REvil Ransomware Group Reemerges, Already Wreaking Havoc
There is no evidence suggesting there was a political link between the disappearance and reemergence of REvil.
Channel Futures: Are we likely to see REvil now carrying out more attacks? If so, how?
Maria Gershuni: In a word, yes. Flashpoint analysts have observed evidence that suggests REvil ransomware attacks are currently ongoing, and believe it is very likely that these attacks will continue.
The method of these attacks will likely mirror previous ones. REvil ransomware is primarily spread through compromised remote desktop protocol (RDP) sessions, phishing and software vulnerabilities. In an interview with Russian-language Telegram channel Russian OSINT, a REvil spokesperson said that the group’s affiliates have used brute-force attacks in order to gain access to RDP. If a company pays the ransom, REvil has been known to give working decryption keys and refrain from posting stolen information on their leaks blog. If an organization or entity refuses to pay demanded ransom, REvil will leak stolen information on their leaks blog, known as Happy Blog, and refuse to provide a decryption key.
CF: Is there anything new or different about this latest REvil? If so, how?
MG: For the most part, it seems that the group is following traditional REvil tactics, techniques and procedures (TTPs). However, there are several new developments that cyber threat intelligence teams and cybersecurity researchers should be aware of and look out for.
REvil’s prolific spokesperson on illicit Russian-language forums—who operated under the username UNKN or Unknown—is no longer active. A threat actor operating under the alias REvil on the Russian-language illicit forum Exploit appears to have replaced UNKN. As an additional point of reference, Unknown was banned on the illicit Russian-language forum XSS.
Also, REvil will be operating in a larger threat-actor ecosystem that is far more hostile to ransomware collectives than the one in which they previously operated. Several high-profile ransomware attacks, such as the Colonial Pipeline attack by Darkside and the REvil Kaseya attack, caused increased law enforcement scrutiny of illicit forum and cybercrime operations. The operators of some major illicit forums, such as XSS and RaidForums, banned ransomware advertising. Some threat actors not involved in ransomware welcomed the ban, hoping to divert law enforcement attention from their operations. REvil now has to resort to other means, such as Jabber and chat services, to recruit potential partners and affiliates.
CF: What should organizations be doing to protect themselves from REvil and other ransomware groups?
MG: Proactively monitoring the cyber threat landscape can go a long way towards preventing and protecting against a ransomware attack. Flashpoint recommends the following actions:
- Monitor illicit communities for the newest targeting techniques, breached data for sale, and technologies that are being targeted.
- Implement multifactor authentication (MFA), password change and password complexity.
- Monitor bot shops for employee access to corporate domains.
- Monitor trending vulnerabilities and exploits being discussed in illicit communities to prioritize your patch-management process.
- Review the CISA Stop Ransomware site for additional tips.
Palo Alto Networks’ Unit 42 Threat Intelligence team has identified the first known vulnerability that could allow one user of a public cloud service to break out of their environment and execute code on environments belonging to other users in the same public cloud service.
This unprecedented cross-account takeover affected Microsoft’s Azure Container-as-a-Service (CaaS) platform. Researchers named the finding Azurescape because the attack started from a container escape, a technique that enables privilege escalation out of container environments.
Unit 42 said Microsoft took swift action to fix the underlying issues as soon as it reported them to the Microsoft Security Response Center (MSRC).
“We’re not aware of any Azurescape attacks in the wild, but it is possible that a malicious user of the Azure Container Instances (ACI) platform could have exploited the vulnerability to execute code on other customers’ containers, without any prior access to their environment,” Unit 42 said.
Josh Angell is managing consultant at nVisium, which provides application security services.
“Since it’s a two-year-old vulnerability with a patch, I’d call this a lesson learned in the importance of updating your services and libraries to ensure they’re running the latest versions with all of the security patches in those services,” he said. “It is imperative for security teams to ensure they update their services and libraries, which was done quickly once this issue became known.”
It is a well-known tactic that attackers most often identify older versions of services and libraries and then research vulnerabilities within those outdated components, Angell said. That makes it easier to gain a foothold in the system.
“You leave yourself wide open to situations like these by keeping vulnerable components exposed — you’re essentially providing adversaries an instruction manual titled how to break my system,” he said. “While the situation may be unprecedented, it’s not unprecedented to gain a foothold into a cluster in this manner given it’s a vulnerability that’s existed for over two years.”
Douglas Murray is CEO at Valtix, a cloud network provider.
“There’s no doubt that the public cloud is an incredible enabler of business agility and net positive for organizations making the cloud transition,” he said. “However, what Azurescape and other such platform service vulnerabilities continue to highlight is that the already difficult task of security is different in the cloud. Zero-day vulnerabilities will continue to occur and the shared responsibility model often complicates remediation. In the end, the lesson learned is that same lesson we’ve known for many years – defense-in-depth is essential.”
Microsoft this week shared mitigation for a remote code execution vulnerability in Windows that is being exploited in targeted attacks against Office 365 and Office 2019 on Windows 10.
