The REvil ransomware threat group is on a cyberattack tear, claiming over the past two weeks to have infected nine organizations across Africa, Europe, Mexico and the U.S.
The organizations include two law firms, an insurance company, an architectural firm, a construction company and an agricultural co-op, all located in the U.S.; as well as two large international banks (one in Mexico and one in Africa); and a European manufacturer. In an email interview with Threatpost, researchers with eSentire, who wrote an analysis of the threat group’s claims, said they would not name the victim companies.
“These new ransomware incidents, which the…gang is claiming, could certainly be plausible,” said Rob McLeod, senior director of the Threat Response Unit (TRU) for eSentire. “These attacks come directly on the heels of an extensive and well-planned drive-by-download campaign, which was launched in late December. This malicious campaign’s sole purpose is to infect business professionals’ computer systems with the…ransomware, the Gootkit banking trojan or the Cobalt Strike intrusion tool.”
The threat group is also known as the Sodinokibi ransomware gang, and is called “Sodin” by eSentire. The malware, which first surfaced in 2019, has since proliferated to hit an array of victims, including New York-based celebrity law firm Grubman Shire Meiselas & Sacks, Travelex and Brown-Forman Corp. (the maker behind Jack Daniels).
Ransomware Attacks
Researchers said that REvil cybercriminals posted documents on underground forums that purported to be from the victims’ systems – including company computer file directories, partial customer lists, customer quotes and copies of contracts. Researchers said they also posted what appears to be several official IDs, either belonging to an employee or a customer of the victim companies.
“We do not know the amount of the ransom they have demanded or if a ransom has been paid,” McLeod told Threatpost. “However, we have seen some victims posted, and then their information and name have been pulled from the website. We wonder if this indicates payment.”
Authentic Victims?
While researchers can’t be 100 percent sure the claims are accurate, “in reviewing several of the documents that the Sodin gang claims are from their new victims, many of them appear to be authentic,” said McLeod.
For one, the documents appear to relate to the business of each victim, they said. The documents also include dated timestamps that show that the attacks may have occurred not too long ago.
For one of the victims – the manufacturing company – researchers found news reports that the manufacturer had been hit by ransomware and had to stop production for a day or two. “As evidence, [REvil provided] Excel spreadsheets of annual budgets, purportedly from the manufacturer,” McLeod told Threatpost.
There is one caveat – a few documents relating to a bank in Africa and an insurance firm have older date stamps listed. This made researchers question whether these two firms were actually victims of the REvil gang — or instead if somehow the threat actors gained access to some old files belonging to the organizations.
Regardless, “Sodin gang has been very successful in compromising large organizations, as we have seen, and they have resources and the techniques to carry these ransomware attacks so it is extremely plausible these are real,” said McLeod.
REvil on the Move
Researchers said one puzzle piece to REvil’s recent success with ransomware attacks may be the Gootloader malware loader, which they said is “designed to seed the ransomware.”
This loader previously used for distributing the REvil ransomware as well as the Gootkit malware family, and has evolved into an increasingly sophisticated loader framework. It now also expanded the number of payloads its delivers to include the Kronos trojan and the Cobalt Strike commodity malware.
“We know this campaign has had some success because not only have we seen reports from other security groups, but we have also discovered multiple incidents where business professionals have been duped and have downloaded Gootloader onto their work computers,” said McLeod. “Luckily, we were able to disrupt the activity in midstream, preventing numerous related malware infections within the employee organizations, two of which were law firms and one which was a professional consulting firm.”
Researchers said they have seen REvil expanding its extortion tricks tactics and procedures (TTPs) to now contact victims’ business associates and the media, in order to put on the maximum amount of pressure on the victim to pay.
They noted that in the last couple days, the threat group also appears to be updating its website to make it easier to browse their victim list.
“The Sodin gang is well equipped with very good set of adversarial capabilities, and we do not believe they have shown their entire hand of what they can do,” McLeod warned. “Once they get on a system, they are very good and staying on and spreading throughout the victim’s environment.”
Check out our free upcoming live webinar events – unique, dynamic discussions with cybersecurity experts and the Threatpost community:
- March 24: Economics of 0-Day Disclosures: The Good, Bad and Ugly (Learn more and register!)
- April 21: Underground Markets: A Tour of the Dark Economy (Learn more and register!)