Good V REvil: The Dawn of Ransomware as a Service (RaaS)

Join us for a look back at the major ransomware attacks this year and the larger hierarchy behind modern attacks.

News of catastrophic cyber-attacks are a regular occurrence these days. So much so that we’ve become calloused to their causes and consequences. In a recent threat report by VMWare Carbon Black, 94% of surveyed organisations had suffered a data breach at the hands of a cyber-attack, just in the last 12 months. Clearly, complacency is the last thing we need in the wake of these statistics. But what’s the best way to avoid complacency? How do we avoid falling victim to the new wave of malware?


The DarkSide of REvil

First and foremost, we must examine attacks to find common patterns. This is the most effective way for organisations to strategise and implement good defense practices. So, let’s take a look at some recent examples from this year.

Some of the most notable attacks have targeted Colonial Pipeline, meatpackers JBS SA and the national health service of Ireland; so, what’s the common pattern between each of these attacks?

They were all perpetrated by the hacking group known as DarkSide. But, if we zoom out a little, you’ll find the makers of the ransomware itself. REvil (also known as Sodinokibi). REvil operates as a ransomware as a service (RaaS) provider to multiple hacker cells.

Attacks used to be a series of isolated actors carrying out targeted campaigns. Now, a huge range of ransomware providers offer up the actual code to criminal groups who can then automate the planning time to strike their victims hard and fast.


The REvil business model

The ransomware produced by REvil targets both Windows and Linux systems by encrypting all files with RSA-1024 and RSA-4096. REvil sells its software as a toolkit for hackers to target specific organisations, all whilst collecting a commission from successful ransoms. After that, it’s a case of businesses either paying or not. In the latter case, REvil has been known to respond by publishing sensitive files online. Or, in the case of high-profile victims such as Apple, auctioning off files to the highest bidder.

The causes they expose and exploit are often down to insecure RDP servers or phishing attacks. Whilst both can be mitigated, the chance of falling victim to either should be a major concern to all. Securing a company against both may postpone a ransomware disaster, but won’t be much help when they’re then faced with the choices of paying a hefty ransom or frantically negotiating. For a front-seat view of what the attack would look like on your own desktop, watch this 2-minute video by Sophos.


The attack on kaseya

Days before the 4th of July weekend, a brutal attack hit Kaseya, a company that provides VSA software to MSPs. By exploiting an authentication bypass vulnerability and elevating privileges, an installation package was sent off to dozens of Kaseya’s customers. But with around 30 MSPs being impacted, this meant that at least 1500 end users, many being SMEs, were in for a rude awakening. This was essentially a supply chain attack whereby a flaw in Kaseya’s software opened the gates to a host of unprepared SMEs. From Swedish grocery stores to US technology suppliers for the NASA, all were directly impacted by REvil’s ransomware.


Preparing for the future

Cyberwarfare is becoming a prominent part of militaries around the world. So it’s likely REvil and similar groups aren’t going away anytime soon. Ransomware will remain a major problem for years to come. With organisations in the US having lost a combined total of over 7 billion dollars in 2019, and the industry expected to grow rapidly into the next decade, ransomware is a profitable venture. Cyber insurance offers up a monetary cushion for these situations. But it can’t recuperate the damage to reputation, business downtime and the bittersweet joy of bartering your ransom down to the nearest thousand.

The only way to stay assured is by taking constant backups of your organisation’s data. At which point, you can at least rest assured that if the worst is to happen, you can bounce back with minimal disruption to your business. You can learn more about that here, where we talk about how to prepare for ransomware attacks. In a nutshell, stay one step ahead with prepared counterattacks that can trip criminals up. Give them the satisfying faceplant that they deserve!


Article by  Nazish Malik