Understanding REvil: The Ransomware Gang Behind the Kaseya Attack

Executive Summary


REvil has emerged as one of the world’s most notorious ransomware operators. In just the past month, it extracted an $11 million payment from the world’s largest meatpacking company, demanded $5 million from a Brazilian medical diagnostics company and launched a large-scale attack on dozens, perhaps hundreds, of companies that use Kaseya’s VSA IT management software.


While REvil (also known as Sodinokibi) may seem like a new player in cybercrime, Unit 42 has been tracking the threat actors tied to this group for three years. We first encountered them in 2018, when they were working with a group known as GandCrab. At the time, they were mostly focused on distributing ransomware through malvertising (malicious advertisements) and exploit kits (malware toolkits that infect visitors to a malicious website through drive-by downloads).


That group morphed into REvil, grew and earned a reputation for exfiltrating massive data sets and demanding multimillion-dollar ransoms. It is now among an elite group of cyber extortion gangs responsible for the surge in debilitating attacks that have made ransomware one of the most pressing security threats to businesses and nations around the globe.


Earlier this year, we released a threat assessment tying REvil/Sodinokibi to GandCrab. Here, we provide insights gleaned from Unit 42 cybersecurity consultants who worked over a dozen REvil ransomware cases in the first six months of 2021. We hope these accounts of REvil’s tactics and of the steps taken to counter this threat will help organizations better defend against future ransomware attacks. We also encourage you to review the 2021 Unit 42 Ransomware Threat Report for further insigh ..