The "Unknown" REvil interview
An application of the Anchored Narratives methodology to a recent threat intelligence news story
Disclaimer: The views, methods, and opinions expressed at Anchored Narratives are those of the author and do not necessarily reflect the official policy or position of my employer.
Introduction
This week there was a lot of chatter on Twitter about an interview with “Unknown,” the public face of the infamous REvil ransomware group. Targeted ransomware attacks on companies are currently one of the biggest threats, and a whole industry of security products that promise to protect companies from that threat is thriving on it. Some of the tweets collected about the REvil actor group are displayed below.
"Really interesting interview with ransomware REvil's Unknown https://t.co/PT6O5fYEIG"
"Unknown, the public face of the REvil/Sodinokibi RaaS spoke to @ddd1ms about using ransomware as a weapon, staying out of politics, experimenting with new tactics, and more https://t.co/ql2XnvGXAn"
Apparently, several information security professionals found the interview “really interesting.” Let’s apply the Anchored Narratives Theory (ANT) to this “interview” to understand which evidence this story is based on. If you have not read the interview yet, please do so first.
A quick recap of the story
In the interview, the public face of the REvil ransomware group, called “Unknown,” makes several big claims about affiliates of the Ransomware-as-a-Service (RaaS) [1]: “Well, I know at the very least that several affiliates have access to a ballistic missile launch system, one to a U.S. Navy cruiser, a third to a nuclear power plant, and a fourth to a weapons factory.” Furthermore, the story details how the actor group puts extra pressure on ransomware victims by calling them and leaking information to journalists. “Unknown” also claims that CEOs might be personally bullied using open-source information about them.
A breakdown of the “Unknown” interview
I assume you have read the entire interview by now, but the main question from the Anchored Narratives perspective is: why should we believe this story? Is the interview credible, and what evidence is provided to make it so?
So what is the problem with the content of the interview from an ANT perspective? You might recall that the quality of a story increases by raising the W-questions. After reading the interview, one can raise many questions that provide a different perspective on the story. Let’s start.
So assume you are a security information professional who considers the following: “Threat intelligence news stories coming from threat intelligence vendors are usually true.” The professional could settle for that and anchor the interview information on that general rule. As explained last week, the sooner one anchors, the greater the chance of a wrong decision; the benefit is that the decision to anchor is made fast.
If the information security professional is a little more skeptical, he or she may wonder whether this anchorage is sufficient and raise additional questions.
The story begins with an editorial note on the claims that “Unknown” makes about affiliates having access to ballistic missile launch systems and nuclear power plants, and refers to two articles, one published in Politico and the other in the New York Times. Both are about different actors, so why is this correlation made? REvil’s methodology and that of Russian nation-state actors are different ones.
But the problem is not the outlandish claims that “Unknown” makes in this interview; it is the claim that The Record makes by publishing such an interview. Let’s dig a bit deeper. Below are some questions that might increase the story's quality before a more skeptical information security professional anchors the information.
When did this interview take place? Who was present from The Record side?
How was the contact established with “Unknown” or vice versa?
How did this interview take place? Was it via e-mail, chat, or a video call?
Has evidence of the interview been collected? Where is the evidence for that? The current story lacks any specifics.
How was the identity of the “Unknown” handle established? You would assume that “Unknown” wants to maintain anonymity.
How do we know “Unknown” is not just a sock puppet account of an imposter?
What details did “Unknown” provide that constitute perpetrator knowledge? No detail could be found in the interview that distinguishes the handle from an impostor who simply used open-source information about the REvil group and shared it.
“Unknown” makes several claims about the affiliates having access to sensitive nuclear plants. This would have been an opportunity to share some discriminating evidence.
Why was a professional Russian translator needed? Was the interviewer not able to translate the message himself?
By leveraging the Wayback Machine, some changes to the story could be identified. The current version of the interview on the website differs slightly from the initially archived version.
~$ diff current_version_RE_Unknown_dated_16_March archived_version_RE_Unknown_dated_16_March
< Some of Unknown’s claims, like affiliates with access to ballistic missile launch systems and nuclear power plants, seem outlandish—until you read reports that make them seem eerily plausible. The Record is not able to verify the assertions. Unknown talked to Recorded Future expert threat intelligence analyst Dmitry Smilyanets recently about using ransomware as a weapon, staying out of politics, experimenting with new tactics, and much more. The interview was conducted in Russian and translated to English with the help of a professional translator, and has been edited for clarity.
---
> Unknown talked to Recorded Future expert threat intelligence analyst Dmitry Smilyanets recently about using ransomware as a weapon, staying out of politics, experimenting with new tactics, and much more. The interview was conducted in Russian and translated to English with the help of a professional translator, and has been edited for clarity.
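To make such a comparison repeatable, here is an added example (not code from the original post) that looks up the closest Wayback Machine snapshot of a URL and reports which sentences differ between an archived and the current text. The availability endpoint is the real public Wayback API; the two editorial notes are the ones quoted above; extracting the article body from the HTML is assumed to be done beforehand.

```python
import difflib
import json
import re
import urllib.parse
import urllib.request

# Public Wayback Machine availability endpoint (needs network; the offline
# sample at the bottom does not call it).
WAYBACK_AVAILABLE = "https://archive.org/wayback/available"

def closest_snapshot_url(url, timestamp):
    """Return the archived URL of the snapshot of `url` closest to
    `timestamp` (YYYYMMDD[hhmmss]), or None if nothing is archived."""
    query = urllib.parse.urlencode({"url": url, "timestamp": timestamp})
    with urllib.request.urlopen(f"{WAYBACK_AVAILABLE}?{query}", timeout=30) as resp:
        closest = json.load(resp).get("archived_snapshots", {}).get("closest")
    return closest["url"] if closest and closest.get("available") else None

def sentences(text):
    """Collapse whitespace and split plain article text into sentences."""
    flat = re.sub(r"\s+", " ", text).strip()
    return [s for s in re.split(r"(?<=[.!?])\s+", flat) if s]

def sentence_diff(archived, current):
    """Sentence-level comparison of two versions of an article's text:
    which sentences the current version added or removed since the snapshot."""
    old, new = sentences(archived), sentences(current)
    added, removed = [], []
    for tag, i1, i2, j1, j2 in difflib.SequenceMatcher(None, old, new).get_opcodes():
        if tag in ("delete", "replace"):
            removed.extend(old[i1:i2])
        if tag in ("insert", "replace"):
            added.extend(new[j1:j2])
    return {"added": added, "removed": removed}

# Constructed sample input: the two editorial notes quoted in the post above.
ARCHIVED_NOTE = (
    "Unknown talked to Recorded Future expert threat intelligence analyst Dmitry "
    "Smilyanets recently about using ransomware as a weapon, staying out of politics, "
    "experimenting with new tactics, and much more. The interview was conducted in "
    "Russian and translated to English with the help of a professional translator, "
    "and has been edited for clarity."
)
CURRENT_NOTE = (
    "Some of Unknown’s claims, like affiliates with access to ballistic missile "
    "launch systems and nuclear power plants, seem outlandish—until you read reports "
    "that make them seem eerily plausible. The Record is not able to verify the "
    "assertions. " + ARCHIVED_NOTE
)
```

Running `sentence_diff(ARCHIVED_NOTE, CURRENT_NOTE)` lists the two sentences the editorial note gained after first publication and nothing removed.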
Although the editorial note in the current version of the article safeguards The Record by stating that it cannot verify the assertions, why choose to publish such an article at all? What is the motive behind such a story, and who benefits from it? If “Unknown” really uses journalists to increase the pressure on ransomware victims, as alleged, is the threat intelligence media outlet then not a vehicle for these cybercriminals?
Conclusion
Although the Anchored Narratives Theory is usually applied to criminal evidence cases, it also helps to understand the real value of threat intelligence stories. Based on a brief assessment of the interview, I believe there is an opportunity for The Record to update their story with additional details about the interview. The current version lacks the fundamental details a more skeptical analyst would need to believe this story, and some analysts are very interested in those details.
Maybe the article by The Record was a clear signal to law enforcement worldwide that the author of the article is in contact with one of the most successful cybercrime gangs.
[1] “The RaaS is operated as an affiliate service, where affiliates spread the malware by acquiring victims and the REvil operators maintain the malware and payment infrastructure. Affiliates receive 60% to 70% of the ransom payment.” https://intel471.com/blog/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/