REvil ransomware: 5 000 attacks across 22 countries 


On 2 July, it became apparent that the notorious REvil ransomware gang, (aka Sodinokibi), carried out a wide-scale, global attack against managed service providers (MSPs). According to Kaspersky, this led to thousands of companies becoming potential victims.

The security company has noted more than 5 000 infection attempts in Europe, North and South America.

REvil is one of the most infamous and prolific ransomware-as-a-service (RaaS) operators that first reared its ugly head in 2019. The group has made several headlines over the past few months due to the victims it targets and its record-high ransomware earnings.

How it works

This latest attack saw REvil infecting a provider of IT management software for MSPs, which affected multiple entities worldwide. The bad actors behind the campaign deployed a malicious payload via a PowerShell script, which, in turn, was presumably executed through the MSP provider’s software.

This script disabled Microsoft Defender for Endpoint protection features and then decoded a malicious executable, which in turn dropped a legitimate Microsoft binary (an older version of the Microsoft Defender solution) alongside a malicious library containing the REvil ransomware.

Using this range of components in the loader, the threat actors were able to exploit the DLL side-loading technique and attack multiple organisations.
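The loader chain described above leaves two observable traces on an endpoint: a PowerShell command line that switches Defender features off, and a legitimate signed binary executing from a directory it does not belong in, next to an unsigned DLL it then loads. The following Python is an added example, not code from the article or from Kaspersky, showing how those traces can be triaged from process-creation and image-load telemetry. The events are constructed, with field names modelled on Sysmon Event ID 1 (ProcessCreate) and Event ID 7 (ImageLoad); the `EXPECTED_HOMES` entry and the `MsMpEng.exe` file name are assumptions (the article says only that an older Microsoft Defender binary was used), and the dropped file locations and `payload.dll` are placeholders. The `Set-MpPreference` parameter names are real Defender cmdlet parameters.

```python
"""Triage constructed Windows telemetry for the two observable steps of the
loader: Defender settings turned off via Set-MpPreference, and a signed host
binary running outside its expected directory while loading an unsigned DLL
from the same folder (the DLL side-loading set-up).

Added example. Field names follow Sysmon Event ID 1 / Event ID 7 loosely;
the EXPECTED_HOMES entry and file names below are assumptions/placeholders.
"""
import re
from pathlib import PureWindowsPath

# Set-MpPreference parameters that weaken Defender. -Disable<Feature> $true/1
# covers the whole family (DisableRealtimeMonitoring, DisableIOAVProtection, ...);
# the two MAPS settings stop cloud lookups and sample submission.
TAMPER_PATTERNS = [
    re.compile(r"-(Disable\w+)\s+(?:\$true|1)\b", re.IGNORECASE),
    re.compile(r"-(MAPSReporting)\s+(?:Disabled|0)\b", re.IGNORECASE),
    re.compile(r"-(SubmitSamplesConsent)\s+(?:NeverSend|2)\b", re.IGNORECASE),
]

# Where a signed host binary is expected to live. In practice this inventory is
# built from a gold image; the single entry here is an assumption for the example.
EXPECTED_HOMES = {
    "msmpeng.exe": (
        r"C:\Program Files\Windows Defender",
        r"C:\ProgramData\Microsoft\Windows Defender\Platform",
    ),
}


def defender_tampering(command_line: str) -> list[str]:
    """Names of the Defender settings a command line turns off; [] if none."""
    if not re.search(r"\bSet-MpPreference\b", command_line, re.IGNORECASE):
        return []
    hits = []
    for pattern in TAMPER_PATTERNS:
        hits.extend(m.group(1) for m in pattern.finditer(command_line))
    return hits


def out_of_place(original_file_name: str, image: str) -> bool:
    """True when a known host binary runs from somewhere other than its expected home.
    Matching on OriginalFileName (PE version resource) survives a rename on disk."""
    homes = EXPECTED_HOMES.get(original_file_name.lower())
    if homes is None:
        return False
    path = PureWindowsPath(image)
    return not any(path.is_relative_to(PureWindowsPath(h)) for h in homes)


def sideload_candidate(event: dict) -> bool:
    """Image-load event: an out-of-place host binary loads an unsigned DLL from its own directory."""
    proc = PureWindowsPath(event["image"])
    dll = PureWindowsPath(event["image_loaded"])
    return (
        out_of_place(event["process_original_file_name"], str(proc))
        and not event["dll_signed"]
        and dll.parent == proc.parent
    )


def triage(events: list[dict]) -> list[tuple[str, str, str]]:
    """Run all checks over a batch of events; returns (host, finding, detail) tuples."""
    findings = []
    for ev in events:
        if ev["type"] == "process_create":
            tampered = defender_tampering(ev["command_line"])
            if tampered:
                findings.append((ev["host"], "defender_tampering", ",".join(tampered)))
            if out_of_place(ev["original_file_name"], ev["image"]):
                findings.append((ev["host"], "host_binary_out_of_place", ev["image"]))
        elif ev["type"] == "image_load" and sideload_candidate(ev):
            findings.append((ev["host"], "dll_sideload_candidate", ev["image_loaded"]))
    return findings


# Constructed sample telemetry: ws01 shows the full chain, ws02 is clean.
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "ws01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "original_file_name": "PowerShell.EXE",
     "command_line": ("powershell.exe -ExecutionPolicy Bypass -c Set-MpPreference "
                      "-DisableRealtimeMonitoring $true -DisableIOAVProtection $true "
                      "-MAPSReporting Disabled -SubmitSamplesConsent NeverSend")},
    {"type": "process_create", "host": "ws01",
     "image": r"C:\Windows\MsMpEng.exe",  # dropped copy; placeholder location
     "original_file_name": "MsMpEng.exe",
     "command_line": r"C:\Windows\MsMpEng.exe"},
    {"type": "image_load", "host": "ws01",
     "image": r"C:\Windows\MsMpEng.exe",
     "process_original_file_name": "MsMpEng.exe",
     "image_loaded": r"C:\Windows\payload.dll",  # placeholder DLL name
     "dll_signed": False},
    {"type": "process_create", "host": "ws02",
     "image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "original_file_name": "MsMpEng.exe",
     "command_line": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
    {"type": "process_create", "host": "ws02",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "original_file_name": "PowerShell.EXE",
     "command_line": "powershell.exe -c Get-MpPreference"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(*finding, sep="\t")
```

Keying the out-of-place check on `OriginalFileName` rather than the on-disk name matters because a loader can rename the dropped host binary freely; the version resource inside the PE is what the sensor reports. The tampering regex is deliberately broad (any `-Disable*` switch set to true) so that it also catches parameters not listed in the article.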

Vladimir Kuskov, head of Threat Exploration at Kaspersky, says ransomware gangs and their affiliates are upping their game after high-profile attacks on the Colonial Pipeline and JBS, and many other organisations around the world in the interim.

“This time, REvil operators have carried out a massive attack on MSPs with thousands of managed businesses around the world, infecting them as well,” he adds.

Preventative measures

This instance shows how critical it is to have the proper cyber security tools and processes in place across the supply chain, he says.

Kaspersky products protect against this threat and detect it under the following names:

  • UDS:DangerousObject.Multi.Generic
  • Trojan-Ransom.Win32.Gen.gen
  • Trojan-Ransom.Win32.Sodin.gen
  • Trojan-Ransom.Win32.Convagent.gen
  • PDM:Trojan.Win32.Generic (with Behavior Detection)

To stay protected from modern ransomware attacks, Kaspersky recommends that companies deploy a reliable endpoint security solution, never expose remote desktop services (such as RDP) to public networks unless absolutely necessary, and always use strong passwords for them.

In addition, the security giant advises promptly installing available patches for commercial VPN solutions that provide access for remote employees and act as gateways into the network. It also advises keeping software updated on all devices in use, to prevent ransomware from exploiting vulnerabilities.

Next, Kaspersky says to focus defence strategies on detecting lateral movements and data exfiltration to the Internet, paying special attention to the outgoing traffic to detect cyber criminals' connections.
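The two behaviours this recommendation singles out, lateral movement and exfiltration over outgoing traffic, can both be surfaced from ordinary flow records. The following Python is an added example, not Kaspersky's tooling or anything from the article: it flags internal hosts that open admin-port connections to many distinct internal peers, and hosts whose bytes sent to the Internet are far above the fleet median. The record layout, the admin-port list, the thresholds and the sample flows (which use documentation address ranges) are all constructed assumptions.

```python
"""Lateral-movement fan-out and egress-volume outliers over constructed flow
records (added example). Record layout and thresholds are assumptions."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
ADMIN_PORTS = {135, 445, 3389, 5985}  # RPC, SMB, RDP, WinRM: usual lateral-movement channels


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def lateral_fanout(flows: list[dict], min_peers: int = 5) -> dict[str, int]:
    """Internal sources that reached at least min_peers distinct internal hosts on admin ports."""
    peers = defaultdict(set)
    for f in flows:
        if is_internal(f["src"]) and is_internal(f["dst"]) and f["dport"] in ADMIN_PORTS:
            peers[f["src"]].add(f["dst"])
    return {src: len(p) for src, p in peers.items() if len(p) >= min_peers}


def egress_outliers(flows: list[dict], factor: int = 10) -> dict[str, int]:
    """Hosts whose bytes sent to non-internal destinations exceed factor x the fleet median.
    The median is used as the baseline so one huge sender does not drag it up."""
    sent = defaultdict(int)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            sent[f["src"]] += f["bytes_out"]
    if not sent:
        return {}
    baseline = median(sent.values())
    return {host: total for host, total in sent.items() if total > factor * baseline}


def build_sample_flows() -> list[dict]:
    """Constructed flows: six ordinary workstations plus one host that both scans
    internal SMB and pushes a large volume to an external address."""
    flows = []
    sizes = [1_800_000, 2_000_000, 2_200_000, 2_500_000, 3_000_000, 2_100_000]
    for i, size in enumerate(sizes, start=10):
        flows.append({"src": f"10.0.1.{i}", "dst": "198.51.100.20", "dport": 443, "bytes_out": size})
    # One host sending ~900 MB to a public address.
    flows.append({"src": "10.0.1.50", "dst": "203.0.113.5", "dport": 443, "bytes_out": 900_000_000})
    # The same host opening SMB sessions to eight internal peers.
    for i in range(10, 18):
        flows.append({"src": "10.0.1.50", "dst": f"10.0.1.{i}", "dport": 445, "bytes_out": 4_000})
    # Ordinary traffic: one workstation talking to one file server.
    flows.append({"src": "10.0.1.11", "dst": "10.0.2.5", "dport": 445, "bytes_out": 50_000})
    return flows


if __name__ == "__main__":
    flows = build_sample_flows()
    print("fan-out:", lateral_fanout(flows))
    print("egress outliers:", egress_outliers(flows))
```

Real deployments would baseline per host over time rather than across the fleet in a single window, and would exclude known bulk destinations (backup targets, update CDNs) before applying the egress check; the two functions above are the core of that logic, not the allowlisting around it.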

“Backup data regularly. Make sure you can quickly access it in an emergency when needed. Use the latest Threat Intelligence information to stay aware of actual TTPs used by threat actors,” the company says.

Finally, protect the corporate environment and educate employees. Dedicated training courses, including Kaspersky's free lesson on protecting against ransomware attacks, can help.
