REvil on the run!

Hello World!

Ransomware operators and affiliates of REvil (Ransomware Evil), also known as Sodinokibi, are on the run from the feds this week. One can suspect that the US authorities have it out for them, as this is not the first occasion of direct engagement against this threat actor (TA).

If you follow the story as closely as I do, you may already be aware of the kerfuffle over the decryption keys a few months ago, though the official account only dropped a couple of weeks ago. Basically, one of Kaseya’s IT management platforms was compromised in what we call a supply chain attack: rather than breaking into each victim directly, the attackers abused the trusted platform to push their ransomware out to the companies that use it, and then held those companies and their data to ransom.

This is achieved through the use of a piece of malware known as ransomware, which falls under the category of crypto-malware; see the image below for what a user infected with the WannaCry ransomware would see.

So, what did I mean when I said this isn’t the first engagement, and what is this recent news of the official story?

Well, the gang took themselves “offline” after attracting too much attention with the Kaseya attack, then re-emerged from the shadows a few months later. What the gang and their affiliates did not know was that a campaign by international law enforcement had compromised their systems, exfiltrated information and, most importantly here, had already compromised the backups that REvil used to restore their infrastructure. Rebuilding from backups that law enforcement already controlled meant the “new” infrastructure was compromised from day one, so you can see who has the upper hand in this situation.

To step away from the story of REvil and their fight with government hackers (which isn’t going well for the criminals, who have seen multiple arrests across several countries), it would be good to talk briefly about what we do to defend against ransomware and just how much the battlefield is evolving. First, let’s go all the way back to 1989, when the AIDS Trojan made its way onto computers via floppy disk; this was the first documented ransomware attack. Victims were told to mail payment to a PO box in Panama, but the trojan’s encryption was weak (a simple symmetric scheme with the key recoverable from the malware itself), so security researchers were quickly able to develop tools that decrypted the data.

Now, you don’t need to know much about how it has changed over the years, or the technical details of how it installs and encrypts. But let’s step back into 2021, nearly 2022 as I write this. Ransomware is no longer just a “denial of service” against your data: we have seen the rise of double extortion, where the attackers not only encrypt your data but also exfiltrate it and threaten to make it public. That second lever matters because it defeats the classic defence of restoring from backups; a good backup gets your data back, but does nothing about the copy the attackers are holding.

Our security methods change all the time, but active defence could play an important role against these double-extortion attacks. A network defender who keeps creating file shares padded with random but legitimate-looking information, uses telemetry simulators to confuse the attackers, and applies other deception techniques can gain the upper hand: the decoys waste the attacker’s time, dilute whatever they manage to exfiltrate, and, because no legitimate user should ever touch them, any access to a decoy is a high-confidence alert.
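As an added example (this is not code from the post, nor any product’s implementation), here is a small Python script that seeds a share with decoy documents of the kind described above and then checks them for tampering. The decoy file names, the filler text, the entropy threshold and the `simulate_encryption` stand-in are all constructed for the illustration; nothing in it is real data or a real sample.

```python
"""Decoy ("canary") files for a padded file share.

Seeds a directory with plausible-looking decoys, records a hash baseline and
later reports any decoy that is missing or rewritten. Ciphertext looks like
random bytes, so the Shannon entropy of a rewritten decoy is a second signal:
office text sits around 4-5 bits per byte, encrypted output close to 8.
"""
import hashlib
import json
import math
import os
import random
import secrets
import tempfile
from collections import Counter
from typing import Dict, List, Optional

# Constructed decoy names: the kind of file a collection script grabs first.
DECOY_NAMES = [
    "Q3_payroll_export.csv",
    "board_minutes_2021-09.docx",
    "customer_contracts_master.xlsx",
    "vpn_credentials_old.txt",
]
# Constructed filler so the decoys read like ordinary office text.
FILLER = [
    "Quarterly figures attached for review prior to the board meeting.",
    "Please treat the customer list as confidential and do not forward.",
    "Renewal terms for the managed service contract are unchanged.",
    "Action items from the previous meeting have been carried forward.",
]
BASELINE = ".decoy_baseline.json"  # in production, keep the baseline off the share
ENTROPY_ALERT = 7.5                # bits per byte; above this looks encrypted


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _sha256(path: str) -> str:
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def seed_decoys(share_dir: str, size_kb: int = 8, rng_seed: Optional[int] = None) -> Dict[str, str]:
    """Write the decoys into `share_dir` plus a baseline {name: sha256}."""
    rng = random.Random(rng_seed)
    os.makedirs(share_dir, exist_ok=True)
    baseline = {}
    for name in DECOY_NAMES:
        # ~size_kb KB of filler, varied per file so no two decoys share a hash.
        lines = [rng.choice(FILLER) for _ in range(size_kb * 16)]
        path = os.path.join(share_dir, name)
        with open(path, "wb") as f:
            f.write(("\n".join(lines) + "\n").encode())
        baseline[name] = _sha256(path)
    with open(os.path.join(share_dir, BASELINE), "w") as f:
        json.dump(baseline, f)
    return baseline


def check_decoys(share_dir: str) -> List[dict]:
    """One finding per decoy that is missing or whose contents changed.

    Finding: {"name", "status": "missing" | "modified", "entropy"} where
    entropy is the current bits per byte (None if the file is gone). No
    legitimate user touches a decoy, so any finding at all merits an alert.
    """
    with open(os.path.join(share_dir, BASELINE)) as f:
        baseline = json.load(f)
    findings = []
    for name, digest in baseline.items():
        path = os.path.join(share_dir, name)
        if not os.path.exists(path):
            findings.append({"name": name, "status": "missing", "entropy": None})
        elif _sha256(path) != digest:
            with open(path, "rb") as f:
                ent = shannon_entropy(f.read())
            findings.append({"name": name, "status": "modified", "entropy": round(ent, 2)})
    return findings


def simulate_encryption(path: str, rename: bool = False) -> None:
    """Demo stand-in for an encryptor (constructed, not a real sample): overwrite
    the file with random bytes and optionally add a ransom-style extension."""
    size = os.path.getsize(path)  # read the size before "wb" truncates the file
    with open(path, "wb") as f:
        f.write(secrets.token_bytes(size))
    if rename:
        os.rename(path, path + ".locked")


def run_demo(share_dir: Optional[str] = None) -> Dict[str, List[dict]]:
    """Seed a share, confirm it is clean, 'encrypt' two decoys, re-check."""
    share = share_dir or tempfile.mkdtemp(prefix="decoy_share_")
    seed_decoys(share, rng_seed=1)
    clean = check_decoys(share)
    simulate_encryption(os.path.join(share, DECOY_NAMES[0]))               # rewritten in place
    simulate_encryption(os.path.join(share, DECOY_NAMES[1]), rename=True)  # rewritten and renamed
    return {"clean": clean, "after": check_decoys(share)}
```

Calling `run_demo()` returns an empty finding list for the freshly seeded share and, after the simulated encryption, one “modified” finding with entropy close to 8 bits per byte and one “missing” finding for the renamed file. In a real deployment the baseline would live somewhere the attacker cannot reach, the check would run on a schedule or be driven by file-audit events, and both kinds of finding would go straight to the SIEM. The design point is the one made above: a decoy nobody should touch turns any touch into a high-confidence signal, and the entropy of a rewritten decoy separates an encryption pass from an ordinary edit.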

I hope to take a look at some of the methods that can be used to stall an attack as it happens, but for now I will recommend a book to any security professional interested in the idea of a cyber-battlefield, as it’s a brilliant read: Adversarial Tradecraft in Cybersecurity by Dan Borges.