REvil: How does the most active ransomware of the moment work?
REvil is ransomware which, like Ryuk or WastedLocker, has been used widely in malicious operations.
Once cybercriminals gain access to an organization's network, they use a set of tools to map the network and the targeted systems. They then do everything they can to acquire as many administrator privileges as possible, which is how they manage to deploy the ransomware. "Since REvil is distributed by different affiliates, the initial access vectors range from phishing emails with malicious attachments to compromised RDP (Remote Desktop Protocol) credentials and the exploitation of vulnerabilities in various utilities," writes Lucian Constantin of CSO. Last year, for example, cybercriminals using this malware exploited an already known security flaw in Oracle WebLogic (CVE-2019-2725).
According to the recent report produced by the security company Coveware, REvil is distributed mainly through:
– Compromised RDP sessions (65%)
– Phishing (16%)
– Software security flaws (8%)
On a Russian blog, a hacker claiming to have left the group that operates REvil stated that several of the group's affiliates rely mainly on brute-force attacks.
"REvil differs from other ransomware programs in its use of elliptic-curve Diffie-Hellman key exchange instead of RSA and Salsa20 instead of AES to encrypt files. These encryption algorithms use shorter keys, are very effective and unbreakable if properly implemented. The ransomware kills certain processes on infected machines, including email clients, SQL and other database servers, Microsoft Office programs, browsers and other tools that can keep important files locked or backed up in RAM. It then removes Windows shadow copies and other backups to prevent file recovery," explains Lucian Constantin.
According to experts in the field, securing systems against this malware starts with securing remote access:
– Strong credentials must be used.
– It is also recommended that VPNs be used specifically for remote data transfers, whatever the nature of the exchange.
– All publicly accessible applications and servers must be updated regularly.
– Anything that looks like a configuration error, suspicious behaviour or security vulnerability must be analysed and acted on so that the response is immediate.
– Protection against brute-force attacks should be permanently enabled, which means finding a way to block excessive numbers of incorrect credential submissions.
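The last recommendation, together with the figures above showing compromised RDP sessions as the dominant entry point, is the kind of thing a defender can turn into a concrete detection. The following is an added example, not code from the article or from any vendor it cites: it reads failed-logon records in a constructed, simplified format modelled on Windows Security Event ID 4625 (the field order and the sample lines are assumptions) and flags source addresses that exceed a failure threshold inside a sliding time window, the basis for an automatic block or lockout.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry) modelled on the fields a
# Windows Security Event ID 4625 ("An account failed to log on") carries:
#   timestamp  event_id  target_user  source_ip  logon_type
# Logon type 10 (RemoteInteractive) is an RDP session; 4624 is a successful logon.
SAMPLE_LOG = [
    "2020-08-10T02:14:01 4625 administrator 203.0.113.45 10",
    "2020-08-10T02:14:09 4625 admin 203.0.113.45 10",
    "2020-08-10T02:14:17 4625 backup 203.0.113.45 10",
    "2020-08-10T02:14:26 4625 sqlsvc 203.0.113.45 10",
    "2020-08-10T02:14:34 4625 helpdesk 203.0.113.45 10",
    "2020-08-10T08:03:12 4625 jsmith 198.51.100.7 10",   # one typo, then success
    "2020-08-10T08:03:40 4624 jsmith 198.51.100.7 10",
    "2020-08-10T09:00:00 4625 jsmith 192.0.2.9 10",      # slow, spaced failures
    "2020-08-10T09:10:00 4625 jsmith 192.0.2.9 10",
    "2020-08-10T09:20:00 4625 jsmith 192.0.2.9 10",
]

def parse_event(line):
    ts, event_id, user, src_ip, logon_type = line.split()
    return {"ts": datetime.fromisoformat(ts), "event_id": int(event_id),
            "user": user, "src_ip": src_ip, "logon_type": int(logon_type)}

def find_rdp_bruteforce(lines, threshold=5, window_minutes=2):
    """Return {src_ip: {"failures": n, "users": [...]}} for every source that
    produced >= threshold failed RDP logons inside a sliding time window.
    Lines are expected in chronological order, as exported logs normally are."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # src_ip -> timestamps of failures still in window
    users = defaultdict(set)      # src_ip -> distinct usernames tried (spraying)
    flagged = {}
    for line in lines:
        ev = parse_event(line)
        if ev["event_id"] != 4625 or ev["logon_type"] != 10:
            continue              # only failed RDP logons count
        q = recent[ev["src_ip"]]
        q.append(ev["ts"])
        users[ev["src_ip"]].add(ev["user"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()           # expire failures older than the window
        if len(q) >= threshold:
            flagged[ev["src_ip"]] = {"failures": len(q),
                                     "users": sorted(users[ev["src_ip"]])}
    return flagged

if __name__ == "__main__":
    for ip, info in find_rdp_bruteforce(SAMPLE_LOG).items():
        print(f"block candidate {ip}: {info['failures']} failures, tried {info['users']}")
```

The threshold and window are tuning knobs: a user mistyping a password once, or a slow trickle of failures, stays below them, while a burst across several account names (the "users" list) is the pattern worth blocking at the firewall or with an account lockout policy.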
In addition, the hospital sector deserves particular attention. "Some industries, such as health, may appear to be more highly targeted than others, due to the sensitive data they hold and their relative intolerance to downtime," Coveware researchers noted in the study. "However, what we have seen over time is that the presence of cheap vulnerabilities to exploit, which happen to be common in a given industry, is what points to an industry concentration," they add.
Researchers from the security company also point out that certain sectors, such as law firms and accountants, are very vulnerable to attacks by REvil. This is a significant risk in the United States, where these types of firms account for 14% of all businesses in the country, with nearly 4.2 million companies registered, yet account for 25% of computer attacks. "These companies are more likely to take the threat of ransomware less seriously," say Coveware researchers. "They generally leave vulnerabilities like RDP open to the Internet and are victims much more regularly than companies in other sectors. It is essential that small professional services companies recognize that there is no such thing as being 'too small' to be targeted. The cyber extortion industry doesn't work that way. If you present a cheap vulnerability to the Internet, you will be attacked. It's just a matter of when, not if."