REvil ransomware attack against MSPs and its clients around the world
#1
Bug 
Quote:
[Image: green_digits_abstract-1200x600.jpg]

An attack perpetrated by REvil aka Sodinokibi ransomware gang against Managed Service Providers (MSPs) and their clients was discovered on July 2. Some of the victims have reportedly been compromised through a popular MSP software which led to encryption of their customers. The total number of encrypted businesses could run into thousands.

REvil ransomware has been advertised on underground forums for three years and it is one of the most prolific RaaS operations. According to an interview with the REvil operator, the gang earned over $100 million from its operations in 2020. The group’s activity was first observed in April 2019 after the shutdown of GandCrab, another now-defunct ransomware gang. More details about that gang can be found in our articles Ransomware world in 2021: who, how and why and Sodin ransomware exploits Windows vulnerability and processor architecture.

In this latest case, the attackers deployed a malicious dropper via the PowerShell script, which, in turn, was executed through the vendor’s agent.

This script disables Microsoft Defender features and then uses the certutil.exe utility to decode a malicious executable (agent.exe) that drops a legitimate Microsoft binary (MsMpEng.exe, an older version of Microsoft Defender) and malicious library (mpsvc.dll), which is the REvil ransomware. This library is then loaded by the legitimate MsMpEng.exe by utilizing the DLL side-loading technique (T1574.002).

Using our Threat Intelligence service, we observed more than 5,000 attack attempts in 22 countries by the time of writing.

REvil uses the Salsa20 symmetric stream algorithm for encrypting the content of files and the keys for it with an elliptic curve asymmetric algorithm.

Decryption of files affected by this malware is impossible without the cybercriminals’ keys due to the secure cryptographic scheme and implementation used in the malware.

Kaspersky products protect against this threat and detect it with the following names:
  • UDS: DangerousObject.Multi.Generic
  • Trojan-Ransom.Win32.Gen.gen
  • Trojan-Ransom.Win32.Sodin.gen
  • Trojan-Ransom.Win32.Convagent.gen
  • PDM:Trojan.Win32.Generic (with Behavior Detection)
The vendor whose software was reportedly compromised, issued a special advisory which is being periodically updated.

To keep your company protected against ransomware 2.0 attacks, Kaspersky experts recommend:
  • Not exposing remote desktop services (such as RDP) to public networks unless absolutely necessary and always using strong passwords for them.
  • Promptly installing available patches for commercial VPN solutions providing access for remote employees and acting as gateways in your network.
  • Always keeping software updated on all the devices you use to prevent ransomware from exploiting vulnerabilities.
  • Focusing your defense strategy on detecting lateral movements and data exfiltration to the internet. Pay special attention to the outgoing traffic to detect cybercriminals’ connections. Back up data regularly. Make sure you can quickly access it in an emergency when needed. Use the latest Threat Intelligence information to stay aware of actual TTPs used by threat actors.
  • Using solutions like Kaspersky Endpoint Detection and Response and the Kaspersky Managed Detection and Response service which help to identify and stop attacks at the early stages, before the attackers reach their main goals.
  • Protecting the corporate environment and educating your employees. Dedicated training courses can help, such as those provided in the Kaspersky Automated Security Awareness Platform. A free lesson on how to protect against ransomware attacks is available here.
  • Using a reliable endpoint security solution such as Kaspersky Endpoint Security for Business that is powered by exploit prevention, behavior detection and a remediation engine that can roll back malicious actions. KESB also has self-defense mechanisms that can prevent its removal by cybercriminals.
Indicators of Compromise

agent.cer (encrypted agent.exe)
95F0A946CD6881DD5953E6DB4DFB0CB9
agent.exe
561CFFBABA71A6E8CC1CDCEDA990EAD4
mpscv.dll, REvil ransomware
7EA501911850A077CF0F9FE6A7518859
A47CF00AEDF769D60D58BFE00C0B5421
...
Continue Reading
Reply


Forum Jump:


Users browsing this thread: 2 Guest(s)
[-]
Welcome
You have to register before you can post on our site.

Username/Email:


Password:





[-]
Recent Posts
UltraSearch 4.6.0.1091
UltraSearch 4.6.0....harlan4096 — 10:38
Brave 1.73.91
Release Channel 1....harlan4096 — 10:11
AdGuard Browser Extension 5.0.169 (MV3)
AdGuard Browser Ex...harlan4096 — 10:10
uBOLite_2024.11.20.858
uBOLite_2024.11.20...harlan4096 — 10:09
CrystalDiskInfo 9.5.0 [2024/11/20]
9.5.0 ​ Added D...harlan4096 — 10:08

[-]
Birthdays
Today's Birthdays
No birthdays today.
Upcoming Birthdays
avatar (56)Stefanos

[-]
Online Staff
There are no staff members currently online.

>