US Convicts Cybercriminal, REvil Returns with New Website
April 28 - May 4, 2022 | Issue 6 - Counterintelligence/Cyber (CICYBER)
Keanna Grelicha, Emma Hoskins, Marina Tovar, CICYBER Team
Léopold Maisonny, Editor; Demetrios Giannakaris, Senior Editor
Ransomware Cyber Crime
Date: April 28, 2022
Parties involved: USA; US government; US Department of Defense (DoD); Sercan Oyuntur; Southeast Asian Contractor; Cybercriminals
The event: The US convicted Sercan Oyuntur, a US citizen, of six counts of fraud for conducting a phishing campaign in September 2018 targeting US government employees. Oyuntur sent fake emails impersonating the US government that redirected victims to a fake “login.gov” phishing website, which required them to enter their login credentials. Oyuntur used the stolen credentials to access an account belonging to a Southeast Asian contractor with a pending contract of over $23 million to supply DoD jet fuel. Oyuntur changed the contractor’s banking information to his own account, causing the DoD to unknowingly transfer the sum to him. Oyuntur faces 30 years in prison on the charges, but a sentencing date has not been set.
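The lure in this case worked because the phishing site only resembled the real “login.gov” domain. The following Python snippet is an added illustration written for this brief, not code from CTG or any of the cited sources; it shows the kind of link check a mail gateway or analyst triage script can apply to distinguish a genuine login.gov host from common look-alike constructions. All sample URLs are constructed for the example and are not real indicators.

```python
from urllib.parse import urlparse

# The domain the lure impersonates (taken from the event description above).
LEGITIMATE_DOMAIN = "login.gov"

# Constructed sample links for the example; none of these hostnames are real indicators.
SAMPLE_LINKS = [
    "https://login.gov/",                        # genuine
    "https://secure.login.gov/sign_in",          # genuine subdomain
    "https://login.gov.example-portal.com/",     # real domain used as a subdomain prefix
    "https://login-gov.example/",                # dot swapped for a hyphen
    "http://1ogin.gov/",                         # digit substituted for a letter
    "https://example.com/login.gov/",            # brand only appears in the URL path
    "https://example.org/",                      # unrelated link
]


def host_of(url: str) -> str:
    """Return the lower-cased hostname of a URL ('' if it has none)."""
    return (urlparse(url).hostname or "").lower().rstrip(".")


def is_legitimate(url: str, domain: str = LEGITIMATE_DOMAIN) -> bool:
    """True only when the host is exactly `domain` or a subdomain of it.

    A plain substring test would pass 'login.gov.example-portal.com'; anchoring on the
    registered domain at the END of the host is what closes that gap.
    """
    host = host_of(url)
    return host == domain or host.endswith("." + domain)


def lookalike_reason(url: str, domain: str = LEGITIMATE_DOMAIN):
    """Return None for a genuine or unrelated link, otherwise why it resembles `domain`."""
    if is_legitimate(url, domain):
        return None
    host = host_of(url)
    path = urlparse(url).path.lower()
    brand = domain.split(".")[0]  # "login"
    if host.startswith(domain + "."):
        return "legitimate domain used as a subdomain prefix"
    if domain.replace(".", "-") in host:
        return "dot replaced with hyphen"
    if domain in path:
        return "brand domain appears in path, not host"
    # Undo the most common digit-for-letter swaps and compare again.
    swaps = str.maketrans("01", "ol")
    normalised = host.translate(swaps)
    if normalised == domain or normalised.endswith("." + domain):
        return "digit/letter substitution"
    if brand in host:
        return "brand keyword in unrelated host"
    return None


def classify_links(urls):
    """Label each URL as 'legitimate', 'look-alike: <reason>' or 'unrelated'."""
    results = []
    for url in urls:
        if is_legitimate(url):
            results.append((url, "legitimate"))
        else:
            reason = lookalike_reason(url)
            results.append((url, f"look-alike: {reason}" if reason else "unrelated"))
    return results


if __name__ == "__main__":
    for url, verdict in classify_links(SAMPLE_LINKS):
        print(f"{verdict:55} {url}")
```

The check deliberately compares the full hostname against the trusted domain rather than searching for the string “login.gov” anywhere in the link, because the prefix, hyphen and path variants above all contain that string while pointing somewhere else entirely.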
Analysis & Implications:
Oyuntur’s sentencing will likely deter cybercriminals from targeting US institutions due to the threat of prosecution. Lone cybercriminals targeting US government entities will very likely improve their Tactics, Techniques, and Procedures (TTPs) to reduce their detectability. More sophisticated TTPs will almost certainly reduce law enforcement’s ability to attribute an attack to the cybercriminal, likely encouraging cybercriminals to keep refining their TTPs against US government entities.
The DoD attack likely demonstrated that phishing emails carrying malware are an effective tactic, likely resulting in more threat actors employing this strategy. Wider use of phishing emails will very likely lead to more sophisticated emails, almost certainly increasing the efficacy of attacks. Improved phishing methods are likely to evade detection more frequently and to impair law enforcement’s ability to identify cybercriminals and combat cyberattacks.
Date: May 1, 2022
Parties involved: Russia; Russian law enforcement; REvil; US; Ukraine; AVAST
The event: Russian law enforcement shut down REvil, a Russia-based ransomware group, in October 2021, leading to the arrest of several group members. The US and Russia held negotiations about the group because of its attacks on US-based companies, but communications ended when Russia invaded Ukraine in February 2022. REvil’s attacks on the US include the ransomware operations against Kaseya and JBS Holdings. As Russia-US tensions rise over the conflict in Ukraine, REvil has returned with a new website hosted on its Tor servers and a new encryptor, along with threats of future attacks. Although the new website does not resemble REvil’s previous websites, AVAST, a cybersecurity company, confirmed that the encryptor and the website’s source code bear some similarity to REvil’s previous operations.
Analysis & Implications:
REvil’s new website is likely designed to evade law enforcement by making it challenging to link REvil’s attacks with the new branding. The new website configuration will likely make REvil’s members and activities difficult to track, almost certainly making it more difficult for Russian law enforcement to conduct arrests. REvil’s new methodology will very likely result in an increasing number of ransomware attacks, likely leading Russian law enforcement to invest in data forensic resources to conduct investigations.
REvil’s return will very likely result in further attacks targeting the US public and private sectors, which will very likely further increase tensions between the US and Russia. Increasing ransomware attacks against the US will likely result in sanctions directed at REvil to freeze its assets, likely giving the US time to conduct further investigations. REvil’s location will almost certainly place it under Russian jurisdictional authority, likely obstructing the US investigation and likely resulting in Russia perceiving US actions as a threat.
The Counterterrorism Group (CTG)
1. California Man Found Guilty of Conspiracy to Steal Payments from U.S. Department of Defense, Bank Fraud, Lying to Federal Agents, and Other Offenses Related to $23m Phishing Scam, United States Department of Justice, April 2022, https://www.justice.gov/usao-nj/pr/california-man-found-guilty-conspiracy-steal-payments-us-department-defense-bank-fraud
2. U.S. DoD tricked into paying $23.5 million to phishing actor, Bleeping Computer, May 2022, https://www.bleepingcomputer.com/news/security/us-dod-tricked-into-paying-235-million-to-phishing-actor/
3. REvil ransomware returns: New malware sample confirms gang is back, Bleeping Computer, May 2022, https://www.bleepingcomputer.com/news/security/revil-ransomware-returns-new-malware-sample-confirms-gang-is-back/
4. U.S. and Europe Crack Down on REvil Ransomware Group, The Wall Street Journal, November 2021, https://www.wsj.com/articles/hackers-linked-to-ransomware-attacks-on-jbs-kaseya-arrested-in-romania-11636390527
5. “The Tor server is REvil's website network that redirects visitors to a new website with hidden malware to trap its victims.” REvil ransomware returns: New malware sample confirms gang is back, Bleeping Computer, May 2022, https://www.bleepingcomputer.com/news/security/revil-ransomware-returns-new-malware-sample-confirms-gang-is-back/
6. “The source code is the website's code that allows the ransomware operations to run with the new configurations of malware REvil implemented with the rebrand.” Ibid.