Microsoft and CISA are warning of a new zero-day vulnerability being exploited in targeted attacks against Office users.
“Exploitation of this vulnerability may allow a remote attacker to take control of an affected system,” the CISA said. “This vulnerability has been detected in exploits in the wild.”
An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
John Bambenek is principal threat hunter at Netenrich, a digital IT and security operations company.
“Malicious office docs are a go-to favorite for cybercriminals and hostile nation-states,” he said. “This vulnerability allows more direct exploitation of a system than the usual tricking users to disable security controls. As this is already being exploited, immediate patching should be done. However, this is a stark reminder that in 2021, we still can’t send documents from point A to point B securely.”
Casey Ellis is founder and CTO of Bugcrowd, a crowdsourced cybersecurity platform.
“The good news is that this vulnerability is client-side and requires user interaction,” he said. “A patch is also available. Unfortunately, that’s the end of the good news. Exploit complexity appears quite low, the impact is very high, and its weaponized form is useful in many different attacks including the installation of ransomware. The consistent challenge with client-side vulnerabilities like this one is that there are a lot of systems that need to be patched, which means they stay available for exploitation to attackers for quite some time.”
Snyk, a cloud-native application security provider, this week announced its Series F funding round totaling $530 million. With this round, Snyk has raised $775 million to date and is now valued at $8.5 billion, triple its value at the beginning of 2021.
Snyk has already achieved a number of milestones in 2021 following the company’s Series E financing and expansion into Asia Pacific Japan earlier this year.
So far this year, Snyk has:
- Increased annual recurring revenue (ARR) by 154% year-over-year.
- Grown its customer base to more than 1,200 companies, from established enterprise leaders to emerging hypergrowth technology players.
- Hired and onboarded 320 employees, with projections to end the year with more than 800 employees worldwide.
- Delivered more than 40 new product features.
- Successfully acquired FossID to expand license compliance and programming language capabilities.
Peter McKay is Snyk’s CEO.
“This new investment, together with the rapid adoption of our platform and growing customer base, validates our developer security vision,” he said. “When security starts with the world’s expanding pool of developers – estimated to reach 45 million by 2030 – organizations of all sizes will be able to truly reap the rewards of digital transformation, while also making the world’s software safer.”
The REvil ransomware group, which was behind the attack on Kaseya just before the July 4th weekend, is back after a brief disappearance.
Flashpoint’s threat intelligence team has observed new activity from the REvil ransomware group. The group posted twice on the illicit Russian-language forum Exploit to address and clarify what happened during the Kaseya-related key generation process and the human error that apparently caused the universal key to be leaked.
In the weeks following the attack, Kaseya said it acquired a universal decryptor allowing victims of the attack to unlock encrypted files for free.
In one of its Exploit posts, REvil explains how it lost control of the universal decryptor:
“Our encryption process allows us to generate either a universal decryptor key or individual keys for each machine. Then, in the process of generating the keys, we had to generate between 20 and 500 decryption keys for each [individual] victim [because the victims of the Kaseya attack all had networks of different sizes]. One of our coders misclicked and generated a universal key, and issued the universal decryptor key along with a bunch of keys for one machine.”
REvil Ransomware Group ‘Fully Operational’
According to Flashpoint, “for all intents and purposes, it appears that REvil is fully operational after its hiatus.”
“Evidence also points to the ransomware group making efforts to mend fences with former affiliates who have expressed unhappiness with the group’s disappearance,” it said.
Flashpoint cybersecurity and threat intelligence analysts said there is no evidence suggesting there was a political link between the disappearance and reemergence of REvil.
Also, in its latest posts, REvil says victims of the Kaseya attack paid $10 million in ransoms.
What Reemergence Means
So what does the reemergence of REvil mean? We spoke with Maria Gershuni, global intel analyst II with Flashpoint.
Channel Futures: What does this reemergence of REvil mean? Is it surprising that REvil is back?
Maria Gershuni: While this development is significant, it is not surprising. Flashpoint analysts have long observed chatter on illicit forums discussing a possible reemergence of the group. However, most chatter believed that the group would reemerge under a new name. They were wrong.
After REvil first disappeared, discussion circulated on whether the disappearance had geopolitical implications. Prompted by REvil’s attack, U.S. President Biden issued an ultimatum to Russian President Putin in a July 2021 phone call, telling his Russian counterpart to step up and deal with the ransomware collectives that are operating within Russian territory.
Researchers commonly believe that cybercriminals who operate in Russia receive safe harbor from domestic law enforcement in exchange for the criminals’ tacit agreement to not attack Russian entities. REvil’s disappearance, less than a week after the Biden-Putin phone call, seemed to point to the Russian government’s cooperation with U.S. requests and may have signaled a potential cyber rapprochement in dealing with cybercriminal organizations. The reemergence of REvil, however, puts a damper on hopes that Russia and the U.S. would cooperate to combat cybercrime.