What would you say to the person who stole your personal data, held it ransom and posted it on the dark web?
The people behind the cyber attacks on Australia are highly organised criminal gangs, often based in Russia, with dozens of employees and even HR departments.
Authorities are still tight-lipped about who carried out last year’s Medibank hack that left the personal details of millions of Australians exposed on the dark web.
However, security researchers have linked the attack to REvil — one of the most successful cyber gangs of all time.
With the help of those researchers, we spoke to a hacker who says he’s worked for them.
Known as “Kerasid”, he agreed to chat on an encrypted service.
Four Corners: How do you feel when you hack into a system?
Kerasid: Great, it’s a feeling of being on top of the world, like nobody can touch you
Four Corners: Do you see Australia as an attractive target?
Kerasid: Yes, let me tell you something
Australians are the stupidest humans alive
and they have a lot of money for no reason
a lot of money and no sense at all
Kerasid didn’t hold back on the US either.
“I loved American targets because I am not a fan of the Americans,” he said.
“Companies in the states have quiet[sic] a lot of money. I loved seeing them suffer.”
Suffer is no understatement.
It’s a sophisticated operation designed to inflict maximum pain on victims to squeeze out the most ransom money.
Hackers — also known as “affiliates” — gain access to an organisation. They steal sensitive data and then encrypt an organisation’s files using a gang’s ransomware application.
The tactic is known as “double extortion”.
The gang then carries out the ransom negotiation process. If a victim agrees to pay, both the affiliate and the gang take a cut.
These syndicates have used this method on all types of organisations, even hospitals, putting lives at risk to try to extract ransom payments.
The hacker that hit Medibank released the most intimate health issues of more than 2,000 people — such as mental health diagnoses and pregnancy terminations.
Kerasid said he did some PR and “human resources” work for REvil, as well as some hacks.
Four Corners: So is it correct that REvil was involved in the Medibank hack?
Kerasid: yes indeed
Four Corners: So were you involved with Medibank?
Kerasid: even if I was why would I incriminate myself
Four Corners: The Medibank hack caused distress to millions of Australians. Does this concern you?
Kerasid: I could not care less
Four Corners: You say that you couldn’t care less about the distress caused by the Medibank hack. But that revealed intimate details of men, women and children with their names and details. Isn’t that wrong?
Kerasid: 😂😂😂😂😂😂😂😂😂😂😂so sad
it isn’t wrong in my eyes
Kerasid told us he’d made millions out of hacking and moved freely between the UK and eastern Europe, without fear of being arrested.
“I don’t believe in flashing money. When you are not humble, it all goes wrong,” he said.
“Don’t get me wrong I have cars, watches, houses but the most important thing to me is family and my wife.”
He also claimed to be a key leader of REvil known as 0_neday.
If so, that would be quite a coup. 0_neday is one of only two known leaders of the REvil gang who has a public persona and he hasn’t posted anything on public forums in more than a year.
We tried to prove the link but, in the end, we couldn’t stack up the claim that he led the gang.
Who is REvil?
REvil – short for Ransomware Evil – was prolific in 2020 and 2021, carrying out dozens of attacks and raking in at least $US200 million.
It tried to extort Apple by stealing drawings for new products, helped send currency exchange business Travelex into administration after locking up its systems, and threatened US and Australian food supply chains when it shut down JBS abattoirs.
Cyber analyst Jon DiMaggio — who has spent years studying REvil — says they made the “double extortion” method famous, and loved creating hype.
“They would post bits of [data] publicly on their website, in order to embarrass victims and sort of entice them to pay the ransom,” he said.
“They would reach out to reporters and talk to them and do interviews. They drew a lot of attention.”
The hacker who negotiated with Medibank claimed to be affiliated with several gangs, including REvil.
However, Medibank’s team was sceptical, according to John MacPherson, the head of cyber security at Ashurst, a company that was working for Medibank at the time of the hack.
“They were never able to demonstrate that they were part of a group who would do what they say they were going to do,” he said.
It’s often important for companies to know who they’re negotiating with, because some of the criminal syndicates are known for being true to their word: decrypting and returning data when a ransom is paid.
The strongest link to REvil was the leak site that the hacker published the stolen data on.
If you typed the address of REvil’s leak site into your browser, you would be redirected to the page that hosted the Medibank leak.
Cyber security analysts say it’s highly probable that only someone who was close to REvil could have redirected the traffic to that new site.
However, here’s where it gets a bit strange.
REvil basically stopped operating at the end of 2021 after a Federal Bureau of Investigation crackdown on the group led to arrests around the world.
Their activities came to a halt, and their servers went offline.
So, we pressed Kerasid on whether the people who hacked Medibank were the same people behind REvil.
“The answer is yes, however, there are some new faces,” he said.
Jon DiMaggio says Kerasid is half right.
