The Driz Group

Cybersecurity Blog

Thought leadership. Threat analysis. Cybersecurity news and alerts.

6/5/2020


REvil Ransomware Group Resorts to Auctioning Stolen Data

 

It's now a known fact that ransomware groups steal data prior to encrypting files and demanding ransom from victims.

The group behind the ransomware called "REvil", also known by the name "Sodinokibi", has recently flaunted its data-stealing capability by auctioning the stolen data of one of its ransomware victims that refuses to pay ransom.

On the dark web, the group behind the REvil ransomware created an eBay-like auction site to sell the files of one of its victims that continued to refuse to pay ransom: a Canadian agricultural production company. The newly created REvil auction site says that a successful bidder will receive 3 databases and 22,000 files stolen from the agricultural company.

The minimum deposit is set at USD$5,000 in virtual currency Monero, and the starting bidding price is USD$50,000. To date, the Canadian agricultural production company hasn't acknowledged the ransomware attack and the related stolen data.

Ransomware: More than Encryption

Ransomware is a type of malicious software (malware) that encrypts victims' computers or files, rendering them inaccessible to legitimate users. In a ransomware attack, a ransom note shown on the victim's computer screen states that the only way to access the computer or files again is to pay a ransom, typically in the form of virtual currency.

In the past, ransomware victims weren't hesitant to acknowledge ransomware attacks. Often, though, in their cyber incident reports and press releases, victims assured affected clients or customers that there was no need to worry, as there was no evidence of data exfiltration.

The ransomware called "Maze" openly exposed the data exfiltration that accompanies a ransomware attack. Maze is the first ransomware whose operators published online the names of victims that refused to acknowledge the ransomware attack on their systems and/or continued to refuse to pay the ransom.

The group behind Maze ransomware threatens the "shamed" victims that continued refusal to pay the ransom will result in the publication of the data stolen prior to the data encryption. Publication of stolen data led one of the victims of Maze ransomware to file a case in court against the group behind Maze ransomware.

Close to a dozen other ransomware groups, including REvil, followed Maze's tactic of naming ransomware victims and threatening to publish victims' stolen data, an open acknowledgment that these ransomware groups steal data prior to encrypting files.

Microsoft Threat Protection Intelligence Team, in the blog post "Ransomware groups continue to target healthcare, critical services; here's how to reduce risk", said that "while only a few of these [ransomware] groups gained notoriety for selling data, almost all of them were observed viewing and exfiltrating data during these attacks, even if they have not advertised or sold yet."

Getting to Know REvil Ransomware

REvil ransomware first appeared in the wild in April 2019. Exploiting software vulnerabilities, brute-forcing RDP access and using third-party software are some of the known strategies the group behind REvil uses to gain access to victims' networks and eventually drop the ransomware.

Researchers at Cisco reported that the group behind the REvil ransomware has been exploiting CVE-2019-2725 since at least April 17, 2019 to install the ransomware. CVE-2019-2725 is a security vulnerability in Oracle WebLogic. Oracle first patched this vulnerability on April 26, 2019. "This vulnerability is easy for attackers to exploit, as anyone with HTTP access to the WebLogic server could carry out an attack," researchers at Cisco said.

Researchers at McAfee Labs, meanwhile, reported that the group behind REvil ransomware initially gains access to victims' networks by brute-forcing RDP access in order to install the ransomware. Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft that allows a user to access Windows workstations or servers over the internet.

In a related report, McAfee Labs reported that the number of RDP ports exposed to the internet has grown from roughly three million in January 2020 to more than four and a half million in March. "RDP ports are often exposed to the Internet, which makes them particularly interesting for attackers," researchers at McAfee Labs said. "In fact, accessing an RDP box can allow an attacker access to an entire network, which can generally be used as an entry point for spreading malware, or other criminal activities."

Kaspersky Lab, meanwhile, reported that since the beginning of March 2020, the number of Bruteforce.Generic.RDP attacks has rocketed across almost the entire planet. In a brute force attack, attackers systematically try all possible username and password combinations until the correct combination is found.
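As an added illustration (not part of the original post), the sketch below shows how a defender might spot the brute-force pattern described above in Windows logon events: many failed logons from one source in a short window, followed by a success. Event IDs 4625 and 4624 are the standard Windows failed and successful logon events; the sample records, IP addresses, account names, threshold and window are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def at(sec):  # helper for the constructed timestamps below
    return datetime(2020, 6, 1, 9, 0, 0) + timedelta(seconds=sec)

# Constructed sample records (not real logs):
# (time, event ID, logon type, source IP, account).
# 4625 = failed logon, 4624 = successful logon.
SAMPLE_EVENTS = [
    (at(0), 4625, 10, "198.51.100.20", "alice"),   # one mistyped password
    (at(5), 4624, 10, "198.51.100.20", "alice"),
    (at(10), 4625, 3, "203.0.113.7", "administrator"),
    (at(12), 4625, 3, "203.0.113.7", "admin"),
    (at(14), 4625, 3, "203.0.113.7", "administrator"),
    (at(16), 4625, 3, "203.0.113.7", "backup"),
    (at(18), 4625, 3, "203.0.113.7", "administrator"),
    (at(20), 4625, 3, "203.0.113.7", "svc_sql"),
    (at(40), 4624, 10, "203.0.113.7", "backup"),   # logon right after the burst
]

# Type 10 is RemoteInteractive (RDP). With Network Level Authentication, RDP
# attempts are logged as type 3, which also covers other network logons, so
# this sketch assumes the events were collected from an RDP host.
RDP_LOGON_TYPES = {3, 10}

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Alert on >= threshold failed logons from one IP inside a sliding
    window, and on a successful logon from that IP while the burst is recent."""
    failures = defaultdict(deque)  # ip -> (time, account) of recent failures
    flagged, alerts = set(), []
    for ts, event_id, logon_type, ip, user in sorted(events):
        if logon_type not in RDP_LOGON_TYPES:
            continue
        recent = failures[ip]
        while recent and ts - recent[0][0] > window:
            recent.popleft()  # drop failures that fell out of the window
        if event_id == 4625:
            recent.append((ts, user))
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("bruteforce", ip, sorted({u for _, u in recent})))
        elif event_id == 4624 and ip in flagged and recent:
            alerts.append(("success_after_bruteforce", ip, [user]))
    return alerts

if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

The single mistyped password from the first address raises no alert, while the burst from the second address is flagged once and the logon that follows it is reported separately.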

Aside from exploiting software security vulnerabilities and brute-forcing RDP access, the group behind the REvil ransomware has also been known to install the ransomware on victims' networks by using third-party software. In August 2019, the mayor of Keene, Texas revealed that the group behind the REvil ransomware managed to install the ransomware on the municipality's network through software that a third-party IT company used to manage the municipality's network.

While the motive behind this new tactic of auctioning ransomware victims' stolen data isn't yet clear, its timing, amid the ongoing COVID-19 pandemic and the resulting government-mandated home quarantine, could mean that ransomware victims are refusing to pay ransom because they may have hardened their backup systems, or that victims are hard-pressed to pay ransomware attackers because of the economic fallout from the ongoing pandemic. In the wrong hands, the auctioned stolen files could be used against victims and the victims' customers.

Cybercriminals are not playing by rules and are winning in most cases. Protect your organization today by engaging with our expert team. Connect with us today.


    Author

    Steve E. Driz, I.S.P., ITCP

© 2023 Driz Group Inc. All rights reserved.
Photo used under Creative Commons from GotCredit