
Understanding REvil and the Rise of Ransomware Business Models

Image Credit: coconut.production/Bigstockphoto.com

Five years ago, our global threat intelligence team Unit 42 released a threat report warning that ransomware was quickly becoming one of the greatest cyberthreats facing organisations. The majority of ransoms were between US$200 and US$500 then, but we predicted that ransom demands would grow exponentially higher in the coming years. Unfortunately, those predictions came true: today, ransomware attacks run rife, with ransoms demanded in the millions.

Among these ransomware threat actors, REvil has emerged as one of the world's most notorious ransomware operators. In the past few months, they extorted US$11 million from JBS, the largest meat producer in the world, and launched a large-scale attack on companies using Kaseya's VSA IT management software. The average payment observed in REvil cases this year was about US$2.25 million.

While REvil (also known as Sodinokibi) may seem like a new entrant in the world of cybercrime, they first appeared working with a group known as GandCrab in 2018. At the time, they were mostly focused on distributing ransomware: through malicious advertisements and malware tools, the attackers infected victims via drive-by downloads when they visited a malicious website. That group morphed into REvil and is now among an elite group of cyber extortion gangs responsible for the surge in debilitating, high-profile attacks that have made ransomware one of the most pressing security threats to businesses and nations globally.

How have ransomware groups like REvil optimised their business model?

In recent years, we have seen the rise of "ransomware as a service" (RaaS) because of the huge profits it yields for criminal organisations. This subscription-based service has grown in popularity because it lowers the barrier to entry: a cybercriminal can get into the ransomware business simply by becoming an affiliate. More critically, it allows affiliates with little technical skill to execute ransomware attacks successfully.

This model differs from traditional ransomware attacks, in which a single cohesive team both builds the malware and executes the attack. In the RaaS model, at least two parties establish a business relationship: the developer and the affiliate. The developer writes the malicious program that encrypts, and potentially steals, the victim's data. The affiliate executes the attack and collects the ransom, which may involve further business arrangements, such as purchasing exploits or initial access and laundering cryptocurrency payments. We have increasingly seen a third party assisting in RaaS attacks: the "service provider" or "ransomware consultant", who helps the affiliate at various stages of the attack, from selecting victims and providing exploits to attacking victims and conducting the negotiations.

REvil is one of the prominent providers of RaaS. They provide adaptable encryptors and decryptors, infrastructure and services for negotiation communications, and a leak site, known as the "Happy Blog", for publishing stolen data when victims do not pay the ransom demand. For these services, REvil takes a percentage of the negotiated ransom as their fee.

RaaS gangs use several other tactics as additional leverage, such as double extortion and distributed denial-of-service (DDoS) attacks against victim websites. In double extortion, ransomware operators steal data before encrypting it and threaten to publish it, so that even a victim who can restore from backups is still under pressure to pay. A DDoS attack employs very large numbers of attacking computers to overwhelm the target with bogus traffic, and threat actors use it against victim organisations that do not cooperate during the negotiation period.

How should an organisation prepare for ransomware attacks?

The most effective strategy for stopping ransomware attacks is to prevent them from ever entering your organisation. Defending against ransomware is similar to protecting against other malware; however, ransomware represents a much higher risk to the organisation given the magnitude of the potential financial loss and data theft involved.

Measures to reduce ransomware exposure include:

Curbing Initial Access

  • Initial Access covers the techniques adversaries use to gain their first foothold in a network. Common techniques include targeted spear phishing and exploiting weaknesses in public-facing web servers and other internet-exposed services.
  • Organisations should maintain user awareness and training for email security, and consider ways to identify and remediate malicious email as soon as it enters an employee's mailbox.
  • Remote Desktop Protocol (RDP) services should be correctly configured and secured: not exposed directly to the internet, reachable only through a VPN or gateway with multi-factor authentication, restricted to the accounts that genuinely need remote logon (the principle of least privilege), and protected by an account lockout policy, with monitoring in place to detect the patterns of repeated failed logons associated with brute-force and password-spraying attacks.
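The monitoring step above is usually a query over Windows Security events. The following is an added example, not code from the original article or from Unit 42: it reads constructed log lines shaped like a SIEM's flattened export of Event ID 4625 (failed logon), keeps a sliding window per source IP, and flags two patterns: many failures from one IP (brute force) and failures spread across many accounts from one IP (password spray). The line format, field names and thresholds are assumptions to tune for your own environment.

```python
"""
RDP brute-force / password-spray detection over Windows Security log lines.

Added example, not code from the original article. The log lines are
constructed to resemble a SIEM's flattened export of Event ID 4625 (failed
logon); the thresholds are illustrative assumptions, not published guidance.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Logon types in which RDP failures appear: 10 = RemoteInteractive; 3 = Network
# (seen when Network Level Authentication fails before a session is created).
RDP_LOGON_TYPES = {"3", "10"}


def parse_event(line):
    """Parse 'TIMESTAMP key=value ...' into a dict; the first field is the time."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return fields


def detect_rdp_attacks(lines, window=timedelta(minutes=5),
                       max_failures=10, spray_users=5):
    """Return a sorted list of (source_ip, pattern) findings.

    brute_force:    >= max_failures RDP logon failures from one IP inside `window`
    password_spray: failures against >= spray_users distinct accounts from one IP
                    inside `window`
    Lines are assumed to be in time order, as a log export normally is.
    """
    recent = defaultdict(deque)   # ip -> deque of (ts, user) still inside the window
    findings = set()
    for ev in map(parse_event, lines):
        if ev.get("EventID") != "4625" or ev.get("LogonType") not in RDP_LOGON_TYPES:
            continue
        ip = ev.get("IpAddress", "-")
        q = recent[ip]
        q.append((ev["ts"], ev.get("TargetUserName", "?")))
        while q and ev["ts"] - q[0][0] > window:   # evict events older than the window
            q.popleft()
        if len(q) >= max_failures:
            findings.add((ip, "brute_force"))
        if len({user for _, user in q}) >= spray_users:
            findings.add((ip, "password_spray"))
    return sorted(findings)


def _event(ts, user, ip, logon_type="10", event_id="4625", status="0xC000006A"):
    """Build one constructed log line (0xC000006A = bad password, 0xC0000064 = no such user)."""
    return (f"{ts:%Y-%m-%dT%H:%M:%SZ} EventID={event_id} TargetUserName={user} "
            f"IpAddress={ip} LogonType={logon_type} Status={status}")


T0 = datetime(2021, 7, 2, 10, 0, 0, tzinfo=timezone.utc)
# Constructed sample log (not captured from a real system), sorted by timestamp.
SAMPLE_LOG = sorted(
    # 12 failures against 'administrator' from one IP, ten seconds apart
    [_event(T0 + timedelta(seconds=10 * i), "administrator", "203.0.113.5") for i in range(12)]
    # 6 different accounts tried from another IP, thirty seconds apart
    + [_event(T0 + timedelta(seconds=30 * i), f"user{i}", "198.51.100.7",
              status="0xC0000064") for i in range(6)]
    # console failures (LogonType 2) from an internal host: not RDP, ignored
    + [_event(T0 + timedelta(seconds=5 * i), "jdoe", "192.0.2.10", logon_type="2")
       for i in range(12)]
    # one successful RDP logon (Event ID 4624): not a failure, ignored
    + [_event(T0 + timedelta(minutes=3), "svc_backup", "192.0.2.11",
              event_id="4624", status="0x0")]
)

if __name__ == "__main__":
    for ip, pattern in detect_rdp_attacks(SAMPLE_LOG):
        print(f"{pattern:15s} from {ip}")
```

The two thresholds catch different attacker behaviours: a lockout policy alone stops the single-account hammering but not a low-and-slow spray that tries one password against many accounts, so the distinct-user count is the check to keep even when lockout is enabled. In production the same logic is typically expressed as a scheduled SIEM query keyed on source IP, with the window and counts tuned against a baseline of legitimate failed logons.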

Set in place a backup and recovery process

  • Organisations should continue to back up their data and keep an appropriate recovery process in place. Ransomware operators deliberately target on-site backups for encryption or deletion, so organisations should ensure that backups are kept offline or otherwise immutable, and that the credentials used to manage them are not the same as those used on the production network.
  • Recovery processes must be implemented and rehearsed with critical stakeholders, including test restores from the offline copies, to minimise downtime and cost to the organisation in the event of a ransomware attack.

Implement security controls across all devices

  • The most effective forms of protection from ransomware are endpoint security, URL filtering or web protection, advanced threat prevention (sandboxing of unknown threats) and anti-phishing solutions, deployed across all enterprise environments and devices.
  • Together these drastically reduce the risk of infection from common variants and provide defence in depth, so that one technology still offers a line of enforcement where another is not effective.
Author

Vicky is principal researcher in Unit 42, the Threat Intelligence Team of Palo Alto Networks, for the Asia Pacific region, where he leads research mainly on cybercrime and cyber espionage campaigns. Vicky was also nominated by the INTERPOL Global Complex for Innovation (IGCI) as a cybercrime expert to collaborate on investigations coordinated by INTERPOL.

Prior to joining Palo Alto Networks, he led the Cyber Incident Response team at Barclays for the Asia Pacific region, where he was actively involved in identifying and responding to targeted attacks, analysing unknown malware and attributing attacks to threat actors.
