Report shines light on REvil's depressingly simple tactics: Phishing, credential-stuffing RDP servers... the usual

Palo Alto Networks' global threat intelligence team, Unit 42, has detailed the tactics ransomware group REvil has employed to great impact so far this year – along with an estimation of the multimillion-dollar payouts it's receiving.

REvil, also known as "Ransomware Evil" or "Sodinokibi," first hit the cybersecurity scene while working in partnership with a group called GandCrab. Initially it operated like many other ransomware outfits, distributing malicious code through faked adverts and trojan horse downloads – but it soon stepped up its game.

The group, which provides what security wonks have come to term "Ransomware as a Service" or RAAS, has been fingered in some high-profile attacks: Travelex, an entertainment-focused law firm with an A-lister client base; Apple supplier Quanta Computer; a major meat producer; a nuclear weapons contractor; and fashion giant French Connection UK – among many others.

REvil threat actors often encrypted the environment within seven days of the initial compromise. However, in some instances, [they] waited up to 23 days....

Most recently, the group gained access to an estimated 1,500 companies through the Kayesa VSA platform. While the company denied a supply-chain attack, it disabled its Saas platform as a security measure – and, as of this morning, was struggling to recover.

"[REvil] is now among an elite group of cyber extortion gangs that are responsible for the surge in debilitating attacks that have made ransomware among the most pressing security threats to businesses and nations around the globe. This criminal group provides adaptable encryptors and decryptors, infrastructure and services for negotiation communications, and a leak site for publishing stolen data when victims don't pay the ransom demand," claimed John Martineau, principal consultant at Unit 42, in a summary of what he has learned in three years of tracking REvil.

• Ransomware-hit law firm gets court order asking crooks not to publish the data they stole
• IT for service providers biz Kaseya defers decision about SaaS restoration following supply chain attack
• Cyber insurance model is broken, consider banning ransomware payments, says think tank
• Fashion titan French Connection says 'FCUK' as REvil-linked ransomware makes off with data

"For these services, REvil takes a percentage of the negotiated ransom price as their fee. Affiliates of REvil often use two approaches to persuade victims into paying up: they encrypt data so that organizations cannot access information, use critical computer systems or restore from backups, and they also steal data and threaten to post it on a leak site (a tactic known as double extortion)."

According to research carried out by Martineau and colleagues, REvil and its affiliates averaged $2.25m in payouts per breach over the first six months of 2021 – chickenfeed compared to the $70m the group is demanding for a universal decryption tool designed to unlock the data being ransomed as a result of the Kaseya attack.

The methods chosen by the group to gain access to the target systems are depressingly simple, Martineau's report claimed, with the most common methods being as simple as sending a phishing message or attempting to log in to Remote Desktop Protocol (RDP) servers using previously-compromised credentials.

"However," Martineau noted, "we also observed a few unique vectors that relate to the recent Microsoft Exchange Server CVEs, as well as a case that involved a SonicWall compromise."

Once in, REvil attackers cement their access by creating new local and domain user accounts, install Cobalt Strike's Beacon covert payload – a commercial product which apparently delivers a little too well on its promise to "model advanced attackers" for "threat emulation" – and disable antivirus, security services, and other protection systems. The impact is further expanded to other devices on the network, using "various open-source tools to gather intelligence on a victim environment."

It could be a while before the attack is noticed, too – no surprise given how the group often exfiltrates gigabytes of data as part of its ransom approach. "REvil threat actors often encrypted the environment within seven days of the initial compromise," Martineau found. "However, in some instances, the threat actor(s) waited up to 23 days. [They] often used MEGASync software or navigated to the MEGASync website to exfiltrate archived data. In one instance, the threat actor used RCLONE to exfiltrate data.

"As we draw closer to a post COVID-19 environment, IT and other defenders of networks should take time to learn what's normal in their environments and notice and question abnormalities," Martineau concluded. "Investigate them. Question your defences.

"Do all users need to be able to open macro-enabled documents? Do you have endpoint visibility and protections to, at minimum, alert you to secondary infections such as QakBot? If you absolutely need RDP, are you using tokenised MFA? And don't question just once – question routinely. Think like the attacker. You might be able to stop your organisation from being the next victim and escape being in the headlines for the wrong reasons."

"All attacks seem to involve a phishing email along the way, but that is because they are so successful and are not slowing down," Jake Moore, cybersecurity expert at ESET UK, told The Register of the report's findings. "RDP attacks are also on the rise, due to previously compromised credentials, making protection an ever more challenging task.

"No one is 100 per cent safe, but routinely questioning abnormalities will no doubt help secure organisations. However, at the same time it also adds more work for those infosec individuals in charge – making for a more labour-intensive industry."

The full report has been published on the Unit 42 site. ®