A famed ransomware as a service had a rebranding — nay, a renaissance — this year.
Sodinokibi, or REvil, made its first appearance at the end of April, according to research from McAfee. Since then, the ransomware strain has been linked to the coordinated attack on more than 23 Texas municipalities, 400 U.S. dentist offices, managed service provider CyrusOne, and most recently, an IT service provider for dentist offices, Complete Technology Solutions (CTS).
The attack against CTS infected the offices of more than 100 of its dentist customers, reported cybersecurity journalist Brian Krebs.
REvil's spread is not done. "Sadly, there is no typical lifespan for ransomware attacks," Oussama El-Hilali, CTO of Arcserve, told CIO Dive. Ransomware's ability to sustain itself, through constant iterations, makes it "almost impossible to tell how long the lifecycle of a strain is."
Hackers behind ransomware campaigns are renovators. When a strain has run its course, or when the security industry has begun to outpace it, hackers reevaluate their toolkit.
"Combined with the fact that the people behind the attack appear to be large in numbers, and have very deep pockets, they are the biggest threat since the GandCrab strain," which uses AES encryption, said El-Hilali.
GandCrab began circulating in January 2018 and relied on spam campaigns and exploit kits to spread. Cisco Talos researchers found "a series of compromised websites that were being used to deliver GandCrab."
Hackers behind GandCrab announced their "retirement" at the end of May, a month after the debut of its apparent rebrand, REvil, according to a forum post disclosed by security researcher Damian. The operators claim to have made about $2 billion in ransoms from GandCrab.
REvil "has some of the top affiliates from GandCrab involved in its spread, therefore we have to anticipate considerable improvements," Raj Samani, fellow and chief strategist at McAfee, told CIO Dive. McAfee research found the RaaS model allows its affiliates to spread the virus "any way they like."
The year of ransomware
Ransomware hit nearly 950 government agencies, educational organizations, and healthcare providers, according to research from Emsisoft. Disruption led to patient redirections in hospitals, inaccessible medical records, canceled surgeries and intermittent 911 availability.
Maze, a ransomware that requires contact with its hackers, also made headlines this year. Most recently, Maze struck Pensacola, Florida, a day after a fatal shooting at a naval base on Dec. 6.
The timing between the Maze cyberattack and the shooting was coincidental, the operators told Bleeping Computer. Its operators claim its malware stops just short of "socially significant services," which they define as "hospitals, cancer centers, maternity hospitals and other socially vital objects."
However, Maze still targets government entities.
"The effectiveness of a ransomware attack lies in the importance of the data at stake, and how easy it can be to deploy," said El-Hilali.
The average cost of a ransomware attack is about $8 million, and recovery takes almost 290 days, according to Emsisoft.
Hostage data cripples business functions, so entities "panic and pay," said El-Hilali. But organizations that don't pay can face consequences. A Michigan medical center was forced to close following its refusal to pay a ransom. The hackers deleted all its patient files.
REvil's resilience is measured by its impact, which can be profound. The strain has the ability to "delete snapshots of duplicated data," said El-Hilali. If needed, it can also exploit zero-day vulnerabilities in Microsoft Windows.
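The snapshot-deletion behavior described above is one of the few ransomware actions that leaves a loud, pre-encryption trace in process-creation telemetry. The following is an added detection example, not code from the article or from any vendor quoted in it: it parses constructed, pipe-delimited process-creation events (timestamp, host, parent image, command line, all invented here), tags commands that remove Volume Shadow Copies or disable Windows recovery, and promotes a host to high confidence when several distinct techniques fire within a short window.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not from the article): timestamp|host|parent image|command line
SAMPLE_EVENTS = r"""
2019-12-05T02:14:07Z|dc01|C:\Windows\explorer.exe|notepad.exe C:\Users\admin\notes.txt
2019-12-05T02:14:31Z|fs02|C:\Users\jdoe\AppData\Local\Temp\update.exe|vssadmin.exe Delete Shadows /All /Quiet
2019-12-05T02:14:32Z|fs02|C:\Users\jdoe\AppData\Local\Temp\update.exe|wmic shadowcopy delete
2019-12-05T02:15:10Z|fs02|C:\Windows\System32\cmd.exe|bcdedit /set {default} recoveryenabled No
2019-12-05T03:00:00Z|bk01|C:\Program Files\Backup\agent.exe|vssadmin.exe list shadows
"""

# Each tag names a distinct way of destroying snapshots or recovery options; read-only
# commands such as "vssadmin list shadows" deliberately do not match.
SNAPSHOT_TAMPER = [
    ("vss_delete", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vss_resize", re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic_delete", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("wbadmin_delete", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I)),
    ("recovery_off", re.compile(r"\bbcdedit(\.exe)?\b.*recoveryenabled\s+no", re.I)),
]

def parse_event(line):
    """Split one pipe-delimited event into a dict; the timestamp becomes a datetime."""
    ts, host, parent, cmd = line.split("|", 3)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "parent": parent, "cmd": cmd}

def find_snapshot_tampering(log_text):
    """Return every event whose command line matches at least one tamper pattern."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        tags = [name for name, rx in SNAPSHOT_TAMPER if rx.search(ev["cmd"])]
        if tags:
            hits.append({**ev, "tags": tags})
    return hits

def high_confidence_hosts(hits, window=timedelta(minutes=5), min_distinct=2):
    """Hosts where at least min_distinct different techniques fire inside one window."""
    by_host = {}
    for h in hits:
        by_host.setdefault(h["host"], []).append(h)
    flagged = []
    for host, evs in sorted(by_host.items()):
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):  # slide the window from each event
            seen = set()
            for e in evs[i:]:
                if e["ts"] - first["ts"] > window:
                    break
                seen.update(e["tags"])
            if len(seen) >= min_distinct:
                flagged.append(host)
                break
    return flagged
```

Run against the sample, fs02 is flagged because three different tamper techniques fire within a minute, while bk01's read-only listing from a backup agent produces no hit at all.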
REvil's clean and "very well written code" is in "pure assembly," while its packer is written in Visual C++, according to McAfee. The packer decrypts the actual malware so it can complete its first mission: "get all functions needed in runtime and make a dynamic IAT to try obfuscating the Windows call in a static analysis."
The security firm found a 40% code match between REvil and GandCrab.
Battening down the hatches
As REvil settles in as GandCrab's prolific successor, preparing for the ransomware is a top priority, and preparations now involve privacy-related protocols.
REvil operators are following in the footsteps of Maze, threatening to publicly disclose or sell stolen data to a competitor if a ransom goes unpaid, reports Bleeping Computer. The hackers said that before encrypting CyrusOne's network, they stole its data.
Dangling a data breach over a company in exchange for money ups the ante.
Hackers are evolving with the changes in data storage strategies. CyrusOne's attack was executed by hackers who are "skilled at finding new ways to encrypt files and adapting the malware to become better at evading detection," said El-Hilali.
The RaaS model elicits a "parent-child relationship" in GandCrab's affiliates and developers, according to McAfee. Now "RaaS families" are migrating to REvil.
But ransomware isn't a commodity, according to Samani. Even GandCrab survived because the hackers behind it manipulated the strain to stay on par with security developments.
Regularly updating and testing business continuity and disaster recovery efforts is a layer of defense companies need. "You can only outsmart something you’re well-prepared for," said El-Hilali. But having a data center entirely free of ransomware is a near "impossible" feat.
To work around an ever-present threat, El-Hilali recommends constantly updated data center replication. But IT managers have to pick up where replication leaves off by confirming that the "good versions" of data are truly clean.