NEW insights ☠️

Relentless REvil, revealed: RaaS as variable as the criminals who use it

No two criminal groups deploy the ransomware-as-a-service (RaaS), also known as Sodinokibi, in exactly the same way...

(a thread) 1/11
As attacks involving RaaS malware, including REvil, increasingly have generated attention, we wanted to pull together a common body of our knowledge about the ransomware itself, and the variety we observe in attack methods employed by the criminals who lease the software. 2/11
We've also reviewed reports from Sophos Rapid Response about attacks involving Sodinokibi/REvil where the MTR team were hired to provide incident response and cleanup. From these detailed analyses, we were able to develop a picture of a common malware being deployed. 3/11
Typical attack phases:

1. Penetration and initial access
2. Credential harvesting and privilege escalation
3. Tilling the field
4. Deployment of the ransomware

1. Common initial access methods used by criminals who attacked using Sodinokibi/REvil:

▫️ Brute-force attacks
▫️ Abuse of previously-obtained credentials/access
▫️ Piggybacking as a payload from other malware present on the target’s network.

2. Credential harvesting and privilege escalation

If ransomware threat actors haven’t bought a stolen or phished credential, they’ll often quietly monitor the network where the computer on which they gained an initial foothold is located. 6/11
3. Tilling the field

The attackers establish a list of internal targets, give themselves domain admin privileges, and use those privileges to shut down or otherwise hobble anything that might impede their attack. 7/11
4. The final insult: deployment

Attackers have launched the ransomware payload using a wide variety of methods... Sodinokibi/REvil has a few additional options that its operators may take advantage of by launching the malware with special command flags. 8/11
(Some) guidance for IT professionals:

▫️ Monitor and respond to alerts
▫️ Use strong passwords
▫️ Use Multi Factor Authentication (MFA)
▫️ Lock down accessible services
▫️ Segmentation and Zero-Trust
▫️ Inventory your assets and accounts
▫️ Patch everything

Sophos products detect various forms of Sodinokibi/REvil as Troj/Sodino-*, Mem/Sodino-*, and HPMal/Sodino-A.

Users of Sophos LiveDiscover can run SQL queries to interrogate telemetry from devices on their managed network, and hunt for unusual or unexpected behavior. 10/11
Read more from @threatresearch:…

And thank you to SophosLabs researchers @AnandAjjan, Hajnalka Kope, @markloman, and Rapid Response manager @AltShiftPrtScn who contributed to our understanding of REvil attacks and the malware’s behavior.


• • •

Missing some Tweet in this thread? You can try to force a refresh

Keep Current with SophosLabs

SophosLabs Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!


Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @SophosLabs

8 Jun
NEW on Patch Tuesday: Six in-the-wild exploits patched in Microsoft’s June security fix release

Security fixes address five critical vulnerabilities, including scripting and Defender bugs—and one actively exploited flaw in MSHTML...

(a thread) 1/7 Image
The June security update drop has a mere 49 new vulnerability fixes, plus five synchronized fixes delivered by Adobe.

Only five of Microsoft’s bug fixes are rated as critical. But that doesn’t lessen the importance of applying patches as soon as possible. 2/7
All five critical patches are for bugs that are potentially exploitable for remote code execution (RCE). And one of them, a vulnerability in the Windows MSHTML “platform”, is already being exploited. 3/7
Read 7 tweets
2 Jun
NEW: AMSI bypasses remain tricks of the malware trade

Malware developers continue to try to sabotage or evade Microsoft’s Anti-Malware Software Interface in “fileless” and living-off-land attacks...

(a thread) 1/13
As Windows 10 and the latest generation of Windows Server platforms have risen to prominence, malware developers and malicious actors have increasingly aimed to evade detection by taking out those platforms’ anti-malware traffic cop: Microsoft’s Antimalware Scan Interface. 2/13
AMSI, introduced in 2015, provides a way for software to talk to security products, requesting scans of files, memory, or streams for malicious payloads in a vendor-agnostic way. 3/13
Read 13 tweets
1 Jun
A NEW ransomware enters the fray: Epsilon Red

A bare-bones ransomware offloads most of its functionality to a cache of PowerShell scripts...

(a thread) 1/13
Sophos analysts uncovered a new ransomware written in the Go programming language that calls itself Epsilon Red.

The malware was delivered as the final executable payload in a hand-controlled attack in which every other early-stage component was a PowerShell script. 2/13
While the name and tooling were unique to this attacker, the ransom note left behind resembles the note left behind by REvil ransomware, but adds a few minor grammatical corrections.

There were no other obvious similarities between the Epsilon Red ransomware and REvil. 3/13
Read 13 tweets
12 May
NEW RESEARCH: A defender's view inside a #DarkSide ransomware attack ***

What to expect when you’re targeted by a headline-seeking threat actor... (a thread)

The recent ransomware intrusion of a major US gasoline pipeline operator was the work of an affiliate of #DarkSide, a ransomware ring that has been responsible for at least 60 known cases of ransomware double-extortion so far this year.

DarkSide has struck several high-profile victims recently, including companies listed on the NASDAQ stock exchange.

Read 8 tweets
11 May
NEW: May’s Patch Tuesday brings a lighter-than-usual number of Windows updates

... But fewer patches does not make the bugs less dangerous

(a thread) 1/9
The recent history of Patch Tuesday releases has seen Microsoft updating upwards of 100 software bugs every month, but that trend is broken today when the company fixes just 55 vulnerabilities across their products. 2/9
Synchronized to release in parallel with Microsoft’s updates, Adobe is also fixing 11 bugs in their Acrobat Reader software, one of which (CVE-2021-28550/APSB21-29) is reportedly being “exploited in the wild in limited attacks targeting Adobe Reader users on Windows,” 3/9
Read 10 tweets
23 Mar
NEW RESEARCH: Black Kingdom ransomware begins appearing on Exchange servers

A novel, if not particularly well made, ransomware is spreading to Exchange servers that haven't been patched against the ProxyLogon exploit.

(a thread)

1/15 Image
Following the #DearCry ransomware attacks reported on last week, another ransomware gang has also started to target vulnerable Exchange servers with another ransomware, called #BlackKingDom.

Sophos telemetry began detecting the ransomware on Thursday March 18 as it targeted Exchange servers that remain unpatched against the ProxyLogon vulnerabilities disclosed by Microsoft earlier this month.

Read 15 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!