REvil

REvil is a Russia-based cybercriminal group whose name is a fusion of "ransomware" and "evil"; its malware is also known as Sodinokibi. Groups like REvil distribute ransomware, malware that encrypts the victim's files after infection. Once the data has been copied out and made inaccessible to the victim, the group sends a ransom demand. The note typically requires payment in a cryptocurrency such as Bitcoin and warns that the amount doubles if the deadline is missed. Cryptocurrency is used because of its perceived anonymity and because it can be paid online without a bank in the middle.

Unique strategy

REvil puts additional pressure on victims with a double-extortion strategy: it steals data, locks the victim out of their systems, and then threatens to publish or auction the stolen data on its leak site on the dark web.

REvil also rents its ransomware to other criminal groups, who carry out attacks with it and share the proceeds; this model is known as ransomware-as-a-service (RaaS). The May 2021 attack on Colonial Pipeline, a US fuel pipeline operator, was carried out by DarkSide, a group that ran its own RaaS operation; researchers noted similarities between DarkSide's and REvil's code and ransom notes, and DarkSide is believed to have been founded by former REvil affiliates, but it was not a customer of REvil's service.

How the attacks take place

One method is to use previously stolen credentials to gain remote access over Remote Desktop Protocol (RDP) to workstations and servers, and then spread the malware from there. Another common method is phishing, i.e. tricking a person into revealing credentials or opening a malicious attachment. REvil affiliates have also exploited vulnerabilities in internet-facing software; the Kaseya attack described below used a previously unknown flaw in Kaseya's VSA product. Because both the credential and the phishing route end in a remote logon, successful RDP logons from unexpected sources, or following a run of failures, are one of the earliest signals a defender can look for.
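The check just described, as an added example written for this article (it is not REvil tooling or any vendor's code): a small detector that walks Windows Security logon records and flags successful RDP logons that either come from outside the organisation's address ranges or follow a run of failed attempts from the same source. The event records, the internal address ranges and the failure threshold are all constructed assumptions for the example; in practice the records would come from an event forwarder or SIEM export.

```python
"""Flag suspicious RDP logons in Windows Security event records.

Added example for this article, not REvil tooling or any vendor's code.
The records below are constructed to look like the fields of Windows
Security events 4624 (successful logon) and 4625 (failed logon).
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

RDP_LOGON_TYPE = 10        # LogonType 10 = RemoteInteractive, i.e. RDP
FAILURE_THRESHOLD = 5      # failures from one source before a success is suspicious

# Address ranges treated as "inside" the organisation (assumption for this example).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass
class LogonEvent:
    event_id: int          # 4624 = success, 4625 = failure
    logon_type: int
    user: str
    source_ip: str         # "-" when the logon did not come over the network


# Constructed sample, in chronological order. 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for public addresses.
SAMPLE_EVENTS = [
    LogonEvent(4624, 2, "alice", "-"),               # console logon, ignored
    LogonEvent(4624, 10, "bob", "10.0.0.15"),        # RDP from the LAN, fine
    LogonEvent(4625, 10, "admin", "203.0.113.7"),
    LogonEvent(4625, 10, "admin", "203.0.113.7"),
    LogonEvent(4625, 10, "admin", "203.0.113.7"),
    LogonEvent(4625, 10, "admin", "203.0.113.7"),
    LogonEvent(4625, 10, "admin", "203.0.113.7"),
    LogonEvent(4624, 10, "admin", "203.0.113.7"),    # success after 5 failures
    LogonEvent(4624, 10, "carol", "198.51.100.4"),   # RDP straight from the internet
]


def is_external(ip: str) -> bool:
    """True when the source is an address outside INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:       # "-" or a malformed field
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def find_suspicious_rdp(events):
    """Return one alert string per suspicious successful RDP logon.

    Two patterns are flagged: a success preceded by FAILURE_THRESHOLD or more
    failures from the same source (brute force or credential stuffing), and a
    success whose source is outside the internal ranges (RDP exposed to the
    internet, or stolen credentials used from an attacker's host).
    """
    failures = defaultdict(int)
    alerts = []
    for ev in events:
        if ev.logon_type != RDP_LOGON_TYPE:
            continue
        if ev.event_id == 4625:
            failures[ev.source_ip] += 1
            continue
        if ev.event_id != 4624:
            continue
        if failures[ev.source_ip] >= FAILURE_THRESHOLD:
            alerts.append(f"brute-force-then-success user={ev.user} "
                          f"src={ev.source_ip} failures={failures[ev.source_ip]}")
        if is_external(ev.source_ip):
            alerts.append(f"external-rdp-logon user={ev.user} src={ev.source_ip}")
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_rdp(SAMPLE_EVENTS):
        print(alert)
```

Two caveats when running this against real data: a logon through a VPN concentrator or RDP gateway shows the gateway's internal address as the source, so the external check has to be applied at the gateway's own logs instead; and a stolen-credential logon that comes from inside the network with no failures (the attacker already has a valid password) trips neither rule, which is exactly why the MFA recommendation later in this article matters.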

Known attacks

The group has been linked to many known attacks, including one against Quanta Computer, a Taiwanese manufacturer that builds, among other things, laptops for Apple. REvil stole product design documents from Quanta, including schematics of upcoming Apple devices, and demanded a ransom of $50 million. About a month later REvil removed all references to the attack from its leak site, so it is unclear whether Quanta or Apple paid.

Another notorious attack was on the New York law firm Grubman Shire Meiselas & Sacks, after which the group claimed to have obtained documents relating to former President Donald Trump.

On May 30, 2021, the meat processor JBS S.A. was hit by REvil ransomware, forcing the company to temporarily halt all of its US beef plants. JBS paid a ransom of $11 million in Bitcoin to REvil to obtain the decryption key.

On July 2, 2021, REvil attacked Kaseya, whose VSA software is used by managed service providers to administer their customers' networks, systems and IT infrastructure, and pushed ransomware out through it to those customers. REvil demanded $70 million for a universal decryptor. Among the victims was the Swedish Coop grocery chain, which had to close around 800 stores for several days because its checkout systems were down.

On July 13, 2021, REvil's websites and other infrastructure went offline. The group's leak site briefly returned in the autumn before being taken down again, and in January 2022 Russia's FSB announced that, at the request of US authorities, it had raided and arrested a number of the group's members and dismantled the group.

It is important to note that REvil, unlike state-sponsored groups, is almost exclusively financially motivated.


How to protect your organization against ransomware

Even though REvil focuses on large organizations, smaller organizations are exposed to similar attacks, not least from the affiliates who rent the ransomware. Therefore, review your vulnerabilities regularly and question your security controls: think like the attacker.

Here are some recommendations to combat ransomware:

- Settings and permissions: Review your system configuration and policies. Review permissions and access rights, and make sure users run with the least privilege needed to do their work; ransomware running as a low-privileged user can reach far fewer files and shares.

- Reduce the attack surface: Filter malicious emails and attachments before they are delivered to users, and do not expose RDP directly to the internet; put remote access behind a VPN or gateway.

- Make backups: To restore systems hit by ransomware, you need backups that are kept offline or otherwise out of reach of a compromised account, and rehearsed routines for restoring from them and verifying that what comes back is intact.

- Introduce multifactor authentication: To stop stolen credentials from being used for remote access, MFA should be required on all accounts in the organization, starting with remote-access and administrative accounts.

- Patch systems regularly: Have a process that enables timely patching of all devices and applications, with priority given to internet-facing systems.
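The backup recommendation above is only useful if the restore routine is exercised and its result checked. The following is an added example written for this article (not code from any backup product): it builds a SHA-256 manifest of a backup set and, after a restore, reports which files are intact, missing or modified, and which modified files have the high byte entropy typical of ciphertext. The directory contents, the entropy threshold and the 1 MiB sampling size are assumptions of the example.

```python
"""Hash manifest for a backup set, with a restore check that spots files
replaced by ciphertext.

Added example for this article, not from any backup product. The manifest is
the thing you keep separately from the backup itself; the check is what a
restore drill should run. All file contents below are constructed.
"""
import hashlib
import math
import os
import shutil
import tempfile
from pathlib import Path

# Byte entropy at or above this is treated as "looks encrypted". Compressed
# formats (zip, jpeg, docx) also score high, so this is a hint, not proof.
ENTROPY_THRESHOLD = 7.5
SAMPLE_BYTES = 1 << 20     # entropy is computed over at most the first 1 MiB


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def byte_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty, 8.0 for uniform random)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def build_manifest(root) -> dict:
    """Map relative POSIX path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored_root) -> dict:
    """Compare a restored tree against the manifest.

    Returns lists of paths that are intact, missing or modified; modified
    files whose content is high-entropy are also listed as likely_encrypted.
    """
    restored_root = Path(restored_root)
    report = {"ok": [], "missing": [], "modified": [], "likely_encrypted": []}
    for rel, digest in manifest.items():
        p = restored_root / rel
        if not p.is_file():
            report["missing"].append(rel)
            continue
        if sha256_file(p) == digest:
            report["ok"].append(rel)
            continue
        report["modified"].append(rel)
        with open(p, "rb") as f:
            if byte_entropy(f.read(SAMPLE_BYTES)) >= ENTROPY_THRESHOLD:
                report["likely_encrypted"].append(rel)
    return report


def demo():
    """Constructed scenario: a source tree, a clean restore, and a restore in
    which one file was overwritten with random bytes (standing in for
    ransomware output) and another deleted. Returns both reports."""
    work = Path(tempfile.mkdtemp())
    try:
        src = work / "src"
        src.mkdir()
        (src / "report.docx").write_bytes(b"quarterly figures " * 200)
        (src / "notes.txt").write_bytes(b"meeting notes\n" * 50)
        manifest = build_manifest(src)

        shutil.copytree(src, work / "good")
        shutil.copytree(src, work / "bad")
        (work / "bad" / "report.docx").write_bytes(os.urandom(4096))
        (work / "bad" / "notes.txt").unlink()

        return verify_restore(manifest, work / "good"), verify_restore(manifest, work / "bad")
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    good, bad = demo()
    print("clean restore:", good)
    print("tampered restore:", bad)
```

The manifest must live somewhere the ransomware operator cannot reach, otherwise it is simply re-generated over the encrypted files; store it with the offline copy or sign it. The entropy check exists because a backup job that ran after the encryption started will faithfully copy ciphertext, and a hash mismatch alone does not tell you whether a file was legitimately edited or encrypted.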
