The REvil (aka Sodinokibi) ransomware group, one of the most active ransomware groups of our time, is apparently planning something big. The group, which focuses mainly on private Ransomware-as-a-Service (RaaS) operations, has made a stunning declaration.
The REvil ransomware group just deposited $1 million in bitcoin on a Russian-speaking hacker forum to attract more affiliates for its RaaS operations. Depositing such a large sum is a clear indication that the group is expanding or planning something big.
- According to an update on a forum post, the group is recruiting new affiliates to spread its ransomware and is looking for hackers skilled in penetration testing and a few other technologies.
- The group is now offering a 20%–30% cut to the developers behind the ransomware, while affiliates will keep 70%–80% of the ransom payments they generate.
The group also seems to be changing its attack strategy. Until recently, the ransomware operators were targeting retail organizations and manufacturers (mostly in the food and beverage industry). However, this has changed.
- They were seen targeting several banking, financial services, and insurance (BFSI) organizations, such as BancoEstado and National Western Life Insurance.
- Other prominent targets include IT (SeaChange International, Artech Information Systems) and enterprise services (DXP Enterprises).
The group has relied on its RaaS model to exploit unpatched vulnerabilities and deliver malicious files.
- In one of the attacks, the group sent a malicious Office document that installed a backdoor on the bank's network.
- The ransomware group has been exploiting the CVE-2019-11510 vulnerability in Pulse Secure VPN servers.
- In addition, the group was spotted stealing data from targeted entities and leaking it, similar to other major ransomware groups.
Given the way the REvil ransomware group is operating, future attacks are expected to be more sophisticated and deadlier. Thus, organizations should proactively prepare themselves by following the good security practices suggested by experts, such as taking data backups, patching deployed applications, and following basic security hygiene.