IT-Mensch versus REvil - a live attack


The Sophos Managed Threat Response team in a direct exchange of blows with the operators of the REvil ransomware. A specific case shows how the cyber criminals proceeded, how the Managed Threat Response (MTR) team finally gained the upper hand and what lessons companies should draw from the incident.

Like many other ransomware families, the REvil extortion software is used by cyber criminals to steal and encrypt data in order to subsequently demand the highest possible ransom. What makes REvil special, however, is the way the ransomware is made available. As if it were a completely normal business, the makers offer their "product" as a service that can even be leased; this makes clear that the cyber criminals are running a business worth millions.

REvil attack: $2 million ransom

How the attack works and how the criminals can be effectively countered is shown by the current example of a media company from which the extortionists demanded over two million dollars in ransom. With around 600 networked devices, including 25 servers and three Active Directory domains for 24/7 operation, this company, like many others, moved much of its daily work to remote offices from the start of the COVID-19 wave. External workplaces were connected to the network and the internet connection was adjusted accordingly, all well-intentioned actions given the requirements of the moment. But they opened the door to the REvil attack.

Having penetrated the network, the criminals made their way to the unprotected devices and other online systems, installed their attack tools and used them to extend the attack to other devices.

Rapid reaction force

When the Sophos Rapid Response Team was called in and carefully examined the crime scene, it quickly became clear that the REvil attackers had already compromised a number of accounts and were moving freely between unprotected computers. A closer look at the installed applications showed that 130 endpoints were equipped with the ScreenConnect software, which is often used as a collaboration tool for remote offices. In fact, the company was unaware of these installations, which indicated that the attackers had deployed this tool along with various other programs for their criminal purposes.
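The detail that matters for defenders in this paragraph is not the tool itself but the gap: 130 installations nobody in the company had approved. That gap is detectable from an ordinary software inventory long before encryption starts. The following script is an added example and not Sophos MTR tooling; it assumes a constructed inventory export of (hostname, product, install date) tuples, an approved-software baseline, and a list of remote-access product keywords that should be extended for a real environment. It reports unapproved products ranked by how many hosts carry them, flags remote-access tools first, and counts installs per date, since a large single-day cluster points to scripted mass deployment rather than individual users installing software.

```python
"""Flag software installations that are absent from an approved baseline.

Added illustration, not Sophos MTR tooling. The inventory format is a
constructed assumption; real data would come from an endpoint agent,
asset database or SIEM export.
"""
from collections import defaultdict

# Constructed inventory export: (hostname, product, install_date)
SAMPLE_INVENTORY = [
    ("srv-ad01", "Microsoft Office", "2019-03-11"),
    ("srv-ad01", "ScreenConnect Client", "2020-06-02"),
    ("ws-0042", "Microsoft Office", "2019-03-11"),
    ("ws-0042", "ScreenConnect Client", "2020-06-02"),
    ("ws-0043", "Microsoft Office", "2019-03-11"),
    ("ws-0043", "7-Zip", "2018-10-30"),
    ("ws-0044", "ScreenConnect Client", "2020-06-02"),
]

# Approved product names (assumed baseline); anything else is "drift".
APPROVED = {"Microsoft Office", "7-Zip"}

# Remote-access/management products that warrant immediate triage when they
# are not on the baseline. Only the tool named in the article is listed here;
# a real deployment would extend this list (assumption).
REMOTE_ACCESS_KEYWORDS = ("screenconnect",)


def unapproved_installs(inventory, approved):
    """Return {product: sorted list of hosts} for every unapproved product."""
    hosts_by_product = defaultdict(set)
    for host, product, _date in inventory:
        if product not in approved:
            hosts_by_product[product].add(host)
    return {p: sorted(h) for p, h in hosts_by_product.items()}


def is_remote_access(product, keywords=REMOTE_ACCESS_KEYWORDS):
    """Case-insensitive substring match against the remote-access keyword list."""
    name = product.lower()
    return any(k in name for k in keywords)


def prioritize(drift, keywords=REMOTE_ACCESS_KEYWORDS):
    """Rank unapproved products: remote-access tools first, then by host count.

    Returns a list of (product, host_count, is_remote_access) tuples.
    """
    rows = [(p, len(h), is_remote_access(p, keywords)) for p, h in drift.items()]
    rows.sort(key=lambda r: (not r[2], -r[1], r[0]))
    return rows


def same_day_clusters(inventory, product):
    """Count installs of one product per install date.

    A large cluster on a single date suggests scripted mass deployment
    (as an attacker would do) rather than individual users installing a tool.
    """
    counts = defaultdict(int)
    for _host, p, date in inventory:
        if p == product:
            counts[date] += 1
    return dict(counts)


if __name__ == "__main__":
    drift = unapproved_installs(SAMPLE_INVENTORY, APPROVED)
    for product, count, remote in prioritize(drift):
        flag = "REMOTE-ACCESS" if remote else "review"
        print(f"{flag:14} {product:25} on {count} host(s): {drift[product]}")
        print("   install dates:", same_day_clusters(SAMPLE_INVENTORY, product))
```

Run against a real inventory, the interesting signal is the combination: an unapproved remote-access product, present on a domain controller as well as workstations, all installed on the same day. Any one of those alone might be an admin's shortcut; together they are what the Rapid Response Team found after the fact.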

Direct exchange of blows

As the attackers began to work more intensively on the network, they realized that they would likely be discovered and blocked, and that the MTR team was after them. They knew that behavior-based detection tools were being used to track them down and that CryptoGuard would detect and block encryption. The attackers then tried to penetrate other unprotected endpoints in order to execute the ransomware there.

The direct exchange of blows between the MTR team and the attackers was more intense and complex than usual, as the media company had to keep most of its servers online in order to maintain its 24/7 systems and transmissions. Eventually the onslaught began to slow down. Incoming attacks were still sporadically discovered on the second day, but it was clear that the main attack attempt was over and had failed. The winner of this fight was clear: the MTR team.

Balance sheet and findings

It could have been a lot worse. The IT security team found that the damage was mainly limited to the unprotected devices and domains. The domain that had previously been protected by an air gap (physical network separation) and had since been brought online was completely destroyed and had to be rebuilt, and the online backups were also deleted. The good news: although the attackers managed to get into the network, the company was not completely paralyzed and did not have to pay an exorbitant ransom.

"In most cases, the attack is already taking place when we are called. We can then help contain, neutralize and investigate the aftermath," says Peter Mackenzie, Manager Sophos Rapid Response. "In this case, we were asked for assistance and were on hand as the final phase of the attack unfolded and we were able to see both the attackers' initial determination and then growing frustration. And they used every available weapon against us, firing from as many directions as they could."

Two particularly important findings

The first concerns risk management. When a company makes changes to an environment, such as moving a network from air-gapped to online, as this company did, the risk changes. New weaknesses emerge, which the IT security teams have to recognize and eliminate.

The second insight concerns the protection of data. The first account compromised in this attack belonged to a member of the IT team. All of its data had been erased. This means that valuable information, such as details of the original break-in that could have been used for forensic analysis and investigation, has been lost. The more information that is left intact, the easier it is to understand what happened and to ensure that something like this cannot happen again.

More at Sophos.com

About Sophos

More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage. They offer the lowest total cost of ownership in the industry. Sophos offers award-winning encryption solutions, security solutions for endpoints, networks, mobile devices, email and the web. In addition, there is support from SophosLabs, our worldwide network of our own analysis centers. The Sophos headquarters are in Boston, USA and Oxford, UK.
