On 2 July 2021, it became known that the REvil ransomware gang had carried out a large-scale attack against Managed Service Providers (MSPs) and their clients around the world. The far-reaching attack affected firms across 22 countries, including South Africa, the UK, Canada, Argentina, Mexico and Spain, amongst others.
This left thousands of companies as potential ransomware victims. At the time of writing, Kaspersky reports that its researchers have already observed over 5000 infection attempts in Europe, North America and South America.
REvil Ransomware Group
REvil (aka Sodinokibi) is one of the most prolific ransomware-as-a-service (RaaS) operators that first surfaced in 2019, and made numerous headlines in the past few months due to the targets they hit and their record ransomware earnings.
In this latest attack, REvil compromised a provider of IT management software for MSPs, affecting multiple companies across the world. The attackers deployed a malicious payload via a PowerShell script which, in turn, was presumably executed through the MSP provider’s software.
This script disabled Microsoft Defender for Endpoint protection features and then decoded a malicious executable, which bundled a legitimate, Microsoft-signed binary (an older version of the Microsoft Defender executable) together with a malicious DLL containing the REvil ransomware.
Because the legitimate binary loads a DLL by name from its own directory, dropping the malicious DLL next to it makes the trusted, signed process execute the ransomware: the DLL side-loading technique. This loader construction let the attackers hit multiple organisations while the payload ran under the cover of a trusted Microsoft process.
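As an added example (not part of the original article and not Kaspersky's tooling), the following Python sketches detection logic for the two behaviours just described: a PowerShell command line that weakens Defender through Set-MpPreference, and a Defender engine binary (MsMpEng.exe) loading a DLL from outside the Defender install directories or without a Microsoft signature. The log records are constructed for the example; the staging directory, the platform version folder and the signer strings are assumptions about what an EDR or Sysmon image-load event would report, not data from the incident.

```python
"""Detection sketch for Defender tampering and Defender-binary DLL side-loading.

Added example, not from the article. All sample records below are constructed.
"""
import ntpath
from dataclasses import dataclass
from typing import Optional

# Set-MpPreference parameters and the values that weaken protection.
# Parameter names are the cmdlet's real names; PowerShell is case-insensitive,
# so everything is compared in lower case. Numeric enum aliases are included.
WEAKENING_VALUES = {
    "disablerealtimemonitoring": {"$true", "1"},
    "disableintrusionpreventionsystem": {"$true", "1"},
    "disableioavprotection": {"$true", "1"},
    "disablescriptscanning": {"$true", "1"},
    "disablebehaviormonitoring": {"$true", "1"},
    "enablecontrolledfolderaccess": {"disabled", "0"},
    "mapsreporting": {"disabled", "0"},
    "submitsamplesconsent": {"neversend", "2"},
}

# Defender engine/service binaries that an attacker might copy elsewhere and
# the directories they legitimately run from (trailing backslash keeps the
# prefix match from spilling into sibling directories).
DEFENDER_BINARIES = {"msmpeng.exe", "mpcmdrun.exe", "nissrv.exe"}
TRUSTED_DEFENDER_DIRS = (
    r"c:\program files\windows defender" + "\\",
    r"c:\programdata\microsoft\windows defender\platform" + "\\",
)


def defender_tampering(command_line: str) -> list:
    """Return 'parameter=value' for every weakening Set-MpPreference setting."""
    if "set-mppreference" not in command_line.lower():
        return []
    tokens = command_line.split()
    findings, i = [], 0
    while i < len(tokens):
        tok = tokens[i]
        if not tok.startswith("-"):
            i += 1
            continue
        if ":" in tok:                       # -Name:Value form
            name, value = tok[1:].split(":", 1)
            i += 1
        elif i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
            name, value = tok[1:], tokens[i + 1]   # -Name Value form
            i += 2
        else:                                # bare switch such as -Force
            name, value = tok[1:], ""
            i += 1
        if value.lower() in WEAKENING_VALUES.get(name.lower(), ()):
            findings.append(f"{name.lower()}={value.lower()}")
    return findings


@dataclass
class ImageLoad:
    """One image-load record as a sensor would report it (constructed shape)."""
    process_image: str
    loaded_image: str
    signer: Optional[str]      # None when the loaded DLL carries no signature


def sideload_indicator(ev: ImageLoad) -> Optional[str]:
    """Flag a Defender binary running from, or loading a DLL from, the wrong place."""
    proc, dll = ev.process_image.lower(), ev.loaded_image.lower()
    if ntpath.basename(proc) not in DEFENDER_BINARIES:
        return None
    reasons = []
    if not proc.startswith(TRUSTED_DEFENDER_DIRS):
        reasons.append("Defender binary outside its install directories")
    if not dll.startswith(TRUSTED_DEFENDER_DIRS):
        reasons.append("DLL outside Defender install directories")
    if not (ev.signer or "").lower().startswith("microsoft"):
        reasons.append("DLL not Microsoft-signed")
    if not reasons:
        return None
    return f"{ev.process_image} loaded {ev.loaded_image}: " + "; ".join(reasons)


def analyze(command_lines, image_loads) -> list:
    """Run both checks and return human-readable findings."""
    findings = []
    for cl in command_lines:
        hits = defender_tampering(cl)
        if hits:
            findings.append("Defender tampering: " + ", ".join(hits))
    for ev in image_loads:
        hit = sideload_indicator(ev)
        if hit:
            findings.append("Possible DLL side-loading: " + hit)
    return findings


# Constructed sample records (not from the incident).
SAMPLE_COMMAND_LINES = [
    "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true "
    "-DisableIOAVProtection $true -DisableScriptScanning $true "
    "-EnableControlledFolderAccess Disabled -MAPSReporting Disabled "
    "-SubmitSamplesConsent NeverSend -Force",                 # tampering
    "powershell.exe Set-MpPreference -ScanScheduleDay Sunday -Force",  # benign
    "powershell.exe Get-Process",                              # unrelated
]
SAMPLE_IMAGE_LOADS = [
    ImageLoad(r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2106.5-0\MsMpEng.exe",
              r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2106.5-0\mpsvc.dll",
              "Microsoft Windows"),                            # legitimate load
    ImageLoad(r"C:\Users\Public\staging\MsMpEng.exe",          # hypothetical drop dir
              r"C:\Users\Public\staging\mpsvc.dll", None),     # unsigned look-alike DLL
    ImageLoad(r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\ntdll.dll", "Microsoft Windows"),
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_COMMAND_LINES, SAMPLE_IMAGE_LOADS):
        print(finding)
```

The tampering check deliberately keys on parameter values rather than on the presence of Set-MpPreference alone, so routine administrative use of the cmdlet does not fire. The side-loading check flags the Defender binary itself when it runs from outside its install directories, which catches the loader even on hosts where the sensor does not report DLL signatures.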
Kaspersky says its Threat Intelligence Service has recorded more than 5000 attack attempts in 22 countries, the most affected being Italy (45.2% of registered attack attempts), the USA (25.91%), Colombia (14.83%), Germany (3.21%) and Mexico (2.21%).
“Ransomware gangs and their affiliates continue to up their game after high-profile attacks on the Colonial Pipeline and JBS, and many other organisations in different countries since then. This time, REvil operators have carried out a massive attack on MSPs with thousands of managed businesses around the world, infecting them as well,” comments Vladimir Kuskov, Head of Threat Exploration at Kaspersky.
“This case once again demonstrates how important it is to implement proper cybersecurity measurements and solutions at all stages – including suppliers and partners.”
Kaspersky detects REvil’s malware with the following names:
- PDM:Trojan.Win32.Generic (with Behavior Detection)
$70 Million for Ransom
REvil has since allegedly demanded $70 million in Bitcoin for a universal decryptor, according to two cybersecurity experts who reviewed an announcement on the group’s website. A universal decryptor would allow every victim to recover all the data currently being held for ransom, rather than each paying separately.
“At this time, our evidence shows that more than 70 managed service providers were impacted, resulting in more than 350 further impacted organizations,” said Ross McKerchar, VP and CISO at Sophos.
Edited by Luis Monzon