REvil isn’t a brand-new ransomware, but it is one that businesses should be aware of. An ambitious ransomware-as-a-service (RaaS), REvil first came to prominence in April 2019, following the demise of another ransomware gang, GandCrab.
The RaaS is known for attempting to extort far larger payments from its corporate victims than those typically seen in other attacks. It is promoted among cyber criminals as the best choice for attacking business networks, where there is more money to be made.
It is capable of stealing data from the computers and networks of its victims before encrypting it – a tactic that applies extra pressure on victims and is becoming more and more commonplace.
As with many ransomware attacks, if the ransoms issued to victims are not paid, REvil threatens to release the stolen data by auctioning it off on its website, an example of which can be seen here.
The “Happy Blog” lists recent victims of REvil and attaches a sample of the stolen data as proof that information has been exfiltrated from the organisation. The REvil gang even offers a “trial” decryption to prove to the victim that their files can be decrypted.
A countdown timer indicates when data leaks will be made public, applying more pressure to companies debating how they should respond.
“Hello – some of your files containing confidential information have been downloaded and are located on our servers. If you refuse to negotiate with us, all documents will be published on the blog and published by the media. If an agreement is reached, the data will be permanently deleted. We advise you to quickly contact us through the support chat.”
This puts businesses in a tough place: a secure backup of their data can support a system restore, but the cyber criminals will still retain a copy of company data, which can cause irreversible damage to a business’ brand and its relationships with customers and suppliers.
The real danger behind ransomware such as REvil is that the creators of these threats are selling them on the Dark Web. While the threats themselves are dangerous and complex in the way they are built, the cyber criminal gangs operating them (the buyers) are not as sophisticated. As a result, more and more ransomware attacks are distributed via phishing campaigns, and more businesses are being targeted.
There are a variety of methods an attacker could use to plant the REvil malware. These include exploiting a vulnerability to gain access to a computer on your company’s network, spear-phishing, or compromising a third-party business partner. The attack may even come from a client or partner who has already fallen victim to the hackers.
Businesses still need to make secure backups, following the rule of three: regular, consistent backups to the cloud, on-site and on-device. Up-to-date security solutions should be running, and devices should be protected with the latest patches against newly discovered vulnerabilities. Sensitive data should be protected with strong, unique passwords, multi-factor authentication and encryption, and staff should be educated about the methods cyber criminals use to infiltrate organisations.