With well-known companies impacted by REvil in every sector, including tech, it’s time to get a better understanding of who they are and what makes their ransomware so successful.
According to ransomware response company Coveware, REvil/Sodinokibi had the largest market share among ransomware variants earlier this year. This isn't surprising, considering how well they have evolved their Ransomware-as-a-Service model.
Remember, REvil likely isn't the threat actor attacking a given organization; the group builds and maintains the ransomware and its infrastructure, while its "affiliates" carry out the actual intrusions.
Security researchers at Palo Alto Networks found a variety of initial attack vectors , including:
Coveware found the very same methods, with phishing, RDP access, and software vulnerabilities accounting for the initial attack vector in well over 95% of the cases they saw.
According to Palo Alto, a combination of Cobalt Strike BEACON, the remote access software ScreenConnect and AnyDesk, and the creation of new local and domain accounts gives REvil affiliates persistent access to the victim network. Mimikatz and ProcDump are then used to harvest elevated credentials for the later infection phase.
For discovery, affiliates use everything from built-in tools like netstat and ipconfig to Active Directory mapping tools like BloodHound and AdFind to map out systems.
Many cases of infection are carried out with the legitimate administration tool PsExec fed a text file containing a list of internal IP addresses. Encryption usually happens within 7 days of initial compromise but, in some cases, took as long as 23 days.
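The persistence, credential access, discovery and PsExec deployment steps above each leave footprints in Windows event data. The following hunt script is an added example, not code from the original post or from Coveware or Palo Alto: it runs simple detection logic over constructed Windows Security, Sysmon and System event records. The tool-name list, the event IDs chosen, and the sample records are assumptions drawn from the behaviours the article describes, not a complete signature set.

```python
"""
Hunt for the REvil affiliate tradecraft described in the article in
Windows event data. Added example; the records in SAMPLE_EVENTS are
constructed, not real telemetry, and TOOLS is an assumed, incomplete list.
"""
import re
from collections import Counter

# Tool image names keyed by intrusion phase (assumption based on the article).
TOOLS = {
    "credential_access": {"mimikatz.exe", "procdump.exe", "procdump64.exe"},
    "discovery": {"adfind.exe", "sharphound.exe", "bloodhound.exe"},
    "remote_access": {"screenconnect.clientservice.exe",
                      "screenconnect.windowsclient.exe", "anydesk.exe"},
    "lateral_movement": {"psexec.exe", "psexec64.exe", "psexesvc.exe"},
}

# PsExec runs its command on every host listed in a file when given "@<file>";
# a text file of internal IPs is exactly how the article describes mass infection.
PSEXEC_HOSTFILE = re.compile(r"psexec(64)?(\.exe)?\s+.*@\S+\.txt", re.IGNORECASE)


def classify(event):
    """Return a list of (phase, detail) findings for one event dict."""
    findings = []
    eid = event.get("EventID")
    if eid in (1, 4688):  # Sysmon / Security process creation
        image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
        cmd = event.get("CommandLine", "")
        for phase, names in TOOLS.items():
            if image in names:
                findings.append((phase, f"{image} on {event.get('Computer')}"))
        if PSEXEC_HOSTFILE.search(cmd):
            findings.append(("mass_deployment", f"psexec with host file: {cmd}"))
    elif eid == 7045 and event.get("ServiceName", "").upper() == "PSEXESVC":
        # PsExec installs its PSEXESVC service on each target; the System log
        # on the target records it as a 7045 "new service installed" event.
        findings.append(("lateral_movement",
                         f"PSEXESVC installed on {event.get('Computer')}"))
    elif eid == 4720:  # Security: a user account was created
        findings.append(("persistence",
                         f"account {event.get('TargetUserName')} created by "
                         f"{event.get('SubjectUserName')}"))
    return findings


def hunt(events):
    """Run classify() over every event; return findings and a per-phase count."""
    findings = [f for e in events for f in classify(e)]
    return findings, Counter(phase for phase, _ in findings)


# Constructed sample events (hypothetical hosts and users, not real data).
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "Image": "C:\\Windows\\System32\\ipconfig.exe",
     "CommandLine": "ipconfig /all"},
    {"EventID": 1, "Computer": "WS01",
     "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\AnyDesk.exe",
     "CommandLine": "AnyDesk.exe --silent"},
    {"EventID": 4688, "Computer": "WS01", "Image": "C:\\Temp\\procdump64.exe",
     "CommandLine": "procdump64.exe -ma lsass.exe lsass.dmp"},
    {"EventID": 1, "Computer": "WS01", "Image": "C:\\Temp\\AdFind.exe",
     "CommandLine": "AdFind.exe -f objectcategory=computer"},
    {"EventID": 4720, "Computer": "DC01", "SubjectUserName": "jdoe",
     "TargetUserName": "svc_backup2"},
    {"EventID": 1, "Computer": "WS01", "Image": "C:\\Temp\\PsExec.exe",
     "CommandLine": "PsExec.exe @C:\\Temp\\ips.txt -d -s cmd /c C:\\Temp\\r.exe"},
    {"EventID": 7045, "Computer": "FS01", "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"EventID": 7045, "Computer": "FS02", "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
]

if __name__ == "__main__":
    found, summary = hunt(SAMPLE_EVENTS)
    for phase, detail in found:
        print(f"[{phase}] {detail}")
    print(dict(summary))
```

The built-in netstat and ipconfig run in the first sample record produce no finding on their own, which is the point: legitimate tools only become interesting in sequence with the others. In a real deployment the interesting signal is the combination of a new account, a credential dumper and a burst of PSEXESVC installs across many hosts within a short window, so a practitioner would feed the per-phase counts into a time-bucketed correlation rather than alerting on each line.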
These attacks are now textbook runs carried out by individuals with little real expertise of their own; the plethora of tools and playbooks available enables REvil's Ransomware-as-a-Service model to not just exist, but thrive.
Your response to REvil (and every other ransomware variant) should start with minimizing the initial attack surface:
Threat actors are constantly releasing new variants to evade detection. Is your network effective in blocking all of them when employees fall for social engineering attacks?