How REvil Works: A Look Inside the World’s Most Famous Ransomware-as-a-Service
Recently you may have seen a lot of news about the Russia-based cyberattack group REvil. Most notably, they have been confirmed as the attackers behind the JBS Foods attack early last month as well as the Kaseya attack earlier this month that left at least one million devices encrypted. REvil has also been making headlines as President Biden has applied extra pressure on Russian president Vladimir Putin to take action against REvil, as Russia’s lack of action up to this point has allowed the group to thrive without much consequence. Understanding how REvil operates provides a window into the organization and strategies that make them so effective at what they do. It also helps your organization understand what steps it should take to combat the threats posed by the group.
What is REvil?
When you think of REvil, you probably think of the attackers actively targeting and ambushing your system. However, this image is not completely correct. Instead, REvil acts as a Ransomware as a Service (RaaS) exchange provider. In essence, this means that REvil creates the ransomware tools that launch dangerous attacks on systems. After creating these tools, they then “license” them out to affiliates who actually carry out the attack. If a ransom is paid, REvil collects a portion of the ransom in exchange for their services. Attacks executed by REvil affiliates usually take a two-pronged approach. First, they demand payment to decrypt the data on your computers so that operations can be restored. Second, they reveal that they also stole your data before encrypting it and threaten to post this data if the ransom is not paid. So, even if the organization can restore operations through backups, it may still be forced to pay in order to keep its data from going public. This technique, commonly known as double extortion, leaves organizations in an impossible situation where they feel forced to pay.
How do they gain access?
REvil uses a few main tactics to gain access to organizational systems, several of which are common among cyberattack groups. They use compromised credentials to log in over Remote Desktop Protocol (RDP), which gives them remote access to the system. They also use malicious payloads downloaded via phishing emails to compromise the system. In addition, they exploit vulnerabilities in software that let them obtain credentials, which they then use to access the environment. In fact, REvil has recently uncovered a flaw in the Linux operating system that they utilize to gain device access and encrypt its contents. This attack also allows REvil to move laterally across a network, meaning REvil can hop from one device to the next regardless of operating system as long as the devices are on the same network.
What can your organization do?
There are several things that your organization can do to prevent an attack by REvil or a similar group. Much of it comes back to practicing good cybersecurity hygiene. Here are a few things your organization can do:
- Implement a layered security approach.
- Update your systems to the most current software update, as this will help prevent any vulnerabilities in old software versions from being exploited.
- Enable multi-factor authentication wherever possible in order to prevent a single set of compromised credentials from being enough to get into the system.
- Use strong passwords and change passwords in the case of any kind of breach.
- Allow devices to access only the data they need, so that one compromised device cannot provide access to the whole system. (Note: This is a fundamental pillar of Zero Trust architecture.)
On 7/12, REvil’s site on the Dark Web went offline. The site was REvil’s main way to communicate with their victims, as victims would pay ransoms through this site and the attack group even provided a help desk for those who paid. The reason behind the site going down is still unknown at this point. There are a few prevailing ideas. One, the US took action against REvil in the wake of recent attacks and attacked REvil directly, which may have resulted in their website going down. Two, Putin took action against the Russia-based group in light of recent comments by President Biden and the rest of the global community. Three, REvil took the website down themselves due to increased pressure around them and will be offline for at least a little while. Whatever the reason, the site is down, which leaves some victims who paid the ransom in a bad position if their key is not working. It is just a matter of waiting to see if or when the group reemerges.
Corporate Information Technologies provides small to mid-market organizations with expert I.T. services including compliance assessment, cybersecurity penetration tests, and comprehensive business continuity planning services. Corporate Information Technologies can help organizations quantify, create, refine, and mitigate the risks presented by business-threatening disasters in whatever form they may be disguised.