Everything You Need to Know About REvil Ransomware
Sam Curry, Chief Security Officer, Cybereason, analyses REvil ransomware and discusses how organisations can defend against such attacks.
According to reports, meatpacking giant JBS was hit with a serious attack involving REvil ransomware that shut down a large portion of the company’s production capabilities and threatened to create supply chain disruptions and sharp increases in the cost of goods.
Back in April of 2019, the Cybereason Nocturnus team first encountered and analysed a new type of ransomware dubbed REvil (aka Sodinokibi, Sodin), a notoriously aggressive and highly evasive threat that takes many measures to maintain obfuscation and prevent detection by security tools.
Over time, REvil has become the largest ransomware cartel in operation to date. Subsequent attacks attributed to the REvil gang include a March 2021 attack against Taiwanese multinational electronics corporation Acer, in which the assailants demanded a record-breaking $50 million ransom.
In April, following an attack against one of Apple’s business partners, the REvil gang attempted to extort the tech giant with a $50 million ransom demand, threatening to raise the demand to $100 million and to release the exfiltrated data should payment not be made promptly.
The REvil ransomware gang has previously been linked to the authors of the prolific GandCrab ransomware, which was retired in June 2019. GandCrab was responsible for 40 percent of all ransomware infections globally. If the association is accurate, GandCrab is a good indication of just how impactful REvil may become.
Much like the DarkSide ransomware gang that struck Colonial Pipeline in early May, the REvil gang follows the double extortion trend, where the threat actors first exfiltrate sensitive information stored on a victim’s systems before launching the encryption routine.
After the ransomware encrypts the target’s data and issues the ransom demand for payment in exchange for the decryption key, the threat actors make the additional threat of publishing the exfiltrated data online should the target refuse to make the ransom payment.
This means the target still faces the prospect of paying the ransom even if it maintained data backups as a precaution, which underscores the need for a prevention-first security posture.
Ransomware prevention capabilities are key
The best ransomware defense for organisations is to focus on preventing a ransomware infection in the first place. Organisations need visibility into the more subtle Indicators of Behavior (IOBs) that allow detection and prevention of a ransomware attack at the earliest stages.
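The double extortion sequence described above (bulk exfiltration before the encryption routine starts) is the kind of behavioural pattern that visibility into IOBs is meant to surface before critical data is encrypted. The Python script below is an added illustration and is not Cybereason product code or anything from the original article. It correlates two constructed endpoint signals on the same host: a large outbound transfer to a single external destination, followed within a day by a burst of file renames that mostly share one new extension. The event schema, the sample events, the thresholds and the `.lckd` extension are all constructed for the example (the extension is a placeholder, not a REvil indicator).

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# --- Constructed telemetry (hypothetical schema, not a real product feed) ---
# Each record: ISO timestamp, host, event type, plus type-specific fields.
BASE = datetime(2021, 6, 1, 2, 0, 0)


def _ev(offset_s, host, etype, **fields):
    """Build one constructed event 'offset_s' seconds after BASE."""
    return {"ts": (BASE + timedelta(seconds=offset_s)).isoformat(),
            "host": host, "type": etype, **fields}


SAMPLE_EVENTS = (
    # ws-17: ~13.5 GB to one external address, then 60 renames to one new extension
    [_ev(600, "ws-17", "net_out", dst="203.0.113.45", bytes=9_500_000_000),
     _ev(630, "ws-17", "net_out", dst="203.0.113.45", bytes=4_000_000_000)]
    + [_ev(2460 + i, "ws-17", "file_rename", path=f"C:\\Finance\\doc{i}.docx.lckd")
       for i in range(60)]
    # ws-22: large transfer but no rename burst (e.g. a legitimate bulk upload)
    + [_ev(3600, "ws-22", "net_out", dst="192.0.2.10", bytes=5_000_000_000)]
    # ws-03: small transfer and a single rename, ordinary user activity
    + [_ev(25200, "ws-03", "net_out", dst="198.51.100.7", bytes=120_000_000),
       _ev(25500, "ws-03", "file_rename", path="C:\\Users\\a\\draft.docx.bak")]
)

# Thresholds are illustrative; tune them to the environment's own baseline.
EXFIL_MIN_BYTES = 1_000_000_000           # 1 GB to a single destination ...
EXFIL_WINDOW = timedelta(hours=1)         # ... within one hour
BURST_MIN_RENAMES = 50                    # 50 renames ...
BURST_WINDOW = timedelta(minutes=5)       # ... within five minutes
BURST_EXT_SHARE = 0.8                     # mostly sharing one new extension
CORRELATION_WINDOW = timedelta(hours=24)  # renames follow the transfer within a day


def _ext(path):
    """Return the final extension of a path string, or '' if it has none."""
    tail = path.replace("\\", "/").rsplit("/", 1)[-1]
    return tail[tail.rfind("."):].lower() if "." in tail else ""


def find_exfil(events):
    """Hosts that moved EXFIL_MIN_BYTES or more to one destination inside EXFIL_WINDOW."""
    flows = defaultdict(list)
    for e in events:
        if e["type"] == "net_out":
            flows[(e["host"], e["dst"])].append((datetime.fromisoformat(e["ts"]), e["bytes"]))
    hits = {}
    for (host, dst), fl in flows.items():
        fl.sort()
        start, total = 0, 0
        for ts, nbytes in fl:                 # sliding window over time-sorted flows
            total += nbytes
            while ts - fl[start][0] > EXFIL_WINDOW:
                total -= fl[start][1]
                start += 1
            if total >= EXFIL_MIN_BYTES:
                hits[host] = {"dst": dst, "bytes": total, "last_seen": ts}
    return hits


def find_rename_bursts(events):
    """Hosts with BURST_MIN_RENAMES renames in BURST_WINDOW, mostly to one extension."""
    renames = defaultdict(list)
    for e in events:
        if e["type"] == "file_rename":
            renames[e["host"]].append((datetime.fromisoformat(e["ts"]), e["path"]))
    hits = {}
    for host, rn in renames.items():
        rn.sort()
        start = 0
        for end, (ts, _) in enumerate(rn):
            while ts - rn[start][0] > BURST_WINDOW:
                start += 1
            window = rn[start:end + 1]
            if len(window) < BURST_MIN_RENAMES:
                continue
            ext, n = Counter(_ext(p) for _, p in window).most_common(1)[0]
            if ext and n / len(window) >= BURST_EXT_SHARE:
                hits[host] = {"first_seen": window[0][0], "count": len(window), "extension": ext}
    return hits


def correlate(events):
    """Alert where a rename burst follows bulk outbound transfer on the same host."""
    exfil, bursts = find_exfil(events), find_rename_bursts(events)
    alerts = []
    for host, b in bursts.items():
        x = exfil.get(host)
        if x and timedelta(0) <= b["first_seen"] - x["last_seen"] <= CORRELATION_WINDOW:
            alerts.append({"host": host, "exfil_dst": x["dst"], "exfil_bytes": x["bytes"],
                           "rename_count": b["count"], "extension": b["extension"]})
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print("ALERT possible double extortion sequence:", a)
```

Run on the constructed events, only ws-17 produces an alert: ws-22 crosses the transfer threshold but never renames files in bulk, and ws-03 does neither. Requiring both signals in sequence is what keeps a legitimate bulk upload or a single user rename from paging the on-call analyst, and the sliding windows mean the rename burst is caught while it is still in progress rather than after the host has finished encrypting.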
A robust ransomware solution must provide multi-layered prevention, detection and response, including:
- Anti-ransomware prevention and deception, which uses a combination of behavioral detections and proprietary deception techniques to surface the most complex ransomware threats and end the attack before any critical data can be encrypted.
- Intelligence-based antivirus, which blocks known ransomware variants by leveraging an ever-growing pool of threat intelligence based on previously detected attacks.
- NGAV (next-generation antivirus), which recognizes malicious components in code to block unknown ransomware variants prior to execution.
- Fileless ransomware protection, which disrupts attacks using fileless and MBR-based ransomware that traditional antivirus tools miss.
- Endpoint controls, which harden endpoints against attacks by managing security policies, maintaining device controls, implementing personal firewalls and enforcing whole-disk encryption across a range of device types, both fixed and mobile.
- Behavioral document protection, which detects and blocks ransomware hidden in the most common business document formats, including those that leverage malicious macros and other stealthy attack vectors.