REvil ransomware developers are continuously making improvements in the malware code and carrying out substantial heists. Recently, they added new abilities that could be used to evade detection by security software. Moreover, this ransomware has been used to target a prominent enterprise, demanding the highest ransom amount to date.
Attack on Acer
Along with new abilities, REvil has been recently used to attack the Taiwanese PC giant Acer, by targeting its Microsoft Exchange server.
- Intel’s intelligence platform discovered that an affiliate of REvil is weaponizing Microsoft Exchange. Later, REvil operators claimed on their leak site to have stolen unencrypted data.
- REvil operators posted some of that data, including financial spreadsheets, bank balances, and communications, on their leak site as proof of the breach.
- In addition, the cyberattackers demanded the largest known ransom to date - $50,000,000. They offered a 20% discount if payment was made before 17 March.
About the new enhancements
Recently, the MalwareHunterTeam identified a new sample of REvil with support for infection in Safe Mode.
- The new variant has a -smode command-line argument that forces the infected computer to reboot into Safe Mode with Networking.
- Once the device has restarted in Safe Mode with Networking, the user is asked to log in to Windows. After login, the ransomware runs again, this time without the -smode argument, and encrypts all the files on the victim machine.
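To give defenders a concrete handle on the Safe Mode behaviour described above, here is an added detection example (not code from the original article or from any vendor) that flags process-creation events which set the boot configuration to Safe Mode with Networking or which launch a binary with the -smode argument, and then correlates both per host. It assumes the reboot is arranged through the standard bcdedit safeboot setting (a mechanism the article does not detail), and the event field names and sample events are constructed.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style).
# These are not real telemetry; field names are an assumption of this example.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {current} safeboot network"},
    {"host": "ws01", "image": r"C:\Users\alice\AppData\Local\Temp\payload.exe",
     "cmdline": "payload.exe -smode"},
    {"host": "ws02", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /enum"},                       # benign enumeration
    {"host": "ws03", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "BCDEDIT /deletevalue {current} safeboot"},  # clean-up after a Safe Mode run
]

# bcdedit switching the next boot into Safe Mode (network or minimal); case-insensitive.
SAFEBOOT_SET = re.compile(r"bcdedit(\.exe)?\s+/set\s+\S+\s+safeboot\s+(network|minimal)", re.I)
# bcdedit removing the safeboot flag again (seen when an actor restores normal boot).
SAFEBOOT_CLEAR = re.compile(r"bcdedit(\.exe)?\s+/deletevalue\s+\S+\s+safeboot", re.I)
# The -smode argument described in the article, as a standalone token.
SMODE_FLAG = re.compile(r"(^|\s)-smode(\s|$)", re.I)


def classify(event):
    """Return the list of tags that apply to one event; empty means nothing of interest."""
    tags = []
    cmd = event.get("cmdline", "")
    if SAFEBOOT_SET.search(cmd):
        tags.append("safeboot_set")
    if SAFEBOOT_CLEAR.search(cmd):
        tags.append("safeboot_cleared")
    if SMODE_FLAG.search(cmd):
        tags.append("smode_argument")
    return tags


def find_safe_mode_abuse(events):
    """Return (host, tags, cmdline) for every event that carries at least one tag."""
    return [(ev["host"], tags, ev["cmdline"]) for ev in events if (tags := classify(ev))]


def hosts_with_both(events):
    """Hosts where a Safe Mode boot was configured AND a -smode launch was seen.
    A single bcdedit call can be legitimate admin work; the pair is the stronger signal."""
    seen = {}
    for host, tags, _ in find_safe_mode_abuse(events):
        seen.setdefault(host, set()).update(tags)
    return sorted(h for h, t in seen.items() if {"safeboot_set", "smode_argument"} <= t)
```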
Since late December 2020, the REvil ransomware gang has been on an attack spree.
In 2020, the average ransom demand rose from $115,123 in 2019 to $312,493, a 171% year-over-year increase. The ongoing success of ransomware attacks has led operators to make bold demands. Security experts emphasize that, besides securing remote desktop services, organizations should also maintain regular backups.