No Two REvil Attacks Are the Same, Experts Warn

No two criminal groups deploy the infamous REvil ransomware variant identically, adding to the challenge for those tasked with detecting and responding to such attacks, according to a new report.

The new study from Sophos details the activity of the affiliates who license the malware itself and handle the break-ins. This ransomware-as-a-service (RaaS) model now accounts for the majority of attacks in the wild.

Initial network access could come from brute-forcing internet-facing services like VPNs, RDP, VNC, and cloud-based management systems. Or it could come from phished or otherwise stolen credentials for legitimate accounts not protected by multi-factor authentication (MFA). Or in some cases, from “piggybacking” from other malware already present on the network.

Brute force password cracking attempts on RDP servers is common: Sophos revealed that one customer experienced 35,000 failed login attempts over a five-minute period, originating from 349 unique IP addresses around the world. 

Suppose they don’t have a functioning credential. In that case, the REvil affiliates are then likely to bide their time, monitoring the target network and/or using tools like Mimikatz to extract passwords for a domain administrator account.

The next stage involves preparing the victim network for a ransomware attack, which Sophos principal researcher, Andrew Brandt, calls “tilling the field.”

“The attackers need to establish a list of internal targets, give themselves domain admin privileges, and use those privileges to shut down or otherwise hobble anything that might impede their attack,” he explained.

“Windows Defender is usually the first to go, but often the attackers will spend some time trying to determine what endpoint protection tools are running on the computers, and may run one or more customized scripts that combine an attempt to kill any running protection process or services, and also to remove any persistence those processes or services might have.”

A tell-tale sign of malicious activity here is the presence of PowerShell scripts, batch files, or other “laying the groundwork” code used to disable protective features.

Next comes data exfiltration, a practice that should be detectable “but never happened in the cases we investigated,” according to Brandt.

REvil affiliate attackers typically spend a few days looking through file servers and bundling large numbers of docs into compressed files in a single location. It’s then usually uploaded to a cloud storage service over the course of a few hours or a day, with Mega.nz favored by most attackers.

There’s a wide variety of different ways to launch the ransomware payload itself, Sophos explained.

“They may push out copies to individual machines from a domain controller, or use administrative commands with WMIC or PsExec to run the malware directly from another server or workstation they control over the internal network of the target organization,” said Brandt.

Another option for REvil affiliates is to reboot a hijacked computer into Safe Mode, with the REvil malware adding itself to the shortlist of apps that can run in this mode.

“In others, we’ve observed the threat actor using WMI to create service entries on the machines they target for encryption,” said Brandt. “The entries contain a long, encoded command string that is impossible to decode unless you know the specific variables it was looking for.”

The sheer variety of REvil affiliate attacks, and by implication, those of other popular ransomware types, may appear challenging, but there are some helpful common best practices.

Sophos recommended MFA and strong passwords, Zero Trust and segmentation, prompt patching of all assets and the locking down of internet-facing services like RDP, among other steps.

What’s Hot on Infosecurity Magazine?