Sophos: REvil Ransomware Group Most Active in Targeting Businesses
Channel Futures: Is REvil an especially dangerous and increasingly widespread threat? If so, why?
Sophos’ Peter Mackenzie: REvil is the most active ransomware group targeting businesses at the moment. In recent weeks, the number of attacks has increased significantly. This is likely due to other ransomware-as-a-service (RaaS) groups such as DarkSide and Avaddon shutting down, and the affiliates moving over to REvil.
CF: Is REvil evolving? Is it becoming more difficult to fight? If so, how?
PM: Any active ransomware group is always looking for a way to improve the ransomware, either the encryption process or its ability to execute undetected. REvil also just added a Linux version to target VMware’s ESXi hosts, adding to the potential damage a victim can expect.
CF: We’re increasingly being told you should never pay a ransom. Is that true if hit with REvil? If so, why?
PM: Nobody wants to pay a ransom, even if you ignore the fact that you are essentially sponsoring the next attack and funding criminal organizations who might be using that money for a wide range of criminal activities. The reality of modern, human-led ransomware attacks is that when they succeed they can be truly devastating to an organization, to the point where the only options are to pay or to close the business.
CF: What can MSSPs and other cybersecurity providers do to help protect organizations against REvil?
PM: Unfortunately, there is no simple answer and no silver bullet to stopping ransomware. However, organizations of all sizes can avoid being the low-hanging fruit by taking some simple measures. First, ensure every single computer on your network has security software installed and managed centrally. Attackers love unprotected machines. Next, ensure they are getting patches regularly. And remember, if a computer has not rebooted for a year, then it likely has not applied any patches either. Another very important aspect of security is to make sure you have someone reviewing what is being detected on your network and investigating suspicious activity.
Software alone is not enough to stop advanced threat actors. Think of your cybersecurity in the same way you do for physical CCTV systems. Having the security in place may act as a deterrent and may slow an attacker down, but by itself it will not stop them, just provide you the evidence of what happened afterward. For the best cybersecurity, you need people watching what is happening and reacting to it live. That is what can make the biggest difference.
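An added defender-side check (example code, not from Sophos or the article) that applies the hygiene criteria Mackenzie lists: it flags hosts without centrally managed security software, hosts whose last patch is stale or missing, hosts that have been up longer than a year, and hosts with detections nobody has reviewed. The thresholds, host names and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Thresholds are assumptions chosen for this example, not figures from the interview.
MAX_UPTIME_DAYS = 365        # "not rebooted for a year"
MAX_PATCH_AGE_DAYS = 30      # "getting patches regularly"


@dataclass
class Host:
    name: str
    managed_av: bool             # security software installed and centrally managed
    last_boot: date
    last_patch: Optional[date]   # None = no patch ever recorded
    unreviewed_alerts: int       # detections nobody has looked at


def triage(host: Host, today: date) -> List[str]:
    """Return the reasons this host counts as low-hanging fruit (empty if none)."""
    reasons = []
    if not host.managed_av:
        reasons.append("no centrally managed security software")
    uptime = (today - host.last_boot).days
    if uptime > MAX_UPTIME_DAYS:
        reasons.append(f"up {uptime} days; patches likely not applied")
    if host.last_patch is None:
        reasons.append("no patch ever recorded")
    elif (today - host.last_patch).days > MAX_PATCH_AGE_DAYS:
        reasons.append(f"last patch {(today - host.last_patch).days} days ago")
    if host.unreviewed_alerts:
        reasons.append(f"{host.unreviewed_alerts} detections not reviewed")
    return reasons


def report(hosts: List[Host], today: date) -> dict:
    """Map hostname -> reasons for every host that needs attention, worst first."""
    flagged = {h.name: triage(h, today) for h in hosts}
    return dict(sorted(((n, r) for n, r in flagged.items() if r),
                       key=lambda kv: -len(kv[1])))


# Constructed sample inventory (hypothetical hosts, not from the article).
SAMPLE_HOSTS = [
    Host("fileserver01", True, date(2020, 5, 1), date(2020, 6, 15), 3),
    Host("laptop-hr-07", False, date(2021, 6, 20), None, 0),
    Host("web-dmz-02", True, date(2021, 7, 3), date(2021, 7, 3), 0),
]
TODAY = date(2021, 7, 10)   # fixed "today" so the results are reproducible

if __name__ == "__main__":
    for name, reasons in report(SAMPLE_HOSTS, TODAY).items():
        print(name + ": " + "; ".join(reasons))
```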
According to Bloomberg Law, the Justice Department opened a record number of False Claims Act cases last year involving allegations of health-care fraud.
The department is targeting those who misuse electronic health records, contribute to the opioid epidemic, abuse senior citizens, manipulate Medicare’s managed care program, and improperly claim COVID-19 relief funds.
The pandemic has dramatically increased the digital side of health care for end users and patients. That’s led to an abundance of valuable medical data and growing fraud schemes.
Beth Griffin is vice president of Mastercard’s cyber and intelligence health care unit.
“We are seeing significant growth in health care fraud cases involving cybercrime,” she said. “Cybercrime attacks have been a growing problem for the industry and are especially increasing in frequency during the pandemic. In 2020, health care data breaches were up 25% in the U.S. from the previous year. The criminals are taking advantage of the increasing move to digital engagement in health care and infiltrating where there are security gaps. There can be gaps in how the data is being stored, vulnerabilities in people accessing data from mobile devices and gaps in relationships with third-party vendors.”
With the increase in ransoms being paid by organizations held hostage, criminals are emboldened to continue their attempts, and health care organizations are a lucrative target because of their data, Griffin said.
“Medical records can be 50 times more valuable than payment card information,” she said. “Criminals can use it to set up fake medical businesses or file false claims with insurance companies. Stolen data can include personally identifiable information for patients and their relationships with their health care providers, which could be harnessed for phishing or ransomware scams.”
Health care organizations should establish a comprehensive set of solutions, including both technology and processes, to protect themselves, Griffin said. That includes cybersecurity solutions to protect their own organization’s systems, as well as to secure their data from gaps in third-party vendor software, where criminals often look for a way into an organization.
In addition, digital ID verification, artificial intelligence (AI) to proactively identify and mitigate fraud, and employee security training can help, she said.
“It’s hard to predict the future, but we can expect fraudsters to continue to take advantage of the security weaknesses of health care organizations and of their employees, both at work and in their personal digital interactions,” Griffin said.
Jamf, the provider of Apple enterprise management, has completed its acquisition of Wandera, a provider of zero-trust cloud security and access.
This acquisition positions Jamf to help IT and security teams protect devices, data and applications while extending the intended Apple experience through Jamf’s platform.
Both Jamf and Wandera integrate with cloud identity providers to ensure secure access to company resources. While Jamf allows users to leverage their single identity and biometrics to access their Mac and cloud applications, Wandera is a zero-trust network access (ZTNA) solution that replaces legacy conditional access and VPN technology. It ensures that after a user authenticates their device, business connections are secured, while enabling non-business applications to route directly to the internet.
Josh Jagdfeld is Jamf’s senior director of partner marketing.
“Today’s version of where work happens is so different than it has ever been in the past,” he said. “And it has all been driven by employees working from more places on a range of different networks and devices than ever. This environment, paired with the unbelievable growth in risks for employees around keeping corporate data secure with all of these variables, presents an unbelievable opportunity for solution providers and security partners to help solve. We’re so excited to see our partners run to build solutions to these problems and to help grow awareness of solutions for enterprise organizations.”
Wandera’s Apple-first mobile security solutions have led to iOS and iPadOS representing a majority of the devices Wandera secures, Jagdfeld said.
“Wandera’s solution is entirely complementary to Jamf’s, without overlap, making the eventual combination a compelling and unique solution for organizations who embrace Apple’s ecosystem,” he said. “Coupled with the work we’ve already done and plan to do, this announcement will lead Jamf to transform the enterprise user experience and make sure everyone who wants Apple can use Apple, and they can feel confidently that they’re doing so with the security tools they need to protect their organization and employees.”
Sophos has zeroed in on the notorious REvil ransomware group, which launches human-orchestrated attacks that come with ransom demands.
In a recent blog, Sophos details how it and a targeted company’s IT team were locked in live combat with the adversaries behind the attack. The REvil attackers who targeted the midsize media company sought a multimillion-dollar payout.
The REvil ransomware group attack ultimately failed, but not before the attackers encrypted the data on unprotected devices, deleted online backups, and decimated one online and undefended domain. The company has yet to fully recover.
REvil, also known as Sodinokibi, is a widely used, conventional ransomware-as-a-service (RaaS) offering that’s been around since 2019. Criminal customers can lease the REvil ransomware from its developers. Furthermore, they can add their own tools and resources for targeting and implementation.
As a result, the approach and impact of an attack involving REvil ransomware is highly variable, according to Sophos. This can make it hard for defenders to know what to expect and look out for.
In a Q&A with Channel Futures, Peter Mackenzie, incident response manager at Sophos, talks more about the REvil ransomware group.
Channel Futures: Is REvil an especially fast-moving attack? What should organizations’ first course of action be if they’re hit with REvil?
Peter Mackenzie: Affiliates do REvil attacks. They use a variety of techniques and styles, which means the time the attacker is on the network can differ greatly. Most are, however, a few days up to a few weeks prior to the ransomware deployment.
Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.