Cybersecurity Snapshots #16 - REvil/Shodinokibi Was the Most Widespread Ransomware in 2020

Cybersecurity Snapshots #16 -

REvil/Shodinokibi Was the Most Widespread Ransomware in 2020

Researchers at SonicWall discovered that ransomware threats in 2020 spiked 62% globally and 158% in North America. The retail sector saw a 365% increase in ransomware threats in 2020, followed by the healthcare sector (123%) and the government sector (21%). According to recent reports from security firms, REvil, also known as Sodinokibi, is considered the most widespread ransomware threat.

REvil is a ransomware-as-a-service (RaaS) operation that has extorted large amounts of money from organizations worldwide over the past year. The group's name stands for Ransomware Evil. The group behind it doubles down on its extortion efforts by also stealing business data and threatening to release it. REvil first appeared in April 2019 and rose to prominence after another RaaS gang called GandCrab shut down its service. The REvil gang appears to adjust its ransom requests based on the victim organizations' annual revenue, which is why its demands varied widely in 2020 between $1,500 and $42 million and up to 9% of the victim's yearly income. IBM researchers estimate that REvil's profits over the past year were at least $81 million. The REvil gang is also trying to grow. In late September, researchers found that the group deposited $1 million in bitcoin on a hacker forum to try to recruit more skilled hackers to become its affiliates.

Recently the REvil gang has claimed to have infected nine organizations across Africa, Europe, Mexico, and the United States over the past two weeks. The organizations supposedly affected include two law firms, an insurance company, an architectural firm, a construction company, and an agricultural co-op, all located in the United States. The other organizations affected include two large international banks (one in Mexico and one in Africa), and a European manufacturer. Researchers at eSentire stated that REvil cybercriminals posted documents on underground forums that purported to be from the victims' systems, including company computer file directories, partial customer lists, customer quotes, and copies of contracts. The researchers also stated that the threat group also posted what appears to be several official IDs, either belonging to an employee or a customer of the victim companies. The researchers are not 100% sure the claims are accurate. However, after reviewing several of the documents that the REvil gang claims are from their new victims, the researchers found that many appear authentic.

In September, the IBM Security X-Force Incident Response team reported that one in four cybersecurity incidents it was called to remedy this year in customer networks was a ransomware infection. The researchers also found that one in every three ransomware infections involved REvil/Sodinokibi. Sodinokibi also makes up 29% of all IBM Security X-Force ransomware engagements in 2020, suggesting that Sodinokibi actors are more skilled at gaining access to victim networks when compared to other ransomware strains. According to Coveware, REvil/Sodinokibi had the largest market share among ransomware groups during the third quarter of 2020, being responsible for 16% of infections. The group also led during the previous quarter. IBM Security X-Force estimated that REvil hit at least 140 organizations since it appeared in April 2019 with wholesale, manufacturing, and professional services being the most frequently targeted industries. Around 60% of the gang's victims are organizations from the US, followed by UK, Australia, and Canada. The researchers also estimates that a third of REvil victims paid the ransom, one in ten had their sensitive information auctioned off on the dark web, and a third of the group's victims had their data stolen.

REvil is one of the ransomware programs deployed during human-operated ransomware campaigns, similar to Ryuk, WastedLocker, and others. After breaking in, adversaries use various tools and techniques to map the network, perform lateral movement, obtain domain administrator privileges, and deploy the ransomware on all computers to maximize the impact. According to researchers at Coveware, REvil is now distributed primarily through compromised RDP sessions (65%), phishing (16%), and software vulnerabilities (8%). REvil stands apart from other ransomware programs through its use of Elliptic-curve Diffie-Hellman key exchange instead of RSA, Salsa20, and AES to encrypt files. Elliptic-curve Diffie-Hellman key exchange uses shorter keys than other encryption methods, is highly efficient, and is uncrackable if implemented correctly. REvil kills some processes on the infected machines, including email clients, SQL and other database servers, Microsoft Office programs, browsers, and other tools that might keep important files locked or backed into RAM. It then deletes Windows shadow copies of files and other backups to prevent file recovery.

Almost half of all ransomware cases investigated by Coveware involved threats to release exfiltrated data, with an increasing number of groups adopting this technique. In particular, Coveware has seen incidents where victims who already paid were re-extorted by REvil a few weeks later with threats to release the same data. An affiliate that was interviewed, who is referred to as "Unknown," stated that REvil is also looking into adopting other techniques, such as launching Distributed Denial-of-Service (DDoS) attacks to force the hand of organizations that suspend negotiations. Researchers suggest that organizations and individuals should never pay the ransom. 

The Coveware researchers believe professional services such as law or accounting firms are especially vulnerable to the REvil ransomware. The 4.2 million US professional services firms make up about 14% of all businesses in the country but make up 25% of attacks. The researchers stated that these firms commonly leave vulnerabilities like RDP open to the internet and are victimized much more regularly than companies in other industries. The researchers stated that small professional services firms must recognize that there is no such thing as being "too small" to be targeted. The researchers also stated that if an organization presents a cheap vulnerability to the internet, they will get attacked.

To protect one's organization from REvil ransomware, the researchers suggest that organizations should always secure their remote access with strong credentials, two-factor authentication and consider making such services available over VPN only. The researchers also suggested that all publicly exposed servers, applications, and appliances should be kept updated and regularly scanned for vulnerabilities, misconfiguration, and suspicious behavior. Brute force protection that blocks excessive login attempts with the wrong credentials should also be enabled where possible. Inside local networks, an organization should block unneeded SMB and RPC communications between endpoints that can be used for lateral movement. Organizations should also monitor privileged accounts for suspicious behavior. Organizations should have a data backup process in place that stores backups offsite and test that restoring from backups can be done in a timely manner. It is also critical that an organization have a clearly defined incident response plan to immediately take action if an attack is detected.