Sophos X-Ops
Jun 11, 2021 (thread of 11 tweets)
NEW insights ☠️

Relentless REvil, revealed: RaaS as variable as the criminals who use it

No two criminal groups deploy the ransomware-as-a-service (RaaS), also known as Sodinokibi, in exactly the same way...

(a thread) 1/11
As attacks involving RaaS malware, including REvil, increasingly have generated attention, we wanted to pull together a common body of our knowledge about the ransomware itself, and the variety we observe in attack methods employed by the criminals who lease the software. 2/11
We've also reviewed reports from Sophos Rapid Response about attacks involving Sodinokibi/REvil where the MTR team were hired to provide incident response and cleanup. From these detailed analyses, we were able to develop a picture of a common malware being deployed. 3/11
Typical attack phases:

1. Penetration and initial access
2. Credential harvesting and privilege escalation
3. Tilling the field
4. Deployment of the ransomware

4/11
1. Common initial access methods used by criminals who attacked using Sodinokibi/REvil:

▫️ Brute-force attacks
▫️ Abuse of previously-obtained credentials/access
▫️ Piggybacking as a payload from other malware present on the target’s network.

5/11
2. Credential harvesting and privilege escalation

If ransomware threat actors haven’t bought a stolen or phished credential, they’ll often quietly monitor the network where the computer on which they gained an initial foothold is located. 6/11
3. Tilling the field

The attackers establish a list of internal targets, give themselves domain admin privileges, and use those privileges to shut down or otherwise hobble anything that might impede their attack. 7/11
4. The final insult: deployment

Attackers have launched the ransomware payload using a wide variety of methods... Sodinokibi/REvil has a few additional options that its operators may take advantage of by launching the malware with special command flags. 8/11
(Some) guidance for IT professionals:

▫️ Monitor and respond to alerts
▫️ Use strong passwords
▫️ Use Multi Factor Authentication (MFA)
▫️ Lock down accessible services
▫️ Segmentation and Zero-Trust
▫️ Inventory your assets and accounts
▫️ Patch everything

9/11
Sophos products detect various forms of Sodinokibi/REvil as Troj/Sodino-*, Mem/Sodino-*, and HPMal/Sodino-A.

Users of Sophos LiveDiscover can run SQL queries to interrogate telemetry from devices on their managed network, and hunt for unusual or unexpected behavior. 10/11
Read more from @threatresearch: news.sophos.com/en-us/2021/06/…

And thank you to SophosLabs researchers @AnandAjjan, Hajnalka Kope, @markloman, and Rapid Response manager @AltShiftPrtScn who contributed to our understanding of REvil attacks and the malware’s behavior.

11/11
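The thread lists brute-force logons as a common initial-access method and puts "monitor and respond to alerts" first in its guidance. As an added illustration, not part of the Sophos thread and not Sophos LiveDiscover code, the Python below runs a small brute-force detector over a handful of constructed failed-logon records modelled loosely on Windows Security event 4625 (failed logon) and 4624 (successful logon). The record layout, the threshold and window values, and every IP address and user name are assumptions chosen for the example.

```python
"""Added example (not from the Sophos thread): flag source IPs that generate a
burst of failed logons, and note whether a success followed the burst."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not real telemetry. Each tuple is
# (ISO timestamp, source IP, target user name, outcome), loosely modelled on
# Windows Security events 4625 (failure) and 4624 (success).
SAMPLE_EVENTS = [
    ("2021-06-10T02:00:01", "10.0.0.25", "administrator", "failure"),
    ("2021-06-10T02:00:09", "10.0.0.25", "admin", "failure"),
    ("2021-06-10T02:00:17", "10.0.0.25", "backup", "failure"),
    ("2021-06-10T02:00:31", "10.0.0.25", "svc_sql", "failure"),
    ("2021-06-10T02:00:44", "10.0.0.25", "jsmith", "failure"),
    ("2021-06-10T02:01:02", "10.0.0.25", "administrator", "failure"),
    ("2021-06-10T02:01:30", "10.0.0.25", "jsmith", "success"),
    ("2021-06-10T01:15:00", "10.0.0.40", "jdoe", "failure"),
    ("2021-06-10T02:20:00", "10.0.0.40", "jdoe", "failure"),
    ("2021-06-10T02:21:00", "10.0.0.40", "jdoe", "success"),
]


def parse_event(rec):
    """Turn one raw record into (datetime, src_ip, user, outcome)."""
    ts, src, user, outcome = rec
    return datetime.fromisoformat(ts), src, user, outcome


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: summary} for every source IP that produced at least
    `threshold` failed logons inside any `window`-long span.

    The summary gives the size of the densest burst, how many distinct user
    names it touched (many users from one IP suggests password spraying),
    and whether the same IP later logged on successfully, which is the case
    that most urgently needs a responder to look at it.
    """
    by_src = defaultdict(list)
    for ts, src, user, outcome in map(parse_event, events):
        by_src[src].append((ts, user, outcome))

    alerts = {}
    for src, recs in by_src.items():
        recs.sort()  # chronological order per source
        fails = [(ts, user) for ts, user, outcome in recs if outcome == "failure"]

        # Sliding window over the sorted failure timestamps: keep the
        # densest span that meets the threshold.
        best = None  # (count, left_index, right_index)
        left = 0
        for right in range(len(fails)):
            while fails[right][0] - fails[left][0] > window:
                left += 1
            count = right - left + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, left, right)
        if best is None:
            continue

        count, left, right = best
        burst = fails[left:right + 1]
        burst_start = burst[0][0]
        success_after = any(
            outcome == "success" and ts >= burst_start for ts, _, outcome in recs
        )
        alerts[src] = {
            "failures": count,
            "distinct_users": len({user for _, user in burst}),
            "success_after_burst": success_after,
        }
    return alerts


if __name__ == "__main__":
    for src, summary in detect_bruteforce(SAMPLE_EVENTS).items():
        print(src, summary)
```

With the constructed input, 10.0.0.25 is reported with six failures against five different accounts followed by a successful logon, while 10.0.0.40 (two failures an hour apart, then a success) stays quiet. Threshold and window are the knobs to tune against a site's normal failed-logon rate; the `success_after_burst` flag is the field worth routing to the highest-priority queue.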
