REvil Ransomware Overview

TIR-20210614 Executive Summary

This is a Threat Actor Profile on REvil, a ransomware-as-a-service (RaaS) syndicate. Believed to operate from inside Russia, they were first observed in April of 2019. In June of 2019, the Federal Bureau of Investigation received notice of REvil (and its variants Sodin and Sodinokibi) being used to exploit Managed Service Providers and spread ransomware through the MSP’s client network. Since then, the group has grown to become a highly connected service provider with a claimed revenue of $100 Million per year and goals to grow their income to at least $1 Billion per year. AdvIntel Andariel served as the primary source of information for this report.

REvil Ransomware Tactics, Techniques, and Procedures

REvil is known to use many of the common RaaS techniques, including masquerading as a legitimate process, phishing emails that rely on user execution, and brute forcing Remote Desktop Protocols (RDP). 

REvil is particularly notable for targeting service providers and their clients, such as what happened to the law firm Grubman Shire Meiselas & Sacks in May of 2020. REvil representatives have claimed they exploited a basic vulnerability in Citrix as their breach method. After targeting the firm, the group launched similar attacks against many of the firm’s clients.

Most recently, REvil has been connected to the attack on the JBS Meat Company. This attack highlights a development in RaaS, as REvil partnered with another cyber-crime group QBot to upload malware to the target. This operation is in line with statements made by a representative of REvil in October of 2020, indicating that the group was interested in partnering with other syndicates to increase the pool of available targets.

Strategic Impact

• Loss of Confidentiality – data exfiltration exposes sensitive information to the entire world, including competitors and critics.
• Loss of Integrity – breaches that allow for data encryption could also allow syndicates like REvil to modify data.
• Financial Loss - the ransom itself; legal advice & representation; incident response & recovery.
• Loss of Productivity - business closure during remediation can put the impacted organization behind its service agreements with clients.
• Loss of Reputation – clients will lose confidence that sensitive information is properly protected, resulting in further financial loss.
• Client and Customer Financial Loss – if clients or customers are targeted by follow-up attacks, they may suffer a significant enough loss that eliminates their ability to continue paying for service. 

Our Recommendations

• Implement and maintain access control lists of users who are allowed access to RDP.
• Ensure backup and recovery strategies are routinely scheduled.
• Implement regular patching to ensure existing vulnerabilities are sealed.
• Implement strong password protocols and multi-factor authentication at every level of access.
• Implement monitoring across as much of the organization’s digital presence as possible. Be on watch for Indicators of Compromise (IoC) by both REvil, QBot, and any other associated syndicates.
• Implement advanced intelligence gathering to maintain an up-to-date list of known IoC’s and ensure these lists are available to the Security Analysts as newly implemented rules and manually available lists.
• Implement end-user training to harden the human component against phishing campaigns and Social Engineering.
• Whenever possible, solicit the advice and representation of legal counsel prior to an event; this may be the first call in a ransom situation.

Sources

• https://www.advanced-intel.com/post/inside-revil-extortionist-machine-predictive-insights
• https://www.advanced-intel.com/post/an-interview-with-unkn-sheds-light-on-revil-s-operations-future-victims
• https://www.advanced-intel.com/post/from-qbot-with-revil-ransomware-initial-attack-exposure-of-jbs

Supporting Documentation

• https://www.avertium.com/the-rise-of-raas-gangs-what-you-need-to-know

MITRE Mapping(s)

• https://attack.mitre.org/software/S0496/
• https://attack.mitre.org/groups/G0115/
• https://attack.mitre.org/software/S0591/
  

Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.

This informed analysis is based on the latest data available.