Domino effect: 5000 attack attempts in 22 countries detected as a result of REvil

hacked device- data breach

On July 2, it became known that the REvil ransomware gang perpetrated a large attack against Managed Service Providers (MSPs) and its clients around the world. This led to thousands of companies becoming potential victims of ransomware. At the moment of writing, Kaspersky researchers have already observed over 5000 infection attempts in Europe, North and South America.

REvil (aka Sodinokibi) is one of the most prolific ransomware-as-a-service (RaaS) operators that first surfaced in 2019, and made numerous headlines in the past few months due to the targets they hit and their record ransomware earnings. In this latest attack, REVil infected a provider of IT Management Software for MSP, affecting multiple companies across the world. The attackers deployed a malicious payload via PowerShell script, which, in turn, was presumably executed through the MSP provider’s software.

This script disabled Microsoft Defender for Endpoint protection features and then decoded a malicious executable, which included a legitimate Microsoft binary, an older version of the Microsoft Defender solution, and a malicious library containing REvil ransomware. Using this combination of components in the loader, the attackers were able to exploit the DLL side-loading technique and attack multiple organizations.

Geography of attempted attacks based on Kaspersky’s telemetry

map.png

Using its Threat Intelligence Service, Kaspersky observed more than 5000 attack attempts in 22 countries, with the most affected being Italy (45.2% registered attack attempts), the USA (25.91%), Colombia (14.83%), Germany (3,21%) and Mexico (2.21%).

“Ransomware gangs and their affiliates continue to up their game after high-profile attacks on the Colonial Pipeline and JBS, and many other organizations in different countries since then. This time, REvil operators have carried out a massive attack on MSPs with thousands of managed businesses around the world, infecting them as well,” comments Vladimir Kuskov, Head of Threat Exploration at Kaspersky. “This case once again demonstrates how important it is to implement proper cybersecurity measurements and solutions at all stages – including suppliers and partners.”

Kaspersky protects against this threat and detects it with the following names:

  • UDS:DangerousObject.Multi.Generic
  • Trojan-Ransom.Win32.Gen.gen
  • Trojan-Ransom.Win32.Sodin.gen
  • Trojan-Ransom.Win32.Convagent.gen
  • PDM:Trojan.Win32.Generic (with Behaviour Detection)

Learn more about the latest REvil attack on Securelist.

To keep organizations protected from modern ransomware attacks, Kaspersky recommends to:

  • Use a reliable endpoint security solution, such as Kaspersky Endpoint Security for Business that is powered by exploit prevention, behaviour detection and a remediation engine that is able to roll back malicious actions. KESB also has self-defence mechanisms which can prevent its removal by cybercriminals;
  • Not expose remote desktop services (such as RDP) to public networks unless absolutely necessary and always use strong passwords for them.
  • Promptly install available patches for commercial VPN solutions providing access for remote employees and acting as gateways in your network.
  • Always keep software updated on all the devices you use to prevent ransomware from exploiting vulnerabilities.
  • Focus your defence strategy on detecting lateral movements and data exfiltration to the Internet. Pay special attention to the outgoing traffic to detect cybercriminals’ connections. Backup data regularly. Make sure you can quickly access it in an emergency when needed. Use the latest Threat Intelligence information to stay aware of actual TTPs used by threat actors.
  • Use solutions like Kaspersky Endpoint Detection and Response and Kaspersky Managed Detection and Response service, which help to identify and stop the attack in its early stages, before attackers reach their final goals.

READ MORE:

Protect the corporate environment and educate employees. Dedicated training courses can help, such as the ones provided in the Kaspersky Automated Security Awareness Platform. A free lesson on how to protect from ransomware attacks is available here.

For more news from Top Business Tech, don’t forget to subscribe to our daily bulletin!

Follow us on LinkedIn and Twitter

Amber Donovan-Stevens

Amber is a Content Editor at Top Business Tech

Data-Sharing Done Right: Finding the Best Business Approach

Bart Koek • 20th November 2024

To ensure data is not only available, but also accessible to those that need it, businesses recognise that it is vital to focus on collecting, sorting and governing all the data in their organisation. But what happens when data also needs to be accessed and shared across the business? That is where organisations discover a...

Nova: The Ultimate AI-Powered Martech Solution for Boosting Sales, Marketing...

Erin Lanahan • 19th November 2024

Discover how Nova, the AI-powered engine behind Launched, revolutionises Martech by automating sales and marketing tasks, enhancing personalisation, and delivering unmatched ROI. With advanced intent data integration, revenue attribution, and real-time insights, Nova empowers businesses to scale, streamline operations, and outperform competitors like 6Sense and 11x.ai. Experience the future of Martech with Nova’s transformative AI...

How E-commerce Marketers Can Win Black Friday

Sue Azari • 11th November 2024

As new global eCommerce players expand their influence across both European and US markets, traditional brands are navigating a rapidly shifting landscape. These fast-growing Asian platforms have gained traction by offering ultra-low prices, rapid product turnarounds, heavy investment in paid user acquisition, and leveraging viral social media trends to create demand almost in real-time. This...

Why microgrids are big news

Craig Tropea • 31st October 2024

As the world continues its march towards a greener future, businesses, communities, and individuals alike are all increasingly turning towards renewable energy sources to power their operations. What is most interesting, though, is how many of them are taking the pro-active position of researching, selecting, and implementing their preferred solutions without the assistance of traditional...

Is automation the silver bullet for customer retention?

Carter Busse • 22nd October 2024

CX innovation has accelerated rapidly since 2020, as business and consumer expectations evolved dramatically during the Covid-19 pandemic. Now, finding the best way to engage and respond to customers has become a top business priority and a key business challenge. Not only do customers expect the highest standard, but companies are prioritising superb CX to...

Automated Testing Tools and Their Impact on Software Quality

Natalia Yanchii • 09th October 2024

Test automation refers to using specialized software tools and frameworks to automate the execution of test cases, thereby reducing the time and effort required for manual testing. This approach ensures that automation tests run quickly and consistently, allowing development teams to identify and resolve defects more effectively. Test automation provides greater accuracy by eliminating human...