With well-known companies impacted by REvil in every sector, including tech, it’s time to get a better understanding of who they are and what makes their ransomware so successful.
According to ransomware response company Coveware, REvil/Sodinkibi have the largest market share of ransomware variants earlier this year. This isn’t surprising, considering how well they’ve evolved their Ransomware-as-a-Service model.
Remember, REvil likely isn’t the threat actors attacking a given organization; they’re just the manufacturers of the tools used with their “affiliates” doing the threat acting.
How do REvil Threat Actors Gain Access?
Security researchers at Palo Alto Networks found a variety of initial attack vectors, including:
- Phishing – malicious attachments resulted in the installation of QakBot or Ursnif malware
- RDP – Using compromised credentials via an Internet-facing system (it’s unsure whether these are a result of a brute force attack or previously compromised)
- Vulnerabilities – Palo Alto offer a few examples they’ve seen in the wild including a vulnerability in SonicWall and one in Exchange.
Coveware found the very same methods, with phishing, RDP access, and Vulnerabilities representing the initial attack vector in well over 95% of the cases they saw.
Next Up, Persistence
According to Palo Alto, a combination of Cobalt Strike BEACON, use of remote connection software ScreenConnect and AnyDesk, and the creation of local and domain accounts provide REvil threat actors with persistent access to the victim network. Tools like Mimikatz and Procdump are used to find elevated credentials used for the infection phase.
Everything from legitimate tools like NETSTAT and IPCONFIG, to tools like BloodHound and AdFind to map out systems.
Many cases of infection are accomplished using the legitimate tool PsExec and a text file-based list of internal IP addresses. It’s also been noted that encryption usually happens within 7 days of initial compromise but, in some cases, took as long as 23 days.
What To Do About REvil?
These attacks are now textbook runs being carried out by individuals with no real expertise in threat acting; the plethora of tools and playbooks available enables REvil’s Ransomware-as-a-Service model to not just exist, but thrive.
Your response to REvil (and every other ransomware variant) is to look for ways to minimize the initial attack threat surface:
- Phishing – Implement email scanning, DNS protection, and Security Awareness Training
- RDP – Shut ‘em down. Use a secure remote access solution!
- Vulnerabilities – Patch, perform vulnerability scans, and monitor systems for unusual access and activity.