REvil ransomware (aka Sodinokibi), a sophisticated file-encrypting Windows strain distributed under the Ransomware-as-a-Service (RaaS) model, is reportedly hitting organizations and demanding large ransoms in exchange for the decryption key that unlocks infected files.
In these attacks, the malware operators encrypted data files and demanded a ransom in cryptocurrency in return for the digital key to unlock the infected systems. If the ransom was not paid, they would dump and auction the data online.
- Earlier this month, REvil ransomware targeted a leading supplier of sanitary components, Sanitary Process Engineering & Components Inc, and claimed to have downloaded sensitive and highly confidential documents from the company’s database.
- In the same month, REvil operators also launched an attack against the Agromart Group and auctioned off the data they stole from the group.
- In May 2020, REvil ransomware targeted Harvest Food Distributors and Sherwood Food Distributors and demanded $7.5 million in ransom payments.
A known attack vector - exploitation of an unpatched vulnerability
The operators of REvil ransomware mainly leverage an arbitrary file read vulnerability (CVE-2019-11510) to distribute the ransomware and extort large organizations.
- In May 2020, REvil ransomware targeted Grubman Shire Meiselas & Sacks through an unpatched Pulse Secure VPN server.
- In January 2020, cybercriminals infected foreign exchange company Travelex with REvil malware using the same known vulnerability.
- Last year, the attackers targeted a range of companies using the same attack vector.
Users should keep the operating system, applications, and browsers patched with the latest updates to prevent the exploitation of known vulnerabilities. Use a trusted anti-virus and web security software solution on connected devices, including desktop and mobile. Users should also perform regular backups of critical and sensitive data.