REvil ransom seizure: what this attack means for the cyber security sector

Originally written by Oliver Pinson-Roxburgh, CEO & Co-Founder of Defense.com

Notoriously weaponised by the Russian-led criminal gang of the same name, REvil ransomware has been used against companies, and individuals, around the world for the past few years.

Through stealing sensitive data and extorting money, this cyber weapon has left many businesses in fear of falling victim to an attack, and concerned about the hefty price tag that comes with it.

Even with the arrests in early November 2021, made possible by a joint task force between Romanian police, the US Department of Justice (DOJ) and Europol, it’s unknown what the future holds for REvil, or for cyber-attacks more broadly.

What is REvil Ransomware and what does it do?

Also known as Sodinokibi, REvil is a criminal ransomware-as-a-service (RaaS) group that has gained notoriety in recent years for stealing unencrypted and sensitive data from unprotected networks and computers before demanding large payments from the victims. It’s very lucrative for cybercriminals, with REvil often demanding between $1,500 and $42m, up to 9% of a company’s yearly revenue.

The REvil Ransomware itself is a program deployed through human-operated campaigns in which hackers use tools and techniques to map a network, gain access to internal systems and deploy the ransomware on as many computers as possible to maximise the damage.

To set REvil apart from other ransomware programs, and to make it more effective, it uses an Elliptic-Curve Diffie-Hellman (ECDH) key exchange. This algorithm achieves strong security with shorter keys, is computationally efficient and is harder to break.
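To show what an ECDH key agreement actually does, here is an added teaching example (not code from the article, and not REvil's own implementation) over a deliberately tiny curve with constructed parameters: y^2 = x^3 + 2x + 3 mod 97 with generator (3, 6). The point for defenders is that both sides reach the same shared secret from the other's public point alone, so an observer holding only the two public points has no practical route to the secret without one of the private scalars; real deployments use standardised curves with enormous group orders, not this five-point toy.

```python
# Toy elliptic-curve Diffie-Hellman over y^2 = x^3 + 2x + 3 (mod 97) with
# generator G = (3, 6). Constructed for illustration only: this group has just
# five points, so it is a teaching aid and nothing like a deployable curve.
P, A, B = 97, 2, 3
G = (3, 6)
INF = None  # point at infinity, the group identity


def on_curve(pt):
    """True for the identity or any affine point satisfying the curve equation."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0


def point_add(p1, p2):
    """Affine group law, covering identity, inverse and doubling cases."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF  # p2 is the inverse of p1 (also catches doubling a y == 0 point)
    if p1 == p2:
        slope = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        slope = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (slope * slope - x1 - x2) % P
    y3 = (slope * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, pt):
    """Double-and-add: compute k * pt."""
    result, addend = INF, pt
    while k > 0:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def ecdh_demo(priv_a, priv_b):
    """Each side combines its own private scalar with the other's public point.
    Returns (pub_a, pub_b, shared_a, shared_b); the two shared values are equal."""
    pub_a = scalar_mult(priv_a, G)          # sent in the clear
    pub_b = scalar_mult(priv_b, G)          # sent in the clear
    shared_a = scalar_mult(priv_a, pub_b)   # a * (b * G)
    shared_b = scalar_mult(priv_b, pub_a)   # b * (a * G)
    return pub_a, pub_b, shared_a, shared_b
```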

What is the impact of REvil Ransomware?

Following the increase in cyber-attacks in the past 18 months, the arrest of known REvil associates is a great step forward in the cyber security world. REvil has operated across the globe as one of the most prolific and dangerous cybercrime gangs around.

This includes running their “Happy Blog”, which not only names and shames those who don’t pay the ransom but also publishes their stolen data.

However, although the arrests of REvil associates are great news, they do not mean the end of ransomware attacks, or of any other type of cyber security attack. As cybercriminals become more sophisticated, the volume of attacks is likely to continue to grow.

For example, in the U.S. in 2021, the number of cyber-attacks and data breaches recorded by October had already exceeded the total for the whole of 2020, according to the Identity Theft Resource Center (ITRC).

It’s still unknown what will happen to REvil in the coming months and years, whether the group stays active or shuts down operations. However, REvil is just one perpetrator amongst thousands of cybercriminals, so it’s vital for businesses to protect themselves against ransomware and other cyber-attacks.

How can businesses protect themselves against REvil Ransomware?

Although there is no single easy way to prevent your business from becoming the victim of a ransomware attack, a combination of tools and techniques can be deployed.

Some techniques are as simple as:

However, there are also more technical approaches that can be taken to better protect an organisation from cyber-attacks, including ransomware:

Retain incident response services

Although many businesses do not have active IR retainers in place, they can be of real value, with many IR retainers covering services beyond the operation and configuration of security tools. They also eliminate the time lost to vendor negotiations and paperwork when an incident is under way, allowing a business to focus on response actions.