REvil, also known as Sodinokibi, is a widely used, conventional ransomware-as-a-service (RaaS) offering that has been around since 2019. Criminal customers can lease the REvil ransomware from its developers, adding their own tools and resources for targeting and implementation, as we saw in the July 2021 Kaseya attack. As a result, the approach and impact of an attack involving REvil ransomware are highly variable, making it difficult for defenders to know what to expect and look out for.

In a recent June 2021 incident, the Sophos Rapid Response team responded to a security alert that flagged Cobalt Strike on the network of a mid-size media company. Cobalt Strike is a remote access agent that is widely used by adversaries as a precursor to a ransomware attack. The attackers released ransomware a few hours later, at 4 am local time, and the ransom note left on encrypted devices was signed by REvil, demanding a payment of $2.5 million.

For the next four hours, the target’s IT team and Sophos’ Rapid Response team were locked in live combat with the human adversaries orchestrating the attack. The attackers tried repeatedly to breach protected devices and encrypt files, launching attacks from different unprotected devices they had been able to compromise. Every attempt needed to be blocked and investigated to ensure there was nothing else going on and that there was no further damage – even though by then the next attack attempt was already underway. This task was made harder than normal because the organization needed to keep most of its servers online to support its 24/7 broadcasting systems.

Eventually, the onslaught began to slow down. By day two, inbound attacks were still detected intermittently, but it was clear the main attack attempt was over and had failed.
Unfortunately, even though the attack ultimately failed, the attackers had already encrypted the data on unprotected devices, deleted online backups, and decimated one online and undefended domain.

Key lessons for partners and their customers:

- Understand the tactics, techniques and procedures (TTPs) that attackers can use and how to spot the early warning signs of an imminent attack.
- Have an incident response plan that is continuously reviewed and updated to reflect changes in customers’ IT environments and business operations, and how they impact your security posture and level of risk.
- Turn to external support if you don’t have the resources or expertise in house to monitor activity on customer networks or respond to an incident. Ransomware is often unleashed at the end of an attack, so you need both dedicated anti-ransomware technology and human-led threat hunting, such as Sophos Managed Threat Response (MTR), to detect the tell-tale tactics, techniques, and procedures that indicate an attacker is in, or attempting to get into, the environment.
- If you or a customer does get hit, incident response experts like the Sophos Rapid Response team are available 24/7 to call on to contain and neutralize the attack.

Dealing with a cyberattack like REvil is a stressful experience. It can be tempting for partners to clear the immediate threat and close the book on the incident, but the truth is that in doing so you are unlikely to have eliminated all traces of the attack. It is important that you take time to identify how the attackers got in, learn from any mistakes and make improvements to security systems. If you don’t, you run the risk that the same adversary or another one might attack again in the future.
Guest blog courtesy of at Sophos. Read more Sophos blogs here.