Global ransomware group reappears; did it ever leave?

Brian Linder is an Emerging Threats Expert and Evangelist in Check Point’s Office of the CTO, specializing in the Modern Secured Workforce. Brian has appeared multiple times on CNBC, Fox, ABC, NBC, CBS, and NPR radio, and hosts Check Point’s CoffeeTalk Podcast and Weaponizers Underground, and has teamed on keynote CyberTalks at Check Point’s CPX360 events. For 20+ years, Brian has been an advisor at the C-level to firms big and small in financial, legal and telecommunications, on next generation cybersecurity solutions and strategies for cloud, mobile, and network. Brian holds a B.S. in computer science from Drexel University and an M.S. in Information Science from the Pennsylvania State University. 

Workforce Security Expert Brian Linder shares insights into the 12,000 lb. wrecking ball that is ransomware. Moreover, he takes a close look at the REvil ransomware gang, explaining who they are, why they pose a significant threat, and how organizations can regain control in the fight against ransomware. Discover how you can quickly strategize around and competently execute cutting-edge ransomware prevention and defense methodologies.

Can you share a bit about REvil’s development and trajectory?

This particular ransomware gang has evolved through the years. The REvil group may have started out under the moniker of GandCrab, and it’s also known as Sodinokibi. Acclaimed cyber security researcher Brian Krebs started tracking it in 2016.

And, after the July 4th weekend attack on the IT firm known as Kaseya, REvil suddenly went offline. It was a moment of international interest, and we were not sure why it occurred.

Perhaps they went quiet in fear of law enforcement, a theory that seems a bit unlikely. Some experts have suggested that REvil disappeared due to internal discord. In the way that famous rock bands enjoy great success and then split up because their egos get the better of them, the same may have occurred among the members of the REvil group.

In early September, we saw some evidence suggesting that REvil would reemerge right out of the dust. Some of their tools reappeared online and their blog also reappeared. There was widespread discussion that perhaps this reemergence was simply a law enforcement effort to experiment with some of REvil’s infrastructure and tools. While this is possible, we lack evidence indicating that it’s not the REvil operators themselves.

What might REvil’s return look like?

What I’ve theorized, and still stand by, is that there will be some kind of a signal, a semaphore placed on the dark web, notifying partners and affiliates that they are back in business. Remember, a successful ransomware platform like REvil is not just operating by itself. The group continually recruits partners. Together, REvil and partners launch a ransomware attack and then split the profits.

Why is REvil more dangerous than the average ransomware group?

First of all, REvil is likely perceived as the ‘top company’ to work for in the ransomware cottage industry. They are highly organized. Some researchers believe that, as in any competitive economy, REvil is attracting the best ransomware and cyber attacker talent.

The people running the REvil show are smart, quick to learn, and develop products that their partners are interested in deploying. In the world of cyber attack products, REvil is well-liked by hackers.

Why is this? The group has mastered the art of multiple extortion threats. In other words, they have determined which threats, and in what quantity, they can hold over a company’s head to increase the odds that the enterprise will pay the ransom.

Can you speak to the recent law enforcement actions around the REvil group?

As you know, the recent Kaseya ransomware attack, conducted by the REvil group, disrupted more than a thousand organizations around the world. Managed service providers became conduits of the attack, which then affected unsuspecting small businesses, from dentists’ offices to restaurants.

While companies scrambled to restore their infrastructure, the Federal Bureau of Investigation (FBI) actually had REvil’s ransomware decryption key within its possession. The FBI held onto it due to an intention to execute a related sting operation that would expunge the group from the internet.

Even if the FBI manages to root out and shut down REvil across international borders, and even if they make a public example of some of the leaders in that group, my belief is that REvil will simply reappear and reorganize under a new brand name.

As noted previously, members of REvil will also likely pursue a communication with their business partners to inform them that they’ve rebranded. To that effect, ‘is it even a worthwhile effort for law enforcement to pursue this?’ is a point of contention.

How can companies protect themselves?

The most pressing question is always ‘should we pay the ransom?’

Most companies, when hit with ransomware, have not done any preparedness training. Nor have they put any forethought into whether or not to pay a ransom. If struck by ransomware attackers, these enterprises will not have much of a choice: they will have to pay a ransom and hope for the best. If they decide against paying the ransom, they might face weeks and weeks of recovery time and high costs. However, companies that invest in ransomware prevention and detection tools will come out ahead.

Specifically, companies need to invest in the right controls on their endpoints. Training users and air gapping backups are definitely important things to do, but deploying controls to stop phishing emails before they ever reach users, and other means of deploying controls at the beginning of the attack chain, are among the most effective means of avoiding ransomware.

Can administrators deploy a control that stops ransomware encryption in its tracks?

Yes, it is possible to deploy a control that stops ransomware encryption in its tracks. How to stop ransomware is a problem that can be solved. What companies need are scalable, unified means of stopping ransomware within an ecosystem of innovation. Check Point, for example, is leading this charge with a product known as Harmony.
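To make the idea of a control that catches encryption in progress concrete, the following is an added example, not code from this interview or from Check Point’s Harmony product. It is a minimal behavioural detector of the kind an endpoint control can run: it consumes a stream of file-write events and flags a process that modifies a planted canary file, or that rewrites many files with near-random (high-entropy) content under one new extension within a short window. The event stream, paths, thresholds and the `WriteEvent`/`EncryptionDetector` names are all constructed for this example.

```python
"""Added example: behavioural detection of ransomware-style encryption.
Not the interviewee's or any vendor's code; all events below are constructed."""
import math
import os
import random
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class WriteEvent:
    ts: float      # event time in seconds (constructed)
    pid: int       # writing process id (constructed)
    path: str      # file written
    data: bytes    # bytes written


# Assumed tunables: real controls derive these from baselines of normal activity.
CANARY_PATHS = {"/home/user/.canary/do_not_touch.docx"}   # planted decoy file
ENTROPY_THRESHOLD = 7.2   # bits/byte; office docs and source code are usually far lower
RATE_THRESHOLD = 20       # high-entropy writes inside one window before alerting
WINDOW_SECONDS = 5.0      # sliding window length


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; ~8.0 for ciphertext, well below 6 for plaintext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


class EncryptionDetector:
    def __init__(self):
        # pid -> [(ts, extension)] of recent high-entropy writes
        self.recent = defaultdict(list)

    def observe(self, ev: WriteEvent):
        """Return (pid, reason) when the write looks like encryption, else None."""
        # Touching the canary is never legitimate, so alert immediately.
        if ev.path in CANARY_PATHS:
            return (ev.pid, "canary file modified")
        if shannon_entropy(ev.data) < ENTROPY_THRESHOLD:
            return None  # plaintext-looking write; ignore
        ext = os.path.splitext(ev.path)[1]
        hist = self.recent[ev.pid] + [(ev.ts, ext)]
        # keep only writes inside the sliding window
        hist = [(t, e) for t, e in hist if ev.ts - t <= WINDOW_SECONDS]
        self.recent[ev.pid] = hist
        if len(hist) >= RATE_THRESHOLD:
            top_ext, top_n = Counter(e for _, e in hist).most_common(1)[0]
            # mass rewrite to one new extension is the classic encryption signature
            if top_n / len(hist) > 0.8:
                return (ev.pid, f"{len(hist)} high-entropy writes, mostly to '{top_ext}'")
        return None


def run(events):
    """Feed events through one detector and collect every alert it raises."""
    det = EncryptionDetector()
    return [a for a in (det.observe(ev) for ev in events) if a]


def sample_events():
    """Constructed stream: a benign editor (pid 100) and an encrypting process (pid 200)."""
    rng = random.Random(1)  # fixed seed keeps the example deterministic
    evs = []
    for i in range(30):  # plaintext saves, one every 100 ms
        evs.append(WriteEvent(i * 0.1, 100, f"/home/user/docs/note{i}.txt", b"meeting notes " * 40))
    for i in range(25):  # random-looking bytes written under a new extension
        blob = bytes(rng.getrandbits(8) for _ in range(1024))
        evs.append(WriteEvent(10 + i * 0.1, 200, f"/home/user/docs/report{i}.xlsx.locked", blob))
    evs.append(WriteEvent(13.0, 200, "/home/user/.canary/do_not_touch.docx", b"x"))
    return evs


if __name__ == "__main__":
    for pid, reason in run(sample_events()):
        print(f"ALERT pid={pid}: {reason}")
```

The detector raises its first rate alert on the 20th high-entropy write by pid 200 and keeps alerting on each later one, then flags the canary write; a real control would suspend or kill the process on the first alert rather than keep logging. The benign process never trips either check because its writes are low-entropy, which is the property the thresholds rely on.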

Quick tips for leaders to help prepare for the next inevitable ransomware attack:

  1. Air gap backups: Make sure the backups are not connected to the same network that might get hit.
  2. Sit down with an incident response team proactively. Don’t wait.
  3. Expect that you or your users will be the weakest link in the chain; put safeguards in place that cut down on user risk.

Ransomware is not a lost cause. However, beating ransomware requires making significant cyber security investments well ahead of the day when a ransomware attack begins.
