not known whether this is the Russian one of the two people the US just charged. But it’s a fair bet.
Hakan: And they show their lifestyle on various social media platforms, among others, obviously Instagram, because that’s where you show how you’re living nowadays. And you could see the lavish life they were living, meaning time spent on yachts, expensive clothing, so your Gucci, Louis Vuitton, Yves Saint Laurent, all that, expensive cars.
Nicky: One thing particularly stuck with Hakan.
Hakan: The Bitcoin watch is the most interesting thing to me, to be honest, just because if you buy this watch and it costs, it starts at, I would say €10,000 and if I recall correctly ends at €75,000 or something in that price range, you have the possibility to include a public wallet address when you buy that watch. So depending on whether he did use that feature to etch his address on the dial and that address being tied to ransomware money directly, he would carry around something you can charge him with on his arms which is kind of funny to me. I don’t know whether that’s the case, it’s a Vanguard Encrypto, that’s what the watch is called, limited edition as far as I know. So that’s an expensive watch already and he had multiple cars, I don’t know if he just switched cars at one point, but 650 PS, German manufactured cars. When he went to Turkey, the yacht he ordered cost about $1,300 a day. And so you can see how they were living, what they were doing on that yacht because they had a professional photographer who made a video, so you have like two to three minutes of how they ate nice fresh fish. And how they, I don’t know, how they were just living a good life to be quite honest. It looked like they were having a great time.
Nicky: What would you, what would you ask him first? What would you say to him if you got him on the phone right now?
Hakan: Whether it is worth it. I mean, he obviously is living a good life, whether he is thinking about what it took him to get to that point at all.
Nicky: And would you ask him about the kind of human, you know, what he’d say to the victims of these attacks?
Hakan: I mean, he’s a core member and what you were able to do is just follow some of the negotiations the affiliates were having with the companies that they had hacked. And in these conversations I’ve read, I don’t know, I stopped counting at one point, but dozens of those negotiations, and for them, it was purely professional. They were writing things like, listen, we know that you are able to pay $100,000 because here attached please find your financial statement from last year, so don’t bullshit us saying that you can only pay $10,000. We know how well your company is working and our demand is not unreasonable. So as far as I could understand it, from reading these negotiations, for the affiliates at least it was just a professional thing. They had hacked the company because their security was lax or whatever, and they wanted to profit off of that. But after seeing how people stood for hours, trying to get gasoline after the Colonial hack, or Coop after the REvil hack in Sweden having to shut down their supermarkets, it’s hard for me to think that it doesn’t affect you at all. So that’s why I would ask the question.
Nicky, narrating: Sir Dan Moynihan and the Harris Federation never did pay a ransom to REvil. But it still was an expensive undertaking. There’s a long tail to these things. The company they brought in helped them rebuild their systems and secure them against future attacks but that doesn’t come cheap.
Dan: The whole thing, when it was finished, probably cost us about 750k.
Nicky: And that’s not an abstract figure, that’s coming out of money that would otherwise be helping people. It’s looking like REvil is, in one of the first times for these kinds of groups, we’re actually kind of closing in on the people who are actually doing it. The newspaper used open source information to track an actual Russian person, who is on a yacht, living it up with fancy cars and this kind of lifestyle. If you could sort of speak to him, and knowing that this was off the back of these kinds of criminal operations, what do you think you’d say to him if you had the opportunity?
Dan: I would hope there is some morality in all of us, and attacking vulnerable organisations, be they hospitals or schools, or other such places, is beyond the pale and it’s not an appropriate way to be making money. The purpose of our schools is to try and level the playing field. Why would anybody think that it’s appropriate to try and take money from that situation in order to have more cars or a yacht, I just can’t get my head around it.
Nicky, narrating: When I started looking into the group back in September it felt completely anonymous. It had perpetrated perhaps the widest-ranging ransomware attack in history and yet it appeared impenetrable. And yet over the course of making this episode things have started to fit together. It feels like this faceless threat is slowly taking on a more human form. Law enforcement is closing in, and we’re starting to get a sense of the lifestyle of these people. The gold watches of the higher-ups, the grim call centres of the people actually doing the legwork. Super weird, isn’t it? This is just what crime looks like now. And everyone’s on computers, so anyone’s vulnerable to this. There are still a lot of unknowns. It’s possible that the man who Hakan found living it up in the Crimea could be one and the same as Yevgeniy Polyanin, the Russian who US authorities just charged, but we don’t know. In this game of cops and robbers, the cops just scored a big win. But it’s also an arms race; the next big group might not be so careless. The future is a scary place.
Thanks for listening. This episode was written and reported by me, Nicky Woolf, and produced by Katie Gunning. Sound design was by Tom Kinsella.