
Researchers with Symantec’s Threat Intelligence team observed REvil ransomware operators scanning one victim’s network for Point of Sale (PoS) systems.

REvil (also known as Sodinokibi) is a Ransomware-as-a-Service (RaaS) operation known to breach corporate networks using exploits, exposed remote desktop services, spam and hacked Managed Service Providers.

After gaining access to a target’s network, the operators move laterally while stealing data from servers and workstations, and later encrypt every machine on the network once they have obtained administrative access to a domain controller.

In the campaign observed by Symantec, the REvil affiliates used the off-the-shelf Cobalt Strike penetration testing toolkit to deploy REvil (aka Sodinokibi) ransomware payloads on their targets’ networks.

Ransom doubled within three hours

In total, the researchers found Cobalt Strike on the networks of eight companies that were targeted in this operation, with the REvil ransomware infecting and encrypting three companies from the retail, food and healthcare sectors.

“The companies targeted in this campaign were primarily large, even multinational, companies, which were likely targeted because the attackers believed they would be willing to pay a large ransom to recover access to their systems,” Symantec explained.

Each of the victims was asked to pay $50,000 worth of the Monero cryptocurrency, rising to $100,000 if a three-hour deadline expired.

The REvil actors did their best to evade detection by hosting their infrastructure on legitimate services such as Pastebin (payload storage) and Amazon CloudFront (command and control) after gaining access to their targets’ networks.

They also disabled security software to keep security teams from detecting the intrusion, and used stolen credentials to add rogue accounts to the compromised machines as a simple way of maintaining persistence.

Scanning PoS systems

While the larger corporations were the ideal targets because big entities are more likely to pay a huge ransom to unlock their networks, the healthcare organization was a smaller company that likely could not afford the ransom.

In this case, probably prompted by the high likelihood that the victim would not be able to pay for their “decryptor,” the REvil operators also scanned the healthcare organization’s network for PoS systems, either in an attempt to steal payment card data or to identify an additional valuable target worth encrypting.

“While many of the elements of this attack are ‘typical’ tactics seen in previous attacks using Sodinokibi, the scanning of victim systems for PoS software is interesting, as this is not typically something you see happening alongside targeted ransomware attacks,” Symantec concluded.

“It will be interesting to see if this was just opportunistic activity in this campaign, or if it is set to be a new tactic adopted by targeted ransomware gangs.”

The REvil operators also launched an auction platform earlier this month for selling data stolen from their victims to the highest bidder.