“I think that the current version of REvil is not the real group. I do believe that it’s possible that they have a member or two of the real group, along with some new players. But those members were not the key leaders,” he said.
“They don’t have the capability to develop new ransomware and they don’t have the capability to even do some of the high-level hacks that the other group did.”
Kerasid may have worked for REvil, and still be involved with this REvil offshoot, but we don’t have proof of that.
We do however have proof that he worked for another massive crime gang called Conti, because of this:
In February last year, a Ukrainian security researcher dumped more than 60,000 internal messages and documents from the Conti gang online, in retaliation for the group’s public support of Russia.
Among them were some messages from Kerasid that suggested he was a malware developer.
Middle managers and employee bonuses
The leak detailed information including Conti’s recruitment methods, ransom tactics and structure.
It showed Conti had between 60 and 100 employees, an HR function to recruit budding cyber criminals, and coders who developed the malware.
There was also an offensive team that scouted inside organisations to see what the best data was to steal and encrypt, and negotiators to get victims to pay up.
Jeremy Kirk from Cyber Threat Intelligence says all the big cyber gangs, including REvil, are thought to have a similar structure.
“You look like any other software company, but you’re actually just a criminal organisation,” Kirk says.
“They’ve been able to get scale and efficiency, and attack more companies and organisations than ever before.”
He says that, with Conti, the profits were funnelled to the top, while the workers at the bottom of the chain made between $US1,000 and $US2,000 a month.
“They were higher-than-average salaries that you have in these locales, but … the people down below were not really rewarded very greatly,” Kirk says.
The Conti chats show many of the employees were unhappy with their working conditions and, in turn, the bosses were unhappy with their productivity.
There were even fines. But, on the plus side, there was also an “employee of the month”.
There was a team dedicated to negotiating ransoms and making the experience of payment as smooth as possible for companies that had been hacked.
Leaked messages show that, at times, the Conti bosses wanted their negotiators to step up.
“I think that we need to analyse them more deeply and frighten them that we’ll leak something that is dear to them … we need to push harder,” one leaked message said.
“We bargain like school children, gangsters don’t behave like that.”
The Russian government gives gangs the green light to keep operating, as long as they don’t attack any companies within Russia.
However, since the Ukraine war began, some analysts say the Kremlin has given the gangs an ultimatum: Hack for your country or your assets will be seized and you’ll go to jail.
Cyber attacks have been a key part of both countries’ tactics in the war.
Katherine Mansted — the director of cyber intelligence with CyberCX — says Russia has been attacking Ukrainian communication networks, energy infrastructure and water supplies, often coordinating those attacks with military strikes.
“It is the … first war in history between two major cyber powers, Russia and Ukraine … and right from the beginning of the conflict, cyber has been an ever-present dimension of that conflict,” she explained.
“It hasn’t been decisive, but it’s been there the whole way through that conflict. In many respects that’s going to be a blueprint for any future war that is fought, any future war that Australia is part of, there will be a cyber dimension.”
Even if individual hackers and cyber criminals have not been co-opted by the government, analysts say, many are taking independent action against Ukraine anyway.
When we asked, Kerasid would not say if he was working for the Russian government, but claimed to be providing support.
Four Corners: Have you been supporting Russia’s cyber attacks on Ukraine?
Kerasid: yes I’m a fan of it.
Four Corners: How have you been supporting Russia?
Kerasid: I have been providing initial access to ukrainian owned infrastructure
I can’t comment on anything further of the conflict my handler has told me. sorry
Jon DiMaggio says Kerasid could well be doing what he says he is, as we know he was involved in developing malware at Conti.
“He’s the exact type of expertise that they want,” he said.
DiMaggio says REvil’s bosses are also supporting the war against Ukraine.
“I, 100 per cent, believe they’re being leveraged by the Russian government,” he says.
“They’re helping [Russian security and intelligence services] the FSB or the GRU … creating malware and facilitating attacks against Ukraine to better the mission of Russia.”
The war has changed the cybercrime landscape, with many of the gangs now split between attacking Ukraine and extorting organisations across the world for ransom.
Police are also getting better at disrupting the business model of the gangs, breaking up some of the bigger syndicates.
That does not necessarily mean things will get easier.
“What we often see is when groups are affected by law enforcement activity — even when there are arrests, even if those arrests are at the top of the organisation — the members of that group reinvent themselves,” Mansted said.
“They move on, they find new groups to attach themselves to. They might turn their infrastructure off for a little bit of time, lie low, and then re-enter the game.”
“So, unfortunately, it’s going to be really hard for us to break the business model of cyber-extortion.”
Especially when the hackers are still just as bold.
Four Corners: Is there a computer you can’t get into?
Watch Four Corners’ full investigation into the cybercrime syndicates attacking Australia tonight on ABC TV and ABC iview.
Story by: Jessica Longbottom, John Lyons, and Jeanavive McGregor
Digital production and design: Nick Wiggins