REvil: How Cyber Criminals Operate Ransomware-as-a-service

In 2021, REvil made headlines for their high profile ransomware attacks on larger corporations. Most notably, they have been confirmed as the attackers behind the JBS Foods attack in June of 2021 as well as the Kaseya attack that left at least one million devices encrypted. REvil also made headlines as President Biden applied extra pressure on Russian president Vladimir Putin to take action against REvil , as Russia’s lack of action up to this point has allowed the group to thrive without much consequence. Understanding how REvil operates provides a window into their organization and strategies that make them so effective at what they do. Additionally, by understanding how REvil operates, your organization can better understand what steps you should take to combat the threats posed by the group.

What is REvil?

When you think of REvil, you probably think of the attackers actively targeting and ambushing your system. However, this image is not completely correct. Instead, REvil acts as a Ransomware as a Service (RaaS) exchange provider. In essence, this means that REvil creates the ransomware tools that launch dangerous attacks on systems. After creating these tools, they then “license” them out to affiliates who will actually carry out the attack. If a ransom is paid, then REvil collects a portion of the ransom in exchange for their services. The attacks executed by REvil associates usually are a two-pronged approach. First, they make your organization pay up in order to decrypt the data that is on computers in order to restore operations. Second, they reveal that they also stole your data before they encrypted it and threaten to post this data if the ransom is not paid. So, even if the organization can restore operations through backups, they may still be forced to pay up in order to keep their data from going public. This attack technique, known commonly as double extortion, leaves organizations in an impossible situation where they feel forced to pay.

How do they gain access?

There are a few main tactics used by REvil to gain access to organizational systems. There are a few that are fairly common among cyberattack groups. They utilize compromised credentials in order to execute Remote Desktop Protocol (RDP), which allows them to remotely access the system. They also use malicious payloads downloaded via phishing emails to compromise the system. As well, they exploit vulnerabilities in software that lets them gain access to credentials, which they then use to access the environment. In fact, REvil has recently uncovered a flaw in the Linux operating system that they utilize to gain device access and encrypt the contents . This attack also allows REvil to move laterally across a network, which means that REvil can hop from one device to the next no matter the operating system as long as they are on the same network.

What Can Your Organization Do?

There are several things that your organization can do to prevent an attack by REvil or a similar group. Much of it comes back to practicing good cybersecurity hygiene. Here are a few ideas of thing your organization can do:

• Implement a layered security approach.
• Update your systems to the most current software update, as this will help prevent any vulnerabilities in old software versions from being exploited.
• Enable multi-factor authentication wherever possible in order to prevent a single set of compromised credentials from being enough to get into the system. 
• Use strong passwords and change passwords in the case of any kind of breach.
• Allow devices to access only the data they need to prevent from one compromised device allowing access to the whole system. (Note: This is a fundamental pillar of Zero Trust architecture.)

Corporate Information Technologies provides small to mid-market organizations with expert I.T. services including compliance assessment, cybersecurity penetration tests, and comprehensive business continuity planning services. Corporate Information Technologies can help organizations, quantify, create, refine, and mitigate the risks presented by business threatening disasters in whatever form they may be disguised.