Cyber Security Experts Analysis Of REvil Ransomware: Lethal Mix With Powerful Results

By ISBuzz Team
Writer, Information Security Buzz | Jul 06, 2021 04:59 am PST


Following the news that the REvil ransomware gang has executed a mass supply chain attack through management provider Kaseya and demanded $70m, paid in Bitcoin, in return for unlocking all the files, cybersecurity experts commented below on why combining a supply chain attack with ransomware is a lethal mix with powerful results.

Miles Tappin, VP of EMEA
July 8, 2021 4:19 pm

This latest ransomware attack by REvil raises the stakes significantly for businesses and government agencies that have not shifted to a risk-led approach to cybersecurity.

The time is now to begin quantifying cyber risk in financial and operational terms, integrating real-world cyber threat intelligence, and automating and orchestrating responses. Organisations must adopt this risk-threat-response approach so they can better understand the potential financial and operational impact of the risks they face, the vulnerabilities being targeted and the adversaries attacking the sector.

If companies share information, while also quantifying the risk they face as a company, they can better prepare themselves, and prevent breaches in the long term.

Max Locatelli, Regional Director Western Europe
July 6, 2021 1:28 pm

The REvil ransomware attack, which paralysed companies such as the supermarket chain Coop in Sweden, shows once again that anyone can be targeted. Instead of being blackmailed by cyber criminals, organisations need to proactively prepare defenses to better mitigate against paying a multi-million-dollar ransom. After all, it is not only the possible loss of data that causes enormous damage to companies, but also the long-term consequences due to the loss of trust on the side of customers and partners.

To prevent such damage, companies should rethink their threat prevention strategies. Back-ups are a good option for limiting damage by enabling the IT system to be reset; however, it is much better for companies to be able to detect and defend against the attacks at an early stage. Network visibility is indispensable for this, and companies that want to protect their business proactively and future-proof it in the digital world should take a look at DNS security solutions. Given that a hacker’s communication with the malware in the victim’s system also runs via the DNS, comprehensive insights can help to detect and combat dangerous communication at an early stage, regardless of how large the company is.

Busra Demir, Senior Solutions Architect
July 6, 2021 1:27 pm

Supply chain attacks remind us that you are only as secure as your weakest link, as many of Kaseya’s customers are now experiencing. This attack is an important reminder for the companies who deliver distributed services, as they are under the spotlight of hackers who are looking for a bigger impact on specific industries.

As an MSP you are not only responsible for your business but for that of your customers too. Instead of attacking multiple companies and exploiting their various vulnerabilities or looking for a 0-day in the wild, the cybercriminals took advantage of a company that offers managed services to thousands of businesses to distribute the ransomware and take them down all at once.

The news that Kaseya was working with researchers on the 0-day fix shows how much it came down to a race against the clock. Coordinated vulnerability disclosure helps organisations understand what weaknesses they have, but it all hinges on how fast those vulnerabilities can be fixed. It’s no surprise that so many organisations measure the success of their security testing programs on how fast they can fix the vulnerabilities surfaced.

Adam Enterkin, SVP, EMEA
July 6, 2021 1:22 pm

Acting as a RaaS, REvil relies on affiliates or partners to perform its attacks. The REvil developers receive a percentage of all proceeds from ransom payments. Because the ransomware is distributed by different entities, the initial infection vector can vary; typically, this is either via phishing campaigns, brute force attacks to compromise RDP, or through software vulnerabilities. REvil has not yet been caught, and ransomware-as-a-service will only continue to grow.

However, organisations can avoid becoming victims by stopping malware at the exploitation stage through increasing resilience, reducing infrastructure complexity, and streamlining security management. Endpoint detection and response (EDR) focused solutions often take action too late and cannot always stop breaches. Prevention is the best strategy: stopping attacks before they execute. This is entirely possible with next generation solutions that use AI to identify and block malware. Organisations must lead with a prevention-first approach using the fullest capabilities of AI.

Christos Betsios, Cyber Operations Officer
July 6, 2021 1:20 pm

Definitely the largest ransomware attack in history; it is really brilliant to combine a supply chain attack with a ransomware attack, especially when you compromise a solution that is designed to allow administration of systems with high level privileges. It was not long ago that we had encountered the SolarWinds supply chain attack, and the industry had just started getting over it, and here we go again facing a similar situation with Kaseya’s IT management software tool, largely used in Managed Service Provider (MSP) environments. Even worse, this is not something new: REvil’s predecessor Gandcrab has done it twice back in 2019 by using Kaseya’s software to launch their attacks. The key is always to be prepared for the worst-case scenario; even if proper patch management and vulnerability management programs are in place, we are not secure anymore. Attackers will continue to try to compromise big software vendors and distribute their malicious code via them. MDR services are more necessary than ever, since they enable a better understanding of risks and help enterprises to respond to detected threats more rapidly.

