Recent Deeds Of REvil Ransomware Family - A Quick Look

REvil (aka Sodinokibi) is a ransomware family that first appeared in early 2019 and has since become one of the most notorious in operation. Here is a quick look at its recent deeds.

Top targets

Over the past few months, the REvil operators have attacked organizations across several regions and industries.
  • Since early 2020, the REvil affiliates have mostly hit North American (National Eating Disorders Association, Agromart Group, etc.) and Western European (Atlas Cars, Plaza Collection, etc.) organizations.
  • Food and beverage manufacturing and distribution stands out as a sector of particular interest. Brown-Forman (maker of Jack Daniel's), Lion, Harvest Food Distributors, and Sherwood Food Distributors are among the recent victims from this industry.
  • Other victims span IT, media, energy, retail, real estate, legal, transportation, healthcare, manufacturing, entertainment, non-profit, and government.

Modus operandi

  • The operators behind REvil run a Ransomware-as-a-Service (RaaS) model: the core group maintains the malware and payment infrastructure, while affiliates break into victims by whatever means they choose, typically exploiting a vulnerability in an exposed, unpatched service or brute-forcing internet-facing RDP.
  • Early campaigns relied mainly on vulnerability exploitation; since then affiliates have also adopted commodity infection vectors such as phishing emails and the RIG exploit kit (RIG EK).
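The RDP brute-forcing mentioned above is one of the few REvil entry points a defender can spot from host telemetry alone. The following is an added example, not code from the original article: it runs a simple burst detector over constructed Windows Security events (Event ID 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive, i.e. RDP). The event records, IP addresses, user names, threshold and window are all made up for the example; in practice the input would come from an EVTX export or a SIEM.

```python
"""Flag RDP brute-force / password-spray bursts in Windows Security events.

Added example (not part of the original article). Events are constructed
dictionaries whose keys mirror the EventData fields of a real 4625/4624 event.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10  # LogonType 10 = RemoteInteractive (RDP/Terminal Services)


def ev(event_id, ts, logon_type, user, ip):
    """Build one simplified Security event record (constructed test data)."""
    return {"EventID": event_id, "TimeCreated": ts, "LogonType": logon_type,
            "TargetUserName": user, "IpAddress": ip}


# Constructed sample log. Addresses are from the RFC 5737 documentation ranges.
SAMPLE_EVENTS = [
    # 198.51.100.23: six RDP failures in under three minutes, then a success
    ev(4625, "2020-09-01T02:00:05", 10, "administrator", "198.51.100.23"),
    ev(4625, "2020-09-01T02:00:31", 10, "administrator", "198.51.100.23"),
    ev(4625, "2020-09-01T02:01:02", 10, "admin", "198.51.100.23"),
    ev(4625, "2020-09-01T02:01:40", 10, "admin", "198.51.100.23"),
    ev(4625, "2020-09-01T02:02:15", 10, "backup", "198.51.100.23"),
    ev(4625, "2020-09-01T02:02:50", 10, "backup", "198.51.100.23"),
    ev(4624, "2020-09-01T02:03:30", 10, "backup", "198.51.100.23"),
    # 203.0.113.7: two RDP failures, a user mistyping a password
    ev(4625, "2020-09-01T08:10:00", 10, "jsmith", "203.0.113.7"),
    ev(4625, "2020-09-01T08:10:20", 10, "jsmith", "203.0.113.7"),
    # 192.0.2.9: many failures but LogonType 3 (network/SMB), not RDP
    *[ev(4625, f"2020-09-01T09:00:{i:02d}", 3, "svc", "192.0.2.9") for i in range(8)],
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: alert} for every source with at least `threshold`
    failed RDP logons inside any sliding time window of length `window`.

    Each alert records the failure count, the user names tried, a rough
    brute-force vs. password-spray label, and whether a successful RDP logon
    from the same source followed the burst (the highest-signal case).
    """
    failures = defaultdict(list)   # ip -> [(timestamp, user)]
    successes = defaultdict(list)  # ip -> [timestamp]
    for e in events:
        if e["LogonType"] != RDP_LOGON_TYPE:
            continue  # only RDP logons are of interest here
        ts = datetime.fromisoformat(e["TimeCreated"])
        if e["EventID"] == 4625:
            failures[e["IpAddress"]].append((ts, e["TargetUserName"]))
        elif e["EventID"] == 4624:
            successes[e["IpAddress"]].append(ts)

    alerts = {}
    for ip, attempts in failures.items():
        attempts.sort()  # chronological order for the sliding window
        start = 0
        best = None  # (count, start_index, end_index) of the densest window
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, start, end)
        if best is None:
            continue
        count, s, e_idx = best
        first_failure = attempts[s][0]
        users = sorted({user for _, user in attempts[s:e_idx + 1]})
        alerts[ip] = {
            "failures": count,
            "users": users,
            # heuristic: many accounts from one source looks like spraying
            "pattern": "password spray" if len(users) > 1 else "brute force",
            "followed_by_success": any(t > first_failure for t in successes.get(ip, [])),
        }
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, alert)
```

The third source in the sample is deliberately ignored: eight failures over SMB are a different problem and would need their own rule. Tune the threshold and window to the environment's baseline of mistyped passwords, and treat a burst followed by a 4624 from the same address as an incident, not a notification.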

Recent associations and enhancements

  • The cybercriminals behind REvil are believed to be the same individuals who ran the GandCrab RaaS. This attribution rests on similarities in the code and ransom-note language, in the list of whitelisted countries the malware refuses to encrypt, and in attack techniques.
  • In June 2020, the group added an auction feature to its underground leak site, letting anonymous bidders buy data stolen from victims who refuse to pay.

Key takeaways

Threats like REvil can breach any organization's corporate network, exfiltrate internal data and customer records, and only then encrypt systems. The new auction feature is a clear signal that the operators intend to keep monetizing stolen data and to keep adding victims; it also means backups alone do not neutralize the extortion, because the data has already left the network. Organizations should defend proactively: run reliable endpoint protection, patch internet-facing applications promptly, keep RDP off the internet or behind a VPN with multi-factor authentication and account lockout, maintain offline and tested backups, and follow basic security hygiene.