Sophos: REvil Ransomware Group Most Active in Targeting Businesses
Unfortunately, there is no simple answer and no silver bullet to stopping ransomware.
Sophos has zeroed in on the notorious REvil ransomware group, which launches human-orchestrated attacks that come with ransom demands.
In a recent blog, Sophos details how it and a targeted company’s IT team were locked in live combat with the adversaries behind the attack. The REvil ransomware attackers who targeted the midsize media company sought to secure a multimillion-dollar payout.
The REvil ransomware group attack ultimately failed, but not before the attackers encrypted the data on unprotected devices, deleted online backups, and decimated one online and undefended domain. The company has yet to fully recover.
REvil, also known as Sodinokibi, is a widely used, conventional ransomware-as-a-service (RaaS) offering that’s been around since 2019. Criminal customers can lease the REvil ransomware from its developers. Furthermore, they can add their own tools and resources for targeting and implementation.
As a result, the approach and impact of an attack involving REvil ransomware are highly variable, according to Sophos. This can make it hard for defenders to know what to expect and look out for.
In a Q&A with Channel Futures, Peter Mackenzie, incident response manager at Sophos, talks more about the REvil ransomware group.
Channel Futures: Is REvil an especially fast-moving attack? What should organizations’ first course of action be if they’re hit with REvil?
Peter Mackenzie: Affiliates do REvil attacks. They use a variety of techniques and styles, which means the time the attacker is on the network can differ greatly. Most are, however, a few days up to a few weeks prior to the ransomware deployment.
Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.