What is REvil Ransomware?

REvil, also known as Sodinokibi, is a ransomware strain that has been one of the most prolific and dangerous cyber threats since its emergence in April 2019. It operates on a ransomware-as-a-service (RaaS) model, where the developers create the ransomware and affiliates distribute it. In return, the profits from ransom payments are split between the developers and the affiliates. This model allows for rapid distribution and a wider range of attacks.

REvil is known for its double-extortion tactic, where the attackers not only encrypt the victim's files, making them inaccessible, but also steal data before encrypting the files. The attackers then threaten to release the stolen data on public websites unless an additional ransom is paid. This increases the pressure on victims to pay the ransom to avoid the potentially devastating consequences of having sensitive data exposed publicly.

The ransomware targets a wide range of industries and has been responsible for several high-profile attacks. Initial access is typically gained through phishing emails, compromised RDP (Remote Desktop Protocol) credentials, or known vulnerabilities in public-facing applications.

REvil has been linked to various countries and has had a global impact, affecting organizations worldwide. Due to its significant threat, law enforcement agencies and cybersecurity firms have been actively working to combat this ransomware. There have been instances where decryption keys have been released, allowing victims to recover their data without paying the ransom, and law enforcement actions have temporarily disrupted the operations of the REvil group. However, the adaptability and resilience of ransomware groups like REvil make them an ongoing threat in the cybersecurity landscape.

Who has been targeted by REvil ransomware?

REvil ransomware has targeted a wide range of entities across various sectors worldwide, impacting organizations both large and small. Some of the notable targets and sectors include:

  1. Kaseya (July 2021): Perhaps one of the most significant attacks was on Kaseya, a software company that provides IT management solutions. The ransomware exploited a vulnerability in Kaseya's VSA software, affecting around 1,500 businesses worldwide, including many small businesses that relied on Kaseya's software through managed service providers (MSPs).
  2. Acer (March 2021): The electronics and computer manufacturer Acer was reportedly hit by REvil ransomware, with the attackers demanding a $50 million ransom, one of the largest known demands at the time.
  3. Travelex (December 2019): The foreign exchange company Travelex was attacked on New Year’s Eve, leading to significant disruption in its operations. The attackers demanded a $6 million ransom.
  4. JBS Foods (May 2021): JBS Foods, one of the world's largest meat processing companies, was forced to shut down operations in some countries, including the United States, due to a REvil ransomware attack. The company paid an $11 million ransom to resume operations.
  5. Entertainment and media law firms: REvil has targeted law firms representing high-profile celebrities and media companies, threatening to release sensitive legal documents unless a ransom was paid.
  6. Healthcare and public health sectors: Hospitals and healthcare providers have also been victims of REvil ransomware, highlighting the threat to critical infrastructure and services.
  7. Educational institutions and local governments: Various schools, universities, and local government entities have been targeted, disrupting services and leading to financial and operational challenges.

These examples illustrate the broad scope of REvil's targeting strategy, impacting critical infrastructure, the private sector, and public services across different countries. The attackers have shown a willingness to target any organization from which they believe they can extort significant ransom payments, underlining the importance of robust cybersecurity measures and preparedness for organizations across all sectors.

What encryption does REvil ransomware use?

REvil ransomware uses a combination of asymmetric and symmetric encryption algorithms to encrypt the files of its victims, a common approach among sophisticated ransomware strains to ensure the security of the encryption while maintaining efficiency.

  1. Symmetric Encryption (AES): For the actual file encryption process, REvil uses AES (Advanced Encryption Standard) with a 256-bit key. AES is a widely used symmetric encryption algorithm due to its speed and security. In this context, "symmetric" means that the same key is used for both encrypting and decrypting the files. Each file is encrypted with a unique AES key.
  2. Asymmetric Encryption (RSA): The individual AES keys used to encrypt files are then encrypted with an RSA public key, implementing asymmetric encryption. RSA uses a pair of keys: a public key that can be shared openly for encrypting data, and a private key that is kept secret by the attacker for decrypting data. The RSA key pair is generally of a high bit length, often 2048 bits or more, making it computationally infeasible to crack with current technology. The use of RSA ensures that only the attacker, who possesses the corresponding RSA private key, can decrypt the AES keys used to encrypt the victim's files.

This combination allows REvil to efficiently encrypt large quantities of data while ensuring that the decryption keys can only be accessed by paying the ransom to obtain the private RSA key from the attackers. The sophistication of the encryption process used by REvil and similar ransomware makes it nearly impossible to decrypt the affected files without the unique keys, underscoring the critical importance of preventive measures, timely backups, and strong cybersecurity defenses to mitigate the risk of such attacks.

How can NAC help prevent REvil ransomware?

Network Access Control (NAC) is a critical security solution that can help prevent REvil ransomware attacks, along with a range of other cybersecurity threats. NAC does this by enforcing policies that control access to an organization's network and by monitoring and regulating the behavior of all devices connected to it. Here's how NAC can help in preventing REvil ransomware attacks:

  1. Device Authentication and Authorization: NAC systems require devices to be authenticated before they can access the network. This ensures that only authorized devices can connect, reducing the risk of infected devices introducing ransomware like REvil into the network.
  2. Access Control Policies: NAC allows for the creation and enforcement of granular access control policies. These policies can restrict what resources a device can access based on the device's role, location, security posture, and other attributes. By limiting access to sensitive areas of the network, NAC can reduce the attack surface available to ransomware.
  3. Segmentation: Through network segmentation, NAC can isolate critical parts of the network or quarantine devices that do not comply with security policies. If a device is compromised or behaves suspiciously, it can be automatically isolated to prevent the spread of ransomware across the network.
  4. Endpoint Compliance Checks: NAC systems can assess whether devices comply with an organization's security policies before they are allowed network access. This includes checking for up-to-date antivirus software, required security patches, or the absence of prohibited applications. Devices that do not meet these criteria can be denied access or placed into a quarantine area until they are compliant, reducing the risk of ransomware infection.
  5. Behavior Analysis and Anomaly Detection: Some advanced NAC solutions offer the ability to monitor the network for unusual behavior that might indicate a ransomware attack. For example, if a device starts trying to encrypt files on a network share, this could be flagged as suspicious activity, and the device could be automatically isolated.
  6. Security Posture Assessment: NAC can continuously assess the security posture of devices as they access the network. If a device's security posture changes (e.g., a security application is disabled), NAC can respond in real-time to mitigate potential threats.

By implementing these measures, NAC can play a significant role in an organization's defense-in-depth strategy, reducing the likelihood of successful REvil ransomware attacks and mitigating their impact should they occur. It's important to note, however, that NAC is just one component of a comprehensive cybersecurity strategy that should also include employee training, regular backups, and other security measures to protect against a variety of cyber threats.
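To make the behavior-analysis point concrete, here is an added example (not from this page or any NAC product) of the kind of check a NAC policy engine could run over file-share audit events: it flags a device that rewrites or renames many files across several directories under one new extension within a collection window and returns a quarantine verdict per device. The event schema, the sample window and the thresholds are all constructed for this example.

```go
package main

import "path"

// Event is one file-share audit record (constructed schema; real formats differ).
type Event struct {
	Host, Op, Path string // device, "read"/"write"/"rename", path after the op
}

// Assess returns, per device, whether NAC should quarantine it: at least minFiles
// files modified across at least minDirs directories, one extension covering topExtPct.
func Assess(events []Event, minFiles, minDirs int, topExtPct float64) map[string]bool {
	files := map[string]int{}            // host -> files written or renamed
	dirs := map[string]map[string]bool{} // host -> directories touched
	exts := map[string]map[string]int{}  // host -> extension -> count
	for _, e := range events {
		if e.Op != "write" && e.Op != "rename" {
			continue // reads alone are ordinary; only modifications score
		}
		if exts[e.Host] == nil {
			exts[e.Host], dirs[e.Host] = map[string]int{}, map[string]bool{}
		}
		files[e.Host]++
		dirs[e.Host][path.Dir(e.Path)] = true
		exts[e.Host][path.Ext(e.Path)]++
	}
	verdict := map[string]bool{}
	for host, n := range files {
		top := 0 // count of the most common extension for this host
		for _, c := range exts[host] {
			if c > top {
				top = c
			}
		}
		verdict[host] = n >= minFiles && len(dirs[host]) >= minDirs && float64(top)/float64(n) >= topExtPct
	}
	return verdict
}

// SampleWindow is one constructed collection window: ws-17 rewrites four files in
// three directories under one new extension (plus one ordinary write); ws-02 is normal.
var SampleWindow = []Event{
	{"ws-17", "rename", "/finance/q1/budget.xlsx.locked"},
	{"ws-17", "write", "/finance/q1/forecast.docx.locked"},
	{"ws-17", "rename", "/hr/reviews/2023.pdf.locked"},
	{"ws-17", "write", "/legal/nda/acme.docx.locked"},
	{"ws-17", "write", "/legal/nda/readme.txt"},
	{"ws-02", "read", "/finance/q1/budget.xlsx"},
	{"ws-02", "write", "/finance/q1/notes.txt"},
}
```

With the sample window, `Assess(SampleWindow, 4, 2, 0.75)` quarantines ws-17 only; raising the extension share to 0.9 clears it, since one of its five modifications kept a normal extension.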