REvil Ransomware Attacks MSP Standley Systems, Leaks SSNs

Notorious ransomware operator REvil boasts on its dark web leak site of having medical documents, social security numbers, personal data, and passports and licenses from MSP Standley Systems and its clients.

The REvil ransomware gang says they’ve attacked IT infrastructure and managed services firm Standley Systems and obtained sensitive data including more than 1,000 social security numbers.

The notorious ransomware operator boasts on its dark web leak site that, in addition to the social security numbers, they have obtained service contracts, medical documents, personal data from Standley’s clients, and passports and licenses of Standley’s employees, according to a screenshot obtained by CRN. On the leak site, REvil said it posted links to data from six Standley customers as well as client backups.

“Your customers have entrusted you with the most valuable thing – their backups and data for storage, but you have not coped with your task,” REvil wrote on its leak site. “Even after we provided you with the lost data, we did not hear a single word in response. Accordingly, you don’t give a damn about your customers … You are disrupting both your reputation and the reputation of people who have trusted you with their safety.”

[Related: CompuCom Hit By DarkSide Ransomware, Tells Customers: Report]

Standley Systems CEO Tim Elliott referred CRN questions about the ransomware attack to COO Greg Elliott – his cousin – but Greg Elliott didn’t respond to CRN calls and emails. The Chickasha, Okla.-based company started in 1934 as The Fred Standley Typewriter Company, and provides IT, print and business transformation services to state and local governments, schools, healthcare providers and law firms.

The Standley Systems data was first posted to the REvil site on Feb. 15 and was then taken down from the site for some time before reappearing more recently, according to a source familiar with the situation. The information might have been taken down due to the start of negotiations between REvil and Standley and then reposted once talks between the two sides fell through, the source told CRN.

The six Standley customers mentioned on the REvil leak site are: oil and natural gas producer Chaparral Energy; oil and energy company Crawley Petroleum; personal and workers’ comp injury evaluator Ellis Clinic; oil and gas exploration company EverQuest; the Oklahoma Medical Board; and structural steel fabricator W&W Steel.

Crawley Petroleum had provided Standley Systems with a data set containing well files and leases as part of a proposal to digitize paper files, CEO Kim Hatfield told CRN. The REvil ransomware operators gained access to Crawley’s data set when they compromised Standley, but Hatfield said the material provided to Standley was all public records and didn’t contain any sensitive information.

Standley reached out to Crawley in mid-February to notify them of the ransomware attack, and said they were working with the FBI as part of their investigation. Standley is having a forensics team do an after-action report on what happened, Hatfield said. Crawley opted to go with a different vendor for record digitization, but had made that decision before the attack occurred, according to Hatfield.

“Everything that happened was within Standley’s network,” Hatfield told CRN. “We were not impacted in any way, shape or form … It’s not like this was a huge breach of our systems or anything terribly interesting.”

Chaparral, Ellis, EverQuest, W&W Steel and the Oklahoma Medical Board have not responded to CRN requests for comment.

REvil doesn’t typically host the stolen victim data themselves, instead turning to a third-party data hosting service like Mega for that, the source told CRN. The victim organizations invariably file a takedown request with Mega, who will comply, according to the source. The links to the Standley data on the REvil leak site no longer work, possibly because Standley filed an abuse complaint with the host.

“REvil isn’t looking to make the victim data permanently available,” the source told CRN. “They just want to give the victim company a fright.”

Standley employs 131 people, is a Hewlett Packard Enterprise and Veeam Gold Partner, and also works with Fortinet, HP Inc., Kyocera, Mitel, Nuance, Savin, VMware and Xerox, according to LinkedIn and the company’s website. The company said its partnership with HPE allows government customers to take advantage of a full suite of IT infrastructure including servers, switches, firewalls, and desktop and laptop computers.

REvil burst onto the public scene in Summer 2019 when one of its affiliates went after TSM Consulting, a small, regional MSP providing products and services to 22 Texas towns and countries that were subject to a devastating ransomware attack. The REvil affiliate focused on managed service providers often targets MSPs with a client base that’s highly concentrated in a specific area such as nursing homes or dentist offices.

REvil starts to turn up the pressure on victims by posting a teaser of data stolen from them on a dedicated leak site, according to Brett Callow, a threat analyst with New Zealand-based Emsisoft. And if the victim still doesn’t pay, Callow said, REvil will either publish the rest of the stolen data or auction all or parts of it off to the highest bidder.

Callow said REvil likes to go after data that can be used for identity theft or data that creates liability issues for clients of the victim organization. More than 1,300 companies lost intellectual property and other sensitive information last year after ransomware operators published their data to a leak site, Emsisoft found. And Callow said REvil reliably makes good on its threats about publicly disseminating victim data.

“People have to know they’re going to follow with their threats,” Callow said. “Otherwise, victims will be less inclined to pay.”

The REvil actors first operated a Ransomware-as-a-Service called GandCrab from January 2018 to May 2019, and then announced their “retirement” on May 31, 2019, after having made more than $2 million. The first evidence of new malware called REvil was spotted in April 2019, and technical analysis tied the malware back to the operators of GandCrab, CrowdStrike SVP of Intelligence Adam Meyers said in 2020.

REvil’s claim to fame is democratizing access to its tools through an affiliate model, giving groups around the world access to its technology, Proofpoint EVP of cybersecurity strategy told CRN last year. The ransomware operator has gone after affiliates with some capability around network intrusion, and having more actors under the REvil umbrella has allowed the group to dramatically scale up its attacks, he said.

The group followed in the footsteps of RobinHood and Maze in December 2019 when it tried to extort organizations not paying the ransom by publishing victim data to a leak site, Meyers said. Then, in July 2020, REvil began auctioning off files it stole from celebrity law firm Grubman Shire Meiselas & Sacks, putting documents related to Nicki Minaj, Mariah Carey and LeBron James up for bid at $600,000 each.

“Their ability to put a tighter chokehold on victims is driving an increase in ransom payments,” McAfee Chief Scientist Raj Samani told CRN last year. “They’re adapting and innovating at a rapid pace.”