Lessons Learned from a REvil Ransomware Attack
How channel partners can better defend against ransomware.
August 30, 2021
Sponsored by Sophos
In a June 2021 incident, the Sophos Rapid Response team responded to a security alert that flagged Cobalt Strike on the network of a midsize media company. Cobalt Strike is a remote access agent that is widely used by adversaries as a precursor to ransomware attack. The attackers proceeded to release ransomware a few hours later, at 4 a.m. local time, targeting proximately 600 computing devices–25 of them servers–and three Active Directory domains that were critical to the company’s ability to maintain its 24/7 operations.
The ransom note demanded a payment of $2.5 million, and it was signed by REvil. Also known as Sodinokibi, REvil is a ransomware-as-a-service (RaaS) offering, which means that criminal customers can lease the malware from the developers and then use their own tools and resources to target and perform the attack. Although REvil was also used in the recent Kaseya attack, the approach and impact of an attack involving REvil ransomware is highly variable, making it difficult for defenders to know what to expect and look out for.
Following the initial ransomware attack, the target’s IT team and Sophos’ Rapid Response team were locked in live combat with the human adversaries orchestrating the attack. The attackers tried repeatedly to breach protected devices and encrypt files, launching attacks from different unprotected devices they had been able to compromise. Every attempt needed to be blocked and investigated to ensure there was nothing else going on and that there was no further damage–even though by then the next attack attempt was already underway. This task was made harder than normal because the organization needed to keep most of its servers online to support the 24/7 broadcasting systems.
Eventually, the onslaught began to slow down. By day two, inbound attacks were still detected intermittently, but it was clear the main attack attempt was over and had failed. Unfortunately, even though the attack ultimately failed, the attackers had already encrypted the data on unprotected devices, deleted online backups, and decimated one online and undefended domain.
Lessons Learned from This REvil Attack
Sophos experts believe there are two important lessons that partners and defenders should take away from this incident.
The first is about risk management. When organizations make changes to their environment–for example, changing a network from air-gapped to online as in the case of this business–the level of risk changes. New areas of vulnerability open up, and partners and IT security teams need to understand and address that.
The second is about preserving data. The first compromised account in this attack belonged to a member of the IT team. All data was wiped, which meant that valuable information–such as details of the original breach, which could have been used for forensic analysis and investigation–was lost. The more information is kept intact, the easier it is to see what happened and to enable partners and the victim organization to make sure it doesn’t happen again.
Responding to a REvil Attack
Sophos recommends the following best practices for partners to help defend against REvil and other families of ransomware and related cyberattacks:
Understand the tactics, techniques and procedures (TTPs) that attackers can use and how to spot the early warning signs of an imminent attack.
Have an incident response plan that is continuously reviewed and updated to reflect changes in customers’ IT environments and business operations and how they impact your security posture and level of risk.
Turn to external support if you don’t have the resources or expertise in house to monitor activity on customer networks or to respond to an incident. Ransomware is often unleashed at the end of an attack, so you need both dedicated anti-ransomware technology and human-led threat hunting, such as Sophos Managed Threat Response (MTR), to detect the tell-tale tactics, techniques and procedures that indicate an attacker is in or attempting to get into the environment.
If you or a customer does get hit, incident response experts like the Sophos Rapid Response team are available 24/7 to call on to contain and neutralize the attack.
Dealing with a cyberattack like REvil is a stressful experience. It can be tempting for partners to clear the immediate threat and close the book on the incident, but the truth is that in doing so you are unlikely to have eliminated all traces of the attack. It is important that you take time to identify how the attackers got in, learn from any mistakes and make improvements to security systems. If you don’t, you run the risk that the same adversary or another one might attack again in the future.
This guest blog is part of a Channel Futures sponsorship.
Read more about:
MSPsAbout the Author
You May Also Like