REvil, also known as Sodinokibi, is a mature and widespread ransomware-as-a-service (RaaS) offering. Sophos researchers have examined the tools and behaviors that attackers most commonly use when deploying a REvil attack.
Criminal customers lease the ransomware from its developers and deploy it on their victims' computers with their own parameters. The approach and the effects of a REvil attack therefore vary widely and depend on the tools, behaviors, resources and skills of the attacker renting the malware.
REvil ransomware under the hood
Andrew Brandt, Principal Researcher at Sophos, says: “For an ordinary, everyday ransomware that has only been around for a few years, REvil/Sodinokibi already manages to cause significant damage and demand millions of dollars in ransom payments. REvil/Sodinokibi's success may be due in part to the fact that as a ransomware-as-a-service offering, every attack is different. That can make it difficult for defenders to spot the red flags to look out for.”
In the article, Sophos researchers from SophosLabs and the Sophos Rapid Response team describe the tools and behaviors that attackers most often use to carry out a REvil attack. The report aims to give defenders insight into how to recognize an impending or ongoing REvil ransomware attack and protect their organization.
REvil ransomware attack tools
- Brute-force attacks against popular internet-facing services such as VPNs, remote desktop protocol (RDP), remote desktop management tools like VNC, and even some cloud-based management systems; misuse of credentials obtained through malware, phishing, or simply from other malware already present on the target's network.
- Credential harvesting and privilege escalation using Mimikatz to obtain domain administrator credentials.
- Laying the groundwork for the ransomware to be released by disabling or deleting backups, attempting to disable security technologies, and identifying target computers for encryption.
- Uploading large amounts of data for exfiltration, although Sophos researchers saw this in only about half of the REvil/Sodinokibi incidents studied. In the cases involving data theft, the attackers used Mega.nz as the (temporary) storage location for the stolen data around three quarters of the time.
- Restarting the computer in Safe Mode before encrypting data, to bypass endpoint protection tools.
For more information on REvil / Sodinokibi ransomware attacks and how to protect yourself from them, see the article on SophosLabs Uncut.
Persistence and borrowed tools
The attackers using REvil ransomware can be very persistent, according to Sophos Rapid Response. In a REvil attack recently investigated by the team, data collected from a compromised server showed approximately 35,000 failed login attempts over a period of five minutes from 349 unique IP addresses around the world. In at least two REvil attacks observed by Sophos researchers, the initial access point was a tool left behind by a previous ransomware attack carried out by a different attacker.
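A login burst like the one described above (many failures in a short window, spread across many source addresses) is easy to surface with a sliding-window count over failed-login events. This is an added example, not code from Sophos or the report; the log line format, timestamps and addresses are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample (not data from the Sophos investigation): a burst of
# failed logins from several sources, plus two isolated normal failures.
SAMPLE_LOG = """\
2021-06-01T09:30:12 FAILED_LOGIN user=jsmith src=198.51.100.7
2021-06-01T10:00:00 FAILED_LOGIN user=admin src=203.0.113.10
2021-06-01T10:00:03 FAILED_LOGIN user=admin src=203.0.113.11
2021-06-01T10:00:05 FAILED_LOGIN user=administrator src=203.0.113.12
2021-06-01T10:00:09 FAILED_LOGIN user=admin src=203.0.113.10
2021-06-01T10:00:14 FAILED_LOGIN user=root src=203.0.113.13
2021-06-01T10:01:30 FAILED_LOGIN user=admin src=203.0.113.14
2021-06-01T10:02:47 FAILED_LOGIN user=admin src=203.0.113.11
2021-06-01T10:04:58 FAILED_LOGIN user=backup src=203.0.113.15
2021-06-01T11:45:00 FAILED_LOGIN user=jsmith src=198.51.100.7
"""
LINE_RE = re.compile(r"^(\S+) FAILED_LOGIN user=\S+ src=(\S+)$")

def parse_failures(log_text):
    """Return (timestamp, source_ip) pairs for failed-login lines, sorted by time."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2)))
    return sorted(events)

def worst_window(events, window=timedelta(minutes=5)):
    """Slide a time window over sorted events and return the densest one as
    (failures, distinct_source_ips, window_start)."""
    best, start, ips = (0, 0, None), 0, Counter()
    for end, (ts, ip) in enumerate(events):
        ips[ip] += 1
        while ts - events[start][0] > window:  # drop events older than the window
            old = events[start][1]
            ips[old] -= 1
            if ips[old] == 0:
                del ips[old]
            start += 1
        if end - start + 1 > best[0]:
            best = (end - start + 1, len(ips), events[start][0])
    return best

def is_distributed_bruteforce(events, min_failures=8, min_ips=5):
    """True when one five-minute window shows both many failures and many sources."""
    failures, sources, _ = worst_window(events)
    return failures >= min_failures and sources >= min_ips
```

The thresholds are illustrative; in production they would be tuned to the service's normal failure rate, and the source-count criterion is what separates a distributed brute force from a single misconfigured client.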
More at Sophos.com
About Sophos
More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage, and offer the lowest total cost of ownership in the industry. Sophos offers award-winning encryption solutions and security solutions for endpoints, networks, mobile devices, email and the web, backed by SophosLabs, our worldwide network of in-house analysis centers. Sophos is headquartered in Boston, USA and Oxford, UK.