Menu
How channel partners can better defend against ransomware.
In a June 2021 incident, the Sophos Rapid Response team responded to a security alert that flagged Cobalt Strike on the network of a midsize media company. Cobalt Strike is a remote access agent that is widely used by adversaries as a precursor to ransomware attack. The attackers proceeded to release ransomware a few hours later, at 4 a.m. local time, targeting proximately 600 computing devices–25 of them servers–and three Active Directory domains that were critical to the company’s ability to maintain its 24/7 operations.
The ransom note demanded a payment of $2.5 million, and it was signed by REvil. Also known as Sodinokibi, REvil is a ransomware-as-a-service (RaaS) offering, which means that criminal customers can lease the malware from the developers and then use their own tools and resources to target and perform the attack. Although REvil was also used in the recent Kaseya attack, the approach and impact of an attack involving REvil ransomware is highly variable, making it difficult for defenders to know what to expect and look out for.
Following the initial ransomware attack, the target’s IT team and Sophos’ Rapid Response team were locked in live combat with the human adversaries orchestrating the attack. The attackers tried repeatedly to breach protected devices and encrypt files, launching attacks from different unprotected devices they had been able to compromise. Every attempt needed to be blocked and investigated to ensure there was nothing else going on and that there was no further damage–even though by then the next attack attempt was already underway. This task was made harder than normal because the organization needed to keep most of its servers online to support the 24/7 broadcasting systems.
Eventually, the onslaught began to slow down. By day two, inbound attacks were still detected intermittently, but it was clear the main attack attempt was over and had failed. Unfortunately, even though the attack ultimately failed, the attackers had already encrypted the data on unprotected devices, deleted online backups, and decimated one online and undefended domain.
Lessons Learned from This REvil Attack
Sophos experts believe there are two important lessons that partners and defenders should take away from this incident.
The first is about risk management. When organizations make changes to their environment–for example, changing a network from air-gapped to online as in the case of this business–the level of risk changes. New areas of vulnerability open up, and partners and IT security teams need to understand and address that.
The second is about preserving data. The first compromised account in this attack belonged to a member of the IT team. All data was wiped, which meant that valuable information–such as details of the original breach, which could have been used for forensic analysis and investigation–was lost. The more information is kept intact, the easier it is to see what happened and to enable partners and the victim organization to make sure it doesn’t happen again.
Responding to a REvil Attack
Sophos recommends the following best practices for partners to help defend against REvil and other families of ransomware and related cyberattacks:
Dealing with a cyberattack like REvil is a stressful experience. It can be tempting for partners to clear the immediate threat and close the book on the incident, but the truth is that in doing so you are unlikely to have eliminated all traces of the attack. It is important that you take time to identify how the attackers got in, learn from any mistakes and make improvements to security systems. If you don’t, you run the risk that the same adversary or another one might attack again in the future.
This guest blog is part of a Channel Futures sponsorship.
Session expired
Please log in again. The login page will open in a new tab. After logging in you can close it and return to this page.