What to Expect When Hit with REvil Ransomware

REvil, also known as Sodinokibi, is a widely used, conventional ransomware-as-a-service (RaaS) offering that has been around since 2019. Criminal customers can lease the REvil ransomware from its developers, adding their own tools and resources for targeting and implementation. As a result, the approach and impact of an attack involving REvil ransomware is highly variable. This can make it hard for defenders to know what to expect and look out for.

The following information may help IT admins facing or proactively concerned with the impact of a REvil ransomware attack. The findings are based on insights from the Sophos Rapid Response team, which has investigated multiple cyberattacks involving REvil.

What to do immediately: contain and neutralise

The first thing you need to do is determine whether the attack is still underway. If you suspect it is, and you don’t have the tools in place to stop it, determine which devices have been impacted and isolate them immediately. The easiest option is to simply disconnect from all networks. If the damage is more widespread than a few devices, consider doing this at the switch level and taking entire network segments offline instead of individual devices. Only shut down devices if you can’t disconnect the network.

Second, you need to assess the damage. Which endpoints, servers and operating systems were affected, what has been lost? Are your backups still intact or has the attacker deleted them? If they are intact, make an offline copy immediately. Also, which machines were protected? They’ll be critical in getting you back on your feet.

Third, do you have a comprehensive incident response plan in place? If not, you need to identify who should be involved in dealing with this incident. IT admins and senior management will be required, but you may also need to bring in outside security experts and consult with cyber insurance and legal counsel. Should you report the incident to law enforcement and/or inform data protection authorities? There is also the question of what information you should give to employees, many of whom are likely to find a similar ransom note on their desktop.

Last, but definitely not least: you’ll need to contact these and other key people, such as customers, to let them know what’s happening, but the attackers may be eavesdropping so don’t use your normal channels of communication. If the intruders have been in your network for a while, they’ll probably have access to email, for instance.

What defenders can do

There are some proactive steps you can take to enhance your IT security for the future, including:

• Monitor your network security 24/7 and be aware of the five early indicators an attacker is presentto stop ransomware attacks before they launch
• Shut down internet-facing remote desktop protocol (RDP) to deny cybercriminals access to networks. If you need access to RDP, put it behind a VPN or zero-trust network access connection and enforce the use of Multi-Factor Authentication (MFA)
• Educate employees on what to look out for in terms of phishing and malicious spam and introduce robust security policies
• Keep regular backups of your most important and current data on an offline storage device. The standard recommendation for backups is to follow the 3-2-1 method: 3 copies of the data, using 2 different systems, 1 of which is offline. Also test your ability to perform a restore
• Prevent attackers from getting access to and disabling your security: choose a solution with a cloud-hosted management console with multi-factor authentication enabled and Role Based Administration to limit access rights
• Remember, there is no single silver bullet for protection, and a layered, defense-in-depth security modelis essential – extend it to all endpoints and servers and ensure they can share security-related data
• Have an effective incident response plan in place and update it as needed. If you don’t feel confident you have the skills or resources in place to do this, to monitor threats or to respond to emergency incidents, consider turning to external experts for help

Dealing with a cyberattack is a stressful experience. It can be tempting to clear the immediate threat and close the book on the incident, but the truth is that in doing so you are unlikely to have eliminated all traces of the attack. It is important that you take time to identify how the attackers got in, learn from any mistakes and make improvements to your security. If you don’t, you run the risk that the same adversary or another one might attack again in the future.