An Inside Look at a REvil Ransomware Attack
REvil, also known as Sodinokibi, is a widely used, conventional ransomware-as-a-service (RaaS) offering that has been around since 2019. Criminal customers can lease the REvil ransomware from its developers, adding their own tools and resources for targeting and implementation, which we saw in the July 2021 Kaseya attack. As a result, the approach and impact of an attack involving REvil ransomware are highly variable, making it difficult for defenders to know what to expect and look out for.
In a recent June 2021 incident, the Sophos Rapid Response team responded to a security alert that flagged Cobalt Strike on the network of a mid-size media company. Cobalt Strike is a remote access agent that is widely used by adversaries as a precursor to a ransomware attack. The attackers released ransomware a few hours later at 4 am local time, and the ransom note left on encrypted devices was signed by REvil, demanding a payment of $2.5 million.
For the next four hours, the target’s IT team and Sophos’ Rapid Response team were locked in live combat with the human adversaries orchestrating the attack. The attackers tried repeatedly to breach protected devices and encrypt files, launching attacks from different unprotected devices they had been able to compromise. Every attempt needed to be blocked and investigated to ensure there was nothing else going on and that there was no further damage – even though by then the next attack attempt was already underway. This task was made harder than normal because the organization needed to keep most of its servers online to support the 24/7 broadcasting systems.
Eventually, the onslaught began to slow down. By day two, inbound attacks were still detected intermittently but it was clear the main attack attempt was over and had failed. Unfortunately, even though the attack ultimately failed, the attackers had already encrypted the data on unprotected devices, deleted online backups, and decimated one online and undefended domain.
Lessons Learned From This REvil Attack
Sophos experts believe there are two important lessons that partners and defenders should take away from this incident.
The first is about risk management. When organizations make changes to their environment, for example, changing a network from air-gapped to online as in the case of this business, the level of risk changes. New areas of vulnerability open up and partners and IT security teams need to understand and address that.
The second is about preserving data. The first compromised account in this attack belonged to a member of the IT team. All of the data had been wiped, which meant that valuable information, such as details of the original breach that could have been used for forensic analysis and investigation, was lost. The more information is kept intact, the easier it is to see what happened, enabling partners and the victim organization to make sure it doesn’t happen again.
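The preservation lesson above is easier to act on when the responder hashes and records every artifact before any rebuild or cleanup touches it, so that later analysis can prove the evidence is the original. The following is an added example of that chain-of-custody step; it is not Sophos tooling or anything from the incident described, and the artifact names, the log line contents and the collector identity are constructed stand-ins.

```python
"""Evidence-preservation manifest: hash collected artifacts before remediation,
then re-verify them later. Hypothetical helper written for this page, not
Sophos code; every sample below is constructed."""
import hashlib
import json
import os
import tempfile
import time


def sha256_file(path):
    """Stream a file through SHA-256 so large logs need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(paths, collector):
    """Record path, size, mtime and hash for each artifact. This is the
    record a reviewer later uses to show nothing changed after collection."""
    artifacts = []
    for path in sorted(paths):
        info = os.stat(path)
        artifacts.append({
            "path": path,
            "size": info.st_size,
            "mtime": info.st_mtime,
            "sha256": sha256_file(path),
        })
    return {"collector": collector, "collected_at": time.time(),
            "artifacts": artifacts}


def save_manifest(manifest, out_path):
    """Persist the manifest as JSON next to the collected copies."""
    with open(out_path, "w") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)


def verify_manifest(manifest):
    """Return the paths whose contents no longer match the recorded hash;
    a missing file counts as changed."""
    changed = []
    for entry in manifest["artifacts"]:
        path = entry["path"]
        if not os.path.isfile(path) or sha256_file(path) != entry["sha256"]:
            changed.append(path)
    return changed


def artifact_names(manifest):
    """Base names of the recorded artifacts, in manifest order."""
    return [os.path.basename(e["path"]) for e in manifest["artifacts"]]


def create_sample_artifacts():
    """Constructed stand-ins for what a responder would copy from a host:
    an auth log, an empty scheduler log and the ransom note file."""
    workdir = tempfile.mkdtemp(prefix="evidence_")
    samples = {
        "auth.log": "constructed sample: 03:58:12 interactive logon by itadmin\n",
        "scheduler.log": "",
        "readme.txt": "constructed stand-in for a ransom note\n",
    }
    paths = []
    for name, text in samples.items():
        path = os.path.join(workdir, name)
        with open(path, "w") as fh:
            fh.write(text)
        paths.append(path)
    return workdir, paths


def demo():
    """Collect, then simulate a well-meant cleanup that overwrites a log
    after collection; verification names the altered file."""
    workdir, paths = create_sample_artifacts()
    manifest = build_manifest(paths, collector="responder (constructed)")
    save_manifest(manifest, os.path.join(workdir, "manifest.json"))
    before = verify_manifest(manifest)
    with open(paths[0], "w") as fh:  # paths[0] is auth.log
        fh.write("")
    after = [os.path.basename(p) for p in verify_manifest(manifest)]
    return before, after


if __name__ == "__main__":
    print(demo())
```

The manifest is written next to the copies rather than on the compromised host, and the verify step is what a partner runs before handing evidence to an investigator: any file listed as changed has lost its value for reconstructing the original breach.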
Responding To A REvil Attack
Sophos recommends the following best practices for partners to help defend against REvil and other families of ransomware and related cyberattacks:
- Understand the tactics, techniques and procedures (TTPs) that attackers can use and how to spot the early warning signs of an imminent attack
- Have an incident response plan that is continuously reviewed and updated to reflect changes in customers’ IT environments and business operations and how they impact your security posture and level of risk
- Turn to external support if you don’t have the resources or expertise in-house to monitor activity on customer networks or respond to an incident. Ransomware is often unleashed at the end of an attack, so you need both dedicated anti-ransomware technology and human-led threat hunting, such as Sophos Managed Threat Response (MTR), to detect the tell-tale tactics, techniques, and procedures that indicate an attacker is in, or attempting to get into, the environment
- If you or a customer does get hit, incident response experts like the Sophos Rapid Response team are available 24/7 to call on to contain and neutralize the attack
Dealing with a cyberattack like REvil is a stressful experience. It can be tempting for partners to clear the immediate threat and close the book on the incident, but the truth is that in doing so you are unlikely to have eliminated all traces of the attack. It is important that you take time to identify how the attackers got in, learn from any mistakes and make improvements to security systems. If you don’t, you run the risk that the same adversary or another one might attack again in the future.