Recent Deeds Of REvil Ransomware Family - A Quick Look

Top targets

• Since early 2020, the REvil operators have mostly targeted North American (National Eating Disorders Association, Agromart Group, etc.) and Western European (Atlas Cars, Plaza Collection, etc.) organizations.
• One specific sector of its interest seems to be food and beverage manufacturing and distribution organizations. Brown Forman Daniel’s, Lion, Harvest Food Distributors, and Sherwood Food Distributors are among the recent victims from this industry. 
• They have also targeted multiple other sectors ranging from IT, media, energy, retail, real estate, legal, transportation, healthcare, manufacturing, entertainment, non-profit, and government.

Modus operandi

• The operators behind this ransomware follow Ransomware-as-a-Service (RaaS) model that allows its affiliates to distribute REvil ransomware in whatever way they want, by exploiting a vulnerability or brute-forcing unsecured RDP ports.  
• In the beginning, the ransomware was observed to be targeting organizations with exploiting vulnerabilities. But since last year, they started to use common infection vectors such as phishing and exploit kits (RIG EK).

Recent associations and enhancements

• The cybercriminals behind the REvil ransomware are the same individuals who created the GandCrab RaaS. This claim is based on observations related to similarities in the language, whitelist countries, and attack techniques.
• In June 2020, the group started something new, where they added an auction feature to its underground website for anonymous bidding on stolen data.

Key takeaways